By James Wickes, founder and managing director, Cloudview
New government research has found that two thirds of large UK businesses were hit by cyber breach or attack in past year. They identified that seven out of ten attacks involved viruses, spyware or malware, but what about the others?
One area of concern is CCTV systems, the very systems organisations trust to protect them, which may by leaving them wide open to cyber attack through their connection to the internet.
This is not just scaremongering; in recent research by an independent consultant, five routers, DVRs and IP cameras running the latest software were placed on the open internet. One device was breached within minutes and within 24 hours two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable. So much for the brave new world promised by the Internet of Things (IoT).
The problem arises because any insecure embedded device connected to the internet is a potential target for attacks. Many organisations do not seem to realise that this includes their CCTV system, which is a potential gateway to their entire network.
Almost all CCTV systems have inherent flaws, making it all too easy for intruders to hijack connections to the device’s IP address. What makes this more serious is that DVRs are powerful computers in their own right and carry lots of network traffic in both directions. This, combined with their large disk drives, makes them an ideal point from which to extract vast quantities of data from a network.
There are two areas of risk: first, CCTV systems can be a potential entry point for corruption and distributed denial of service (DDoS) attacks; and second, as already mentioned, they are vulnerable to the extraction of sensitive information.
There have been several cases of DDoS attacks triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable. January 2016 also saw the introduction of low cost access to a search engine which allows subscribers to find live video from poorly secured internet-connected webcams. It’s aimed at highlighting how bad the state of internet security is, with many widely available webcams having predictable default passwords or even no passwords at all.
All systems at risk
The research showed that all types of CCTV systems – analogue, digital and many cloud-based systems – are at risk. A key vulnerability in traditional DVR-based systems is their use of port forwarding, which effectively creates a ‘hole’ in the firewall, thus compromising the security of the network. The firewall can be configured to only allow certain external IPs (known as IP white-listing), but companies still remain vulnerable to attack.
Many manufacturers recommend using dynamic DNS, which automatically updates a name server in the domain name server (DNS) to enable the user to find the DVR. The problem with this is that it allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Other problems include a lack of updates to fix bugs identified post-sale and the propensity of manufacturers to include ‘back doors’ which are often revealed on the internet.
Many cloud video solutions also use port forwarding to allow access to RTSP video streams, making them just as vulnerable as DVR-based systems. The other potential risk with cloud-based solutions is data security. The 1998 Data Protection Act outlines the steps that organisations must take to preserve the confidentiality of gathered data. CCTV users need to ensure that their potential providers have strictly defined controls around the access to, and management of, customer data, and do not share that data with a third party without the explicit consent of the user.
Taking simple steps
While cloud may offer a medium to long term solution, to CCTV security, there are two simple steps that organisations can take immediately to increase the security of their CCTV systems. First, they should ensure that usernames and passwords have been changed from the default state and are of a sufficient strength to prevent immediate access.
Secondly, they should ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when it is being stored to prevent it from being used for unauthorised purposes.
The Information Commissioner provides many useful guidelines about protecting personal information. This now has a new and important relevance in the fight against terrorism and, if they are followed, the guidelines are helpful in ensuring that CCTV systems are secure from hacking and unauthorised use.
Cloudview is dedicated to exploiting new ideas and technologies to design and build infrastructure systems and peripherals that support and enhance the effectiveness, usability and purpose of CCTV, both as a protection and data collection technique.