IFSEC Insider | Security and Fire News and Resources

Major Security Flaws Found in Surveillance Systems – Both DVR and Cloud-Based

Major security vulnerabilities have been discovered in CCTV systems.

Independent research conducted for cloud-based surveillance company Cloudview found that both traditional DVR-based systems and cloud-based systems were vulnerable to cyber attacks.

The security flaws, which exist in almost all CCTV systems, could allow hackers to hijack connections to the device’s IP address, putting people, property and data at risk and leaving operators in breach of data protection regulations.

During tests, five routers, DVRs and IP cameras running the latest software were connected to the internet. One device was breached within minutes, while another two fell under the control of an unknown attacker within 24 hours. A fourth became unstable and completely inoperable.

James Wickes, co-founder and CEO of Cloudview, said he would “like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”

The research is analysed in a white paper called ‘Is your CCTV system secure from cyber attack?’

Port forwarding

Vulnerabilities identified in traditional DVR-based systems arose from their use of port forwarding and Dynamic DNS, a lack of firmware updates and the potential dissemination online of manufacturer ‘back doors’. Possessing a similar capacity to a small web server, DVRs can be readily used to launch an attack against the rest of the network or to steal large volumes of data.

Cloud video solutions, many of which also use port forwarding to obtain access to RTSP video streams, were found to be just as vulnerable. Other problems included poor use of secure protocols, a lack of encryption, substandard cookie security and insecure user and credential management.

“Any insecure embedded device connected to the internet is a potential target for attacks, but organisations don’t seem to realise that this includes their CCTV system,” said Andrew Tierney, the independent consultant who conducted the research. “It can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data.”

“Distributed denial-of-service (DDoS) attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable,” said Cloudview’s James Wickes, who recently defended cloud-based systems as alternatives to traditional DVR-based systems on IFSEC Global.

“Organisations can increase their security immediately by changing user names and passwords from the default to something secure, and they should follow the Information Commissioner’s Office and Surveillance Camera Commissioner guidelines by encrypting all their CCTV data both in transit and when it is being stored. I’d also like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”
