James Wickes, CEO and co-founder of manufacturer Cloudview, explains the main security risks of CCTV systems and suggests some solutions.
CCTV cameras are a familiar sight in public places, business premises and social housing, designed to protect people, premises and assets. They are also currently the most common ‘thing’ connected to the Internet, so rather than intelligent fridges or controllable heating systems, at present the IoT is largely populated by smart cameras.
However, it is becoming increasingly apparent that many CCTV systems are extremely vulnerable to cyber attack. Some lack even the most basic security protection, making them easy targets for everyone from smart teenagers to cyber criminals and terrorists. There are even search engines which allow subscribers to find live video from poorly secured Internet-connected webcams, supposedly aimed at highlighting poor Internet security, but which could easily be used by those with malicious intent. CCTV cameras are also now being used as a source of botnet power to take down servers.
To find out how risks arise and help organisations address them, Cloudview commissioned an independent consultant to carry out passive research. He found major vulnerabilities in both traditional DVR-based and cloud-based systems.
How DVR-based systems are vulnerable
Many of the problems arise through the way DVRs are accessed via a web browser or app to enable users to view footage. This is typically enabled by port forwarding, which effectively creates a ‘hole’ in the firewall and weakens network security. The firewall can be configured so that only certain external IPs (IP whitelisting) may use a port-forwarding rule, but companies still remain vulnerable.
When using port forwarding, many manufacturers recommend Dynamic DNS, which automatically updates a record in the Domain Name System (DNS) so that the user can find the DVR.
This allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Many DVRs also listen on distinctive ports, so an attacker knows exactly where to look for them. Further problems are created by manufacturers, who provide few, if any, automatic firmware updates to fix bugs and often include ‘back door’ functionality, details of which are then shared on the web.
To highlight these issues, the independent consultant ran two experiments. First, five routers, DVRs and IP cameras, running the latest available firmware in their default configuration, were placed on the open Internet.
Within minutes, attackers had begun attempting to use common logins; one device fell to this basic intrusion. Within a few hours, each device had been port-scanned and within 24 hours two had been entirely compromised and were under the control of an unknown attacker. The attacker was free to access the network the device was connected to, install their own software and transfer data back out. Another device was left in an unstable state after an attempted attack, rendering it inoperable.
Second, the consultant tested 15 DVRs to look for bugs and manufacturer ‘back doors’ and found that none were free from serious vulnerabilities. Some took many hours to breach, but the majority took less than an hour. Without the ability to update firmware, these vulnerabilities can persist for years, leaving an organisation’s entire network exposed.
There is also a lack of oversight by users because footage may rarely be looked at and the user interface provides no feedback as to what is going on inside the CCTV systems. This means problems may not be discovered until long after a security breach has occurred.
Get off of my cloud!
Not all cloud systems are secure. Dedicated cloud-based solutions are designed with built-in Internet connectivity and features such as remote video streaming and data back-up, so in principle they should offer improved security. However, most IP cameras support incoming connections using the Real-Time Streaming Protocol (RTSP), and a large number of cloud video providers recommend port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall – creating the same problems discussed earlier.
Data security is also a potential concern. The independent consultant carried out a passive survey of popular cloud-based video websites which found many common security mistakes, including use of insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures.
However, many cloud-based systems offer well-thought-out security and data protection standards, providing better security at lower cost. Organisations should look for authentication, end-to-end encryption over TLS, and SHA-2 hashing with a digital signature to ensure data integrity. Cloud-based systems also provide the physical security of holding data in a remote location, provided this complies with Data Protection regulations.
Intelligent IoT camera adapters are also available which only allow encrypted outbound connections to specific cloud-based services and can be retrofitted to existing analogue and digital cameras. Authorised users can then access the footage from any device and location using standard Internet connections. Such adapters require only a fraction of the processing power of a full DVR, so they are much less useful to a potential attacker.
Securing the system
While cloud may offer a medium- to long-term solution to CCTV security, there are some additional steps that organisations can take immediately to increase the security of their existing systems.
First, they should ensure that usernames and passwords have been changed from the default state and are of sufficient strength to prevent immediate access. Second, they should ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when stored to prevent it being used for unauthorised purposes.
Finally, they may be able to address some of the security issues outlined above, for example by looking proactively for software upgrades, using non-default ports and avoiding Dynamic DNS. They should also make regular checks to ensure that their system is still working correctly and has not been breached.
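As an added example (not Cloudview’s or the consultant’s code), the following Python audit applies the checks above to a router’s port-forwarding table and a device inventory: it flags rules open to any source, well-known CCTV ports, unchanged default passwords and devices published via Dynamic DNS. The rule format, device records, port set and sample data are all constructed assumptions.

```python
# Audit of a router's port-forwarding table for the CCTV exposure patterns
# discussed above. Example code added for this article, not Cloudview's or the
# consultant's tooling; the inventory and NAT rules below are constructed.
import ipaddress
from dataclasses import dataclass

# Ports on which DVRs/IP cameras are commonly reached (554 = RTSP, 80/443 = web UI).
DISTINCTIVE_PORTS = {80, 443, 554}

@dataclass
class ForwardRule:
    name: str
    external_port: int
    internal_host: str
    allowed_sources: list  # CIDR strings; an empty list means 'any source'

@dataclass
class Device:
    host: str
    kind: str  # 'dvr', 'camera', 'nas', ...
    default_password_changed: bool
    ddns_hostname: str = ""  # set if the device is published via Dynamic DNS

def audit(rules, devices):
    """Return (severity, rule name, message) findings for forwarded CCTV devices."""
    by_host = {d.host: d for d in devices}
    findings = []
    for r in rules:
        dev = by_host.get(r.internal_host)
        if dev is None or dev.kind not in ("dvr", "camera"):
            continue  # only CCTV devices are in scope here
        # Open to any source: no whitelist at all, or a /0 entry such as 0.0.0.0/0
        if not r.allowed_sources or any(
                ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in r.allowed_sources):
            findings.append(("high", r.name, "reachable from any Internet address; whitelist source IPs or remove the rule"))
        if r.external_port in DISTINCTIVE_PORTS:
            findings.append(("medium", r.name, f"external port {r.external_port} is a well-known CCTV port; move or close it"))
        if not dev.default_password_changed:
            findings.append(("high", r.name, "device behind this rule still has its factory default password"))
        if dev.ddns_hostname:
            findings.append(("medium", r.name, f"device is advertised via Dynamic DNS name {dev.ddns_hostname}"))
    return findings

# Constructed sample data, not a real deployment.
SAMPLE_DEVICES = [Device("192.168.1.20", "dvr", False, "site-dvr.ddns.example"),
                  Device("192.168.1.21", "camera", True), Device("192.168.1.50", "nas", True)]
SAMPLE_RULES = [ForwardRule("dvr-web", 80, "192.168.1.20", []),  # wide-open DVR web UI
                ForwardRule("cam-rtsp", 8554, "192.168.1.21", ["203.0.113.0/24"]),  # whitelisted, non-default port
                ForwardRule("cam-web", 443, "192.168.1.21", ["0.0.0.0/0"]),  # 'whitelist' that matches everything
                ForwardRule("nas-ssh", 2222, "192.168.1.50", [])]  # not a CCTV device: out of scope
```

On the sample data, `audit(SAMPLE_RULES, SAMPLE_DEVICES)` returns six findings against dvr-web and cam-web; only the whitelisted, non-default-port cam-rtsp rule passes.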
Looking to the future, the European Commission is drafting new cybersecurity requirements to increase security around all IoT devices, including web-connected security cameras, routers and digital video recorders (DVRs). So hopefully we will see new CCTV systems with improved security in the next few years.