Networked security cameras are the most likely to have vulnerabilities when it comes to securing Internet of Things devices in the enterprise, according to a new report by Zscaler.

“I would consider the entire video camera category as particularly dangerous,” said Deepen Desai, director of security research at Zscaler.

[ Get the scoop on the internet of things at its most fundamental level and find out where it's headed, in InfoWorld's downloadable PDF and ePub. | Pick up the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]

Take, for example, the Flir FX wireless HD monitoring camera. Researchers found that the camera communicated with the parent company in plain text and without authentication tokens.

“The firmware that was being updated was not being digitally signed,” said Desai.

That means that attackers have the opportunity to introduce their own, malicious firmware instead, he said.

GET YOUR DAILY SECURITY NEWS: Sign up for CSO’s security newsletters

Another camera, the Foscam IP surveillance camera, connects to a web server to stream video to users’ desktops or smartphones. That can be a useful feature, but the user credentials, including the password, are transmitted in plain text, over HTTP, right in the URL.

The Axis camera has a remote management console, but it uses basic HTTP authentication, allowing sniffing and man-in-the-middle attacks.

Zscaler also found that consumer devices frequently appeared inside enterprises, such as the Chromecast and Roku media players and smart TVs.

Zscaler didn’t find any security issues with either the Chromecast or the Roku, but the smart TVs used outdated libraries which could be used to get control of the system.

Late last month, a botnet that infected networked devices, cut off access to large areas of the Web. But this isn’t actually the biggest threat that vulnerable IoT devices pose for enterprises, Desai said.

But when Zscaler analysed the traffic from enterprise devices, and correlated it with DDoS attacks, there were no spikes.

“Based on the analysis that we did, none of the devices that were in our customers’ enterprise networks were affected,” Desai said. “My take on that is that enterprises had their IoT devices properly segmented in the network. The way that the Mirai botnet was propagating, it was preying on weak and default connections.”

But just because the most recent round of attacks did not reach these devices, doesn’t mean that companies should get complacent. And the risks are much higher than simply having a device in a network that acts as a DDoS message relay.

An infected device can be an access point into an enterprise network. And an infected camera can do even more damage.

“If an attacker got access to your video camera, they could see what’s going on in the environment,” he said.

So for example, they can see when particular areas are unguarded, to plan both physical attacks and cyber attacks.

Desai suggested that enterprises restrict access to IoT devices as much as possible, by blocking external ports or isolating devices on isolated networks, to prevent lateral movement. They should also change default credentials, and set up a process to apply regular security and firmware updates.

This story, "Surveillance cameras most dangerous IoT devices in enterprise" was originally published by CSO.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.

InfoWorld Security

A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Researcher Tim Strazzere, with help of his colleagues, analyzed the sample received practically directly from the target (who wished to remain anonymous), and discovered that the spyware:

  • Asks for practically every permission
  • Can hide itself from the launcher, ensure persistence, mute all audio on the device, turn the GPS on and off, take screenshots or record what can be seen on the screen, record video and audio, reply to or forward messages, lay low while the user is using the device, executed code, exfiltrate data, and so on.
  • Likely masquerades as an update for a Google service, as the target is shown phrases such as “Servizi Google” (Google Service) and “Aggiornamento effettuato con successo” (Successful Update).

What made him think that this might be the work of Hacking Team is the fact that the spyware contacts two IP address located in an address space used by previously known HackingTeam families.

The use of Italian in encrypted strings and SSL certificates is another circumstantial piece of evidence that seemed to point in that direction.

But two former Hacking Team employees and Citizen Lab researcher Bill Marczak believe that particular company was not involved in the creation of this malware.

The former analyzed the code and found it nothing like spyware samples developed by Hacking Team. The latter told Motherboard that the spyware’s infrastructure isn’t linked to Hacking Team’s – and he should know, as he’s been tracking it for a while.

But a mention in the SSL certificate used by one of the servers contains a string that might point to the right source: “Raxir”.


Raxir is the name of an Italian company, started in 2013 and housed at tech incubator “Citta’ Della Scienza” in Naples, Italy.

According to this description, the company develops software for investigations and intelligence gathering, its software can only be used by government and law enforcement agencies.

Currently, it is only being used by those entities in Italy, as well as by the Second University of Naples (“Seconda Università degli Studi di Napoli”), but the “company has ties with Germany, and would like to reach foreign markets, and especially emerging economies/countries.”

According to Marczak’s findings – a server whose digital certificate contains the string “ProcuraNapoliRaxirSrv” – it seems that Raxir’s products are being used by the Naples’ office of the prosecutor.

Both Hacking Team and Raxir did not answer Motherboard’s request for comment on the matter.

Help Net Security