After months of headline-grabbing attacks on smart cameras and baby monitors, the National Cyber Security Centre (NCSC) has stepped in to remind everyone with a device of the simple steps “to protect it from common cyber attacks.” This is intended, above all, to advise parents who have baby monitors or home cameras in view of their kids on how to stay safe.
No story was more alarming than the apparent hack of a Ring camera in a child’s bedroom last year. That incident highlighted two things: the common reuse of usernames and passwords across multiple accounts, which gives hackers in possession of breached data a potential way into other accounts, and the value of two-factor authentication (2FA). If I have your username and password from one account and then try my luck on large-scale platforms, like Ring, I may get lucky. Random and opportunistic, but effective. And killed in its tracks by 2FA.
NCSC is the U.K. government’s preeminent cyber authority and reports into spy agency GCHQ. In an advisory notice published on March 3, the agency warns that the convenience of these cameras, enabling us to access them when away from home, is the clear weakness. “As with any ‘smart’ device that can connect to the internet, you should take a few steps to protect yourself.”
In truth, this issue is simply an extension of the much broader IoT cyber risk issue that I have reported on multiple times before. We now have so many connected devices in our homes and offices, each of which is a potential risk, that we do need to follow some simple steps to stay safe. And while advisory notices such as these can appear humdrum and blatantly obvious, I promise you’ll be amazed how many people overlook the basics when it comes to cybersecurity.
For any IoT device—smart cameras and baby monitors included—there are two pieces of advice that trump all others. First, change the default password. If the device has multiple passwords, perhaps the endpoint and the admin account, then change them all. And use a complex password—a random passphrase is current best practice. Whatever you do, do NOT reuse a password from elsewhere. If the device and its viewing platform have a 2FA option, then enable it.
And then, second, ensure that the option to enable automatic firmware updates is selected. If there is no such option, then make sure you check for updates regularly. I’d say weekly, but that’s overkill. You should do this at least once a month.
NCSC also advises owners of cameras to consider whether they need the option to view the feeds from outside the house. That’s good advice, but, let’s be honest, that’s half the value in the device. So, realistically, just make sure you keep the device secure and locked down and then remote viewing will be fine. What you can do, though, is consider whether a baby monitor needs outside access. These are usually viewed from inside the house. Unless you want to check on the babysitter, of course.
All three points of advice relate to ALL your IoT devices. We now think nothing of buying cheap electronics and immediately giving them access to our home networks—toys, speakers, kitchen and office appliances, gadgets. The sensible advice is to limit these and to enable separate networks, to keep computers and phones away from IoT devices. It all seems overkill to many, but even lightbulbs can be hacked.
NCSC also advises users to disable port forwarding and UPnP on their routers, UPnP being the quick option that seamlessly allows devices on your network to find others. This is a contentious point, and disabling UPnP might make some streaming services more complicated to set up. But it is a weakness and has been highlighted as such for years. My advice would be to disable it and then see what stops working.
As cyber expert Mike Thompson says on the subject of UPnP: “If you want your router and LAN pwned, enable it. The end.”
The reality of our new world, with our thirst to keep everything connected all of the time, means we need these common-sense steps to become second nature. It’s all very simple. Buy a device, then follow the golden rules. If you don’t, if you find yourself having to go around later and try to remember setup passwords and instructions, then life becomes much harder.
Again, nothing surprising here—common sense and cyber best practice. But millions never bother with 2FA, keep default passwords as they are, keep UPnP enabled and firmware as it shipped. And that’s why it’s a hackers’ paradise out there.