
Technical Manager, Abel Alarm Company Limited


"Coming from a retail management background, I have spent the last 10 years on the front line of operations with Abel Alarm Company Limited. I oversee all technical aspects of our alarm receiving centre; this involves a diverse set of skill requirements, from the implementation of virtualized servers and networks to the deployment of secure remote access tools, whilst ensuring the constant availability of all networks, hardware and software and researching new, emerging technology solutions."
June 19, 2013


Thousands of Surveillance Cameras Openly Accessible

Thousands of cameras around the world are remotely connected and accessible to view today. I’m watching two men at computers in Hosei University in Tokyo. It’s 6:15 p.m., and one of them is taking a lie-down across three of the office chairs around the table. Now I’m looking at a small airplane waiting by a runway at an airport in Sweden.

Figure 1.

Apparently, I’m watching an Axis camera, although the website doesn’t specify the exact model. Something like three quarters of remotely accessible CCTV systems around the world allow free access using no credentials or default logins within the first three months of installation. Figures suggest that over half of all devices connected to the Internet still use default credentials or have no security measures at all after this early stage.

Many default user names (probably something like “admin”) and passwords for remotely accessible cameras are available freely on the Internet, giving people free access to consumer-, and in some instances, professional-level systems.

In a blog written in 2009, one writer shows how easily he was able to use the search engine SHODAN to gain access to more than 700 AVTech-manufactured DVRs.

Many CCTV systems broadcast their presence through NetBIOS information that is given out to any device querying them, and they are rarely secured to allow only specific IP addresses to connect. If you believe your cameras are hidden, you could be surprised: you can even look through the units by country, ISP, city, or date of installation.

For instance:

  • AVTech — More than 150,000 units exposed, with more than 6,000 in the UK and 10,000 in the US
  • Hikvision — More than 330,000 units broadcasting
  • TeleEye — More than 3,000 units listed

Let’s say that you’re not too interested in the fact that someone has been able to access your cameras and see a road outside your building that anyone can see at any time anyway. Well, remember that a typical DVR is essentially just a computer, usually based on Linux and charged with recording surveillance images. But if that DVR is insecure, a hacker could gain access to your network through it.

Last year a CCTV module was added to Metasploit, a tool used by security professionals to test their systems for vulnerabilities. The module will scan a network for devices with user names such as “admin” and then try known default passwords to access the system. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers, who seek to use a DVR as a trusted entry point into the wider network.
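The scanning behaviour described above leaves a recognisable trace in a DVR's authentication log: a burst of failed logins cycling through generic account names from one source, sometimes followed by a success. The following detection logic is an added example (not from the article or any vendor); the log format, the sample lines and the monitoring-centre allowlist address are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical DVR syslog-style format
# (not any real vendor's log format).
SAMPLE_LOG = """\
2013-06-19T18:10:01 auth FAIL user=admin src=198.51.100.7
2013-06-19T18:10:02 auth FAIL user=root src=198.51.100.7
2013-06-19T18:10:02 auth FAIL user=user src=198.51.100.7
2013-06-19T18:10:03 auth FAIL user=admin src=198.51.100.7
2013-06-19T18:10:04 auth OK user=admin src=198.51.100.7
2013-06-19T18:15:30 auth OK user=arc-monitor src=203.0.113.10
2013-06-19T18:20:00 auth FAIL user=admin src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")
GENERIC_NAMES = {"admin", "root", "user", "guest", "service", "support"}

def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src

def detect(log, allowlist, window=timedelta(minutes=5), threshold=3):
    """Return sorted, de-duplicated alerts for two things the article warns about:
    one source cycling through generic account names (a default-credential sweep),
    and any successful login from outside the monitoring centre's allowlist."""
    alerts = set()
    fails = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
            recent = [u for t, u in fails[src] if ts - t <= window]
            tried = set(recent) & GENERIC_NAMES
            # Several distinct generic names in a short window is a sweep, not a typo.
            if len(recent) >= threshold and len(tried) >= 2:
                alerts.add(("default_cred_scan", src, ",".join(sorted(tried))))
        elif src not in allowlist:
            alerts.add(("login_outside_allowlist", src, user))
    return sorted(alerts)
```

Run over the sample, the sweeping host is flagged twice: once for the credential sweep and once because its eventual "admin" login did not come from the allowlisted monitoring centre.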

Figure 2.

Manufacturer, installer, or end user?

So whose fault is it that so many cameras around the world are freely accessible for the world to see? A professional installer may install a DVR and set up a secure user name and password for remote viewing by an alarm response centre. They might also advise the end user to authorize only specific IP addresses and to block NetBIOS responses, to ensure the camera cannot be viewed by unauthorized people.

But a system owner may insist on keeping things simple by using default settings and may choose not to implement the installer’s recommendations on IP blocking. So an installer and an end user should both have in place a clear contract as to whose responsibility it is to secure the remote access connection, remembering that in most cases an installer is unlikely to have control over the network that is used for video transmission.

Manufacturers of video surveillance equipment have been locked in a price war for some years, and so it is common to see the development teams that could have taken responsibility for better security out of the box being cut back.

But if a serious breach occurs and receives widespread media coverage, this will reflect badly on the whole industry.

Default accounts

There is no need to have default accounts on surveillance equipment anymore. A camera system should request a unique user name and password on startup, to be confirmed with a physical action on the unit itself. The newer cameras produced by Axis force a password change on first access, hugely increasing their security. Why isn’t everyone doing this?

I asked support staff at DVR manufacturers why they still use default user names and passwords and was repeatedly told that it is to make their job easier when providing remote support to engineers and system owners.

Manufacturers need to be encouraged to issue firmware updates that will force cameras to be more secure, and this requirement should be backed up with standards that ensure a robust manner of dealing with default credentials.
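What "no default accounts, unique credentials on startup, confirmed with a physical action on the unit" can look like in firmware logic, as an added example that is not the article's or any manufacturer's code: the device refuses every request until the owner sets a non-generic name and a password that meets a minimum length, and the account only becomes active once a one-time token shown on the unit is entered (the token stands in for the button press). The class, its API and the policy values are hypothetical.

```python
import hashlib
import os
import secrets

GENERIC_NAMES = {"admin", "administrator", "root", "user", "guest", "service", "support"}
MIN_PASSWORD_LEN = 12

class DeviceAuth:
    """Hypothetical camera/DVR that ships with no accounts at all. Nothing works until an
    owner-chosen account exists and has been confirmed on the unit itself."""

    def __init__(self):
        self.accounts = {}   # username -> (salt, pbkdf2 digest)
        self.pending = None  # (username, salt, digest, confirmation token)

    def request(self, username, password, operation):
        if not self.accounts:
            return "refused: initial credentials not set"
        return operation if self.login(username, password) else "refused: bad credentials"

    def set_initial_credentials(self, username, password):
        """First-boot step; returns the token the owner must read off the unit's display."""
        if self.accounts:
            raise ValueError("device already provisioned")
        if username.lower() in GENERIC_NAMES:
            raise ValueError("generic account names are not allowed")
        if len(password) < MIN_PASSWORD_LEN or password.lower() in (username.lower(), "password"):
            raise ValueError("password too short or too predictable")
        salt = os.urandom(16)
        token = secrets.token_hex(4)
        self.pending = (username, salt, self._hash(password, salt), token)
        return token

    def confirm_on_unit(self, token):
        """The physical action: only the token issued by the unit activates the account."""
        if self.pending and secrets.compare_digest(token, self.pending[3]):
            user, salt, digest, _ = self.pending
            self.accounts[user] = (salt, digest)
            self.pending = None
            return True
        return False

    def login(self, username, password):
        rec = self.accounts.get(username)
        return rec is not None and secrets.compare_digest(self._hash(password, rec[0]), rec[1])

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
```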

There are some simple steps the industry must take to stop this problem:

Installers

  • Check contractual agreements
  • Ensure engineers are trained in best practices
  • Audit existing installations
  • Verify guidance given to end-users
  • Ensure firmware is updated regularly

Manufacturers

  • Remove generic default accounts
  • Deploy an effective mechanism for security
  • Check existing exploits to ensure none affect your units
  • Keep up to date with new exploits and check them against your equipment
  • Notify your clients when you discover older firmware is at risk
  • Maintain a product register to accurately identify clients at potential risk

End-Users

  • Protect your own networks by blocking NetBIOS
  • Allow access only to specific IP addresses
  • Change and remove default accounts
  • Use secure passwords
  • Ensure that internal communications to and from the device are restricted
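The first two end-user steps (block NetBIOS, allow only specific addresses) as one concrete policy, added here as an example rather than taken from the article: a decision function for traffic arriving at the DVR, and the same policy rendered as iptables commands for a Linux gateway in front of the unit (or a Linux-based DVR itself). The monitoring-centre addresses and the viewing port are constructed placeholders to replace with your own.

```python
import ipaddress

# Constructed site values: the alarm receiving centre's networks and the port
# used for remote viewing. Substitute the real ones for your installation.
ARC_ALLOWLIST = ["203.0.113.10/32", "203.0.113.32/28"]
VIEW_PORTS = {("tcp", 443)}
# NetBIOS name/datagram/session services and SMB: never needed by the monitoring centre.
NETBIOS_SMB = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

def decide(src_ip, proto, port, allowlist=ARC_ALLOWLIST):
    """Policy for an inbound packet: drop NetBIOS/SMB outright, accept the viewing
    port only from allowlisted networks, drop everything else (default deny)."""
    if (proto, port) in NETBIOS_SMB:
        return "DROP"
    src = ipaddress.ip_address(src_ip)
    allowed = any(src in ipaddress.ip_network(net) for net in allowlist)
    return "ACCEPT" if allowed and (proto, port) in VIEW_PORTS else "DROP"

def iptables_rules(allowlist=ARC_ALLOWLIST):
    """Render the same policy as iptables INPUT-chain commands, in evaluation order."""
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port in sorted(NETBIOS_SMB):
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    for net in allowlist:
        for proto, port in sorted(VIEW_PORTS):
            rules.append(f"iptables -A INPUT -p {proto} -s {net} --dport {port} -j ACCEPT")
    rules.append("iptables -A INPUT -j DROP")  # default deny for anything not matched above
    return rules
```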


6 Comments
JonathanL
June 19, 2013 8:52 am

I watched an interview with the creator of Shodan and he talked about being able to find all kinds of things on the internet with default login info, which for some products is readily findable on the internet as well. This article just throws more fuel on the fire of the idea that we need to be sure to change those default passwords and even usernames if that is an option to keep these systems protected.

James Willison
June 19, 2013 11:31 am

Thank you Joe for highlighting this. Some of you may have seen an article in Reuters which looks at some of the other IT Security vulnerabilities in Video Surveillance. http://www.reuters.com/article/2013/06/17/us-surveilance-hackers-idUSBRE95G10520130617 Worth a look. It is up to many in the Physical Security field to secure their systems. It is therefore essential to maintain an ongoing relationship with IT Security and not just the IT department in the early days of implementation and forget about these issues. Who will be accountable for the failure to do this? If the evidence Joe has shown is anything to go by then many are going…

Rob Ratcliff
June 20, 2013 6:15 am
Reply to James Willison

Great offer of help, thanks James. It’s extremely concerning, certainly, and I was really pleased to see this article highlighting some of the problems. The industry cannot bury their heads in the sand either. Should there be a serious breach in security and the manufacturer of the camera puts their hands up and says ‘we knew about the vulnerability, but it’s up to the end user or installer to change the defaults,’ while that may be true, it’s cold comfort. Potentially someone could sweep up if they addressed the issue head on.

Darren Rewston
June 20, 2013 4:28 pm

Hello Joe, Great article. As you know this is a subject close to my heart and hopefully will help change the way the industry operates by highlighting the vulnerabilities that Installers may be inadvertently leaving their customers open to. We audited many CCTV systems that are monitored using our CheckMyCCTV maintenance monitoring software and found that just under 80% are using the default username/password. When asked why, the feedback I often get from Installers is that Manufacturers often make it too difficult to change the password, especially the administrator password. There also appears to be a reluctance to change passwords…

James Willison
June 21, 2013 5:29 am
Reply to Rob Ratcliff

Rob, thanks. You are welcome. There are some leading experts in this field but few I think who really understand all the IT security issues involved across the business at every level. I would urge the senior management of IP video surveillance technologies to address this and those Physical Security managers reading, who use these systems, to give the matter urgent attention.

SunitaT
June 23, 2013 11:17 pm

“A camera system should request a unique user name and password on startup, to be confirmed with a physical action on the unit itself.”

Thanks for the post. I totally agree with your opinion that a camera system should request a unique username and password. I think they should put some kind of restrictions like minimum character password. This will definitely help secure the surveillance cameras.