Backdoor, schmackdoor – it’s Christmas Shopping Season, y’all!
This morning my blog, The Security Ledger, ran a story about research from the firm Duo Security that provided more evidence (if any was needed) that the fast-emerging market for IP-enabled “stuff” is headed for a serious reckoning with the security and privacy crowd.
Specifically: my article discusses research that Duo’s Security Evangelist, Mark Stanislav, presented at a security conference on Tuesday. In his talk, Mark described the findings of a detailed analysis of the IZON home surveillance camera, a sleek-looking little product from a Utah-based firm, Stem Innovations, that is sold in Apple Stores and at Best Buy. But, like so many cool, new “smart” products, IZON’s exterior polish masks some serious blemishes under the hood, Stanislav discovered.
Among the security issues he uncovered, Stanislav found that IZON devices deploy with an insecure port configuration by default, including exposed Telnet and HTTP ports and a hard-coded “root” (or superuser) account that would provide direct, remote access to the IZON’s (Linux) operating system.
Just as troubling: IZON cameras ship with a laughably guessable default user name and password. Plugging those into the camera’s login screen grants access to a Web-based management console for the device. That means in cases where the IZON camera isn’t hidden behind a firewall or router, anyone with an Internet connection and knowledge of the device’s Internet address could log in and take control of the camera: viewing and recording video of the camera’s surroundings and even sounding alarms that could be heard in the vicinity of the camera.
This is no theoretical problem, either. Stanislav used the hardware-focused search engine Shodan to find 65 such devices online in July spread across a dozen countries including the U.S., Mexico, Germany and China.
This would all be shocking if it weren’t business-as-usual in the fastest evolving part of the technology market: the so-called “Internet of Things,” in which cheap, remote sensors combine with Internet-enabled hardware and cloud-based management infrastructure to “smarten” all manner of formerly “dumb” stuff: household thermostats, coffee makers, lawn sprinklers, and – of course – cameras.
The FTC just last month reached a settlement with TRENDnet, the maker of Securview cameras, which are very similar in function (if not design) to the IZON. Many of the complaints alleged by the FTC (and later acknowledged by TRENDnet in a settlement) could apply just as well to the IZON.
What’s going on? It’s pretty clear, at this point, that consumer device makers are more focused on getting product to market than on pesky issues like hardware and software security.
In an e-mail exchange regarding Stanislav’s research, for example, Stem Innovations’ CTO, Matt MacBeth, apologized for the delay in responding to my inquiries about the serious allegations raised about the IZON. In an e-mail, MacBeth explained that his company was super busy getting ready for the Christmas season.
“In addition to 24/7 work on the app/servers/firmware of the current products, we are also in the process of working on new products and services,” read one breathless e-mail. “While the programmers were grinding away the past few weeks, some of the rest of us were at our factory partners making sure production will be ready for this holiday season and looking into new technologies for integration into future products.” Stem, MacBeth explained, was “busy knocking stuff out.”
And that may be the problem. In the rush to get products to market – shiny and powerful products, to be sure – vendors like Stem, TRENDnet and countless others are leaving behind more than two decades of knowledge and experience about how to design and deploy secure Internet devices. Nobody in his or her right mind would hang a Linux server out on the Internet with an open Telnet port. Why do it with a Linux-based surveillance camera?
The reasons here aren’t totally clear, I’ll admit. It may be, as I said, that Stem and other firms like it are putting profits before privacy. It could be that young, upstart firms populated by youthful programmers and executives simply lack the knowledge and experience necessary to design security into their products. As I noted in an earlier blog post about problems with Philips smart “HUE” light bulbs, it may be that consumer product companies have a difficult time ‘envisioning an enemy.’ “Why,” the thinking goes, “would anyone be interested in hacking our stuff?!”
Whatever the case, the victims in this case are easy to spot: they’re the unwitting consumers who have purchased and deployed technology that then betrays them. Stanislav’s research uncovered scores of IZON cameras that are attached directly to the Internet. The information he uncovered makes it possible to log into these devices and look through the camera into homes and businesses, as their occupants go about their daily business, unaware that they are being watched.
The FTC’s case against TRENDnet was meant as a warning to firms with products like the Securview and IZON cameras – but not explicit to them. The message: “Uncle Sam is watching,” especially when the privacy and physical safety of consumers is in question. Alas, with the promise of riches as consumers warm to “smart home” products, that is a message that is falling on deaf ears.
The last resort, then, will probably be public pressure from customers and, to a lesser extent, the media. As was the case with Microsoft, Adobe and other firms: lax security and other forms of “bad behavior” need to be exposed and their root causes (ignorance, technical failing or carelessness) identified. Then market pressure needs to be applied to manufacturers to make sure that security is a top priority, not an afterthought.