40k? Impressive resolution.
40,000 Security Cameras Found Compromised Online.
Submitted 1 month ago by Pro@programming.dev to technology@lemmy.world
https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-security-cameras
Comments
vane@lemmy.world 1 month ago
Those cameras are there since 90s I remember watching them in ActiveX in real media player plugin in IE. Nothing changed.
Emptiness@lemmy.world 1 month ago
40K?
Praise the Omnissaiah!
Zarxrax@lemmy.world 1 month ago
It would be nice to know what brands or models are most vulnerable.
priapus@piefed.social 1 month ago
What this is talking about is not really about the brand or model, its just about them being misconfigured. These cameras were exposed to the internet with either default credentials or no authentication.
Theres very few good reasons to expose a camera to the internet at all, but if you need to, put some proper authentication in front of it.
cmnybo@discuss.tchncs.de 1 month ago
An IP camera may stay in use for a decade or more without any firmware updates. You shouldn’t trust any sort of authentication that’s built into the camera to be secure. Keep them on an isolated LAN and only allow access from the server that’s running the DVR software.
dan@upvote.au 1 month ago
Any camera you expose to the internet with no protection is vulnerable.
Follow best practices by keeping your cameras on a separate VLAN that’s isolated from the internet, and you’ll be fine. Use a VPN like Tailscale to view your cameras while away.
dan@upvote.au 1 month ago
There’s a site that lists all the insecure cameras: www.insecam.org
Zenlix@lemmy.ml 1 month ago
Even when they are protected, when did they receive the last update? There are probably so much more vulnerable IoT devices.
hansolo@lemmy.today 1 month ago
Shodan.io is the searchable index of open IoT devices.
Change the default password, people!
dan@upvote.au 1 month ago
Hard-coded default passwords have been illegal in California since 2020, so it shouldn’t be as much of an issue with newer devices. Companies aren’t going to make California-specific versions of their devices, so they’ll follow the standards everywhere.
To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.
hansolo@lemmy.today 1 month ago
Yes, but no one checks the legality of cheap Chinese devices from Amazon.
Creat@discuss.tchncs.de 1 month ago
Can’t remember when it came into effect, but randomized device specific passwords are also mandatory in the EU now. This was relatively recently though. It means they single device (item, not model type or class) has to have an individual password (also usually it’s on a sticker or something).
And yes, connecting any ip camera to the Internet is just dumb.