The Cheap Webcam Problem

Summary

IT security teams think about the so-called "cheap webcam problem". That is, with employees and contractors working from home, some new security considerations start to crop up.

This page describes the problem and some of the ways it can be mitigated by workers and security teams.

The Problem

Most home networks are a little network with a firewall to the Internet which is actually quite effective at blocking any access from the Internet to the home network. This is actually a pretty decent security solution.

However, at some point, the network owner decides to buy a cheap network webcam (or indeed any other device, be it a printer, doorbell or whatever). Many of these devices come with a phone "app" which allows you to view the webcam when you're out of the house.

These apps require a way to get to the webcam from the Internet. In a lot of cases (especially the cheaper ones) these devices use a bit of technology called uPnP. This allows the device to talk to the firewall to open a path from the Internet to the device. This path is intended to only allow the app to access the webcam. However, once opened, hackers can use the same route to contact your webcam.

Once hackers get access to your webcam, they can usually bypass the username and password to get access to the little computer inside the device. They often then reprogram it so that it still works like a webcam, but gives them access whenever they want it. Since the webcam is behind your firewall, they can now search around your network for other devices they can hack into. In other words, your perfectly secure home network just lost any meaningful security because of one little, cheap webcam.

Using networks with hackers on them is something IT security teams really don't like. Thus, the "cheap webcam problem" presents organisations challenges with the proliferation of their people working from home.

Solutions

Awareness through education and training is probably the most effective way help consumers buy better products. However, with the best of intentions, problems will still occur. Organising some sort of evaluation and assessment of home networks on a regular basis can at least highlight potential problems. Such evaluations needn't be some long, drawn out and expensive task - assuming the IT team aren't setup for this sort of work, even a local "computer fix it" service can probably help identify anything risky.

Once potential problems are identified, the network owner will need to take steps to respond to them. What constitutes a response and what urgency they should have is something that a company policy can address. Indeed, the need to do "due diligence" on home networks is also something that a policy can stipulate.

Pre-Emptive can help with policies, security and how to achieve it. Contact us to see how we can help you.