DOI: 10.1145/3488661.3494031

Research article

PARVP: passively assessing risk of vulnerable passwords for HTTP authentication in networked cameras

Published: 07 December 2021

Abstract

Networked cameras continue to be an attractive target of cyber-attacks and therefore present considerable risks to organizations. The use of vulnerable credentials (manufacturer defaults or publicly known passwords) by these devices remains a primary concern for network and cybersecurity teams. This paper aims to help enterprise network operators systematically and passively assess the risk of default credentials or vulnerable authentication schemes being used for direct access to connected cameras. Our contributions are two-fold: (1) We analyze HTTP traffic traces of enterprise-grade network cameras (sourced from popular manufacturers including Cisco, Axis, and Pelco), identify the signatures of their authentication techniques, including Basic, regular Digest, and Web Services Security (WSS), as extracted from request packets, and develop a system with an algorithm (PARVP) for automatic and passive assessment of authentication risks; and (2) We apply PARVP to traffic traces of about 1.4 million HTTP authentication sessions selectively collected from the network traffic of more than 1000 cameras on our university campus network over three weeks, and draw insights into risks, including cameras that accept default passwords (though hashed) and camera controllers that reveal passwords (though obsolete) through insecure authentication.
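The passive check the abstract describes can be illustrated with a small request-side classifier. The code below is an added example, not code from the paper or the PARVP system. It assumes a constructed three-entry default-credential list, constructed sample requests on private addresses, RFC 2617 Digest with the default MD5 algorithm, and the WS-Security UsernameToken PasswordDigest formula Base64(SHA-1(nonce || created || password)). It goes slightly beyond the abstract in that it also recognises the WSS PasswordText variant, in which the password is sent unhashed.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed default-credential list (hypothetical; a deployment would load a
# vendor directory keyed by camera model).
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "pass"), ("admin", "1234")]

@dataclass
class Finding:
    scheme: str                                 # "Basic", "Digest", "WSS" or "None"
    username: Optional[str] = None
    cleartext_password: Optional[str] = None    # readable by any on-path observer
    default_match: Optional[str] = None         # default password whose hash matched the wire value
    notes: list = field(default_factory=list)

def digest_response(user, pw, realm, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 Digest 'response' value with the default MD5 algorithm."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{pw}")
    ha2 = md5(f"{method}:{uri}")
    if qop:
        return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def wss_password_digest(nonce_b64, created, pw):
    """WS-Security UsernameToken PasswordDigest = Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + pw.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def _parse_auth_params(value):
    """Turn the key=value list of a Digest Authorization header into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)}

def assess_request(raw):
    """Classify one request's authentication scheme and test it against the default
    list using only what a passive tap sees (request side, no active probing)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    auth = headers.get("authorization", "")

    if auth[:6].lower() == "basic ":
        user, _, pw = base64.b64decode(auth[6:]).decode(errors="replace").partition(":")
        f = Finding("Basic", user, cleartext_password=pw)
        f.notes.append("Basic carries the password in cleartext (base64 is not encryption)")
        if (user, pw) in DEFAULT_CREDENTIALS:
            f.default_match = pw
        return f

    if auth[:7].lower() == "digest ":
        p = _parse_auth_params(auth[7:])
        f = Finding("Digest", p.get("username"))
        for user, pw in DEFAULT_CREDENTIALS:      # dictionary test against the hashed response
            if user != f.username:
                continue
            expected = digest_response(user, pw, p.get("realm", ""), method, p.get("uri", uri),
                                       p.get("nonce", ""), p.get("nc"), p.get("cnonce"), p.get("qop"))
            if expected == p.get("response"):
                f.default_match = pw
                break
        return f

    # ONVIF cameras authenticate SOAP calls with a WS-Security UsernameToken in the body.
    m = re.search(r"<wsse:Username>([^<]*)</wsse:Username>\s*"
                  r'<wsse:Password Type="([^"]*)">([^<]*)</wsse:Password>\s*'
                  r"<wsse:Nonce[^>]*>([^<]*)</wsse:Nonce>\s*<wsu:Created>([^<]*)</wsu:Created>", body)
    if m:
        user, ptype, pw_field, nonce, created = m.groups()
        f = Finding("WSS", user)
        if ptype.endswith("#PasswordText"):       # password sent unhashed
            f.cleartext_password = pw_field
            if (user, pw_field) in DEFAULT_CREDENTIALS:
                f.default_match = pw_field
        else:                                      # PasswordDigest: same dictionary test
            for u, pw in DEFAULT_CREDENTIALS:
                if u == user and wss_password_digest(nonce, created, pw) == pw_field:
                    f.default_match = pw
                    break
        return f

    return Finding("None", notes=["no recognised authentication material in request"])

def build_samples():
    """Three constructed requests such as a tap on a camera VLAN might capture.
    Hashed fields are generated with the formulas above so the demo is self-contained."""
    basic = ("GET /cgi-bin/snapshot.cgi HTTP/1.1\r\nHost: 10.0.0.5\r\n"
             "Authorization: Basic " + base64.b64encode(b"admin:admin").decode() + "\r\n\r\n")
    nonce, cnonce = "dcd98b7102dd2f0e", "0a4f113b"
    resp = digest_response("root", "pass", "ipcam", "GET", "/cgi-bin/mjpg/video.cgi",
                           nonce, "00000001", cnonce, "auth")
    digest = ("GET /cgi-bin/mjpg/video.cgi HTTP/1.1\r\nHost: 10.0.0.6\r\n"
              f'Authorization: Digest username="root", realm="ipcam", nonce="{nonce}", '
              f'uri="/cgi-bin/mjpg/video.cgi", qop=auth, nc=00000001, cnonce="{cnonce}", '
              f'response="{resp}"\r\n\r\n')
    wnonce, created = base64.b64encode(b"0123456789abcdef").decode(), "2021-11-02T10:15:30Z"
    wss = ("POST /onvif/device_service HTTP/1.1\r\nHost: 10.0.0.7\r\n"
           "Content-Type: application/soap+xml\r\n\r\n"
           "<s:Envelope><s:Header><wsse:Security><wsse:UsernameToken>"
           "<wsse:Username>admin</wsse:Username>"
           '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
           'oasis-200401-wss-username-token-profile-1.0#PasswordDigest">'
           + wss_password_digest(wnonce, created, "1234") + "</wsse:Password>"
           f"<wsse:Nonce>{wnonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
           "</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>")
    return [basic, digest, wss]

def run_assessment(requests):
    return [assess_request(r) for r in requests]

if __name__ == "__main__":
    for f in run_assessment(build_samples()):
        print(f.scheme, f.username, f.cleartext_password, f.default_match, f.notes)
```

Two caveats matter when reading the output. A Digest or WSS response that matches a default password only proves the client sent one; whether the camera accepts it is decided by the server's status (200 versus 401), so a real assessment pairs each request with its response before reporting "accepts default password (though hashed)". And the hashing offers no protection against this test: anyone on the path can run the same dictionary, which is why MD5 Digest over cleartext HTTP is no substitute for TLS and non-default passwords (and why a camera moved to HTTPS is also invisible to this kind of passive tap).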

Cited By

  • Efficient IoT Traffic Inference: From Multi-view Classification to Progressive Monitoring. ACM Transactions on Internet of Things 5(1), 1-30, 16 Dec 2023. doi:10.1145/3625306
  • Programmable Active Scans Controlled by Passive Traffic Inference for IoT Asset Characterization. NOMS 2023 IEEE/IFIP Network Operations and Management Symposium, 1-6, 8 May 2023. doi:10.1109/NOMS56928.2023.10154292
  • Combining Stochastic and Deterministic Modeling of IPFIX Records to Infer Connected IoT Devices in Residential ISP Networks. IEEE Internet of Things Journal 10(6), 5128-5145, 15 Mar 2023. doi:10.1109/JIOT.2022.3222116
  • Combining Device Behavioral Models and Building Schema for Cybersecurity of Large-Scale IoT Infrastructure. IEEE Internet of Things Journal 9(23), 24174-24185, 1 Dec 2022. doi:10.1109/JIOT.2022.3189350


Published In

DAI-SNAC '21: Proceedings of the 2021 Workshop on Descriptive Approaches to IoT Security, Network, and Application Configuration
December 2021, 33 pages
ISBN: 9781450391368
DOI: 10.1145/3488661

Publisher

Association for Computing Machinery, New York, NY, United States


Conference

CoNEXT '21

Acceptance Rates

DAI-SNAC '21 paper acceptance rate: 6 of 7 submissions (86%); overall acceptance rate: 6 of 7 submissions (86%)
