Researchers from the U.K.-based penetration testing service Pen Test Partners recently attacked a video surveillance system, and they pulled off a fairly scary feat. “We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera,” they wrote.
That pen test is even more concerning when you take into account the fact that the world is in the midst of a widespread proliferation of video surveillance equipment among both private citizens and enterprise security users – which, in fact, we are.
The market for video surveillance systems is expected to grow from $36.89 billion in 2018 to more than $68 billion by 2023, MarketsandMarkets reports. With video surveillance increasingly prevalent, the possibility of cyber flaws in security systems bears strong consideration.
“Historically, camera systems have been fairly isolated on the network, and so people have not lumped them into the cyber realm,” says Jonathan Steenland, a strategic advisor to the U.S. Department of Homeland Security’s National Cybersecurity Center and co-founder of security advisory Zyston. “Now these devices are connected to the same network as mission-critical servers and applications.”
What are the most likely cyber gaps in video systems, and what are the most significant remediations?
Researchers at Kaspersky Lab report finding multiple potential fail points in security cameras commonly incorporated into some enterprise security systems. These flaws could give attackers access to video streams and could even enable remote control over the cameras.
By leveraging these weakensses, Kaspersky reports, malicious users could:
- Access video and audio feeds from any camera connected to a cloud service;
- Remotely upload and execute malicious code; or
- Remotely “brick” vulnerable cameras.
Beyond interrupting camera operations, hackers could use a compromised camera as an entry point to compromise an entire network. “The port that the camera is using can be used to hop to other segments of the network,” notes Mike Sanchez, CISO of United Data Technologies. “They start in the surveillance system and go from there to the data center, and from there, to the accounting department.”
In the past, when a surveillance system was a self-contained network, such concerns might have sounded alarmist. But with IP-enabled security, everything’s connected, and everything is therefore fair game.
“As the physical and network security worlds continue to converge…adding even one IP-based camera or other IoT device that is not properly hardened can expose a corporate network to a hacker,” says Tom Galvin, CEO of Razberi Technologies. As a result, “the growth of connected devices and video surveillance applications – IP cameras, sensors, machine learning, facial recognition, etc. – is a complicating factor for many security professionals.”
There is perhaps a small irony in the notion that it is now our security cameras that are making us less secure. “The very technology they are using to secure their infrastructures is becoming more vulnerable to cyber threats,” Galvin notes.
Still not convinced that a hacker could really make with access to a video camera? Experts suggest two considerations: Where does a company put cameras? And how much compute power does a camera have? These two factors together ring alarm bells for Avi Chesla, co-founder and CEO of cyber solutions provider empow.
“Imagine a web camera in the boardroom that’s collecting confidential information during a board of directors meeting and sending it off somewhere else,” he says. “Or you can install malware and use the cameras as bots in a denial of service attack. They can send signals and messages, and because there are so many of these cameras, a person could create an entire army of bots based just on these cameras.”
How to cyber-harden all that vulnerable infrastructure? A number of fixes are readily available.
Locking it Down
Video surveillance security starts with passwords. Like many IoT-type accessories, cameras can easily be password protected, but end users tend to overlook this basic safeguard.
“These devices come from the manufacturer with a common user ID and password, something like ‘admin’ for both. People don’t bother to change that or they don’t have a complex password policy, so the password is not strong enough,” Sanchez says.
Eastern Datacomm documented this in a recent examination of the caused behind a late 2016 massive distributed denial of service (DDoS) attack that causes outages at Amazon and Twitter. Hijackers took over some 100,000 devices, including network security cameras, gaining entry by using one of 61 default or common weak passwords.
The simple fix: Implement a rigorous password regime straight out of the box.
Encryption of the video feed between camera and the storage site is an equally important first step that often gets overlooked. “Most of these systems don’t activate encryption by default, and a lot of times people will just turn it on to see that it is working. They want to avoid any possible compatibility issues or performance issues at first, so they ignore encryption and then they forget about doing it,” Chesla says.
It takes but a moment to put this basic safeguard into play. “Typically you will get two or three different options for stronger or weaker encryption. Some will consume more compute resources than others and you need to make some choices,” he says. “But it isn’t hard, and if you don’t do it, it can be easy to hijack that stream, to copy the information into another place.”
Along these same lines, basics of cyber governance indicated that video systems should be scanned regularly for vulnerabilities and that patches should be applied in a timely way as dictated by manufacturers and various standards bodies. This is Cyber 101, arguably, but it often gets overlooked in video systems, which may not always be perceived as being truly an “IT” asset.
“You treat your camera like any other end point, treat it like a printer or a laptop, and you’ll resolve many of the points of entry for any malicious actors,” says Joe Gittens, director of standards for the Security Industry Association. “There aren’t really that many standards around video surveillance, but there is no reason why all the basic IT standards would not apply to a video surveillance system. Doing that will probably take care of 80 to 90 percent of your potential vulnerabilities.”
In addition to practicing good cyber hygiene in general, with sound governance and enforceable policies around such basics as passwords, encryption and patches, experts say that more aggressive defensive techniques can be helpful and even necessary in defending video systems.
One such method involves the deployment of decoys, data that resembles real production assets and can be used to misdirect attackers, fooling them into attacking what is essentially a bogus system.
“A customer recently reported that there was an attacker targeting the organization’s video surveillance feeds,” says Carolyn Crandall, Chief Deception Officer for Attivo Networks. “When the decoys responded, the scanning host attempted to gain access to password information and attempted to connect to known video surveillance web page addresses.”
The “deception” solution began recording the suspect activity and then unleashed decoy data, in isolation from true production assets. “The security team subsequently tracked down the system and discovered the video surveillance systems had been infected with malware which allowed an external attacker to access it,” Crandall says. “Because they discovered the attack early, it was a quick and easy remediation process.”
Behind the scenes, IT security leaders also can pursue structural means to safeguard video.
What makes surveillance data vulnerable? It’s not the video network per se but rather the fact that that network touches onto other digital properties within the enterprise. As noted, bad actors can leverage those touch points as a means to gain access to a wide set of valuables across the organizational footprint. One solution: Limit the touch points.
“When you deploy a video system on the network, you want to separate that network with a logical or physical segmentation of the video network from the other data,” Chesla says.
“That allows two things. First, it’s better for performance when you have a separate network with its own quality of service,” he says. “On the security side, you may have other services that you want to be open and available to everyone, and you want to apply different access policies to those. Once you separate the network, you can better enforce access controls on the video network, and you can afford more strict policies.”
It’s worth noting, too, that video doesn’t live strictly in the IT shop, and hence may not fall strictly under the embrace of cyber teams. This can further complicate an already sticky situation.
“Many security pros lack the knowledge, tools and time needed to adequately defend these assets,” Galvin says. “This is even more challenging when there’s little communication or collaboration between IT and physical security teams.”
That being the case, a little cooperation can sometimes go a long way. “IT and physical security pros must work together to ensure that the entire video surveillance ecosystem – from the edge to data center servers – is protected,” he says.
In fact, it can reasonably be argued that physical security is cybersecurity when it comes to video systems.
If your cameras are physically accessible to potential villains, then anyone with a handful of cables and some know-how can possibly turn physical access into cyber intrusion, says Bud Broomhead, CEO of Viakoo.
“The security situation around video can be worse than for other systems, because parts of the system – the cameras – are in public places outside the firewall,” Broomhead says. “They may be in readily accessible locations where you can climb a ladder or go over a fence and you can get to those exposed points. With a data center you don’t have that: It’s all contained within your walls and you control who goes in and out of your facility.”