IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
James is a co-founder of Cloudview, which leads the way in cloud-based video surveillance with a secure, scalable, user-friendly and affordable platform that can be managed and accessed from a browser using a notebook, tablet or Smartphone from anywhere in the world.
While organisations may not think the information they hold threatens national security, insecure CCTV cameras pose many other risks. A potential entry point for corruption and distributed denial of service (DDoS) attacks, they leave organisations vulnerable to the extraction of sensitive information – which puts them in breach of the Data Protection Act (DPA).
There are already significant fines for DPA breaches, and when the new General Data Protection Regulation (GDPR) comes into force in May 2018 the penalty for serious breaches will rise to €20m or 4%, whichever is higher. In parallel the Culture, Media and Sport Committee has suggested that a portion of CEO compensation should be linked to effective cyber security and executives could face jail as well as fines for breaching regulations.
Many of these issues can be prevented by understanding how risks arise and taking simple security precautions.
During the research, the findings of which were published in ‘Is your CCTV system secure from cyber attack?’, put five routers, DVRs and IP cameras that were running the latest software on the open internet. One device was breached within minutes and within 24 hours two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable.
https://youtu.be/l3uCSrOIMnA
Security issues with internet-connected DVRs
DVRs have similar capabilities to small web servers and can easily be used to launch attacks against networks or to extract large quantities of data. Vulnerabilities typically arise when the DVRs can be accessed via a web browser or app to enable footage to be viewed from another location.
This is usually enabled by using port forwarding, which effectively creates a ‘hole’ in the firewall, thus compromising network security. The firewall can be configured to only allow certain external IPs (IP white-listing), but companies still remain vulnerable.
Independent research on a range of popular cloud-based services found insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures
Many manufacturers also recommend using Dynamic DNS, which allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Other problems are created when manufacturers provide few, if any, automatic firmware updates to fix bugs. Many also have a predisposition to include ‘back door’ functionality, which is often then shared on the web.
Users themselves may exacerbate problems. If footage is rarely viewed and the user interface provides no feedback, problems may not be discovered until long after a security breach.
Cloud solutions can be equally insecure
Dedicated cloud-based solutions are designed to provide built-in internet connectivity, rather than having it ‘bolted on’, and offer features such as remote video streaming and data back-up in a more reliable and user-friendly way. In principle, they should offer improved security, but can suffer from similar vulnerabilities to DVRs.
Most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). A large number of cloud system providers recommend using port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall. As discussed earlier, this creates a hole in the network’s security perimeter, effectively opening it to attack.
If system integrators and installers do not help them to improve their security, we can expect an increasingly informed user base to vote with its feet and look for better, more secure solutions
The other potential risk is data security: another area where DPA breaches can occur. Users need to ensure that their cloud providers have strictly defined controls around the access to, and management of, customer data, and do not share that data with a third party without their explicit consent.
Independent passive research on a range of popular cloud-based services found a number of common security mistakes, including use of insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures.
To ensure sensitive data is secured both in transit to and while stored in the cloud, organisations need to look for systems that offer authentication, end-to-end encryption with SHA-2 and TLS and a digital signature to ensure data integrity. They also need to find out where the data is held to ensure they are compliant with Data Protection regulations.
Users will vote with their feet
The CCTV industry has traditionally been slow to change, and manufacturers seem to be broadly in denial of any technology that disrupts the current order of things. It is falling to users to improve security by implementing strong passwords and looking for systems in which CCTV data is encrypted both in transit and when it is being stored.
If system integrators and installers do not help them to improve their security, we can expect an increasingly informed user base to vote with its feet and look for better, more secure solutions.
Systems are now available with intelligent IoT camera adapters which only allow encrypted outbound connections to specific cloud-based services. These can connect both analogue and IP cameras securely to cloud using standard internet connections: broadband, 3G or satellite. Authorised users can then access the footage from any device and any location.
Because such adapters only require a fraction of the functionality of a full DVR, they are much less useful to a potential attacker. System integrators and installers would do well to consider whether this type of technology could help them improve their offer.
Free Download: The Video Surveillance Report 2023
Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!
Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.
IP CCTV systems, how can I hack thee? Let me count the ways…From DDoS attacks to vulnerabilities in the cloud, Cloudview's founder says the traditional CCTV industry isn't doing enough to make video surveillance systems less attractive to attackers.
James Wickes
IFSEC Insider | Security and Fire News and Resources
