Cybersecurity: Vulnerability assessments are pivotal to mitigate risks

As cyberattacks grow in both number and sophistication, cities are increasingly exposed and their potential attack surface includes all Internet of Things devices, applications, and networks.

According to an online survey Swiss technology company Paradox Engineering carried out in autumn 2021, city officers and utility managers acknowledge video surveillance as a very attractive application to hackers. Indeed, cyber threats against IP cameras are real and ongoing.

Particularly when connected to an IoT network, an IP camera may become an attractive target for a cybercriminal for three main reasons. First is about privacy: the hacker may be interested in acquiring and analysing live images of people living or moving in a certain area to learn their habits and behaviours, or get personal sensitive information (faces, car licence plates, etc.). Secondly, the violation may grant visibility on the infrastructure to which the camera is connected and pave the way to a network attack.

Last but foremost, the breach may also lead to the exploitation of its computational power for crypto mining, or as a node of a command-and-control network called botnet. This happened for instance in 2016, when IP cameras were used among other devices as bots to launch denial of service attacks against an Internet management company, resulting in shutdowns of various major websites.

Defusing the violation of an IP camera: A case study

During a routine security assessment on the IoT network of a customer, Paradox Engineering’s cybersecurity team detected a newly installed device – specifically an IP camera.

A research activity was run to assess if the camera could be considered secure enough for being used and exposed on a public network. The team discovered two zero-day vulnerabilities: a zero-day is a computer software vulnerability previously unknown to those who should be interested in its mitigation. As these vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, no patches are available for their resolution.

“In our daily work we adopt an evil mindset and ask ourselves questions like: How many devices offer an attack surface? How deeply may the attacker have analysed the situation? This is part of the methodological process of our cybersecurity framework”, explained Davide Fiozzi, cybersecurity engineer at Paradox Engineering.

The analysis confirmed it was not secure to publicly expose the IP camera. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account to access all IP camera commands without being authorised. The second vulnerability was related to the passwords of the IP camera users. By reverse engineering the publicly available source code, it would have been possible to discover the salt used in the hash function which stores user passwords.

Two different solutions were suggested: remove the camera and replace it with a more secure product or install a firewall to limit the access to known IP addresses. The customer chose the first option and agreed to remove the IP camera.

“Taking care of the security monitoring of our customer’s IoT network, we succeeded in early detection of two zero-day vulnerabilities of a newly installed IP camera. The prompt response allowed the company to mitigate the risk and restore the overall security level”, said Dario Campovecchi, cybersecurity architect at Paradox Engineering.

About Paradox Engineering

Paradox Engineering is a technology company that designs and markets Internet of Things solutions for open cities and other smart environments. Established in 2005 and headquartered in Switzerland, the company is the IoT Excellence Centre of MinebeaMitsumi Group, leading global provider of Electro Mechanics Solutions™, and controls Tinynode, which specialises in smart parking technologies.

For further information, please visit www.pdxeng.ch