James Wickes, CEO and co-founder, Cloudview
The proposed acquisition of GKN by Melrose Industries has rekindled discussions about whether technology from foreign companies should be used in areas where national security is involved. Engineering giant GKN’s products include parts for fighter jets, bombers and military cargo planes.
One area where the security services have not only raised concerns but identified specific threats is CCTV – which is surprising, as it is not traditionally associated with leading edge technology and hence usually not front of mind as a security risk. First, MI6 highlighted that Chinese company Hikvision is Britain’s largest supplier of CCTV equipment and expressed grave concerns about the potential security risk, particularly for internet connected cameras. A few months later the US followed suit, with their Department of Homeland Security highlighting specific vulnerabilities in these cameras and issuing a security advisory notice.
One of the concerns is based around the potential existence of back doors in these products which allow unauthorised administrative access via the web. Researchers have reported back doors in cameras from various manufacturers. They are often used to make administration and problem solving easier for the manufacturer, but also provide a means for unauthorised people to come and go undetected, bypassing all usual security measures. They could even allow the hacker to reconfigure the device to allow front door entry by unwanted persons to appear legitimate.
With an inbuilt back door, access to secure locations and networks via these cameras might be a little too tempting for some nations. And for those who wish the UK harm, shutting down national infrastructure would be as potent and demoralising as suicide bombing.
CCTV’s security problems have also been demonstrated by DDoS attacks, where they have been used as a source of very substantial botnet power to take down services supporting critical systems and websites. In one attack hackers used two networks made up of around 980,000 and 500,000 hacked devices, mostly internet connected cameras, to generate more than 660Gb/s of traffic. In the Dyn DDoS cyberattack (1.2Tb/s), the botnet consisted of a large number of internet connected devices, including IP cameras and baby monitors that had been infected with the Mirai malware. Unless manufacturers embed better security into their connected cameras, such attacks could become commonplace.
Traditional DVR systems have major vulnerabilities
The first step in ensuring security is to understand how the risks arise. Independent research found several major vulnerabilities in both DVR-based and cloud-based CCTV systems which enable them to provide a gateway to an organisation’s entire network, allowing anyone with malicious intent to corrupt all their systems or extract huge amounts of data.
Vulnerabilities in DVR-based systems include use of port forwarding to provide access, which effectively creates a ‘hole’ in the firewall, and Dynamic DNS, which many manufacturers recommend when using port forwarding and which allows an attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Many DVRs run on distinctive ports, so a cyber attacker knows exactly where to look to find them on a server. Other concerns include a lack of firmware updates and, as already mentioned, manufacturer back doors. There is also a lack of oversight by users because footage may rarely be looked at and the user interface provides no feedback as to what is going on inside. Because DVRs have similar capability to a small web server, they can easily be used to launch an attack against the rest of the network they are attached to or to extract large quantities of data once an attacker has gained access.
To assess the risk, the researcher ran two experiments. First, five routers, DVRs and IP cameras running the latest available firmware, in their default configuration, were placed onto the open internet. One device was breached within minutes and within 24 hours two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable.
The researcher then tested 15 DVRs to look for bugs and manufacturer ‘back doors’ and found that none were free from serious vulnerabilities. Some took many hours to breach, but the majority took less than an hour. Without the ability to update firmware, these vulnerabilities can persist for years, leaving an organisation’s entire network exposed to cyber-attack.
Not all cloud systems are secure
Dedicated cloud-based CCTV systems are designed with built-in internet connectivity and features such as remote video streaming and data back-up, so in principle should provide improved security. However, most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). Some cloud video providers recommend using port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall – creating the same problems as with DVR-based systems.
Many cloud systems also make common security mistakes. The independent consultant carried out a passive survey of popular cloud-based video websites and found problems including use of insecure protocols (HTTP rather than HTTPS) and mistakes in configuration. A significant number of sites were still found to support options that are known to be insecure. These allow an attacker to ‘downgrade’ the user’s connection, giving the impression that the connection is secure when it is not. There was a lack of encryption or digital signatures to protect data in the cloud from unauthorised access, and nearly all the surveyed sites were found to have one or more other vulnerabilities – cross-site request forgery, cookie and session token security misconfigurations. Some cloud providers had no controls around access to customer data, although others offer well thought out security and data protection standards, providing better security for a lower cost.
Simple steps to reduce risks
To avoid falling victim to these issues, security professionals need to understand the potential risks from apparently innocuous CCTV systems and take appropriate precautions. Some can be prevented by simple security measures, such as ensuring that usernames and passwords are of sufficient strength to prevent immediate access. Because cameras are often outside the scope of an organisation’s IT department, and run by the facilities or building maintenance team, it is all too easy for even basic security precautions to be overlooked. Users should also ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when it is being stored.
Organisations choosing cloud-based CCTV should look for authentication, end-to-end encryption with SHA-2 and TLS and a digital signature to ensure data integrity. Such systems can now be retrofitted to existing analogue and digital cameras, enabling them to be securely connected using regular broadband, 3G or satellite services. Authorised users can then access the footage from any device and location using standard internet connections. Cloud-based systems also provide the physical security of holding data in a remote location. They should of course comply with the forthcoming General Data Protection Regulation (GDPR).
Organisations using traditional CCTV systems can not only improve their security by connecting them to cloud-based systems but can also reap the benefits of consolidating their CCTV data, enabling it to be more available to those that need it at the time that they need it.