Are our CCTV systems really secure?
We rely on CCTV for security but the same CCTV we trust to protect us may itself pose a major security risk, as defence features writer Mark Lane discovers talking to James Wickes of Cloudview.
Surveillance cameras are a familiar sight in public places, business premises and private buildings, protecting people, premises and vital national infrastructure.
However, according to James Wickes, Chief Executive and co-founder of Cloudview, the systems we trust to improve our security may not themselves be secure.
He points out that in autumn 2016, M16 highlighted that China was Britain’s largest supplier of CCTV equipment and expressed grave concerns about the potential security risk, particularly for internet-connected cameras. Then, in March 2017 a security researcher setting up a camera discovered it had malicious software built into it, a backdoor which allowed remote unauthorised administrative access via the web.
Wickes explains: “Such backdoors are rarely an oversight, but have to be built in by people who know what they are doing. They are often used to make administration and problem solving easier for the manufacturer, but this is of course at the expense of security.”
Whether this was an oversight or deliberate, such backdoors provide a means for hackers to come and go as they please, undetected as they bypass all usual security measures. In fact, they could allow the hacker to reconfigure the device so as to allow front-door entry by unwanted persons to appear legitimate.
He argues that CCTV’s vulnerability has also been demonstrated by recent DDoS (Distributed Denial of Service) attacks, with systems used as a source of botnet [a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge] power to take down the services supporting critical systems and websites.
He says: “Nearly 1.5 million connected cameras were hijacked in September 2016, and just one month later we saw the Dyn cyber attack – the largest DDoS attack so far – which was executed through a botnet consisting of a large number of internet-connected devices, including IP cameras and baby monitors that had been infected with the Mirai malware.
“There are even search engines which allow subscribers to find live video from poorly secured internet-connected webcams, supposedly aimed at highlighting poor internet security but which could easily be used by those with malicious intent. Unless manufacturers embed better security into their connected devices, we will see large-scale attacks of this kind become the norm.”
For Wickes, these examples highlight the inherent insecurity of many CCTV systems. He also argues that the risks go beyond data theft.
“It’s vital to consider cyber protection of infrastructure as well as physical protection,” he says. “CCTV systems which can easily be hacked are no deterrent at all. Have we ever considered that poor Internet of Things (IoT) security might be just a little too tempting for a nosy nation? And for terrorists – why bother with suicide bombs if you can shut down power stations, open dams and look at CCTV footage of major cities and public places at will?”
He suggests that the very name ’Closed Circuit TV’ lulls us into thinking that these systems are secure. Closed circuit implies that the visual data they collect is ‘closed’ to everyone except authorised users viewing dedicated monitors in close proximity to the system.
The great majority of traditional CCTV systems do rely on cameras recording images and storing them on onsite Digital Video Recorders (DVRs) for later review. However, many allow these DVRs to be accessed via a web browser or app so users can view live or recorded footage from another location – one reason why CCTV cameras are one of the most common ‘things’ connected to the IoT. According to Wickes, this combination of internet access to footage stored on DVRs exponentially increases the risk to personal data retained as well as the risk of other malicious intent.
He cites independent research published last year which found major vulnerabilities in both these traditional DVR-based and cloud-based systems.
“DVR-based CCTV systems typically use port forwarding to provide access, which effectively creates a ‘hole’ in the firewall; or Dynamic DNS, which allows an attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names.
“Many DVRs run on distinctive ports, so a cyber attacker knows exactly where to look to find them on a server. There is also a lack of oversight by users because footage may rarely be looked at and the user interface provides no feedback as to what is going on inside. DVRs include a powerful computer and carry lots of network traffic in both directions. This, combined with their large hard drives, makes them an ideal point to extract vast quantities of data from a network.”
To assess the risk, the research ran two experiments. First, five routers, DVRs and IP cameras running the latest available firmware, in their default configuration, were placed onto the open internet. Within minutes, attackers had begun attempting to use common logins. One device fell to this basic intrusion.
Within a few hours each device had been port-scanned, and within 24 hours two had been entirely compromised and were under the control of an unknown attacker. The attacker was free to access the network the device was connected to, install their own software and transfer data back out. Another device was left in an unstable state after an attempted attack, rendering it inoperable.
The researcher then tested 15 DVRs to look for bugs and manufacturer ‘backdoors’, and found that none were free from serious vulnerabilities. Some took many hours to breach, but the majority took less than an hour. Without the ability to update firmware, these vulnerabilities can persist for years, leaving an organisation’s entire network exposed to cyber attack through its CCTV system.
The cloud also has its vulnerabilities.
Wickes adds: “Dedicated cloud-based CCTV systems are designed with built-in internet connectivity and features such as remote video streaming and data back-up, so in principle should provide improved security. However, most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). A large number of cloud video providers recommend using port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall – creating the same problems as arise with DVR-based systems.
“Many cloud systems also make common security mistakes. The independent consultant carried out a passive survey of popular cloud-based video websites which found mistakes including use of insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures.”
However, he allows that some cloud-based systems offer well thought-out security and data protection standards, providing better security for a lower cost.
He says: “Organisations should look for authentication, end-to-end encryption with SHA-2 and TLS and a digital signature to ensure data integrity. Cloud-based systems also provide the physical security of holding data in a remote location, provided that it complies with Data Protection regulations.”
Intelligent IoT camera adapters are also available, which only allow encrypted outbound connections to specific cloud-based services, and can be retrofitted to existing analogue and digital cameras, enabling them to be securely connected using regular broadband, 3G or satellite services.
“Authorised users can then access the footage from any device and location using standard internet connections,” explains Wickes. “Such adapters only require a fraction of the processing power of a full DVR, so are much less useful to a potential attacker. This solution is already being used in the housing and care sectors and is the only CCTV product to have received ‘Secured by Design’ accreditation from Police Crime Prevention Initiatives.”
He says that some of these CCTV security issues can be prevented by understanding how risks arise and taking simple security precautions, such as ensuring that usernames and passwords are of a sufficient strength to prevent immediate access. Users should ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when it is being stored.
He adds: “In the medium term, organisations that use old cameras or those not manufactured in the UK should review their CCTV security and consider whether to retrofit secure adapters or indeed to replace their existing CCTV with a more secure system.”
If you would like to join our community and read more articles like this then please click here