IP cameras are remote access still and/or video cameras that enable remote monitoring of whatever is in the camera’s view. They have become very popular in recent years as an inexpensive security system. However, several serious security breaches of these devices should make us think twice before installing our own systems.
Some cameras may have insufficient access control. This issue occurs if you are required to provide login credentials when you request the camera’s default page. But, if you access the video page or any other sub-page directly, you will not be prompted to authenticate. With this flaw, you could take the URL used to access your video page, replace your IP or system name with that of someone else’s, and then view their video page without knowing their login.
Other security issues with IP cameras have included default accounts that cannot be disabled or changed, vulnerabilities in default firmware, or debugging features left enabled.
When shopping for an IP camera, take the time to search with the terms “hack”, “attack”, “compromise”, and “exploit” in addition to an IP camera’s vendor and/or model name/number. If you see issues, consider avoiding that product unless you are comfortable with the vendor’s response. For example, if updated firmware is available that addresses the issue. If there is no vendor response and it seems the issue is current, avoid that product.
Before purchasing an IP camera, consider a few additional security issues:
Consider not enabling remote access. Do you really need to remotely access the IP camera, or is local business or home-use-only an option? If you don’t need remote access, don’t configure that feature. This will eliminate any remote exploits from even being attempted. If you want remote access but don’t want to use the vendor’s solution, you could configure a VPN (such as ProXPN.com) or remote access service (TeamViewer.com) to gain secured access into your private network, and then access the local interface of the IP camera.
Check the firmware. If the out-of-the-box firmware is more than a year old and/or the latest updated firmware is more than a year old, then you need to find a different product. Investigate a newer model by the same vendor, or seek out a different vendor. Be sure to update the firmware on any IP camera before deployment.
Read the manual. Be sure to understand all available features. Turn off every feature you do not actually need. You might also want to turn off every feature that you do not understand. However, do so carefully. Make one change at a time, save the configuration, reboot the device, then check to see that the features you need/want are still operational. Often if the name of a setting does not make sense and the manual isn’t helpful, do an Internet search on the exact setting name and also add the vendor name or device model name/number. You can often find discussion forums where esoteric settings are discussed and clarified.
Stay vigilant. Never assume that once secure means always secure. Repeatedly check for attacks and exploits against your product. Monitor the vendor’s website for announcements, product updates, firmware changes, etc. After all, you are the only person who will be actively seeking to protect your interests.