Default Credentials Vulnerability: The Case Study of Exposed IP Cams

Stefano Perone, L. Faramondi, R. Setola
{"title":"Default Credentials Vulnerability: The Case Study of Exposed IP Cams","authors":"Stefano Perone, L. Faramondi, R. Setola","doi":"10.1109/CSR57506.2023.10224944","DOIUrl":null,"url":null,"abstract":"The spread of IoT devices poses always major challenges to the issue of network security. In this paper, the study focus on the risks linked to the usage of default credentials in IoT devices, in particular, there is a focus on IP cameras. Many cameras on the Internet, in fact, use the manufacturer's default passwords and this makes it extremely easy to access them by a malicious actor. The importance of the problem should not be underestimated. Starting from an unauthorized access to the device, an attacker has access not only to images but also to a whole series of data that can be extrapolated and that can be used as a preliminary step for criminal actions. The risks of leaving credentials by default are closely related to the lack of attention during the design phase and the resulting vulnerabilities present in tools that do not respect the security-by-design standard; the producers, in fact, take often lightly this concept, leaving the whole task of ensure device security to the user. The main issue related to this vulnerability is the lack of legal protection; there are indeed a lot of tools that make available this open data to everyone without any possible legal restriction. In this paper we propose a practical study considering two case studies showing that the number of IP cam directly connected on Internet with default credential is incredible high. The first case focus on a cheap IP Cam model widely used in several contexts. 
The second one focus on an IP Cam model that corresponds to an high-end security camera intended purely for high-quality video surveillance and thermal imaging.","PeriodicalId":354918,"journal":{"name":"2023 IEEE International Conference on Cyber Security and Resilience (CSR)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE International Conference on Cyber Security and Resilience (CSR)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSR57506.2023.10224944","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0

Abstract

The spread of IoT devices always poses major challenges to network security. In this paper, the study focuses on the risks linked to the use of default credentials in IoT devices, with a particular focus on IP cameras. Many cameras on the Internet, in fact, use the manufacturer's default passwords, and this makes it extremely easy for a malicious actor to access them. The importance of the problem should not be underestimated. Starting from unauthorized access to the device, an attacker has access not only to images but also to a whole series of data that can be extrapolated and used as a preliminary step for criminal actions. The risks of leaving credentials at their defaults are closely related to the lack of attention during the design phase and the resulting vulnerabilities present in tools that do not respect the security-by-design standard; the producers, in fact, often take this concept lightly, leaving the whole task of ensuring device security to the user. The main issue related to this vulnerability is the lack of legal protection; there are indeed many tools that make this open data available to everyone without any possible legal restriction. In this paper we propose a practical study considering two case studies showing that the number of IP cams directly connected to the Internet with default credentials is incredibly high. The first case focuses on a cheap IP Cam model widely used in several contexts. The second one focuses on an IP Cam model that corresponds to a high-end security camera intended purely for high-quality video surveillance and thermal imaging.