By exploiting webcams and other IoT devices, hackers can spy on private and professional conversations, potentially giving them access to sensitive information, says BitSight.
Imagine a cybercriminal hacking into an internet-facing webcam set up in your organization and spying on a meeting, a manufacturing process or an internal training session. Then imagine what that person could do with the information they obtained. That’s exactly the scenario laid out by cyber risk company BitSight.
For a new report about insecure IoT devices, BitSight discovered that one in 12 organizations with internet-facing webcams or similar devices failed to properly secure them, leaving them vulnerable to video or audio compromise. Specifically, 3% of organizations tracked by BitSight had at least one internet-facing video or audio device. Among those, 9% had at least one device with exposed video or audio feeds, giving someone the ability to directly view those feeds or eavesdrop on conversations.
Which organizations are most at risk from this hacking?
The organizations analyzed included ones in the hospitality, education, technology and government sectors. Out of these, the education sector was at the greatest risk, with one in four using internet-facing webcams and similar devices susceptible to video or audio compromise.
Further, Fortune 1000 companies suffered the greatest exposure, including a Fortune 50 technology subsidiary, a Fortune 100 entertainment company, a Fortune 50 telecommunications company, a Fortune 1000 hospitality company and a Fortune 50 manufacturing company.
Which devices were analyzed in this cyber risk survey?
Most of the devices analyzed by BitSight use the Real-Time Streaming Protocol (RTSP) to communicate over the internet, though some use HTTP and HTTPS. With RTSP, users can send video and audio content and run commands to record, play and pause the feed.
Though many of the devices examined for the report were webcams, the analysis also included network video recorders, smart doorbells and smart vacuums. Some devices were actually set up for security purposes.
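An added example (not from the BitSight report or the original article) of how a defender might triage RTSP devices they own: it classifies the response to an unauthenticated DESCRIBE request as exposed or authentication-required. It assumes an exposed feed shows up as a 200 response carrying an SDP description; the function names and sample responses are constructed for illustration.

```python
# Added example: classify RTSP DESCRIBE responses from your own devices (sample data is constructed).

def build_describe(url: str, cseq: int = 1) -> bytes:
    """Unauthenticated DESCRIBE request (RFC 2326) for a stream URL."""
    return (f"DESCRIBE {url} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n").encode("ascii")

def parse_response(raw: bytes):
    """Return (status_code, headers, body) from a raw RTSP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers, body

def classify(raw: bytes) -> str:
    """Map a response to an audit finding."""
    try:
        status, headers, body = parse_response(raw)
    except ValueError:
        return "unknown: not RTSP"
    if status == 200:
        # SDP media lines (m=...) mean the stream layout was served without credentials.
        media = [ln for ln in body.decode("latin-1").splitlines() if ln.startswith("m=")]
        kinds = sorted({m[2:].split(" ")[0] for m in media})
        return "exposed: " + ("+".join(kinds) if kinds else "no media listed")
    if status == 401:
        schemes = sorted({v.split(" ")[0].lower() for v in headers.get("www-authenticate", [])})
        if schemes == ["basic"]:
            return "auth required: basic only (credentials sent unencrypted over plain RTSP)"
        return "auth required: " + ("/".join(schemes) or "scheme not stated")
    return f"other: status {status}"

# Constructed sample responses
OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
        b"v=0\r\nm=video 0 RTP/AVP 96\r\nm=audio 0 RTP/AVP 0\r\n")
DIGEST = b'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Digest realm="cam", nonce="abc"\r\n\r\n'
BASIC = b'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n'

if __name__ == "__main__":
    for name, raw in [("open", OPEN), ("digest", DIGEST), ("basic", BASIC)]:
        print(name, "->", classify(raw))
```

A device that returns the "exposed" finding on an internet-facing address is the kind the report counts as leaking its feed; the fix is to require authentication and remove the direct internet exposure.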