40k? Impressive resolution.
40,000 Security Cameras Found Compromised Online.
Submitted 2 months ago by Pro@programming.dev to technology@lemmy.world
https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-security-cameras
Comments
vane@lemmy.world 2 months ago
Those cameras are there since 90s I remember watching them in ActiveX in real media player plugin in IE. Nothing changed.
Emptiness@lemmy.world 2 months ago
40K?
Praise the Omnissaiah!
Zarxrax@lemmy.world 2 months ago
It would be nice to know what brands or models are most vulnerable.
priapus@piefed.social 2 months ago
What this is talking about is not really about the brand or model, its just about them being misconfigured. These cameras were exposed to the internet with either default credentials or no authentication.
Theres very few good reasons to expose a camera to the internet at all, but if you need to, put some proper authentication in front of it.
cmnybo@discuss.tchncs.de 2 months ago
An IP camera may stay in use for a decade or more without any firmware updates. You shouldn’t trust any sort of authentication that’s built into the camera to be secure. Keep them on an isolated LAN and only allow access from the server that’s running the DVR software.
dan@upvote.au 2 months ago
Any camera you expose to the internet with no protection is vulnerable.
Follow best practices by keeping your cameras on a separate VLAN that’s isolated from the internet, and you’ll be fine. Use a VPN like Tailscale to view your cameras while away.
dan@upvote.au 2 months ago
There’s a site that lists all the insecure cameras: www.insecam.org
Zenlix@lemmy.ml 2 months ago
Even when they are protected, when did they receive the last update? There are probably so much more vulnerable IoT devices.
hansolo@lemmy.today 2 months ago
Shodan.io is the searchable index of open IoT devices.
Change the default password, people!
dan@upvote.au 2 months ago
Hard-coded default passwords have been illegal in California since 2020, so it shouldn’t be as much of an issue with newer devices. Companies aren’t going to make California-specific versions of their devices, so they’ll follow the standards everywhere.
To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.
hansolo@lemmy.today 2 months ago
Yes, but no one checks the legality of cheap Chinese devices from Amazon.
Creat@discuss.tchncs.de 2 months ago
Can’t remember when it came into effect, but randomized device specific passwords are also mandatory in the EU now. This was relatively recently though. It means they single device (item, not model type or class) has to have an individual password (also usually it’s on a sticker or something).
And yes, connecting any ip camera to the Internet is just dumb.