Some Internet-connected surveillance cameras could be doing more harm than good. Researchers from ReFirm Labs, a Maryland cybersecurity startup founded by former National Security Agency employees, recently discovered vulnerabilities in TRENDnet, Belkin, and Dahua security cameras and routers.
“I wouldn’t even call this a hack because it doesn’t take any sophistication,” said Terry Dunlap, cofounder and CEO of ReFirm Labs.
Anyone could access these cameras, whether they be at your home, your office, or in a public space, without authorization or authentication. All they need to know is the device’s IP address and other easily accessible identifying information.
The attacker could freeze the video feed, replace the video feed with false footage, execute arbitrary commands, shut down the device, or use the camera to launch attacks on other devices on the network. The attacker could also access other private information on your home network, such as your bank account and financial transactions.
Just four years ago, TRENDnet found itself in a similar situation: the Federal Trade Commission filed charges against TRENDnet because hundreds of consumers’ private lives could easily be broadcast online for public viewing through faulty cameras—from home security cameras to baby monitors. While TRENDnet was forced to improve its security, ReFirm’s findings call into question whether TRENDnet has been taking its security seriously enough.
ReFirm also found that Dahua had a backdoor programmed into its products, which ReFirm believes was added deliberately.
“This vulnerability is not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor,” the ReFirm researchers wrote in the report. “Given that many other Dahua products contain this exact same backdoor, we strongly recommend against connecting any Dahua products to critical or sensitive networks.”
Since patches are not currently available for TRENDnet and Dahua, ReFirm recommends that consumers keep their routers and cameras away from internal networks, limit access to sensitive resources, or remove the devices entirely. Consumers should also regularly check the manufacturer’s website for firmware updates.
As an agent, you should be aware of the range of claims that could result from a breach of an Internet of Things (IoT) device, including surveillance cameras. For example, it’s not difficult to imagine a scenario where bodily injury or property damage could result from a security camera being hacked and footage being frozen, altered, or completely disabled.
The intersection between Cyber policies and the more traditional policies that might otherwise cover BI and PC claims, such as General Liability and Crime, is tricky. You need to understand how policy forms interplay with one another.
For more information about how to get the right cyber insurance for your clients, contact INSUREtrust today at 888-932-7475 or info@INSUREtrust.com.