Locking down surveillance cameras

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Ludovic Rembert
 

Connecting state and local government leaders

By Ludovic Rembert

|

To prevent security cameras from being hacked, IT managers must consider the security of the camera itself -- including its hardware and firmware -- and the security of the data it produces.

Surveillance cameras have been in use for decades, and government agencies have  become so accustomed to them that they may overlook the cybersecurity risk cameras present. Newer, flashier issues like voting machine security and internet-of-things devices that flag unreported gunfire tend to make headlines. Hacks of the humble security camera, not so much.

This is unfortunate, because internet-enabled surveillance cameras are among the most commonly deployed IoT devices and generate huge amounts of hugely sensitive data. This makes them a real temptation for hackers and a security risk for the public sector.

Why security cameras are hacked

New types of attacks have recently raised the profile of camera cybersecurity. Last year we witnessed the emergence of a vulnerability that enabled hackers to summon a firehose of network traffic from hundreds of thousands of such devices for distributed denial of service attacks. In truth, though, cybersecurity professionals have long had concerns about the security claims of certain cameras.

One reason why security cameras are an attractive target for hackers is that their design has often prioritized connectivity and ease of use over security. The ability to instantly connect new cameras to a network might be useful when installing a new security system; it is less so if this feature also allows hackers to easily connect to these same cameras and steal the images they produce.

Another reason, of particular importance in the public sector, is that many local governments are shifting to cloud models where data storage and analysis platforms can be more exposed to hackers. Not all cloud service providers put in place security measures – such as encrypted cloud storage – that are necessary to keep data safe. Plus, not all agencies are fully aware of their responsibility to ensure their cloud-based data has been secured. Even worse, internet-enabled cameras make networks more complex, and therefore harder to secure.

Finally, hackers target security cameras because the data they produce is often highly sensitive. It can include images of employees or of the public, which can either be sold on to other hackers via the Dark Web or used to blackmail companies into paying a ransom.

How security cameras are hacked

There are a few ways that security cameras can be hacked. One of the most recent and most powerful takes advantage of security holes in a device-pinpointing protocol called web services dynamic discovery, or WS-Discovery. This specification allows admins to find cameras (and many other devices) on a network. PCs have been equipped with this protocol since the Vista operating system, and it has been installed in networked HP printers since 2008. 

WS Discovery is also used widely in CCTV cameras. Chinese manufacturers Hikvision and Dahua and Brazil's Intelbras are among the companies using the protocol to allow customers to connect to their cameras quickly. Unfortunately, if these cameras are connected to the public internet -- most often by misconfiguring them -- the same protocol makes them vulnerable to hacking. 

Other methods are available to hackers, as well. Cameras connected via Bluetooth are extremely vulnerable due to well-documented security issues with that protocol, and cameras communicating via unsecured Wi-Fi hubs can be infiltrated if the Wi-Fi network is compromised. 

At a broader level, hackers may not even need to gain direct access to a camera to steal the data it produces. Many organizations still don’t use secure online storage for the video, making it vulnerable to being stolen after it has been stored. Indeed, unless the data produced by security cameras is taken as seriously as other forms of sensitive data, it remains susceptible to hacking at every stage of its production, manipulation and storage.

Preventing surveillance camera hacks

Preventing security cameras being hacked requires IT managers consider two main factors: the security of the camera itself, including its hardware and firmware, and the security of the data it produces. 

When it comes to the security of the cameras, unfortunately buyers must rely on the manufacturer. One way in which the base level of security of cameras could be improved would be for manufacturers to include an update capability that would automatically scan for updates and download them. Unfortunately, few manufacturers offer this feature.

This doesn’t mean, of course, that users shouldn’t monitor how their cameras are behaving. It’s important to be able to spot the signs of a malware infection, such as a camera sending unusual amounts of data to outside parties, so that malware can be removed as soon as it appears.

At the moment, the best way for system administrators to protect their surveillance systems is to ensure that all of the software around their cameras is secured. The best VPNs today use an encrypted connection between the cameras and the wider network, which stops data from being stolen while in transit. Equally, IT managers should be sure to harden their backup systems to prevent data from being stolen while at rest.

Final thoughts

If these recommendations sound familiar, that’s because protecting the data produced by security cameras is very similar to -- and as important as -- securing the data produced by any system. Contemporary IoT devices come with security measures built-in. Older equipment, however, was designed before hacking was much of an issue.

Agencies must recognize their surveillance cameras can be a security vulnerability and take all reasonable steps to protect the data they produce.

NEXT STORY: Mapping the cyber threats of Air Force base control systems

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.