New research from cloud-based video surveillance company Cloudview suggests that the majority of CCTV systems can be hacked, providing an open door to cyber attackers. The report, entitled Is your CCTV system secure from cyber attack?, says there are “major vulnerabilities” in both traditional DVR-based CCTV systems, as well as cloud-based video systems. Hackers can “easily” hijack connections to the device’s IP address, putting a lot of people, their properties and data at risk.
How did they do it? They placed five routers, DVRs and IP cameras on the open internet. They were all running their latest software and firmware. According to the report, one device was hacked within a few minutes, while the rest were done and dusted within a day. They didn’t say which device was the first, and the last to fall, though. They did say that the traditional DVR-based systems had a problem with port forwarding and Dynamic DNS, as well as a problem with firmware updates, leaving the device open to backdoors.
As for cloud video solutions, port forwarding was also an issue, as well as failure to use secure protocols and the lack of encryption. Any insecure embedded device connected to the internet is a potential target for attacks, but organizations don’t seem to realize that this includes their CCTV system,” said Andrew Tierney, the independent consultant who carried out the research. “It can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data”.
“Distributed Denial-of-Service (DDoS) attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable”, added James Wickes, co-founder and CEO of Cloudview. “Organizations can increase their security immediately by changing user names and passwords from the default to something secure, and they should follow the Information Commissioner’s Office and Surveillance Camera Commissioner guidelines by encrypting all their CCTV data both in transit and when it is being stored. I’d also like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security”.