‘Weak security provisions’ of many IoT devices a concern, says S’pore cyber security agency on alleged home cams hacking

• The agency and the police advise users to take precautions to protect themselves
• Consumers can look out for the recently-launched Cybersecurity Labelling Scheme to identify products with stronger security features 
• One expert noted that open hacking tools can be easily downloaded on the internet
   

SINGAPORE — Following media reports that internet protocol (IP) home security cameras have allegedly been hacked, the Cyber Security Agency of Singapore (CSA) on Tuesday (Oct 13) expressed concern over the “weak security provisions” of many Internet-of-things (IoT) devices.

In response to media queries, CSA also advised users to practise good cyber hygiene, “such as changing the default password of these devices to a strong one”.

When not in use, users should also disconnect their IP cameras and disable remote viewing of camera footage via the Internet, it added.

It was reported on Monday that a hacker group accessed 50,000 IP home security cameras, uploading some of it on pornographic websites.

The New Paper reported that “in many videos tagged as being from Singapore, the homes have layouts typical of a Housing Board flat”. However, TODAY has been unable to independently verify claims that the clips were indeed taken from Singapore homes.

TODAY has asked CSA and the police whether they have received any reports from victims here.

Meanwhile, the police have advised members of the public to take precautions to secure their IP cameras at home by using a device “from a trusted brand offering reliable security features”, updating its software as soon as it is available and using a strong password and changing it regularly.

“Do not use the default password that came with the IP camera,” it added.

The police stressed that it is illegal under the Penal Code to “transmit by electronic means any obscene materials, take part in or receive profits from any business where obscene materials are transmitted by electronic means, or advertise the sale of obscene materials”.

The police added: “Members of the public may wish to lodge a police report if they are aware of persons engaging in such activities.”

CSA recently launched a Cybersecurity Labelling Scheme for consumer IoT and smart devices. It uses a four-level rating system to help users identify products with stronger cybersecurity features.

“For a start, the scheme will cover routers and smart home hubs, and will progressively include other IoT devices, including web cameras,” CSA said.

Cybersecurity experts also reminded homeowners who wish to install IP cameras to take extra precautions.

Mr Lim Yihao, a principal analyst at Mandiant Threat Intelligence, said some reasons IP security cameras can be easily hacked include owners using weak or default passwords for their home router wifi network and security camera, and not updating the camera’s firmware.

Hackers may also gain access to all of the devices of a camera manufacturer if the manufacturer’s internal systems were compromised.

Mr Lim said that users should also “exercise placement discretion by placing cameras in areas of your home where it is less ‘sensitive’ and… where you regularly interact with guests such as the dining room”.

Infinity Forensics founder Ali Fazeli reiterated the importance of updating an IP camera’s software.

“If users update the software, then the hackers can’t identify or use those vulnerabilities in older versions of the software to hack into the camera,” he said.

Cybersecurity expert Terence Siau noted that open hacking tools can be easily downloaded on the internet.

“Users should change their passwords every 60 to 90 days, and if you aren’t using the device, just switch it off to minimise the risk of such attacks happening,” said the chief executive of Tindo.