A team of cybersecurity researchers has discovered several vulnerabilities in Ezviz brand camera models. These flaws could allow a malicious person to control these devices remotely.
It’s hard not to feel observed after this story. A vulnerability affecting more than 10 million private cameras from the Chinese brand Ezviz was revealed on September 15. This company, a subsidiary of Hikvision, the world leader in the sector, sells models for individuals at lower prices than the competition.
The BitDefender lab team is behind the discovery of this vulnerability. These experts pick everyday connected objects at random, look for potential entry points and, if necessary, notify the manufacturers concerned. “As soon as we discover a flaw, we get in touch with the company. We publish our research once all the vulnerabilities have been corrected,” explains Dany Da Silva, marketing manager for BitDefender. In practice, no risk exists today, but the flaws identified were significant enough to be reported.
Five models, available in several countries, were affected. The discovered vulnerabilities allow an attacker to “remotely control the camera, download images or retrieve stored passwords,” the cybersecurity research team said in its report. A bug allowed attackers to steal video encryption keys. An overhaul of the security system was therefore urgent.
The security of connected objects is a priority
For users, BitDefender recommends:
- Check whether a security update policy exists for connected products;
- Change default passwords;
- Place connected objects on separate subnets (for example, not all on the same Wi-Fi network) and regularly check for software updates.
“It is estimated that there will be 20 to 50 billion connected objects by 2050. Manufacturers must prioritize their security. A simple Internet router can contain many flaws and I'll let you imagine everything that can be exploited from this product,” warns Dany Da Silva.
A good example concerning routers: malware of Russian origin infected thousands of routers in the United States to create a network of infected connected objects. To top it off, the brand targeted by the hackers was the one that promised the best security for this type of product on the market.