The majority of CCTV systems may protect an organisation’s physical assets - but they may also provide an open door to cyber attackers.
Research carried out by independent consultant Andrew Tierney on behalf of a firm called Cloudview has found "major vulnerabilities" in both traditional DVR-based CCTV and cloud-based video systems.
The flaws are claimed to make it "all too easy" for intruders to hijack connections to the device’s IP address, putting people, property, data and entire enterprises at risk while leaving operators in breach of Data Protection regulations.
During the research, for example, five routers, DVRs and IP cameras running the latest software were placed on the open Web.
One device was breached within minutes - and within 24 hours two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable, says Tierney.
Vulnerabilities in traditional DVR-based systems ranged from their use of port forwarding and Dynamic DNS to a lack of firmware updates and the existence of manufacturer ‘back doors’ which are often revealed on the internet.
And because DVRs have similar capability to a small web server, they can easily be used to launch an attack against the rest of the network or to extract large quantities of data once an attacker has gained access, says the study.
Many cloud video solutions also use port forwarding to allow access to RTSP video streams, making them as vulnerable as DVR-based systems, it adds, while other issues include failure to use secure protocols effectively, a lack of encryption, poor cookie security and insecure user and credential management.
“Any insecure embedded device connected to the Internet is a potential target for attacks, but organisations don’t seem to realise that this includes their CCTV system,” said Tierney.
“It can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data.”
“Distributed denial-of-service (DDoS) attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable,” added James Wickes, co-founder and CEO of the company that sponsored his probe.
“Organisations can increase their security immediately by changing user names and passwords from the default to something secure, and they should follow the Information Commissioner’s Office and Surveillance Camera Commissioner guidelines by encrypting all their CCTV data both in transit and when it is being stored.
"I’d also like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security," he added.
The company behind the research, Northampton-based CloudView, claims to offer the world’s first corporate-grade, secure, cloud-based video surveillance system.
The full whitepaper can be downloaded here.