Majority of CCTV systems “leave organisations open to cyber attack” reports new Cloudview study

Cloud-based video surveillance specialist Cloudview has just published the results of new research showing that, while the majority of CCTV systems may protect an organisation’s physical assets, they also provide an open door to cyber attackers.

The research – carried out by independent consultant Andrew Tierney on behalf of Cloudview and published in a new White Paper entitled: ‘Is Your CCTV System Secure from Cyber Attack? found major vulnerabilities in both traditional DVR-based CCTV systems and cloud-based video systems.

The security flaws inherent in almost all CCTV systems make it all-too-easy for intruders to hijack connections to the device’s IP address, in turn putting people, property, data and entire enterprises at potential risk while leaving operators in breach of the Data Protection regulations.

During the research five routers, DVRs and IP cameras running the latest software were placed on the open Internet. One device was breached within minutes. In less than 24 hours, two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable.

Vulnerabilities in traditional DVR-based systems ranged from their use of port forwarding and Dynamic DNS to a lack of firmware updates and the existence of manufacturer ‘back doors’ which are often revealed on the Internet.

Due to the fact that DVRs have similar capability to a small web server, they can easily be used to launch an attack against the rest of the network or extract large quantities of data once an attacker has gained access.

Many cloud video solutions also use port forwarding to allow access to RTSP video streams, making them as vulnerable as DVR-based systems.

Other issues include failure to use secure protocols effectively, a lack of encryption, poor cookie security and insecure user and credential management.

Potential target for attacks

“Any insecure embedded device connected to the Internet is a potential target for attacks, but organisations don’t seem to realise that this includes their CCTV system,” said Andrew Tierney. “It can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data.”

James Wickes, co-founder and CEO of Cloudview, explained: “DDoS attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as being vulnerable. Organisations can increase their security immediately by changing user names and passwords from the default to something secure. They should also follow the Information Commissioner’s Office and Surveillance Camera Commissioner’s guidelines by encrypting all of their CCTV data both in transit and when it’s being stored. I’d also like to see the development of a ‘KiteMark’ to give users the assurances that their CCTV supplier has thought about security.”

*The full White Paper can be downloaded here:

The research was conducted last December. Many tests were performed, including (but not limited to):

*Passive monitoring of all traffic in and out of each device, with the aim of both working out how the device communicates and uncovering any hidden or undesired functionality

*Active scanning of all ports and services using nmap to find hidden services and insecurities

*Manual and automated testing of any web interfaces using Burp Suite to find vulnerabilities and hidden functionality

*Decompilation of Android and iOS applications available to understand operation

*Obtaining firmware via downloading, intercepting firmware updates or recovery from a given device

*Analysis of firmware using various tools to find hidden functionality, vulnerabilities and passwords

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts