IFSEC Insider | Security and Fire News and Resources

Thousands of Surveillance Cameras Openly Accessible

Thousands of cameras around the world are remotely connected and accessible to view today. I’m watching two men at computers in Hosei University in Tokyo. It’s 6:15 p.m., and one of them is taking a lie-down across three of the office chairs around the table. Now I’m looking at a small airplane waiting by a runway at an airport in Sweden.

Figure 1.

Apparently, I’m watching an Axis camera, although the website doesn’t specify the exact model. Something like three quarters of remotely accessible CCTV systems around the world can be reached with no credentials at all, or with the factory default login, during the first three months after installation. Figures suggest that over half of all such devices connected to the Internet are still using default credentials, or have no security measures at all, well beyond that early stage.

Default user names (very often simply “admin”) and passwords for remotely accessible cameras are published freely on the Internet, giving anyone access to consumer-level and, in some instances, professional-level systems.

In a blog post written in 2009, one writer showed how easily he was able to use SHODAN, a search engine that indexes Internet-connected devices rather than web pages, to locate and gain access to more than 700 AVTech-manufactured DVRs.

Many CCTV systems announce their presence: they answer NetBIOS name queries from any host that asks, and their login pages identify the make and model to anything that connects, so search engines such as SHODAN index them. They are rarely restricted to accept connections only from specific source IP addresses. If you believe your cameras are hidden, you could be surprised. You can even filter the listed units by country, ISP, city, or the date on which they were last seen.

For instance:

  • AVTech — More than 150,000 units exposed, with more than 6,000 in the UK and 10,000 in the US
  • Hikvision — More than 330,000 units broadcasting
  • TeleEye — Around 3,000 units listed

Let’s say that you’re not too interested in the fact that someone has been able to access your cameras and see a road outside your building that anyone can see at any time anyway. Remember that a typical DVR is essentially just a computer, usually running Linux, whose job happens to be recording surveillance images. If that DVR is insecure, an attacker who logs into it is already inside your network and can use it as a foothold to reach everything else on it.

Last year a CCTV DVR login module was added to Metasploit, the framework security professionals use to test their own systems for vulnerabilities. The module scans a network for DVR login interfaces, then tries generic user names such as “admin” with a list of known default passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers, who are happy to use a DVR as a trusted entry point.

Figure 2.
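The sweep the Metasploit module performs is simple enough to write yourself for auditing your own installations. The following is an added example, not code from the article or from Metasploit: it tries a short list of vendor-style default logins over HTTP Basic authentication against each host and reports which pairs the device accepts. The credential list, the host addresses and the function names are this example’s own assumptions; check the manual for the defaults of each model you actually deploy, and only run this against equipment you own or are authorised to test.

```python
"""Default-credential sweep for CCTV/DVR web interfaces (added example)."""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A login attempt: (user, password) -> True if the device accepted it.
Attempt = Callable[[str, str], bool]

# Illustrative default logins (assumed for this example; verify per model).
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "12345"),
    ("admin", ""),
    ("root", "pass"),
    ("root", "root"),
]


def http_basic_attempt(host: str, path: str = "/", timeout: float = 5.0) -> Attempt:
    """Build an Attempt that sends one user/password pair as HTTP Basic auth.

    A 401/403 reply means the device rejected the pair. Any 2xx/3xx reply is
    treated as a successful login. Other errors (connection refused, timeout,
    5xx) propagate as OSError so the caller can record the host as unreachable.
    """
    def attempt(user: str, password: str) -> bool:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(
            f"http://{host}{path}", headers={"Authorization": f"Basic {token}"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return 200 <= resp.status < 400
        except urllib.error.HTTPError as exc:
            if exc.code in (401, 403):
                return False
            raise
    return attempt


def find_default_logins(attempt: Attempt,
                        creds: Iterable[Tuple[str, str]] = DEFAULT_CREDS
                        ) -> List[Tuple[str, str]]:
    """Return every (user, password) pair from `creds` that the device accepts."""
    return [(user, pw) for user, pw in creds if attempt(user, pw)]


def sweep(hosts: Iterable[str],
          attempt_factory: Callable[[str], Attempt] = http_basic_attempt,
          creds: Iterable[Tuple[str, str]] = DEFAULT_CREDS
          ) -> Dict[str, Optional[List[Tuple[str, str]]]]:
    """Map each host to the default logins it accepts.

    A host that could not be tested (network error, HTTP 5xx) maps to None
    rather than an empty list, so "not vulnerable" and "not checked" are not
    confused in the report.
    """
    results: Dict[str, Optional[List[Tuple[str, str]]]] = {}
    for host in hosts:
        try:
            results[host] = find_default_logins(attempt_factory(host), creds)
        except OSError:  # urllib.error.URLError and socket.timeout are OSErrors
            results[host] = None
    return results


if __name__ == "__main__":
    import sys
    # usage: python sweep.py 192.0.2.10 192.0.2.11   (your own devices only)
    for host, found in sweep(sys.argv[1:]).items():
        if found is None:
            print(f"{host}: could not be checked")
        elif found:
            print(f"{host}: DEFAULT LOGIN ACCEPTED {found}")
        else:
            print(f"{host}: no default login accepted")
```

The `attempt_factory` parameter exists so the same sweep logic can be pointed at a different login transport (an RTSP or vendor-specific port, say) without rewriting the loop, and so the reporting logic can be tested against a fake device without touching the network.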

Manufacturer, installer, or end user?

So whose fault is it that so many cameras around the world are freely accessible for the world to see? A professional installer may install a DVR and set up a unique user name and strong password for remote viewing by an alarm receiving centre. They might also advise the end user to permit connections only from specific IP addresses and to block NetBIOS responses, so that the camera cannot be found or viewed by unauthorized people.

But a system owner may insist on keeping things simple by using default settings and may choose not to implement the installer’s recommendations on IP address restrictions. So an installer and an end user should have in place a clear contract as to whose responsibility it is to secure the remote access connection, remembering that in most cases the installer has no control over the network used for video transmission.

Manufacturers of video surveillance equipment have been locked in a price war for some years, and the development teams that could have taken responsibility for better security out of the box are commonly the ones that have been cut back.

But if a serious breach occurs and receives widespread media coverage, this will reflect badly on the whole industry.

Default accounts

There is no need to ship default accounts on surveillance equipment anymore. A camera system should request a unique user name and password on first startup, with the change confirmed by a physical action on the unit itself so that it cannot be done by a stranger over the network. The newer cameras produced by Axis force a password change on first access, hugely increasing their security. Why isn’t everyone doing this?

I asked support staff at DVR manufacturers why they still use default user names and passwords and was repeatedly told that it is to make their job easier when providing remote support to engineers and system owners.

Manufacturers need to be encouraged to issue firmware updates that will force cameras to be more secure, and this requirement should be backed up with standards that ensure a robust manner of dealing with default credentials.

There are some simple steps the industry must take to stop this problem:

Installers

  • Check contractual agreements
  • Ensure engineers are trained in best practices
  • Audit existing installations
  • Verify guidance given to end-users
  • Ensure firmware is updated regularly

Manufacturers

  • Remove generic default accounts
  • Deploy an effective mechanism for setting unique credentials at first use
  • Check existing exploits to ensure none affect your units
  • Keep up to date with new exploits and check them against your equipment
  • Notify your clients when you discover older firmware is at risk
  • Maintain a product register to accurately identify clients at potential risk

End-Users

  • Protect your own networks by blocking NetBIOS at the perimeter
  • Allow remote access only from specific IP addresses
  • Change and remove default accounts
  • Use secure passwords
  • Ensure that internal communications to and from the device are restricted
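Put together, the manufacturer and end-user measures above describe a small access-control policy for the unit itself: no shipped default account, credentials set once at first use and confirmed by a physical action, a strong-password check, and a source-address allowlist that applies even to a correct login. The following model of that policy is an added example written for this page; it is not code from the article or from any camera vendor’s firmware, and the class, method and address names are its own assumptions.

```python
"""Remote-access gate for a DVR, as a model of the policy above (added example)."""
import hashlib
import hmac
import ipaddress
import os
import secrets
from typing import Iterable, Optional, Tuple


class AccessDenied(Exception):
    """Raised for every refused request; the reason is never sent to the client verbatim."""


GENERIC_NAMES = {"admin", "administrator", "root", "user", "guest"}


class Dvr:
    def __init__(self, allowed_sources: Iterable[str]):
        # Allowlist of networks permitted to connect, e.g. the alarm receiving centre.
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_sources]
        self.username: Optional[str] = None
        self.credential: Optional[Tuple[bytes, bytes]] = None  # (salt, hash); None until provisioned
        self.button_pressed = False  # set only by a physical action on the unit

    # ---- physical action on the unit -------------------------------------
    def press_setup_button(self) -> None:
        self.button_pressed = True

    # ---- network-side checks ----------------------------------------------
    def _check_source(self, src_ip: str) -> None:
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowed):
            raise AccessDenied(f"{src_ip} is not in the allowlist")

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_initial_credentials(self, src_ip: str, username: str, password: str) -> bool:
        """First-use provisioning: refused if the source is off-list, the unit is
        already provisioned, nobody pressed the button, or the credentials are weak."""
        self._check_source(src_ip)
        if self.credential is not None:
            raise AccessDenied("unit is already provisioned")
        if not self.button_pressed:
            raise AccessDenied("press the setup button on the unit to confirm")
        if (username.lower() in GENERIC_NAMES
                or len(password) < 12
                or password.lower() == username.lower()):
            raise AccessDenied("choose a non-generic user name and a password of 12+ characters")
        salt = os.urandom(16)
        self.username = username
        self.credential = (salt, self._hash(password, salt))
        self.button_pressed = False  # a press authorises exactly one provisioning
        return True

    def login(self, src_ip: str, username: str, password: str) -> str:
        """Return a session token, or raise AccessDenied. The allowlist is checked
        first, so a correct password from the wrong network is still refused."""
        self._check_source(src_ip)
        if self.credential is None:
            raise AccessDenied("unit not provisioned; there is no default account")
        salt, digest = self.credential
        if username != self.username or not hmac.compare_digest(digest, self._hash(password, salt)):
            raise AccessDenied("bad credentials")
        return secrets.token_hex(16)


def denied(fn, *args) -> bool:
    """True if the call was refused with AccessDenied (for the checks below)."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    # Constructed walk-through: 203.0.113.0/24 stands in for the ARC's address range.
    dvr = Dvr(["203.0.113.0/24"])
    print("admin/admin works out of the box?", not denied(dvr.login, "203.0.113.10", "admin", "admin"))
    dvr.press_setup_button()
    dvr.set_initial_credentials("203.0.113.10", "arc-viewer", "correct-horse-battery")
    print("login from off-list address refused?", denied(dvr.login, "198.51.100.7", "arc-viewer", "correct-horse-battery"))
```

The order of checks matters: the source address is tested before anything else, so a device behind this gate does not even reveal whether it has been provisioned to a host outside the allowlist, and a physical button press authorises exactly one provisioning rather than leaving the unit open until it is used.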
