Hacker sells 800,000 VND for access to 15 cameras in Vietnam

At the seminar "Basic network information security standards for surveillance cameras", organized by VietNamNet newspaper in collaboration with the Department of Information Security (Ministry of Information and Communications) on the morning of May 22, Mr. Vu Ngoc Son, Head of Technology Department - National Cyber ​​Security Association, Technical Director of NCS company, shared his perspective on surveillance cameras from the perspective of network security. He commented that cameras can be considered as special computers, because they can listen, see, think (if integrated with AI), detect objects and spaces that they observe. Cameras never turn off, are always online 24/7, are rarely patched, and are almost never updated with patches or anti-virus software. Therefore, if attacked, there will be no one to protect them.

Sharing the same view, Mr. Nguyen Viet Bang, Deputy General Director of VNPT Technology said that although the camera is small and simple, it is complex, consisting of optical, broadcasting - WiFi and LAN parts. With two such network interfaces, the camera can become a device to collect information. A camera placed in the house will be like a computer with an operating system, recording sound, images and almost having an extra person in the house but running silently. Therefore, if there is a vulnerability, the camera device can completely send information out.

Despite being such a popular and important device, users are still not aware of protecting information security for surveillance cameras. Expert Vu Ngoc Son mentioned a number of recent large-scale attacks on camera systems. In 2023, many Hikvision customers received hacker attack warning messages on the screen when viewing cameras. It is worth noting that hackers attacked Hikvision cameras through an old vulnerability from 2021, even though the manufacturer had provided a patch.

In Vietnam, there have been no major attacks, but the situation is alarming. In 2020, according to a survey in Vietnam, the number of cameras with unupdated passwords was up to 70%. In 2023, some hackers sold access to cameras in Vietnam, with systems of up to 100,000 cameras. The amount of money spent to view is also modest, only about 800,000 VND to access 15 cameras.

Mr. Vu Ngoc Son pointed out 6 main reasons leading to information insecurity for cameras. These are users setting weak passwords, sharing passwords, using other accounts to manage the camera system such as Facebook, Google... Not changing the password when receiving the handover from the technician; Camera has zero day vulnerability; Not updating the patch; The storage server has vulnerabilities and is attacked by hackers; Decentralization is not strict, for example sharing with the construction unit but then not revoking the rights.

Discussing this issue, Mr. Tran Dang Khoa, Deputy Director in charge of the Department of Information Security, Ministry of Information and Communications, said that currently, the awareness of users in general and Vietnamese users in particular about network safety and security is still limited. Although they know about the risks and need to change passwords and update patches, many people do not care and do not do so. This is a point that the Department of Information Security focused on when building a set of criteria on basic network information security requirements for surveillance cameras. On May 7, the Ministry of Information and Communications issued this set of criteria.

According to expert Vu Ngoc Son, if a surveillance camera is hacked, users will face serious consequences. For households, the first problem is the violation of privacy, followed by the risk of being blackmailed for private images, sensitive sounds or other criminal acts. For example, hackers can use images and sounds collected through surveillance cameras to create deepfakes to scam. Another consequence is being monitored remotely.

Therefore, to avoid the risk of information security loss and data leakage from surveillance cameras, Mr. Vu Ngoc Son made some recommendations for users; That is, it is necessary to choose cameras with clear origin, announce the video storage location, data security policy for users; Change passwords immediately upon handover, use two-factor authentication; Choose a suitable installation location, avoid installing in sensitive locations, in important areas, it is mandatory to install standard cameras, avoid cases of important information leakage, minimum access configuration; Regularly monitor and update patches.

According to Mr. Tran Dang Khoa, in order for users to have awareness and skills, it is necessary to propagate so that they see that they must also be aware of protecting themselves and their organizations. First of all, users need to change the device password, not use the default password; Determine where to place the device, whether it is necessary to place it there or not.