As a follow-up to the last articles, CBC has today published a new take on the security camera incident at a Cape Breton school last week.
“We are actually going to be sending letters and reaching out the manufacturers in the very near future,” said Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada.
The office wants all manufacturers to make devices that require users to change the default password when they plug the surveillance camera in. It also said the boxes the cameras come in should have strongly worded warnings about the privacy risks if the device is not secure.
These simple steps would make Canada a world leader in IoT security. They’re not without precedent though; in March of this year, a California Senator introduced a cyber-security bill.
As WCSR reported just last month, the bill would require manufacturers to design devices in such a way that they will:
– … indicate to the consumer when it is collecting information
– obtain consumer consent (presumably through some form of user interface) before the device collects or transmits information
CBC spoke with experts again:
“Some of them have very strong security. Some have no security at all. Some have very weak and hackable security settings,” said Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University.
Tom Redford of Wilson’s Security in Dartmouth said … “If it’s just left at factory default, you’re leaving yourself susceptible to being hacked,” he said.
The default is to transmit, with no password and no authentication. It’s working as designed. To call it a “hack” implies those viewing the public feed are at fault.
Redford suspects a lack of passwords may be to blame.
The lack of passwords is an issue, and was certainly relevant. The question is why were there no passwords? The user manual for the device in question recommends setting a password and protecting the video feed.
If the device had defaulted to being password protected, as the Office of the Privacy Commissioner of Canada requested in 2015, this may not have been an issue.
Nova Scotia’s privacy commissioner and the Cape Breton-Victoria Regional School Board have launched investigations into how the security camera was left open to the internet.
School officials have not revealed the results of their inquiry, but are calling it an “isolated incident.”
From discussions with another school board, it appears likely that a hole was explicitly opened in the school’s firewall to allow it through. That would imply there was a conscious decision to make the cameras available publicly.
I strongly recommend reporters dig a bit deeper on this issue. For example:
- Who requested the cameras?
- For what purpose?
- Who requested they be available publicly?
- Did the IT department read the manual, and make appropriate recommendations?
- If they did, were they overruled, and if so, by whom?
- Whose responsibility is the security of the devices attached to the network?