
What is credential stuffing, and why is my smart security camera vulnerable to it?

Avast Security News Team, 4 May 2019

Protect yourself from one of today’s top threats and keep hackers from your security camera accounts

Imagine that the very security tool you put in place to keep intruders out of your home is suddenly being used as a doorway in. This nightmare is a reality for an increasing number of victims.

As reported by The Washington Post, a California mom of a toddler was horrified by this type of discovery. After hearing her daughter repeatedly talk about “a monster” in her room, the woman uncovered something more disturbing. Hackers had somehow taken over the family’s security cam account and started using the intercom feature to transmit pornographic audio into her 2-year-old’s room.

Unfortunately, this experience is not unique. Hackers hoping to exploit weak security features will try to open the metaphorical doors of consumer products like security cams every chance they get. Also, a technique called “credential stuffing” has evolved into an effortless hack for even a novice cybercriminal.

Why are security cams easy to hack?

Security installed on Nest security cams and other IoT consumer devices can create what Silicon Valley insiders call “friction” – barriers that keep a user from having a smooth and successful experience with the product. Examples of friction include too many screens to tap through, too complicated an assembly instruction, too inconvenient a security procedure, and so on. The less friction a product has, the wider its appeal.

Because IoT tech can intimidate anyone who is not digitally well-versed, new products have to seem easy to set up and easy to use. To draw the most customers, some IoT developers choose not to add even basic security setup features, such as prompting users to change the default password or offering two-factor authentication (2FA). Weak security like this leaves your home network vulnerable to cyberattacks, including one of today’s most popular exploits: credential stuffing.

What is credential stuffing?

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more.

For example, let’s say you shop online at Target, and hackers breach the company’s database. Using your stolen credentials, they can then use credential stuffing to attempt logins on bank sites, social media sites, email servers, and more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

Advancements in technology have made it easier than ever to launch a credential stuffing exploit. As The Washington Post reports:

“A new breed of credential-stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes.”
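
Seen from the service's side, the pattern described above looks very different from an owner mistyping a password: one source tries many different accounts once each, and almost all of the attempts fail. The sketch below is an added example, not part of the original article or any vendor's code; the log format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_USERS = 10                 # assumed: distinct accounts tried by one source
MAX_SUCCESS_RATIO = 0.2        # assumed: stuffing runs rarely succeed

def build_sample_log():
    """Constructed lines in an assumed format: 'ISO-time source-ip username OK|FAIL'."""
    t0, lines = datetime(2019, 5, 4, 10, 0, 0), []
    # One source tries 30 different accounts once each; one reused password works.
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 user{i}@example.com {'OK' if i == 17 else 'FAIL'}")
    # A forgetful owner: one account, three typos, then a success. Not stuffing.
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.20 owner@example.com {result}")
    return lines

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return {ip: (accounts_tried, accounts_that_logged_in)} for suspicious sources."""
    by_ip = defaultdict(list)
    for event in sorted(parse(l) for l in lines):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {e[2] for e in window}
            hits = sorted(e[2] for e in window if e[3])
            if len(users) >= MIN_USERS and len(hits) / len(window) <= MAX_SUCCESS_RATIO:
                if len(users) > flagged.get(ip, (0, []))[0]:
                    flagged[ip] = (len(users), hits)
    return flagged

if __name__ == "__main__":
    for ip, (tried, hits) in detect_stuffing(build_sample_log()).items():
        print(f"{ip}: {tried} accounts tried; force a password reset for {hits}")
```

The accounts listed as having logged in are the ones whose owners reused a leaked password, which is why unique passwords and 2FA defeat this attack.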

How do I make sure nobody hacks my security cam?

Check out our 5 tips for protecting your security camera from cybercriminals. Critically, make sure you always use a unique, complex password for every account you log into, including those for IoT devices.

How do I protect against credential stuffing?

You can foil credential stuffing by taking control of your credentials. Make sure none of them can function as a skeleton key to all your online locks. Also, live by these ABCs:

  • Activate two-factor authentication — Always activate 2FA. This guarantees that even if your login credentials get compromised, the hacker only has half the key. The second factor, like inputting a code sent to your phone or answering a security question, can at first sound inconvenient, but those little extra steps can go a long way when it comes to protecting you and your data.

  • Be breach savvy — Use a site like Avast Hack Check to check your credentials against a database of hacked websites and stolen login details. Just enter the email address you use and instantly learn if it’s been compromised in a data breach. If it has, change your credentials for all accounts affected.

  • Create strong(er) passwords – Make sure each password you use is not only complex, but also unique. Avoid reusing passwords for multiple accounts. Also, use different usernames. The more variation you include amongst your “keys,” the better you are at defending your locks.