The UK’s National Cyber Security Centre (NCSC) has issued new guidance on how smart home users can stop their connected cameras from being hijacked.
The public-facing arm of GCHQ warned that live feeds from such cameras, and from smart baby monitors, can be watched remotely by strangers when devices ship with easy-to-guess factory default passwords that the owner never changes.
This has led to numerous cases in the past of terrified parents and home users finding out they’ve unwittingly made their families less secure by installing such equipment.
The new advice from NCSC urges users to change any default password to a unique, strong one; to keep device firmware updated; and to disable remote viewing of camera footage if it is not needed.
The guidance also suggests disabling UPnP and port forwarding on the home router, since both can expose a camera’s web interface or video stream directly to the internet, further reducing the attack surface.
Default passwords are essentially how the Mirai botnet hijacked hundreds of thousands of connected devices from 2016 onwards: its scanner logged in over telnet using a short, hard-coded list of factory credentials, and the conscripted devices were then used to launch some of the largest DDoS attacks ever seen.
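The two checks below turn the guidance above into something a home user or an IT-literate relative can actually run. This is an added example, not code from NCSC or the article: the first function tells you whether a camera login is one of the factory defaults that Mirai’s scanner tried (a subset of the pairs hard-coded in the leaked Mirai source, with a simple strength rule on top); the second parses a port-mapping listing in the format printed by `upnpc -l` from miniupnpc and flags mappings that expose typical camera, DVR or telnet ports to the internet. The listing, the device names and addresses are constructed sample data; the port-to-service table is an assumption based on commonly used defaults.

```python
"""Home-camera exposure audit (added example, not NCSC's or the article's code).

Two offline checks that correspond to the guidance in the text:
  1. credential_verdict(): does a camera login match a factory default that
     the Mirai scanner tried, or is it otherwise weak?
  2. exposed_camera_mappings(): which UPnP/port-forward rules on the home
     router expose camera services to the internet?
"""
import re
from dataclasses import dataclass

# Subset of the username/password pairs hard-coded in the leaked Mirai
# scanner (scanner.c). The real list is longer; this excerpt is sample data.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "hi3518"), ("admin", "1234"), ("admin", "12345"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("ubnt", "ubnt"),
}
DEFAULT_PASSWORDS = {p.lower() for _, p in MIRAI_DEFAULTS if p}
MIN_LENGTH = 12  # assumed local policy, not an NCSC figure


def credential_verdict(username: str, password: str) -> str:
    """Return 'default', 'weak' or 'ok' for a camera login."""
    if (username, password) in MIRAI_DEFAULTS:
        return "default"            # exactly what the botnet tries first
    if password.lower() in DEFAULT_PASSWORDS:
        return "default"            # a factory password reused under another name
    if len(password) < MIN_LENGTH or password.lower() in {username.lower(), "password"}:
        return "weak"
    if password.isdigit() or password.isalpha():
        return "weak"               # single character class only
    return "ok"


# Internal ports that typically belong to a camera/DVR or its telnet service.
# Assumed mapping of port -> service, based on commonly used defaults.
CAMERA_PORTS = {
    23: "telnet (Mirai's entry point)",
    80: "HTTP admin interface",
    443: "HTTPS admin interface",
    554: "RTSP video stream",
    8000: "Hikvision SDK",
    8080: "HTTP admin interface (alt)",
    34567: "Xiongmai/XMeye DVR",
    37777: "Dahua SDK",
}

# One mapping per line, in the layout printed by `upnpc -l`:
#  i protocol exPort->addr:inPort description remoteHost leaseTime
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<host>[\d.]+):(?P<int>\d+)"
    r"\s+'(?P<desc>[^']*)'"
)


@dataclass
class Finding:
    proto: str
    external_port: int
    host: str
    internal_port: int
    service: str
    description: str


def exposed_camera_mappings(upnpc_output: str) -> list[Finding]:
    """Parse a `upnpc -l` listing and return mappings that reach camera ports."""
    findings = []
    for line in upnpc_output.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue                 # header line or unrelated output
        int_port = int(m["int"])
        if int_port in CAMERA_PORTS:
            findings.append(Finding(m["proto"], int(m["ext"]), m["host"],
                                    int_port, CAMERA_PORTS[int_port], m["desc"]))
    return findings


# Constructed sample listing: two camera mappings, one DVR telnet mapping
# and one unrelated BitTorrent mapping that should not be flagged.
UPNPC_SAMPLE = """\
 i protocol exPort->addr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:80    'IPCAM' '' 0
 1 TCP   554->192.168.1.50:554   'IPCAM' '' 0
 2 UDP 51413->192.168.1.20:51413 'Transmission' '' 0
 3 TCP    23->192.168.1.51:23    'DVR' '' 0
"""

if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("operator", "xc3511"), ("cam", "Tr0ub4dor&3-kitchen")]:
        print(f"{user}/{pw}: {credential_verdict(user, pw)}")
    for f in exposed_camera_mappings(UPNPC_SAMPLE):
        print(f"EXPOSED {f.proto} {f.external_port} -> {f.host}:{f.internal_port} "
              f"({f.service}) '{f.description}'")
```

Run it against the real output of `upnpc -l` on your own network to see which mappings your router has opened automatically; anything it lists for a camera is a candidate for disabling UPnP, as the guidance recommends.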
Seeking to tackle some of these concerns, the UK government is planning to introduce a landmark consumer law designed to prohibit the sale of IoT products that fail to meet minimum security standards.
The law would require that “IoT device passwords must be unique and not resettable to any universal factory setting.” It would also force manufacturers to provide a public point of contact as part of a vulnerability disclosure policy, and to state the minimum length of time for which a product will receive security updates.
Kiri Addison, head of data science overwatch at Mimecast, warned that camera footage is starting to be used by hackers to blackmail victims.
“Basic cyber-hygiene, such as changing default passwords and regularly updating software, can go a long way to improving device security,” she added.
“Their capabilities will inevitably increase rapidly in the next few years and the legislation and any accompanying guidance will then need to be updated to maintain an adequate minimum standard of security.”