It appears that some loser– err, I mean someone going by the handle someLuser(pun intended) presented some fascinating findings based on manipulation of a well known network-enabled security device. Confirmed by Metasploit, someLuser breaks it down and, more importantly, raises even more questions. His clever manipulation is admirable, finding ways to navigate around a number of obstacles, finally enabling him to make the device reveal Usernames, Passwords, remote login and Plug & Play functionality.
Leaving no stone unturned, someLuser has effectively managed to ‘Pwn‘ the device, the fruit of which bears access to any footage recorded by the device as well as metadata pertaining to your birthday, phone number or context clues to crack security questions. Rather than big brother’s watchful eye, miscreants are looking into the lens of a vault, just waiting to be cracked. Isolating the device from your network and placing it on its own would be your best bet for using a security device of this design to best minimize the possibility of a cyber attack. Universal Plug n Play(UPnP) would need to be disabled on your router as well, causing other potential conflicts depending on your specific network setup.
Don’t misinterpret someLuser’s discovery as a discouragement from using such devices; rather, use them to set the bar as to what your priorities and concerns will be in setting up a security infrastructure to truly secure your valuable assets in the proper manner. A comprehensive breakdown of someLuser’s report and Sophos’ explanation can be found here.