Supply chain attacks seem to be the thing these days.
In two separate stories today, security cameras are the intrusion point. Without a Software Bill of Materials (SBOM) it is really hard either to detect that you have a weakness or to mitigate it. You buy a security camera from company ‘A’. They buy a controller board from company ‘B’, which buys software from company ‘C’. You have no visibility into B or C, and neither does your vulnerability scanner, because the only name on the box is A.
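As an added illustration (this is not part of the alert and not code from any vendor named on this page), the Python below walks a constructed CycloneDX-style SBOM for the A/B/C chain above and reports every dependency path from the product you bought down to a component you care about, for example everything supplied by company ‘C’. All component names, versions and supplier names are hypothetical.

```python
"""Walk a CycloneDX-style SBOM to find which products transitively contain a
given component or supplier.  Added example; the SBOM below is constructed
and the vendor/product names are hypothetical."""
from collections import defaultdict

# Constructed SBOM in the shape of a CycloneDX 1.4 JSON document.
# Vendor A sells the camera, Vendor B supplies the controller firmware,
# Vendor C supplies an SDK embedded in that firmware.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:generic/vendor-a/camera@2.1"}},
    "components": [
        {"bom-ref": "pkg:generic/vendor-a/camera@2.1", "name": "camera",
         "version": "2.1", "supplier": {"name": "Vendor A"}},
        {"bom-ref": "pkg:generic/vendor-b/controller-fw@5.0", "name": "controller-fw",
         "version": "5.0", "supplier": {"name": "Vendor B"}},
        {"bom-ref": "pkg:generic/vendor-c/p2p-sdk@3.1.10", "name": "p2p-sdk",
         "version": "3.1.10", "supplier": {"name": "Vendor C"}},
        {"bom-ref": "pkg:generic/vendor-d/tls-lib@1.2", "name": "tls-lib",
         "version": "1.2", "supplier": {"name": "Vendor D"}},
    ],
    "dependencies": [
        {"ref": "pkg:generic/vendor-a/camera@2.1",
         "dependsOn": ["pkg:generic/vendor-b/controller-fw@5.0",
                       "pkg:generic/vendor-d/tls-lib@1.2"]},
        {"ref": "pkg:generic/vendor-b/controller-fw@5.0",
         "dependsOn": ["pkg:generic/vendor-c/p2p-sdk@3.1.10"]},
        {"ref": "pkg:generic/vendor-c/p2p-sdk@3.1.10", "dependsOn": []},
        {"ref": "pkg:generic/vendor-d/tls-lib@1.2", "dependsOn": []},
    ],
}


def _index(sbom):
    """Build a bom-ref -> component map and a dependency adjacency list."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    graph = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        graph[dep["ref"]].extend(dep.get("dependsOn", []))
    return comps, graph


def paths_to_component(sbom, match):
    """Return every dependency path from the SBOM's top-level product to any
    component for which match(component) is true.  Each path is a list of
    bom-refs, root first.  Cycles in the graph are tolerated."""
    comps, graph = _index(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    found = []

    def walk(ref, path):
        if ref in path:          # cycle guard
            return
        path = path + [ref]
        comp = comps.get(ref)
        if comp is not None and match(comp):
            found.append(path)
        for child in graph.get(ref, []):
            walk(child, path)

    walk(root, [])
    return found


def paths_to_supplier(sbom, supplier_name):
    """All paths from the product down to anything made by supplier_name."""
    return paths_to_component(
        sbom, lambda c: c.get("supplier", {}).get("name") == supplier_name)


def describe(sbom, path):
    """Render a path as 'name (Supplier) -> name (Supplier) -> ...'."""
    comps, _ = _index(sbom)
    return " -> ".join(
        f"{comps[r]['name']}@{comps[r]['version']} ({comps[r]['supplier']['name']})"
        for r in path)


if __name__ == "__main__":
    # Which products on my network pull in anything from Vendor C?
    for p in paths_to_supplier(SBOM, "Vendor C"):
        print(describe(SBOM, p))
```

The purchaser only ever sees `camera (Vendor A)`; the dependency walk is what exposes the two hops down to Vendor C, which is exactly the question an alert about a buried SDK forces you to answer. Real SBOMs should be matched on package URL or CPE rather than a bare name, and a component that is present in the graph but marked as not reachable at runtime still deserves a look.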
Today’s stories.
Mandiant reports that the website of CCTV camera vendor Dahua was compromised and that the attackers replaced SmartPSS, the software used to configure and control the cameras, with a malicious version that gave them full control of the user’s network. A trojanized download served from the vendor’s own site defeats the usual “only download from the official source” rule; the remaining check is to verify the installer’s code signature or published hash before running it. Credit: The Record
In the second case, CISA issued an alert about a vulnerability in a software development kit made by ThroughTek and embedded in a number of IoT devices such as cameras, baby and pet monitors, and robotic and battery devices. The SDK is installed on millions of devices, and the average user has no way of knowing whether a device they own uses it. Credit: ThreatPost
The point here is to understand your supply chain risk. In the first case, we have an intentional attack. In the second case, we have a bug. Is one worse than the other? Not if either is being exploited!
Could either have a critical impact on your systems, your network, your company’s data or your customer’s data? Absolutely.
Worse yet, even if the bug *WAS NOT* being actively exploited yesterday, you can bet it *WILL BE* actively exploited in the next few days, now that the alert has told attackers where to look.
Please do not think about this as a problem with some camera or some baby monitor. This is a systemic supply chain problem and it requires a systemic solution.