Laurens Leemans, cofounder, co-owner and lead developer of SignIPS, was surprised to learn he had purchased a Bruno Mars MP3.
It was one of several oddities Leemans found in the FootfallCam 3D Plus, a device meant to count users going in and out of stores. Its shortcomings ranged from security to advertising claims.
During COVID-19, several retail chains and others raced to install devices that count occupancy as customers come and go, in order to comply with local social distancing rules. That rush led one of SignIPS's customers to hurriedly install the FootfallCam system, and SignIPS to ultimately follow suit.
"They were desperate for a solution to be able to use their restaurant here in The Netherlands and a different supplier brought this in. Since we provide the narrowcasting displays at that location, they asked us if we could integrate that data into the video feed. I wanted to test the device itself first," Leemans said, via email.
FootfallCam isn't the only maker of these devices, and people counters aren't the only quickly purchased product companies have turned to in order to deal with the realities of in-person work during the pandemic. Companies market everything from ventilation systems to fever-detecting devices, all meant to maintain physical work environments. But the rush to purchase these devices, and the rush by fly-by-night operators to bring them to market, means security can fall by the wayside.
That said, FootfallCam is not a fly-by-night company. According to its website, the London-headquartered firm has been operating since 2002 and counts a wide range of users, from L’Occitane to Levis, casinos to libraries. Yet, there was still a bevy of security surprises for anyone who installed the system without first testing the device.
As Leemans detailed in a Thursday morning Twitter thread, he discovered the 3D Plus opened a WiFi network with an unchangeable, easy-to-guess default password that could offer anyone in the parking lot access to the network it was connected to.
The 3D Plus was built on a Raspberry Pi running Raspbian (and only Raspbian, said Leemans, despite a website claim that it had three built-in operating systems). The Raspbian installation contained an odd assortment of files both related and unrelated to the camera, including an MP3 of the 2011 Bruno Mars hit "The Lazy Song."
"We’ve first notified them of several potential issues at the end of December 2020," he told SC Media. "We got a reply that they’ve forwarded them to the people responsible and after that it went quiet. We contacted them 3 more times over the past weeks to get a response, but haven’t heard back from them other than that first time."
For its part, FootfallCam immediately responded to our request for comment, saying, "yes, we are aware and already working on it."
After initial release of this story Feb. 4, FootfallCam reached out to SignIPS to coordinate remediation of the issues. In a call with SC Media, FootfallCam acknowledged a communication failure in its disclosure process and noted: "[SignIPS] did the right thing by raising concerns."
FootfallCam told SC Media that the Bruno Mars MP3 file was part of its testing for a loudspeaker feature, and various aspects of the file system would be cleaned up in the future. The company added that penetration testing is, and will continue to be, a core component of its security process.
The lesson for network security staff extends beyond a single IoT device that might have a vulnerability — lots of devices do. The lesson is that COVID-19 created an immediate demand for social distancing, which in turn created demand for devices to ensure compliance. Security and testing, however, might fall by the wayside. That could be true for established products like FootfallCam, or for less established profiteers who swooped in to take advantage of a potential IoT device boom.
"All over the world many stores, restaurants and offices want to have a solution now," said Leemans. "They see this, it’s pretty decently priced, they slap it in their network. Most people don’t even give it a second thought. It’s a solution for their problem."
"Companies don’t always think about security first, or maybe not even at all," he added.
Upstanding IoT manufacturers have been better in recent years about creating patchable, security-hardened devices and listening to researchers' complaints. This was not always the case, and it often still isn't for the cheapest vendors in any category. Internationally, there are several efforts to legally enforce standards, offers of third-party certification, and industry-driven groups working on standards of their own. All of those may give consumers better insight into what they are buying, and in many cases redefine how engineers approach security design.
Brad Ree is the chief technology officer of the industry group the ioXt Alliance, which is working on several product standards. He described the industry approach as the carrot in creating standards.
"The big stick is laws and regulations," he said.
Recent U.S. legislation requires minimal security standards for federal purchases of IoT equipment. Those standards, he said, "will 100% blend into commercial IoT" as vendors may want to avoid creating separate federal and commercial products.
Ree said the easiest way to mitigate much of the danger of a hastily purchased IoT device is to segment the network, restricting its access to the business network. Another solution is to limit the features of the product to what you need — don't allow it to collect more information than you would be willing to see stolen.
But security starts with vetting products, he said. That means testing and weeding out players unlikely to stand behind their work.
"Whenever you see a mad rush to develop a product, you have to question if it's a company you've never heard of, if they've taken security to heart," he said.
This story was updated 2/5 to include additional comment from FootfallCam, and reflects events after the publication of the original story.