“Adversaries are likely to continue exploring IoT devices (such as CCTV and HVAC units) as an attack vector for air-gapped systems in government and industrial networks.”
Cert Australia – Cyber Security Challenges of 2018
The Internet of Things (IoT) refers to the growing billions of connected devices that are measuring, monitoring, collecting and sharing information, images and data without the need for human interaction. Enabling these otherwise ‘dumb’ devices to be widely connected and automatically communicate has created extraordinary utility, which in turn has seen exponential growth in the breadth of use and the number of connected devices.
However, IoT security has often been shown to be less than adequate, with devices being easily hijacked - enabling a remote hacker to take control of the device, view device data streams, and in some cases gain access to connected private networks. This has been possible because, broadly speaking, device manufacturers have not been used to working in the hostile and security conscious environment of the internet - with a large proportion of IoT devices simply not being designed for these operating conditions. Even with widely publicised IoT security breaches (such as the hacked coffee machine that brought down an industrial plant), the huge numbers of new devices being deployed are providing malicious actors with innumerable new attack vectors on a daily basis.
Given this state of affairs it not surprising that IoT hacking has been unbelievably effective to date. Hackers were able to exploit thousands of insecure connected devices to create a huge botnet which unleashed the second biggest DDoS attack yet seen (the Mirai botnet attack that brought down the likes of Twitter, Reddit, Netflix and CNN). While this hack used exploited devices to attack external networks, an exploited device could just as easily be used as a gateway into deeper levels of an internal network, to seek out and exfiltrate sensitive and valuable private data.
Forbes predicts that by 2025, there will be over 80 billion smart devices on the internet, and with much of the embedded firmware being insecure and highly vulnerable, this potentially exposes an innumerate number of critical systems and private data sources.
Connected IP-Cameras, Digital Video Recorders (DVR) and Video Surveillance Systems (VSS) are a subset of the IoT, and due to the ease with which these devices can be deployed, networked and controlled, an ever-growing number of VSS are joining the IoT. These systems are often built utilising devices from multiple vendors, meaning they either have simple/standardised security protocols covering the system or they possess no end to end security protocols at all.
While security and privacy challenges remain the foremost concerns for IoT in general, for Video Surveillance Systems (VSS) these issues present an even more serious threat to organisations, as they offer an extra layer of abstraction (visual) combined with the often public placement of these devices.
Why is security such a challenge for IoT devices?
Not only are the systems for IoT and associated devices at risk, but those devices and systems are also proving to be a “weak link” that allows hackers to infiltrate a larger IT system. This is especially true if the devices are linked to the overall business network.
More than 80% of the devices involved in the Mirai attack were IP-Cameras and DVRs.
“So long story short, the coffee machines are supposed to be connected to their own isolated WiFi network. However, the person installing the coffee machine connected the machine to the Internal control room network, and then when he didn’t get internet access remembered to also connect it to the isolated WiFi network.”
(Programmable Logic Controller C10H15N1, shared on Reddit, June 2017)
So, what is being done?
Some of the measures being taken include manufacturers adding incremental firmware to improve device authentication and security, and (where possible) encryption of data in transmission. Integrators, installers and monitoring firms are adding firewall appliances to provide blocks to outgoing connection attempts from cameras. When interfacing with analytics and monitoring services, users and integrators may improve the security for allowing human access to the controls or associated data of cameras and systems by adding TwoFactor Authentication for the users. And data being collected by cameras, interpreted by sophisticated analytical engines and stored in specialised or standard memory repositories is being encrypted (in transit or at rest) using standard software encryption methods.
But while measures like these are improving security for cameras and systems, VSS devices are still largely at risk. Embedded/IoT devices represent the new powerhouse for large-scale or sophisticated attacks and VSS systems are particularly exposed due to their number, ease of installation and intended functionality. Current Video Surveillance Systems have little or insufficient security to protect devices and data from increasingly sophisticated cyber crime, and their increasing complexity and integration opens more vectors for cyber criminals to enter, including using the secure camera systems to infiltrate core business applications and exfiltrate data. Current methods of password protection, encryption and increased factors of authentication may not be sufficient to protect an environment, network or data from cyber crime as they all contain inherent vulnerabilities that can be breached. In fact, if a cyber criminal hijacks, steals or emulates the security tokens - taking control of camera’s, networks, servers and/or associated data- the intrusion may even be assumed to be authentic.
With each new published data breach or ransomware story seeming exponentially bigger than the last, now is the time for us all to stop and examine the threats that the IoT enabled VSS pose. And it may also be time to seek out and develop new identity management and security technologies that are capable of keeping up with this ever expanding IoT universe.
About the Author
Nic Nuske, Co-CEO of VeroGuard Systems
Australian based VeroGuard Systems provides world leading cyber security to all levels of business. Developed from the technology underpinning ATM and mobile Eftpos, Vero’s unique system delivers secure cloud data storage, universal digital identity management, ultra-secure online transactions and seamless digital solution integration.
Further Reading
“Additionally, adversaries are likely to continue exploring IoT devices (such as CCTV and HVAC units) as an attack vector for air-gapped systems in government and industrial networks.”
https://www.cert.gov.au/news/cyber-security-challenges-2018
Hackers break into schools' CCTV system and stream footage of pupils live on the internet
http://www.dailymail.co.uk/news/article-5432769/School-CCTV-systems-hacked-broadcast-online.html
Security cameras show 'HACKED' instead of live feed video
The majority of CCTV camera’s can be easily hacked
https://betanews.com/2016/03/10/cctv-cameras-are-easy-to-hack/
Dozens of Canon security cameras hacked in Japan, possibly because factory default passwords weren’t changed
Washington DC’s surveillance cameras hacked… to send spam
https://nakedsecurity.sophos.com/2017/12/22/washington-dcs-surveillance-cameras-hacked-to-send-spam/
Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations