Adam Bannister

Editor, IFSEC Global


Adam Bannister is editor of IFSEC Global. A former managing editor at Dynamis Online Media Group, he has been at the helm of the UK's leading fire and security publication since 2014.
March 14, 2016


Major Security Flaws Found in Surveillance Systems – Both DVR and Cloud-Based

Major security vulnerabilities have been discovered in CCTV systems.

Independent research conducted for cloud-based surveillance company Cloudview found that both traditional DVR-based systems and cloud-based systems were vulnerable to cyber attacks.

The security flaws, which exist in almost all CCTV systems, could allow hackers to hijack connections to the device’s IP address, putting people, property and data at risk and leaving operators in breach of data protection regulations.

During tests, five routers, DVRs and IP cameras running the latest software were connected to the internet. One device was breached within minutes, while another two fell under the control of an unknown attacker within 24 hours. A fourth became unstable and completely inoperable.

James Wickes, co-founder and CEO of Cloudview, said he would “like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”

The research is analysed in a white paper called ‘Is your CCTV system secure from cyber attack?’

Port forwarding

Vulnerabilities identified in traditional DVR-based systems arose from their use of port forwarding and Dynamic DNS, a lack of firmware updates and the potential dissemination online of manufacturer ‘back doors’. Possessing a similar capacity to a small web server, DVRs can be readily used to launch an attack against the rest of the network or to steal large volumes of data.

Cloud video solutions, many of which also use port forwarding to obtain access to RTSP video streams, were found to be just as vulnerable. Other problems included poor use of secure protocols, a lack of encryption, substandard cookie security and insecure user and credential management.

“Any insecure embedded device connected to the internet is a potential target for attacks, but organisations don’t seem to realise that this includes their CCTV system,” said Andrew Tierney, the independent consultant who conducted the research. “It can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data.”

“Distributed denial-of-service (DDoS) attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable,” said Cloudview’s James Wickes, who recently defended cloud-based systems as alternatives to traditional DVR-based systems on IFSEC Global.

“Organisations can increase their security immediately by changing user names and passwords from the default to something secure, and they should follow the Information Commissioner’s Office and Surveillance Camera Commissioner guidelines by encrypting all their CCTV data both in transit and when it is being stored. I’d also like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”


4 Comments on "Major Security Flaws Found in Surveillance Systems – Both DVR and Cloud-Based"

OmbongiMoraa
Guest

I’ve encountered scenarios where the Bank ATMs and the ATM CCTV System are on the same network, same switch. These are the same CCTV Owners who never do firmware updates.

Paul Richard Williams
Guest
OmbongiMoraa This is not really surprising. The lack of understanding around security (from installers of CCTV systems, from those running the bank ATMs and from those making the CCTV systems in the first place) is scary. Current CCTV technology is not secure. IP cameras are not secure and the DVR storage technology is not secure. Network connected DVRs provide a perfect hiding place for hackers looking to exploit your networks and your networked assets as well as a perfect black box storage location for any information they want to steal. It is not in the interests of organisations selling you…
Peter Marsh
Guest
Adam, I read your article with real interest and also a sense of déjà vu. A US retail chain had their network hacked through a networked air conditioning unit – so it is understandable that it is completely plausible that someone with the relevant technical know-how could hack into a closed IP CCTV system. We also miss here the risk of your cameras being hacked so that people can monitor your sites and steal your IP and spy on your business! However I feel that I should point out that some of your information is inaccurate. There is a manufacturer…
Peter Marsh
Guest

Paul Richard Williams OmbongiMoraa the technology exists – check out the solutions from Dedicated Micros – part of AD Holdings.