is your video surveillance system a cyber-security threat?

Navigate the noise and define the practical steps to protect your enterprise.

Life is good for video surveillance users.  The technology continues to develop even while pricing continues to decline.  As a result video surveillance is projected to grow globally at more than a 15% rate for the next five years.  But while this tool can harden the physical security of the enterprise it also has the potential to expose a hidden underbelly of vulnerability to hacking exploits.

Both the security industry and user community have responded to counter this risk in a number of ways.  Most positive has been the teaming with general IT security specialists to cyber-harden equipment and put in place best
security practices.  Less productive has been the influence of some to blacklist as if they were the primary security threat the leading offshore suppliers who are driving system costs down.

Is surveillance a valuable tool in protecting your operations and people?  How can you use it well and yet not introduce cyber-vulnerabilities?   We will highlight the most substantive steps you can take in response.  Along the way we will consider whether blacklisting has been an effective tool or a dangerous distraction.  A first step, though, is to better know what you are protecting yourself from.

Know How Your IP Surveillance System Can Be Hacked

Illegal computer ‘hacking’ is the unauthorized access of networked data systems, usually by a concerted effort.   The term is reminiscent of how vegetation can be taken down by repeated blows of a machete.  In cyber exploits data system hackers succeed by either multiple attempts and/or a complex combination of tools and maneuvers.   Such exploits have been around for over a century [see side topic: Early Hacking Exploits].

What is the goal of hacking surveillance systems? Here are three:

To compromise the video surveillance systems function
To access live or recorded video
To use the surveillance equipment to further breach the enterprises data systems.

Let’s consider examples of the first two in the next section.

Compromising And Accessing Video Surveillance Function

Megapixel cameras are generally administered via an application level web page across Ethernet networks.  [The new HD analog cameras are different though.  Even so the encoders for these cameras are typically web accessible.]   If the network the cameras are on can be penetrated then camera video and control can usually be gained by a webpage username and password login.  In 2014 the Russian website Insecam caused a sensation by demonstrating how surveillance cameras are often left exposed on the Internet.  The site provided a directory of 73 thousand unsecured security camera locations in 256 countries as well as access to them.  What was disturbing were views of private spaces, even baby cribs.

The site is still online today billed as the largest directory of accessible security cameras but claims to filter what is listed  to avoid invasion of privacy.  How are the camera accessed?  Default or non-existent passwords.  Whose cameras?  As the site explains (May 2017) “You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”  Therefore no matter what brand, if the camera is exposed to the Internet it is being scanned for vulnerability.

If the camera’s network is properly hidden the video management server(s) may still be a weak point and no brand is safe.  Being accessible to enterprise users the server may be compromised to gain the video or even directly interface with the camera again.  Eight days before the 2017 presidential inauguration the Washington DC surveillance system was hacked and infected with ransomware at the video storage server level.  [Ransomware is malevolent software introduced to hold a system ransom until money is paid, often via convoluted payment schemes.]  123 of 187 storage servers could not record video.  Who was behind the exploit?  Russian hackers or the infamous Chinese cyber-military PLA Unit 61398?  No, a middle-aged pair in London – a Brit and a Swede.  They were arrested a few weeks later, old fashioned greed being the apparent motive.

Surveillance systems have also been compromised by denial of service (DDOS) attacks.  During DDOS attacks the system is overwhelmed by functional calls until services fail.  DDOS attacks are a very popular means of bringing down networks systems.  One mechanism specific to video systems are RTSP requests because RTSP is the video stream protocol normally used in transmitting encoded video.  By overflowing requests for RTSP streams normal function can be overwhelmed denying legitimate service. Many video applications over the last decade have had to be hardened against this weakness.  First it was Apple’s Quicktime and VLC Player and now video surveillance software.

Targeting The Surveillance System To Breach The Enterprise Data Systems

In 2015 a cutting edge financial software company was breached via a poorly installed and unmaintained access control security server running default passwords and out-of-date software.  Fortunately, customer credit card information was not accessed.  This exploit in a high tech startup illustrates that even savvy IT professionals can overlook applying best practices when it comes to their security systems.

