KPN Security: "Home workers eavesdropping is child's play"




Security of Dutch IP cameras disappointing

Listening in on a homeworker during a board meeting, job interview, or work meeting? It is childishly simple with an unsecured IP camera in the living room, warns the Security Research Team (SRT) from KPN Security following its investigation. It shows the importance of securing cameras with a strong password.

The fact that unauthorized persons can watch schools, companies, and living rooms via an unsecured IP camera is nothing new. However, researchers at KPN Security also managed to eavesdrop on users via a poorly configured camera. That is a painful observation, especially now that we are working from home en masse and are conducting business conversations from the study or living room.

The researchers used the ‘IoT search engine’ Shodan to detect unsecured IP cameras. It has an extensive database of devices connected to the internet. Using a very specific search, the researchers quickly traced hundreds of Dutch IP, web, and network cameras that have an unsecure internet connection.

Extensive use of unsecured cameras
The Security Research Team found, among other things, images showing how children walk through their school entrance and are received by the teachers. “The images provided us with sufficient leads to find out which school it concerned, so that we could warn the educational institution,” says Siep van der Waal, researcher at KPN Security. “The school in question took extra security measures the same day.”

The researchers were also able to observe different living rooms, and in some cases even eavesdrop on homeworkers. Van der Waal: “The fact that we could also pick up audio shows what the consequences can be if you don’t know exactly what is connected to your home network. Certainly now that many more people are working from home due to corona and are meeting and consulting at home, business secrets are there for the taking.”

But even in business environments things do not always go well, and unsecured cameras can be connected to the internet. “Some streams we encountered had audio, said Van der Waal. “Based on the streams, we were able to track down a number of organizations and inform them, so that they could take measures.”

A strong password is crucial
“We hope that this research will contribute to awareness in the field of security,” concludes Van der Waal. “It is not bad to use an IP camera per se, but you have to do it in a secure and responsible manner. Ask yourself, for example, whether it is really necessary to switch on the audio, and whether this connection to the internet adds anything. And, has a good and secure password been set? You can easily prevent major problems with a strong password.”