Eyes on IZON Surveilling IP Camera Security

Mark Stanislav

Tue, 19th August 2014


Speaker Bio 1:
Mark is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based startup focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development.

Mark has spoken nationally at over 70 events including RSA, ISSA, B-Sides, GrrCon, Infragard, and the Rochester Security Summit. Mark’s security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Additionally, Mark is an active participant of local and nationals security organizations including ISSA, Infragard, HTCIA, ArbSec, and MiSec.

Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications. Mark is currently writing a book titled, Two-Factor Authentication (published by IT Governance).

Learning Objectives:

Mark will explain:

  • Critical vulnerabilities found in the Stem Innovation “IZON” IP camera.
  • Lessons for Internet of Things Security best practices.
  • How security researchers are trying to improve IoT security through the initiative, BuildItSecure.ly

Resources and materials:

Questions and answers

Max, Concise Courses:
We have a lot of people that watch this that aspire to be in positions like you, with the expertise that you have. Let me just kick off with a question: ‘what would you advise viewers in regards to milestones and educational milestone, what led you to where you are?’

Mark:
Sure, that’s a great question. I’ve done penetration testing professionally, I’ve been a web developer and SysAdmin – and typically my advice is ‘be as broad as you can’, learn as much as you can. It sounds really sexy to break hardware and software but until you have actually written software and deployed servers and have someone try and break into them you don’t understand that‘red-team/ blue-team’ aspect. of that scenario. My advice, is – get a career that is not just ‘security’ rather be the guy that gets attacked because you will learn a lot about how to do things the right way and what not to do. Certainly, a lot of people on this video chat probably already have devices in their home, so set up Wirehark and monitor your own network and ask yourself ‘is it encrypted, are the API calls secure?’ and see what ports are listening.

Max, Concise Courses:
Typically where does the chain break-down when it comes to R&D and Launching a product from a security perspective?

Mark:
In the IoT (Internet of Things) space you have a lot of companies that are good at technologically making products but not Internet connected products. So these companies are good at making the latest cool designs and making ‘small-form’ factors but they are really not that good at making these devices mobile or WiFi enabled. They are using the same techniques they have always used and they are not actually applying the same security controls that you need around a network connected.

A lot of it is the ‘maturity’ of vendors as they move into the IoT space. What’s interesting is that if you look at the IZON Camera as a Generation 1, which is now 2 or 3 years old, you have a company coming back and saying, ‘hey listen, we have improved and are doing these better, we are already up to a second generation of IoT security’, so things are moving fast and I have confidence that vendors are becoming better at security.

Max, Concise Courses:
What sort of response did you get from the vendor?

Mark:
Well to start with it was kinda like ‘pulling teeth’, I sent them information over emails and I had to follow-up with them – and I spent a lot of time trying to hunt them down saying that I wanted to publish my research and findings. I got no initiative that they wanted to interact with me. However, fast forward a year, they have new blood in their team and they are more security conscious and they saw that the findings of my presentation had all been fixed.

I published my research two months before I gave my presentation, and certainly my caveat for any research would be to try and co-ordinate with the vendor. Surprising people only hurts consumers: you should try and give some time to fix these issues. But, if vendors are unresponsive; just because you found these issues does not mean you are the first people to ever find these vulnerabilities.

You might actually be protecting consumers by giving them the information. It is a bit like having a car recall….would you like to know that the brake pedal sticks so often or not be told that? Knowledge is power. So, initially bad response but now they are much more security orientated.

Max, Concise Courses:
What is the Number One Cyber Threat for devices that are within the IoT?

Mark:
I would say at this point that default credentials are the main worry, i.e. default servers in hardware or a web server etc., or a mobile password – we are seeing bad day-to-day security procedures. If these products and devices are Internet connected then that is one thing that ships with that defect [any hacker] can access the devices and that is something that worries me today.