A special case of hacking has become of recent concern for security equipment, botnet malware.  [See side topic: IoT hacking :  The Internet of Things becomes a botnet cyberhazard].   Surveillance equipment has been found to be included in hosting such exploits.  Hundreds of thousands of Mirai bots were discovered to be digital video recorders (DVRs).  Many of them were entry level, low cost models of a few years ago, installed with default access and unmaintained.  Devices and modules manufactured by the OEM XiongMai were targeted because of easy access via Telnet passwords.  But access was not limited to these entry level devices, researchers found evidence of the same vulnerabilities across nearly all surveillance commercial product.

‘Zero Day’ Vulnerability

The expression zero days attacks has become popular because of the following cycle occurring now:

– A company’s developers create software, but it contains a vulnerability.

– The hacker or threat actor spots that vulnerability either before the developer or others do and acts on it before the developer or user have a chance to fix it.

-The attacker writes and implements exploit code while the vulnerability is still open and available.

– After releasing the exploit, either the end user or public recognizes it in the form of information theft, denial of service, etc. and then the developer creates a patch or other action is taken to seal off the vulnerability.

The exploit is called a zero-day attack because by the time the weakness is known the developer and end-users have no time to react.  These attacks are rarely discovered right away. In fact, it often takes not just days but months and sometimes years before the vulnerability is discovered that led to an attack.  Conversely, once a vulnerability is discovered, it is sometimes difficult to know if anyone has actually exploited it.  It is a little like coming home and discovering the door is open.  An initial search shows no loss but you may not be sure for some time.

Video surveillance equipment has had its share of such vulnerabilities.  Many times they are reported on but no exploit of this weakpoint is known.  It is important to understand that a report of a vulnerability and the typically rapid response to address it is in itself a healthy thing and a natural process in networked products in general today.    It is necessary as a complement to standard firewalls and other protections based on previously known exploit signatures.

As an example, video surveillance users today often rely on mobile apps dispatched by Apple and Android download sites.  In September 2015 over 50 different mobile apps were affected by malware that got into some Apples XCode developer software environments and was called Xcode Ghost.

Built on CIA techniques reported via Wikileaks earlier in 2015 the malware was designed to retrieve basic user information and upload it to servers.

One affected app was a popular video security mobile app permitting users to view surveillance video on smartphones and tablets.   It took about two weeks for this malware to be discovered.   Less than a week later the infected version of the video app was replaced on global distribution sites.  No one knows if any damage resulted from this brief exposure of some mobile clients to this vulnerability.  Such is the cycle of today’s cybersecurity.

Cybersecurity Policies For Your Surveillance Systems

How do you best secure your network against cyber expoits? Five basic guidelines are listed below.  These and more can be explored in the open literature from leading video and general IT suppliers and institutions. [See sidenote: Useful Resources to Learn More On Cyber-Hardening Surveillance]

  1. Change default passwords to strong ones.
    This is the most basic step and the area most exploited.  Strong passwords are neither default or related to the username or domain.  They usually involve at least 8 characters or more with three of the following attributes;  letters, numbers, special characters, varied upper and lower case.  This applies to both the installer and user passwords. Many suffer from password fatigue as the need for cyberhardening extends across your expanding digital life.   A solution might be the password managers or ‘vaults’ growing in use today.
  2. Turn off and/or change default software ports in place.
    This should include primitive access such as Telnet ports, uPnP etc.  Necessary ports can usually be changed, otherwise it may be possible to protect them by a firewall.   Both the integrator and the enterprise IT staff may need to collaborate on this.
  3. Limit Physical and Network Access.
    Use video servers with dual network cards (NIC) and if possible keep cameras on a private network and NICs.  Alternately keep the camera traffic behind a ‘virtual’ or VLAN barrier.  Physically lock up network closets (perhaps access control) and enforce MAC addressing of legitimate edge devices.  Employ firewalls and intrusion threat detection to protect the enterprise side of surveillance video use.
  4. Regularly Update Firmware and Software.  
    As we’ve noted in this article, video surveillance is catching up to the state of the art and new information on cybersecurity.   Firmware and software updates embody the result of this work.  Suppliers are by no means done.  Now more than ever maintain updates.
  5. Apply general network expertise and techniques.  
    Routers and switches have more common access to enterprises and must also be protected.  In addition clients workstations, mobile devices, integrating systems all rely on general network cybersecurity.  All stakeholders in enterprise security must be involved for the most complete protection.

