This past week a significant vulnerability was found in several different makes and models of IP cameras, enabling hackers to gain control of the audio and video feeds. The ThroughTek P2P vulnerability is based on software code that ThroughTek provides to multiple camera manufacturers for devices that have been sold for many years. In the age of deepfakes and commonly available tools to manipulate images, this vulnerability is a critical one to remediate before it causes significant damage. Yet that is at the heart of IoT cyber hygiene – once a vulnerability is detected, what can you do and how fast can you do it?
Credit must be given to both Nozomi Networks and to CISA (Cybersecurity and Infrastructure Security Agency) for quick action in alerting organizations to this vulnerability, especially with clear identification of the specific IP cameras that are impacted. CISA is recommending that operators of impacted devices disable the P2P (stream sharing) capability, or remove the device from the network. ThroughTek has also made changes to its software, and is recommending that settings be changed to prevent the P2P functionality from being exploited. There will likely be a firmware patch available that would remediate the vulnerability without impacting functionality, but it is not available yet.
This case is representative of many IoT vulnerabilities and how they get handled for devices already deployed “in the wild”. It’s quite different from how traditional IT systems would remediate cyber vulnerabilities. In March this year there was a major vulnerability found in Microsoft Exchange servers; along with the announcement of the vulnerability came a firmware update that could be applied immediately. And for the most part those firmware patches were done quickly; standard tools for patch management could be used to ensure quick remediation.
IoT vulnerability remediation (such as with IP cameras) is not as straightforward. There are several challenges with IoT that make it very different:
- IoT is distributed; just think of where security cameras are placed (outside buildings, remote corners, etc.)
- As with the ThroughTek vulnerability, there are often multiple makes and models involved. Having to learn and manage through several vendors’ unique consoles and interfaces adds to the complexity
- With IoT devices there is often close coordination between the device and an application. Surveillance cameras (the devices) must coordinate with a VMS (video management system) for things like password and firmware updates in order for the mission to be accomplished (in this case, retaining video evidence)
- The personnel responsible for IoT devices are usually not IT people. In many organizations these devices would be under the control of OT (operational technology) personnel, who may not have the skill sets and proficiency that IT personnel would have
At Viakoo our mission is to make things work securely – the opposite of disabling functionality, port blocking, or removing vulnerable devices from the network. Treating a vulnerable device that way protects the network, but equally defeats the purpose of the device being used. Instead, make all devices full network citizens by keeping them up to date on firmware patches, certificates, and password rotations. This trifecta of cyber hygiene can be done automatically and across the entire organization, saving time and resources. A good way to learn more about remediating IoT vulnerabilities is with our recent webinar “Patch Me If You Can”, where we go into detail on how IoT devices can be maintained and managed to the same level of cyber hygiene as traditional IT systems.
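As an added illustration of the triage an operator faces after an advisory like this one (firmware state, P2P setting, certificate expiry and password age across a fleet of cameras from several vendors), here is a small Python example. It is not Viakoo's code, nor ThroughTek's or CISA's; the vendor names, model names, firmware versions and dates are constructed placeholders, and the real list of affected cameras is the one in the CISA and Nozomi advisories, not the one below.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholder set of affected (vendor, model) pairs. The actual
# affected-device list comes from the CISA / Nozomi Networks advisories.
AFFECTED_MODELS = {("ExampleVendorA", "CamModel-1"), ("ExampleVendorB", "CamModel-7")}

# Constructed placeholder: fixed firmware version per affected model, or None
# when no fixed firmware has been released yet (the situation the post describes).
FIXED_FIRMWARE = {
    ("ExampleVendorA", "CamModel-1"): None,
    ("ExampleVendorB", "CamModel-7"): "2.4.0",
}


@dataclass
class Camera:
    name: str
    vendor: str
    model: str
    firmware: str            # dotted version string, e.g. "2.3.1"
    p2p_enabled: bool        # P2P / stream-sharing feature switched on
    cert_expires: date       # expiry of the device's TLS certificate
    password_rotated: date   # date the device credential was last rotated


def version_tuple(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def triage(cam, today, cert_warn_days=30, max_password_age_days=90):
    """Return a sorted list of (priority, action) for one camera; empty means nothing is due.

    Priority 1 = act now (vulnerable and exposed, or already expired),
    priority 2 = schedule soon.
    """
    findings = []
    key = (cam.vendor, cam.model)

    if key in AFFECTED_MODELS:
        fixed = FIXED_FIRMWARE.get(key)
        if fixed is not None and version_tuple(cam.firmware) >= version_tuple(fixed):
            pass  # already running fixed firmware; P2P may stay enabled
        elif fixed is not None:
            findings.append((1, f"apply firmware {fixed} (running {cam.firmware})"))
        elif cam.p2p_enabled:
            # Mirrors the interim advisory guidance: no patch yet, so reduce exposure.
            findings.append((1, "no fixed firmware yet: disable P2P stream sharing or isolate the device"))
        else:
            findings.append((2, "P2P already disabled; re-check when fixed firmware is released"))

    days_to_cert = (cam.cert_expires - today).days
    if days_to_cert < 0:
        findings.append((1, f"certificate expired {-days_to_cert} days ago"))
    elif days_to_cert <= cert_warn_days:
        findings.append((2, f"certificate expires in {days_to_cert} days"))

    password_age = (today - cam.password_rotated).days
    if password_age > max_password_age_days:
        findings.append((2, f"password is {password_age} days old; rotate"))

    return sorted(findings)


def triage_fleet(cameras, today):
    """Map each camera name to its list of findings."""
    return {cam.name: triage(cam, today) for cam in cameras}


# Constructed sample inventory (placeholder names, versions and dates).
TODAY = date(2021, 6, 21)
FLEET = [
    Camera("lobby-01", "ExampleVendorA", "CamModel-1", "1.9.2", True, date(2022, 1, 1), date(2021, 5, 1)),
    Camera("gate-03", "ExampleVendorB", "CamModel-7", "2.3.1", False, date(2021, 7, 10), date(2021, 1, 15)),
    Camera("dock-02", "ExampleVendorB", "CamModel-7", "2.4.0", True, date(2023, 1, 1), date(2021, 6, 1)),
    Camera("roof-05", "OtherVendor", "ZZ-9", "5.0.0", True, date(2021, 6, 1), date(2021, 6, 20)),
]

if __name__ == "__main__":
    for name, findings in triage_fleet(FLEET, TODAY).items():
        if not findings:
            print(f"{name}: ok")
        for priority, action in findings:
            print(f"{name}: P{priority} {action}")
```

Running it over the constructed fleet shows why the post calls the trifecta a single job: the camera that is up to date on all three counts needs nothing, the unpatched one needs the interim P2P mitigation, and the unaffected rooftop camera still surfaces as priority 1 because its certificate has already expired.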