Essential Install | Smart Thinking: IP Camera Danger
CCTV Cameras: Security Device Or Cyber Risk?
James Wickes, CEO and co-founder of manufacturer Cloudview, takes a view.
James Wickes, CEO and co-founder of manufacturer Cloudview, warns smart cameras may not be so smart
Unprotected systems are vulnerable to cyber attacks
It is becoming increasingly apparent that many CCTV
systems are vulnerable to cyber attack. Some lack even the
most basic security protection, making them easy targets
for everyone from smart teenagers to cyber criminals
and terrorists. There are even search engines which
allow subscribers to find live video from poorly secured
webcams, supposedly aimed at highlighting poor Internet
security, but which could easily be used by those with
malicious intent. CCTV cameras are also now being used as
a source of botnet power to take down servers.
To find out how risks arise and help organisations address
them, Cloudview commissioned an independent consultant
to carry out passive research which found vulnerabilities in
both traditional DVR-based and cloud-based systems.
How DVR-based systems are vulnerable
Many of the problems arise through the way DVRs are
accessed via a web browser or app to enable users to
view footage. This is typically enabled by using port
forwarding, which effectively creates a ‘hole’ in the firewall,
compromising security. The firewall can be configured to
only allow certain external IPs (IP white-listing) to use a port
forwarding rule, but companies remain vulnerable.
When using port forwarding, many manufacturers
recommend using Dynamic DNS, which automatically
updates a name server in the Domain Name System
(DNS) to enable the user to find the DVR. This allows a
potential attacker to find hundreds or even thousands of
vulnerable devices simply by testing domain names. Many
DVRs also run on distinctive ports, so an attacker knows
where to look to find them on a server. Further problems
are created by manufacturers, who provide few, if any,
automatic firmware updates to fix bugs and often include
‘back door’ functionality which is then shared on the web.
To highlight these issues, the independent consultant
ran two experiments. First, five routers, DVRs and IP
cameras running the latest available firmware, in their
default configuration, were placed onto the open Internet.
Within minutes, attackers had begun attempting to use
common logins; one device fell to this basic intrusion.
Within a few hours, each device had been port-scanned,
and within 24 hours two had been entirely compromised
and were under the control of an unknown attacker. The
attacker was free to access the network the device was
connected to, install their own software and transfer data
out. Another device was left in an unstable state after an
attempted attack, rendering it inoperable.
Secondly, the consultant tested 15 DVRs to look for bugs
and manufacturer ‘back doors’ and found that none were
free from vulnerabilities. Some took many hours to breach,
but the majority took less than an hour. Without the ability to
update firmware, these vulnerabilities can persist for years.
There is also a lack of oversight by users because
footage may rarely be looked at and the user interface
provides no feedback as to what is going on inside
the CCTV systems. This means problems may not be
discovered until long after a security breach has occurred.
Get off of my cloud!
Not all cloud systems are secure. Dedicated cloud-based
solutions are designed with built-in Internet connectivity
and features such as remote video streaming and data
back-up, so in principle should offer improved security.
However, most IP cameras support incoming connections
using Real-Time Streaming Protocol (RTSP). Many cloud
video providers recommend using port forwarding to allow
access to the RTSP stream of the IP cameras from outside
the firewall, creating the same problems discussed earlier.
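
The port-forwarding exposure described in both sections above can be checked against a site's own router configuration. The audit below is an added example, not part of the original article or any Cloudview code; the rule format, the port list (554 is the registered RTSP port, the web ports stand in for a DVR's browser interface), the 256-address threshold and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: destination ports treated as camera/DVR services.
CAMERA_PORTS = {554: "RTSP stream", 80: "web UI", 443: "web UI (TLS)"}

# Constructed sample: port-forward rules from a hypothetical router export.
# "sources" is the external IP allow-list; an empty list means any address.
SAMPLE_RULES = [
    {"name": "dvr-web", "dest": "192.168.1.50", "dest_port": 80, "sources": []},
    {"name": "cam-rtsp", "dest": "192.168.1.51", "dest_port": 554,
     "sources": ["0.0.0.0/0"]},
    {"name": "dvr-office", "dest": "192.168.1.50", "dest_port": 443,
     "sources": ["203.0.113.10/32"]},
    {"name": "cam-wide", "dest": "192.168.1.52", "dest_port": 554,
     "sources": ["198.51.100.0/24", "203.0.113.0/24"]},
]

MAX_ALLOWED_ADDRESSES = 256  # assumption: wider than this is not a real allow-list


def allowed_address_count(sources):
    """Count the external addresses a rule admits; None means unrestricted."""
    if not sources:
        return None
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    if any(n.prefixlen == 0 for n in nets):
        return None
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def audit(rules):
    """Return (name, severity, reason) for each forward reaching a camera service."""
    findings = []
    for r in rules:
        service = CAMERA_PORTS.get(r["dest_port"])
        if service is None:
            continue  # not a camera/DVR service in this example's port list
        count = allowed_address_count(r["sources"])
        if count is None:
            reason = f"{service} on {r['dest']} reachable from any address"
            findings.append((r["name"], "high", reason))
        elif count > MAX_ALLOWED_ADDRESSES:
            reason = f"{service} allow-list admits {count} addresses"
            findings.append((r["name"], "medium", reason))
        else:
            reason = f"{service} limited to {count} address(es), still an inbound hole"
            findings.append((r["name"], "low", reason))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_RULES):
        print(f"{severity:6} {name:11} {reason}")
```

Even the allow-listed rule is reported, at low severity, because the forward remains an inbound path to the device.
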
Data security is also a potential concern. The
independent consultant carried out a passive survey of
popular cloud-based video websites which found many
common security mistakes, including use of insecure
protocols, poor configuration of secure protocols and a
lack of encryption or digital signatures.
However, many cloud-based systems offer well thought
out security and data protection standards, providing
better security for a lower cost. End-to-end encryption with
SHA-2 and TLS and a digital signature ensure data integrity.
Intelligent IoT camera adapters are also available
which only allow encrypted outbound connections to
specific cloud-based services, and can be retrofitted to
existing systems. Authorised users can then access the
footage from any device and location using standard
Internet connections. Such adapters only require a fraction
of the processing power of a full DVR, so are much less
useful to a potential attacker.
Securing the future
The European Commission is drafting new cybersecurity
requirements to increase security around all IoT devices,
including web-connected security cameras, routers and
digital video recorders (DVRs). So hopefully we will see new
CCTV systems with improved security in the next few years.
More information: Cloudview +44 (0)203 4361100,
www.cloudview.co
November 2016