Recently disclosed vulnerabilities in Foscam and Axis cameras have underlined the ongoing security concerns in the burgeoning IoT space.

Earlier this month, Israeli cybersecurity firm VDOO disclosed a series of major vulnerabilities in internet-connected security cameras developed by Foscam.

Less than two weeks after publishing its research, VDOO came forward with another report – this time drawing attention to flaws in almost 400 models of IoT cameras from Axis Communications.

In both cases, Foscam and Axis users were urged to update their firmware to avoid falling victim to exploit chains that could give an attacker unfettered root access to their devices.

(VDOO worked closely with both manufacturers, and the firmware updates were available well ahead of the public disclosure.)

Project Vizavis

It’s been a busy month for VDOO, but we can expect to hear of more critical vulnerabilities in other major IoT camera brands over the coming weeks, as the Tel Aviv-based company releases additional findings under what has been named ‘Project Vizavis’.

Throughout 2018, VDOO has been undertaking broad-scale research into leading IoT products. According to Alon Levin, vice president of product management, the project is aimed at highlighting the need for improved security in connected devices.

“Project Vizavis is a project that is focused on cybersecurity of devices in the fields of safety and security,” Levin told The Daily Swig.

“VDOO’s mission is to promote security in connected devices, helping manufacturers to secure their devices at the development stage, as well as post-release, and helping users to efficiently and securely use their connected devices.”

IoT regulation: easier said than done?

The IoT space is expected to witness sustained growth over the coming years, with Ericsson projecting the number of connected devices around the world to reach 18 billion by 2022.

In light of these figures – which would average out at two IoT devices for every person on the planet – it’s clear that security, too, will remain a growing concern. Is regulation the key to ensuring this unbridled growth takes place in as secure a manner as possible?

“Based on our ongoing engagements with the ecosystem, we strongly believe that it is merely a matter of time before regulation becomes a driving force in the IoT market,” said Levin.

“Having said that, I don’t see regulation being able to ensure the right level of security per device, but rather provide the answer to the ‘ownership question’. We believe that there cannot be a single unified standard due to the diversity of the devices.”

Because IoT is such a broad term, the VDOO executive said, it would be extremely difficult to cover the sector with one broad set of standards.

Taking this challenge of regulation into consideration, Levin said the vendor community needs to “step up” and provide manufacturers with tools to help them implement the right security for the devices they produce.

“This is why VDOO focuses on automated device-specific analysis technologies, to provide the necessary protection to the device in scope rather than trying to solve the entire IoT with one standard,” he explained.

Keeping a close watch

VDOO’s recent Foscam and Axis vulnerability disclosures have gone a long way to helping protect thousands of businesses and consumers who use these devices against unauthorized third-party access.

However, the company’s aim of raising awareness and helping promote security in the IoT space does not end here, as Project Vizavis gets into full swing.

“Foscam and Axis are firsts in a bigger series of reports with the same objective,” said Levin. “These devices are critical to the business continuity in many different scenarios, and we are planning to publish several additional blog posts and vulnerability reports as part of the project.”