Beware of exposure of private IP cameras on the Internet
HKCERT is aware of media reports on IP cameras exposed on the Internet, among which some are located in Hong Kong. According to our research, these exposed IP cameras are usually set up with default administration password, or shipped with vulnerable firmware. The information of the default password and vulnerability of various brands of IP cameras are available on the Internet for download.
IP cameras are usually installed to monitor activities of home, office, shops or warehouse, the exposure of the cameras to the unintended public can cause the following impacts:
- Private life of the house owner and family is exposed.
- Thieves or fraudsters can monitor the status of the premises.
- Sensitive information in the office, shops or warehouse is exposed.
Below are some advices for you to review and secure the setup of IP cameras:
- Do not use the default password of administration or access of the IP camera console webpage. Change and use a strong password.
- Visit the IP camera vendor webpage and upgrade the firmware released for your camera model.
- If your IP camera is not supposed to be accessed outside your organization or network, change the setup so that it is not exposed to the Internet. You can also consider changing the network port number of the camera access. When not in use, switch off the IP camera.
- Be cautious about the location and direction of the IP cameras. They should not be placed such that privacy of people is infringed, or sensitive information like credit card number, can be directly observed.
- Contact and request the vendor to provide support if you cannot find any information about changing setting or firmware upgrade from the manual or their website.
In the past month, HKCERT has been working with information security researchers on information of some exposed IP cameras in Hong Kong. We are verifying the IP addresses of these exposed IP cameras from different sources. Once confirmed, HKCERT will pass the information to the related ISP to notify their customers.