Locking down surveillance cameras
- By Ludovic Rembert
- Feb 10, 2020
Surveillance cameras have been in use for decades, and government agencies have become so accustomed to them that they may overlook the cybersecurity risk cameras present. Newer, flashier issues like voting machine security and internet-of-things devices that flag unreported gunfire tend to make headlines. Hacks of the humble security camera, not so much.
This is unfortunate, because internet-enabled surveillance cameras are among the most commonly deployed IoT devices and generate huge amounts of hugely sensitive data. This makes them a real temptation for hackers and a security risk for the public sector.
Why security cameras are hacked
New types of attacks have recently raised the profile of camera cybersecurity. Last year we witnessed the emergence of a vulnerability that enabled hackers to summon a firehose of network traffic from hundreds of thousands of such devices for distributed denial of service attacks. In truth, though, cybersecurity professionals have long had concerns about the security claims of certain cameras.
One reason why security cameras are an attractive target for hackers is that their design has often prioritized connectivity and ease of use over security. The ability to instantly connect new cameras to a network might be useful when installing a new security system; it is less so if this feature also allows hackers to easily connect to these same cameras and steal the images they produce.
Another reason, of particular importance in the public sector, is that many local governments are shifting to cloud models where data storage and analysis platforms can be more exposed to hackers. Not all cloud service providers put in place security measures – such as encrypted cloud storage – that are necessary to keep data safe. Plus, not all agencies are fully aware of their responsibility to ensure their cloud-based data has been secured. Even worse, internet-enabled cameras make networks more complex, and therefore harder to secure.
Finally, hackers target security cameras because the data they produce is often highly sensitive. It can include images of employees or of the public, which can either be sold on to other hackers via the Dark Web or used to blackmail companies into paying a ransom.
How security cameras are hacked
There are a few ways that security cameras can be hacked. One of the most recent and most powerful takes advantage of security holes in a device-pinpointing protocol called web services dynamic discovery, or WS-Discovery. This specification allows admins to find cameras (and many other devices) on a network. PCs have been equipped with this protocol since the Vista operating system, and it has been installed in networked HP printers since 2008.
WS Discovery is also used widely in CCTV cameras. Chinese manufacturers Hikvision and Dahua and Brazil's Intelbras are among the companies using the protocol to allow customers to connect to their cameras quickly. Unfortunately, if these cameras are connected to the public internet -- most often by misconfiguring them -- the same protocol makes them vulnerable to hacking.
Other methods are available to hackers, as well. Cameras connected via Bluetooth are extremely vulnerable due to well-documented security issues with that protocol, and cameras communicating via unsecured Wi-Fi hubs can be infiltrated if the Wi-Fi network is compromised.
At a broader level, hackers may not even need to gain direct access to a camera to steal the data it produces. Many organizations still don’t use secure online storage for the video, making it vulnerable to being stolen after it has been stored. Indeed, unless the data produced by security cameras is taken as seriously as other forms of sensitive data, it remains susceptible to hacking at every stage of its production, manipulation and storage.
Preventing surveillance camera hacks
Preventing security cameras being hacked requires IT managers consider two main factors: the security of the camera itself, including its hardware and firmware, and the security of the data it produces.
When it comes to the security of the cameras, unfortunately buyers must rely on the manufacturer. One way in which the base level of security of cameras could be improved would be for manufacturers to include an update capability that would automatically scan for updates and download them. Unfortunately, few manufacturers offer this feature.
This doesn’t mean, of course, that users shouldn’t monitor how their cameras are behaving. It’s important to be able to spot the signs of a malware infection, such as a camera sending unusual amounts of data to outside parties, so that malware can be removed as soon as it appears.
At the moment, the best way for system administrators to protect their surveillance systems is to ensure that all of the software around their cameras is secured. The best VPNs today use an encrypted connection between the cameras and the wider network, which stops data from being stolen while in transit. Equally, IT managers should be sure to harden their backup systems to prevent data from being stolen while at rest.
If these recommendations sound familiar, that’s because protecting the data produced by security cameras is very similar to -- and as important as -- securing the data produced by any system. Contemporary IoT devices come with security measures built-in. Older equipment, however, was designed before hacking was much of an issue.
Agencies must recognize their surveillance cameras can be a security vulnerability and take all reasonable steps to protect the data they produce.
Ludovic Rembert is a security analyst, researcher and founder of PrivacyCanada.net.