My question in follow up to this article, is there even much that can be done to prevent this type of stuff from happening?
I think there are a few things that are easy and help reduce the problem:
- Manufacturers can disable telnet and SSH by default (to be fair, it seems like this is much more common now).
- User authentication methods could be updated to not allow remote login if a secure password has not been set (this would allow local login for setup/configuration, but deny remote access until a better password was used).
- Installers can help by not forwarding excess ports, and also putting services on non-standard ports. Using non-standard ports makes it slightly harder to scan for services to find devices that can be further probed.
- Firmware updates can be done as part of the installation process to ensure products are running latest code, which in most cases should have reduced vulnerabilities, though it is always possible that new vulnerabilities have been introduced, but this should be rare.
- Installers can also select and recommend products based on their ability to be secured, and the vendor having a good track record of responding to and fixing reported issues quickly.
Manufacturers could make a huge leap in reducing device exploitability if they were willing to make it a priority, and willing to invest proper effort into building more robust devices, by adding secure boot capabilities.
Some SoC suppliers, such as Ambarella, have been adding secure boot functionality into their chips, but it does not appear that security manufacturers are doing anything with it.
In short, secure boot can be utilized to ensure that even if an attacker could gain access to a root shell, they could not load/run unauthorized code.
Secure boot would make it several orders of magnitude more difficult to create botnet's, as the hackers could not just download software to make the camera/recorder do whatever they want. This is roughly similar in concept to how an iPhone cannot run software that has not been officially vetted by Apple, meaning that manufacturers like Axis would not have to give up the ability to run 3rd party apps on their cameras.
Like most things, creating software that is more secure and goes through additional authentication processes would take more effort on the manufacturers or developers part, but the result would be significantly increased security, and trustability, of recorders and cameras. But, the manufacturers are only likely to add this in if there is financial benefit to doing so, either by customers requesting it, or the support headaches of hacked devices becoming significant.
