Remember when Edward Snowden showed the world how easy it is for your cell phone to record everything you say? For many, the initial gut reaction ranged from disbelief to shock. As time went by, many people took comfort in the idea that the government could not care less about their day-to-day activities. After all, for most of us, the day consists of a routine of workout, work, and errands. Yet spying is not limited to the intelligence community. As we have seen again and again, health information is particularly valuable. Devices such as Internet cameras (think security cameras) or even webcams (the little lens that stares from the top of your laptop) pose risks to health data. Many health entities have not considered the unique risks posed by such devices, but it is a risk the Federal Trade Commission is not ignoring.
On January 5, 2017, the FTC filed a complaint against D-Link, a Taiwan-based computer networking company, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk. In other words, the bad guy had easy access to the camera’s live feed.
According to the FTC’s complaint and FTC news release, the company failed to take steps to address well-known and easily preventable security flaws, such as:
- “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
- a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
- the mishandling of a private key code used to sign into D-Link software, resulting in exposure of the private key, which was openly available on a public website for six months; and
- leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
Any of the above vulnerabilities can be exploited in a number of ways. For example, according to the FTC complaint, an attacker can use a compromised router to obtain consumers’ tax returns or other files stored on the router’s attached storage device. An attacker could also redirect a consumer to a fraudulent website or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances. Perhaps even scarier, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.
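Three of the four flaws listed above (hard-coded logins, an exposed private key, and credentials stored in clear text) are secrets-handling failures that a pre-release check can catch. The following Python sketch is an added example, not code from the FTC complaint or from D-Link; the file paths, sample contents, and rule patterns are constructed assumptions.

```python
import re

# Constructed sample release tree (path -> text); not taken from any real product.
SAMPLE_TREE = {
    "camera/web/auth.c": 'static const char *user = "guest";\n'
                         'static const char *pass = "guest";\n',
    "release/signing/key.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                               "(placeholder, no key material)\n"
                               "-----END RSA PRIVATE KEY-----\n",
    "mobile/app/prefs.xml": '<string name="password">constructed-value</string>\n',
    "router/README.txt": "Set an admin password during first boot.\n",
}

# Illustrative patterns (assumptions), one per secrets-handling flaw in the list.
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")),
    ("hardcoded-credential",
     re.compile(r"""\b(?:user(?:name)?|pass(?:word|wd)?)\w*\s*=\s*["'][^"']+["']""", re.I)),
    ("cleartext-stored-password",
     re.compile(r"""name=["']pass(?:word)?["']\s*>[^<]+<""", re.I)),
]

def scan(tree):
    """Return (path, line_number, rule) for each hit; the secret itself is never echoed."""
    findings = []
    for path, text in sorted(tree.items()):
        for number, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, number, rule))
    return findings

def release_allowed(tree):
    """Gate for a build pipeline: publish only when the scan is clean."""
    return not scan(tree)

if __name__ == "__main__":
    for path, number, rule in scan(SAMPLE_TREE):
        print(f"{path}:{number}: {rule}")
    print("release allowed:", release_allowed(SAMPLE_TREE))
```

Pattern matching of this kind is a coarse gate; it complements, and does not replace, removing default accounts and keeping signing keys out of anything that gets published.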
“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
Ironically, Rich’s last day at the FTC was February 17; perhaps she was worn down by seeing the same avoidable incursions day after day.
From a HIPAA perspective, this is just another example of how entities must put into place cyber-safe best practices including (in part):
- Encryption: More important than the price or ease of setup is making sure the Internet camera encrypts the data and provides a secure hub or app for viewing the footage.
- Camera Passwords: At first glance, camera passwords may seem like too obvious a security measure to discuss. However, most network admins change the factory defaults for router firewalls but often overlook other network-attached devices, such as surveillance cameras. The default usernames and passwords for Internet cameras are often overlooked, and they can be easily procured by an Internet search on “type of device” plus “default password.”
- Network Security: The wireless network used for viewing should also be secure.
- Update Security Measures: When updates are available, install these at the earliest opportunity in order to keep IP cameras secure.
- Consider Placement of Camera: Unplug the camera or cover the lens when not in use; many newer model webcams come with a privacy shield that slides across the lens.
- Train Personnel: Just as a hacker can gain control of PCs through phishing emails (emails sent to personnel by hackers with a link or attachment), hackers can generally breach webcam safety to seize control via a Remote Access Trojan-type virus (fittingly abbreviated to RATs!). There must be continual training to prevent personnel from unknowingly downloading RATs to computers.
For those of you who have not considered the security of Internet or web cameras, take the FTC’s current action as a reminder of the unique risks posed by these devices and an opportunity to re-evaluate contractual relationships, conduct risk assessments, update technical systems and retrain personnel.