A new incident of surveillance systems vulnerable to cyberattacks
Cybersecurity and ethical hacking experts from the International Institute of Cyber Security have reported critical vulnerabilities in some security camera models developed by the company Guardzilla that would allow a malicious user without advanced hacking skills to access files or videos stored by users of these devices.
According to the reports of the specialists, the error in question is a problem with the firmware of the Guardzilla systems. Experts say they found that all of these security devices use the same encrypted keys, so passwords are easy to crack. “Getting these keys must be easy for any hacker with minimal skills”, researchers said.
Guardzilla works with the Amazon S3 service to store the customers’ data sent from each device. According to the investigators, because of this seemingly weak security protocol, all users of the Guardzilla All-In-One security system could access the recordings and images of other users.
The researchers detected this vulnerability during a cybersecurity event last September and informed Guardzilla about the error a month later. In a blog post, the specialists said that the company has not made any statement regarding this investigation.
“Guardzilla could simply update the passwords and firmware of those devices, but the vulnerability could be re-exploited using the same attack techniques”, the researchers mentioned in their blog. “The only way to fix this problem is by changing the keys, installing a proxy and updating the firmware,” they added.
Evidence that surveillance cameras are vulnerable is nothing new. Cameras used by police agencies, baby monitors, and other similar devices have been shown to have elementary security flaws. According to research carried out a couple of years ago, the three main manufacturers of these devices had notable security flaws.
Despite the many research papers on security errors in these systems, such vulnerabilities keep appearing, even though cybersecurity experts consider that, given the current level of knowledge, mistakes of this kind should no longer occur.
Guardzilla is still expected to make an official statement on this research, and on possible software upgrades for its surveillance systems.