Major security vulnerabilities have been discovered in CCTV systems.
Independent research conducted for cloud-based surveillance company Cloudview found that both traditional DVR-based systems and cloud-based systems were vulnerable to cyber attacks.
The security flaws, which exist in almost all CCTV systems, could allow hackers to hijack connections to the device’s IP address, putting people, property and data at risk and leaving operators in breach of data protection regulations.
During tests five routers, DVRs and IP cameras running the latest software were connected to the internet. One device was breached within minutes, while another two fell under the control of an unknown attacker within 24 hours. A fourth became unstable and completely inoperable.
James Wickes, co-founder and CEO of Cloudview, said he would “like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”
The research is analysed in a white paper called ‘Is your CCTV system secure from cyber attack‘?
Port forwarding
Vulnerabilities identified in traditional DVR-based systems arose from their use of port forwarding and Dynamic DNS, a lack of firmware updates and the potential dissemination online of manufacturer ‘back doors’. Possessing similar capacity as a small web server, DVRs can be readily used to launch an attack against the rest of the network or to steal large volumes of data.
Cloud video solutions, many of which also use port forwarding to obtain access to RTSP video streams, were found to be just as vulnerable. Other problems included poor use of secure protocols, a lack of encryption, substandard cookie security and insecure user and credential management.
“Any insecure embedded device connected to the internet is a potential target for attacks, but organisations don’t seem to realise that this includes their CCTV system,” said Andrew Tierney, the independent consultant who conducted the research. “It can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data.”
“Distributed denial-of-service (DDoS) attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable,” said Cloudview’s James Wickes, who recently defended cloud-based systems as alternatives to traditional DVR-based systems on IFSEC Global.
“Organisations can increase their security immediately by changing user names and passwords from the default to something secure, and they should follow the Information Commissioner’s Office and Surveillance Camera Commissioner guidelines by encrypting all their CCTV data both in transit and when it is being stored. I’d also like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”
Free Download: The Video Surveillance Report 2023
Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!
Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.
I’ve encountered scenarios where the Bank ATMs and the ATM CCTV System are on the same network, same switch. These are the same CCTV Owners who never do firmware updates.
OmbongiMoraa This is not really surprising. The lack of understanding around security (from installers of CCTV systems, from those running the bank ATMs and from those making the CCTV systems in the first place) is scary. Current CCTV technology is not secure. IP cameras are not secure and the DVR storage technology is not secure. Network connected DVRs provide a perfect hiding place for hackers looking to exploit your networks and your networked assets as well as a perfect black box storage location for any information the want to steal. It is not in the interests of organisations selling you… Read more »
Adam I read your article with real interest and also a sense of dejavu. A US retail Chain had their network hacked through a networked air conditioning unit – so it is understandable that it is completely plausible that someone with the relevant technical know how could hack into a closed IP CCTV system. We also miss here the risk of your cameras being hacked so that people can monitor your sites and steal your IP and spy on your business! However I feel that I should point out that some of your information is inaccurate. There is a manufacturer… Read more »
Paul Richard Williams OmbongiMoraa the technology exists – check out the solutions from Dedicated Micros – part of AD Holdings.