Avatar photo

Founder, Cloudview

Author Bio ▼

James is a co-founder of Cloudview, which leads the way in cloud-based video surveillance with a secure, scalable, user-friendly and affordable platform that can be managed and accessed from a browser using a notebook, tablet or Smartphone from anywhere in the world.
November 1, 2016

Sign up to free email newsletters


The Video Surveillance Report 2022

IP CCTV systems, how can I hack thee? Let me count the ways…

Security concept: Cctv Camera and Security on computer keyboard backgroundThe BSIA’s CCTV section recently urged operators of IP surveillance systems to do more to safeguard their systems against cyber attack following a Times investigation into the vulnerabilities of UK infrastructure.

While organisations may not think the information they hold threatens national security, insecure CCTV cameras pose many other risks. A potential entry point for corruption and distributed denial of service (DDoS) attacks, they leave organisations vulnerable to the extraction of sensitive information – which puts them in breach of the Data Protection Act (DPA).

There are already significant fines for DPA breaches, and when the new General Data Protection Regulation (GDPR) comes into force in May 2018 the penalty for serious breaches will rise to €20m or 4%, whichever is higher. In parallel the Culture, Media and Sport Committee has suggested that a portion of CEO compensation should be linked to effective cyber security and executives could face jail as well as fines for breaching regulations.

Many of these issues can be prevented by understanding how risks arise and taking simple security precautions.

Research carried out by independent consultant Andrew Tierney found major vulnerabilities in both traditional DVR-based CCTV systems and cloud-based systems.

During the research, the findings of which were published in ‘Is your CCTV system secure from cyber attack?, put five routers, DVRs and IP cameras that were running the latest software on the open internet. One device was breached within minutes and within 24 hours two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable.

Security issues with internet-connected DVRs

DVRs have similar capabilities to small web servers and can easily be used to launch attacks against networks or to extract large quantities of data. Vulnerabilities typically arise when the DVRs can be accessed via a web browser or app to enable footage to be viewed from another location.

This is usually enabled by using port forwarding, which effectively creates a ‘hole’ in the firewall, thus compromising network security. The firewall can be configured to only allow certain external IPs (IP white-listing), but companies still remain vulnerable.

Independent research on a range of popular cloud-based services found insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures

Many manufacturers also recommend using Dynamic DNS, which allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Other problems are created when manufacturers provide few, if any, automatic firmware updates to fix bugs. Many also have a predisposition to include ‘back door’ functionality, which is often then shared on the web.

Users themselves may exacerbate problems. If footage is rarely viewed and the user interface provides no feedback, problems may not be discovered until long after a security breach.

Cloud solutions can be equally insecure

Dedicated cloud-based solutions are designed to provide built-in internet connectivity, rather than having it ‘bolted on’, and offer features such as remote video streaming and data back-up in a more reliable and user-friendly way. In principle, they should offer improved security, but can suffer from similar vulnerabilities to DVRs.

Most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). A large number of cloud system providers recommend using port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall. As discussed earlier, this creates a hole in the network’s security perimeter, effectively opening it to attack.

If system integrators and installers do not help them to improve their security, we can expect an increasingly informed user base to vote with its feet and look for better, more secure solutions

The other potential risk is data security: another area where DPA breaches can occur. Users need to ensure that their cloud providers have strictly defined controls around the access to, and management of, customer data, and do not share that data with a third party without their explicit consent.

Independent passive research on a range of popular cloud-based services found a number of common security mistakes, including use of insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures.

To ensure sensitive data is secured both in transit to and while stored in the cloud, organisations need to look for systems that offer authentication, end-to-end encryption with SHA-2 and TLS and a digital signature to ensure data integrity. They also need to find out where the data is held to ensure they are compliant with Data Protection regulations.

Users will vote with their feet

The CCTV industry has traditionally been slow to change, and manufacturers seem to be broadly in denial of any technology that disrupts the current order of things. It is falling to users to improve security by implementing strong passwords and looking for systems in which CCTV data is encrypted both in transit and when it is being stored.

If system integrators and installers do not help them to improve their security, we can expect an increasingly informed user base to vote with its feet and look for better, more secure solutions.

Systems are now available with intelligent IoT camera adapters which only allow encrypted outbound connections to specific cloud-based services. These can connect both analogue and IP cameras securely to cloud using standard internet connections: broadband, 3G or satellite. Authorised users can then access the footage from any device and any location.

Because such adapters only require a fraction of the functionality of a full DVR, they are much less useful to a potential attacker. System integrators and installers would do well to consider whether this type of technology could help them improve their offer.



Free Download: The Video Surveillance Report 2022

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2022 Video Surveillance Report. Responses come from installers and integrators to consultants and heads of security, as we explore the latest trends including AI, software and hardware most in use, cyber security challenges, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in cameras and video surveillance systems.

The Video Surveillance Report 2022
Notify of
Inline Feedbacks
View all comments