Researchers from the U.K.-based penetration testing service Pen Test Partners recently attacked a video surveillance system, and they pulled off a fairly scary feat. “We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera,” they wrote.
That pen test is even more concerning given that the world is in the midst of a widespread proliferation of video surveillance equipment among both private citizens and enterprise security users.
The market for video surveillance systems is expected to grow from $36.89 billion in 2018 to more than $68 billion by 2023, MarketsandMarkets reports. With video surveillance increasingly prevalent, the possibility of cyber flaws in security systems bears strong consideration.
“Historically, camera systems have been fairly isolated on the network, and so people have not lumped them into the cyber realm,” says Jonathan Steenland, a strategic advisor to the U.S. Department of Homeland Security’s National Cybersecurity Center and co-founder of security advisory Zyston. “Now these devices are connected to the same network as mission-critical servers and applications.”
What are the most likely cyber gaps in video systems, and what are the most significant remediations…
Locking it Down
Video surveillance security starts with passwords. Like many IoT-type accessories, cameras can easily be password protected, but end users tend to overlook this basic safeguard.
“These devices come from the manufacturer with a common user ID and password, something like ‘admin’ for both. People don’t bother to change that or they don’t have a complex password policy, so the password is not strong enough,” Sanchez says.
Eastern Datacomm documented this in a recent examination of the causes behind a massive late-2016 distributed denial of service (DDoS) attack that caused outages at Amazon and Twitter. Hijackers took over some 100,000 devices, including network security cameras, gaining entry by using one of 61 default or common weak passwords.
The simple fix: Implement a rigorous password regime straight out of the box.
Encryption of the video feed between camera and the storage site is an equally important first step that often gets overlooked. “Most of these systems don’t activate encryption by default, and a lot of times people will just turn it on to see that it is working. They want to avoid any possible compatibility issues or performance issues at first, so they ignore encryption and then they forget about doing it,” Chesla says.
It takes but a moment to put this basic safeguard into play. “Typically you will get two or three different options for stronger or weaker encryption. Some will consume more compute resources than others and you need to make some choices,” he says. “But it isn’t hard, and if you don’t do it, it can be easy to hijack that stream, to copy the information into another place.”
Along these same lines, the basics of cyber governance indicate that video systems should be scanned regularly for vulnerabilities and that patches should be applied in a timely way as dictated by manufacturers and various standards bodies. This is Cyber 101, arguably, but it often gets overlooked in video systems, which may not always be perceived as being truly an “IT” asset.
“You treat your camera like any other end point, treat it like a printer or a laptop, and you’ll resolve many of the points of entry for any malicious actors,” says Joe Gittens, director of standards for the Security Industry Association. “There aren’t really that many standards around video surveillance, but there is no reason why all the basic IT standards would not apply to a video surveillance system. Doing that will probably take care of 80 to 90 percent of your potential vulnerabilities.”
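The three basics above (passwords, stream encryption, patch level) can be checked the way any other endpoint inventory is audited. The sketch below is an added example, not code from the article or its sources; the inventory fields, the short weak-credential list and the password policy thresholds are all assumptions constructed for illustration.

```python
import re

# Constructed sample data: a few default/common credentials (not the 61-entry
# list the article mentions) and a hypothetical camera inventory.
KNOWN_WEAK = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "password")}

INVENTORY = [
    {"name": "lobby-cam", "user": "admin", "password": "admin",
     "stream_encrypted": False, "firmware": "2.4.1", "latest_firmware": "2.6.0"},
    {"name": "dock-cam", "user": "ops", "password": "T7#qLm92!xVbk4",
     "stream_encrypted": True, "firmware": "2.6.0", "latest_firmware": "2.6.0"},
    {"name": "garage-cam", "user": "svc-video", "password": "summer2018",
     "stream_encrypted": True, "firmware": "2.9.0", "latest_firmware": "2.10.0"},
]

def version_tuple(v):
    """Parse '2.10.0' into (2, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def password_issue(user, password, min_len=12):
    """Return a finding string for a weak credential, or None if it passes."""
    if (user.lower(), password.lower()) in KNOWN_WEAK:
        return "factory-default or common credential"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) < min_len or classes < 3:
        return f"password fails policy (min {min_len} chars, 3 of 4 character classes)"
    return None

def audit(cameras):
    """Map each camera name to its list of findings (empty list means clean)."""
    report = {}
    for cam in cameras:
        findings = []
        issue = password_issue(cam["user"], cam["password"])
        if issue:
            findings.append(issue)
        if not cam["stream_encrypted"]:
            findings.append("video stream is not encrypted")
        if version_tuple(cam["firmware"]) < version_tuple(cam["latest_firmware"]):
            findings.append(f"firmware {cam['firmware']} is behind {cam['latest_firmware']}")
        report[cam["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or "OK")
```

Comparing firmware versions as integer tuples matters here: a plain string comparison would rank "2.9.0" above "2.10.0" and miss the outdated garage camera.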
In addition to practicing good cyber hygiene in general, with sound governance and enforceable policies around such basics as passwords, encryption and patches, experts say that more aggressive defensive techniques can be helpful and even necessary in defending video systems.
One such method involves the deployment of decoys, data that resembles real production assets and can be used to misdirect attackers, fooling them into attacking what is essentially a bogus system.
“A customer recently reported that there was an attacker targeting the organization’s video surveillance feeds,” says Carolyn Crandall, Chief Deception Officer for Attivo Networks. “When the decoys responded, the scanning host attempted to gain access to password information and attempted to connect to known video surveillance web page addresses.”
The “deception” solution began recording the suspect activity and then unleashed decoy data, in isolation from true production assets. “The security team subsequently tracked down the system and discovered the video surveillance systems had been infected with malware which allowed an external attacker to access it,” Crandall says. “Because they discovered the attack early, it was a quick and easy remediation process.”
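The detection value of a decoy comes from the fact that no legitimate client has a reason to contact it, so any source that does can be flagged and its other connections reviewed. The following is an added example, not Attivo's product logic or anything from the article; the decoy addresses, log format and log lines are constructed for illustration.

```python
from collections import defaultdict

# Assumptions: decoy addresses and every log line below are constructed samples.
DECOYS = {"10.20.0.250", "10.20.0.251"}

LOG = """\
2018-11-02T03:14:07Z src=10.20.5.44 dst=10.20.0.250 port=80 path=/login.cgi
2018-11-02T03:14:09Z src=10.20.5.44 dst=10.20.0.250 port=80 path=/config/passwd
2018-11-02T03:14:30Z src=10.20.5.44 dst=10.20.0.17 port=554 path=/stream1
2018-11-02T03:15:02Z src=10.20.1.8 dst=10.20.0.17 port=554 path=/stream1
2018-11-02T03:16:45Z src=10.20.5.44 dst=10.20.0.251 port=80 path=/view/index.shtml
malformed line without fields
"""

def parse(line):
    """Return (timestamp, fields) or None for lines that do not match the format."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    if not {"src", "dst", "port", "path"} <= fields.keys():
        return None
    return ts, fields

def triage(log_text, decoys):
    """Flag every source that touched a decoy and list what else it contacted."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    suspects = {f["src"] for _, f in events if f["dst"] in decoys}
    report = defaultdict(lambda: {"first_decoy_hit": None,
                                  "decoy_paths": [],
                                  "production_targets": set()})
    for ts, f in events:
        if f["src"] not in suspects:
            continue  # hosts that never touched a decoy are out of scope here
        entry = report[f["src"]]
        if f["dst"] in decoys:
            entry["first_decoy_hit"] = entry["first_decoy_hit"] or ts
            entry["decoy_paths"].append(f["path"])
        else:
            # Real cameras the same host reached: candidates for incident review.
            entry["production_targets"].add(f["dst"])
    return dict(report)

if __name__ == "__main__":
    for src, info in triage(LOG, DECOYS).items():
        print(src, info)
```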