Earlier this year, an enterprise security camera system maker suffered a data breach. The incident, which involved the compromise of a Jenkins server, enabled a group of attackers to bypass the company’s authorization system, including its two-factor authentication processes. Those responsible for the compromise then abused their access to release the photos and videos of approximately 150,000 Internet of Things (IoT) cameras made by the company, affecting carmakers, jails, schools, hospitals, a security firm and an untold number of other customers in the process.

The attackers also stole a list of client account admin names and email addresses, a list of sales orders and a tool that allowed them to run shell commands on some customer cameras.

Other IoT security incidents involving smart cameras

The incident described above wasn’t the first time that malicious actors preyed on IoT cameras. In October 2020, for instance, WeLiveSecurity shared the news of a threat actor collective having breached more than 50,000 home cameras. The attackers went on to steal the cameras’ footage of people living in Singapore, Thailand, South Korea and Canada. They then uploaded the videos to adult websites and shared them with their members for a price. They even went so far as to sell access to the cameras to ‘VIP members’.

In December 2020, dozens of people sued another smart camera maker over “horrific” invasions of privacy that show a weak point in IoT security. The lawsuit alleged that the cameras came with lax security measures, allowing remote actors to take control of the devices. It further claimed that the attackers misused the cameras to harass over 30 people in 15 families. The plaintiffs alleged that the attackers screamed obscenities, demanded ransoms and even threatened murder in some cases.

How organizations can boost IoT security on their cameras

Organizations can implement several best practices to avoid security incidents such as those discussed above. First, they’ll want to maintain an inventory of all the IoT cameras and other smart devices deployed in their environments. Doing this preserves their visibility over all of their IoT devices, which makes it easier to apply further defensive measures without worrying about a forgotten asset. It will also help them learn more about their smart products, such as the assets with which they might be paired. (IoT cameras, for example, might be connected to the wireless network. However, there’s also the chance that they might be paired with an employee’s phone.)

Next, change the default password on every IoT device in the environment. Many IoT passwords are easily guessable or the same across all instances of that same device, which makes it easy for attackers to compromise a device instance that they find running in a corporate network. Consider using something unique, like three random words in a row.

Behavior-based anomaly detection

Finally, organizations need some means of detecting potential smart device breaches before they become IoT security incidents. One way to do that is behavior-based anomaly detection, which creates a baseline of normal behavior in and around each device and flags any changes.

With the addition of regular device profile updates, security teams could use any anomaly alerts to home in on an affected IoT device. They could then disable the device or take other action to shut down a potential attack chain.
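The following sketch is an added example, not code from the original article or from any vendor it mentions. It shows one way to build a per-device baseline from network flow records and flag deviations, including traffic from a device that is missing from the inventory. The device names, hostnames, flow format and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (hypothetical names): (device, dest, port, bytes_sent)
BASELINE_FLOWS = [
    ("cam-lobby", "nvr.internal.example", 554, 48_000),
    ("cam-lobby", "nvr.internal.example", 554, 52_000),
    ("cam-lobby", "nvr.internal.example", 554, 50_000),
    ("cam-lobby", "ntp.internal.example", 123, 90),
    ("cam-dock", "nvr.internal.example", 554, 30_000),
    ("cam-dock", "nvr.internal.example", 554, 31_000),
    ("cam-dock", "nvr.internal.example", 554, 29_000),
]

OBSERVED_FLOWS = [
    ("cam-lobby", "nvr.internal.example", 554, 51_000),  # within baseline
    ("cam-lobby", "203.0.113.45", 22, 1_200),            # peer never seen before
    ("cam-dock", "nvr.internal.example", 554, 900_000),  # volume far above normal
    ("cam-roof", "nvr.internal.example", 554, 40_000),   # device not inventoried
]

def build_baseline(flows):
    """Per device, record the byte counts seen for each (dest, port) peer."""
    profile = defaultdict(lambda: defaultdict(list))
    for device, dest, port, nbytes in flows:
        profile[device][(dest, port)].append(nbytes)
    return profile

def detect(profile, flows, sigmas=3.0, min_spread=0.1):
    """Return (device, reason, peer) alerts for flows that leave the baseline."""
    alerts = []
    for device, dest, port, nbytes in flows:
        if device not in profile:
            alerts.append((device, "unknown-device", f"{dest}:{port}"))
            continue
        history = profile[device].get((dest, port))
        if history is None:
            alerts.append((device, "new-peer", f"{dest}:{port}"))
            continue
        mu = mean(history)
        # Floor the spread so a very flat baseline does not alert on small noise.
        spread = max(pstdev(history), min_spread * mu)
        if abs(nbytes - mu) > sigmas * spread:
            alerts.append((device, "volume-anomaly", f"{dest}:{port}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

Rebuilding the baseline from recent, known-good traffic at regular intervals corresponds to the device profile updates mentioned above.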

Don’t forget about procurement

Looking ahead, organizations need to be careful with their security for IoT devices when they bring new ones into their environments. That’s because the procurement process is fraught with potential threats. In the context of health care, the European Union Agency for Cybersecurity found five primary threat sources related to smart procurement. These are as follows:

  • Natural phenomena such as fires and floods can damage devices and thereby undermine related businesses.
  • Organizations might decide to use a third-party cloud service with their IoT devices. If they do, they need to account for the prospect of a supply chain failure. An outage could prevent those IoT devices from talking with one another, as an example.
  • The events of 2020 gave new meaning to bring your own device by shifting many employees to working from home. Some employees connected personal IoT devices to the corporate network in the months that followed. But without proper IoT security oversight, those employees could commit human errors that leave their employer exposed to malware outbreaks or data breaches, among other threats.
  • Malicious actions can take on various forms. What if the communication channels between IoT devices and their servers aren’t secured? Threat actors can use those weaknesses to conduct man-in-the-middle attacks and tamper with the information being transmitted.
  • Last but not least, a lack of security measures can lead to system failure. This is even more likely if organizations don’t have a process for updating firmware in place. Digital attackers can abuse those shortcomings to plant a backdoor and access critical information.

A risk-based approach

In response to those IoT security threats, organizations should consider creating what the National Institute of Standards and Technology calls “a risk-based approach to procurement.” This plan should include working with legal, sourcing and subject matter experts from IT, security, engineering and operations to develop procurement processes. They can also work together on including relevant security standards in potential contracts. If vendors don’t meet those standards, organizations can then exclude their devices.

IoT security as a life cycle

Organizations need to consider the procurement best practices discussed above if they want to defend their IoT devices. This highlights the fact that IoT security is a life cycle. From procurement to retirement, organizations need to monitor the security of their IoT cameras. Keeping track of smart devices is an important part of a comprehensive security program.
