Video surveillance, closed circuit TV and IP-camera systems are virtually omnipresent and indispensable for many organizations, businesses, and users. Their main purposes are to provide physical security, increase safety, and prevent crime. However, they’re increasingly Internet connected, demand driven by the desire for remote access and control, integration, and drastically reduced cloud storage costs. Typically, as you increase availability and access to any network device, it potentially increases exposure to cyber threats. As a result the security camera has fast become one of the most vulnerable and prolific IoT devices with approximately 245million cameras operating around the world.
Cyber security vulnerabilities make the device susceptible to sniffing, Man in the Middle Attacks, jamming, spoofing and botnet attacks. Cyber attacks on security cameras can result in events such as switching off motion sensors, remotely opening access control devices (locks), or redirect/switch off of surveillance equipment. More serious breaches are designed to access the network the camera sits on to harvest data, such as passwords, social security numbers, credit card numbers, addresses, telephone numbers, and other personal information. The data is then used for nefarious purposes, such as identity theft, credit card fraud, spamming, website attacks, and malware distribution.
Insufficient authentication and authorization:
Perhaps the largest and certainly most reported vulnerability is the lack of vendor security awareness as shown when products are shipped with default passwords and management interfaces are public facing. Since device owners often fail to change factory default user credentials, these are exposed to hacks. For instance, Mirai malware is designed to scan the Internet for insecure connected devices. Once it identifies an insecure device, the malware tries to log in with a series of common default passwords used by manufacturers. If those passwords don't work, then Mirai uses brute force attacks to guess the password. Once a device is compromised, it connects to C&C infrastructure and can divert varying amounts of traffic toward a Distributed Denial of Service target.
Several powerful, record-setting DDoS attacks were observed in late 2016, and were later traced to the Mirai Botnet. The DDoS traffic was produced by a variety of connected devices, including CCTV cameras.
Insecure web interface:
Security concerns with video surveillance system user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text.
Device Authority’s KeyScaler™ enables rapid deployment and on-going security management for deployments through automated device registration, certificate generation and provisioning and password management. This includes automated certificate lifecycle management with policy-driven revocation and renewal. For example, KeyScaler™ can automatically revoke and renew credentials when employees leave – eliminating a company’s liability.