On 3 March 2020, the UK's National Cyber Security Centre (NCSC) published guidance on how to protect 'smart' security cameras and baby monitors from cyber attacks.
The guidance outlines how electronic devices used by millions of people across the UK could pose a threat to personal privacy.
On smart cameras – like the security cameras and baby monitors used to monitor activity in and around the house, which are often connected to home Wi-Fi networks – the NCSC states:
"Smart cameras are often configured so that you can access them whilst you're away from home.
"The problem arises because some cameras are shipped with the default password set by the manufacturer, which is often well-known or guessable (such as admin or 00000).
"Cyber criminals can use these well-known passwords (or other techniques) to access the camera remotely, and view live video or images in your home."
This guidance is a very timely reminder of the importance of changing default passwords and reinforces the message that cyber security is in part a personal responsibility, not just a business one.
As soon as they get a device home, people should update its password, not just for baby monitors, webcams and security cameras, but for all internet-connected devices, the so-called 'Internet of Things' (IoT) – even seemingly innocuous appliances like connected fridges, smart thermostats and doorbells.
In the US, the FBI issued similar guidance in late 2019, which also called out:
"Digital assistants, smart watches, fitness trackers, home security devices, thermostats, refrigerators, and even light bulbs… remote-controlled robots; games and gaming systems; interactive dolls; and talking stuffed animals ...".
The UK government's proposals to legislate for consumer IoT security, published in January 2020 by the Department for Digital, Culture, Media and Sport, will force manufacturers to set unique passwords, provide a public contact point to receive vulnerability reports and state security 'lifespans' of devices.
They follow on from the government's 2019 Code of Practice for Consumer IoT Security, and represent an excellent first step to regulate the corporate side of cyber risk resilience.
But manufacturers should also be required to act responsibly to fix the vulnerabilities reported, not just record them – as per the Code, which stated that "Disclosed vulnerabilities should be acted on in a timely manner."
While there is a personal responsibility element to cyber security, few individuals will have access to the kinds of cyber expertise organisations may engage, or have control over elements such as devices' default passwords, so it is important for business to take the lead in this area and take measures to protect consumers as the ultimate users of their products and services.
Investigations by legitimate security researchers to detect and responsibly report on vulnerabilities also need to be encouraged, by reforming the Computer Misuse Act as the Criminal Law Reform Now Network (CLRNN) recently urged.
Continuing to criminalise legitimate research deters the responsible disclosure of cyber security vulnerabilities more generally, not just in relation to IoT.
Dr W Kuan Hon is a cyber security and data protection law expert at European law firm Fieldfisher. For more information on Fieldfisher's cyber expertise, please visit the dedicated cyber pages on our website.