Blacklisting Is Not A Substitute For Substantive Work

We indicated at the outset that some seem to focus entirely on blacklisting Asian offshore product for cybersecurity.   In both network technology in general and video surveillance in particular this should not be the first priority.  It can even be a fatal distraction.

Consider the recent exploits we discussed in this article, they almost entirely involve either Western threat actors or techniques.   In almost all cases the simple guidelines also discussed would have avoided the exploits.   Commercial mudslinging is not a substitute for the substantive work required to strengthen your enterprise’s cybersecurity.

Focus on blacklisting can cause one to overlook the benefits of a product line or even be a fatal distraction.  Our “Featured Technology” articles maintain product neutrality but we will illustrate this point with the recent history of the Asian supplier most often referenced in cybersecurity – Hikvision.

Hikvision is of Chinese origin.  The company is now the largest manufacturer of commercial cameras in the world and is considered one of the top 3 electronics security corporations in the world along with Bosch and Honeywell, publicly valued at roughly 20 billion dollars.  The company grew rapidly based on its OEM contracts for many name brand camera suppliers as well as the Chinese internal market.

Hikvision is the company that most in the industry would list as responsible for making quality surveillance affordable in recent years.  Although being late to the North American market Hikvision is the 2nd most popular camera line of US integrators.  However, recently, competitors and some others have suggested Hikvision must be viewed with suspicion, a possible cyber security hazard.

We would encourage the end user to consider the evidence provided for these claims.  When the full story is considered the situation is more clearly understood.  The accusations as well as the fuller detail are tabulated below.  Once you review this table, you will most likely agree that Hikvision is acting responsibly.

Recall the inauguration hack described earlier?  There is an ironic backstory to this exploit.  The video management software provider for that system publicly responded to incomplete reports against an Asian supplier by limiting support needs for their models.   A few months later their licensed DC metropolitan system was brought down and held ransom just before the inauguration.  The software vendor admitted that it was not due to a ‘backdoor’ related to a specific camera brand but because the hacked system did not implement and maintain basic network security policies.  Attention to basic best practices by suppliers and resellers serves the customer base, far better than blacklisting brands which have common vulnerabilities.

Hopefully the below chart illustrates the need to proceed carefully and not respond to sensationalized reports when making design choices.  When the vulnerabilities are shared by all products are attributed to ony a few suppliers, this is not balanced reporting.

Don’t Confuse CyberSecurity With ‘Buy American’

Since the 60s and 70s with transistor electronics and low cost foreign cars, offshore supply has been an issue.  Today,  the globalization of supply is the standard.  Ironically many of the Hikvision chipsets are of American design (US companies like Ambarella).  Their version of the new HD analog trend is based on the American firm Techpoint’s designs.

When American manufactured product is required by law some offshore suppliers will use a technique called “substantive transformation’.  Basically this involves final assembly in the US.  When this is done it does not further cyber-harden the product.

What About GeoPolitically Motivated Vulnerabilities

This is a murky area concerning all of Information Technology since much of the hardware is manufactured in China or elsewhere.   Some observations can be made however.   No nefarious video surveillance backdoors have been found to date.  This is true even despite growing scrutiny.   As discussed above, the majority of surveillance related exploits have involved Western actors or techniques or at least very general vulnerabilities common to all IT equipment.   The exploits reported to date are easily safeguarded using the guidelines provided above.  Consider the following.  Would a supplier be tempted by geopolitical pressures to insert a flaw and risk its global business if this is detected?   Would a foreign government be inclined to pursue this and take the economic risk of notorious disrepute when there are general techniques clearly available?

Enforcing Substantive Cybersecurity Guidelines Should Be The Focus

We spoke of the dynamic growth of surveillance technology but also of the need for caution so as to not expose the enterprise to hacking exploits.   There is the real danger of data theft, video misuse and operational interruptions if we do not cyber-harden security installations.  Hopefully this article provides a better understanding of the nature of the threat and explains the protections even basic and deliberate safeguards will provide.  There is a lot of sensational talk in the industry now.  By looking a little deeper, hopefully you are convinced of what are the true substantive steps which will harden and protect your enterprise from unwanted cyber threats.■

Comments are closed.