Cloud-based video surveillance company Cloudview has published new research showing that, while the majority of CCTV systems may protect an organisation's physical assets, they provide an open door to cyber attackers.
Back in October, SCMagazineUK.com wrote about IoT botnets gaining popularity with hackers, with CCTV botnets reported to be among the most common. Security experts at Incapsula, a cloud-based application delivery platform, first warned about them in March 2014, when they became aware of a steep 240 percent increase in botnet activity on their network, much of it traced back to compromised CCTV cameras.
As well as increasing the volume of attacks, criminals were found to be using multi-vector attacks. Incapsula's figures showed that 81 percent of all network attacks employed at least two different attack methods, with almost 39 percent using three or more different attack methods simultaneously.
Reports show that in 2014, there were 245 million surveillance cameras operating around the world. These numbers, and the lack of cyber-security awareness on the part of many camera owners, are the reasons why CCTV botnets are some of our oldest enemies in the fight against botnets.
There doesn't seem to have been much of a change since October. The new research was carried out by independent consultant Andrew Tierney on behalf of Cloudview and is published in a new white paper ‘Is your CCTV system secure from cyber attack?’. The findings include major vulnerabilities in both traditional DVR-based CCTV systems and cloud-based video systems.
According to the research, the security flaws inherent in almost all CCTV systems make it all too easy for intruders to hijack connections to the device's IP address, putting people, property, data and entire enterprises at risk while leaving operators in breach of Data Protection regulations.
During the research, five routers, DVRs and IP cameras running the latest software were placed on the open internet. One device was breached within minutes and, within 24 hours, two were under the control of an unknown attacker, while a third was left in an unstable state and completely inoperable.
The research showed that vulnerabilities in traditional DVR-based systems ranged from their use of port forwarding and Dynamic DNS to a lack of firmware updates and the existence of manufacturer ‘back doors’ which are often revealed on the internet. Because DVRs have similar capability to a small web server, they can easily be used to launch an attack against the rest of the network or to extract large quantities of data once an attacker has gained access.
Andrew Tierney, the independent consultant who carried out the research, said that “any insecure embedded device connected to the internet is a potential target for attacks, but organisations don't seem to realise that this includes their CCTV system.” He went on to explain that “it can easily provide a gateway to their entire network, enabling anyone with malicious intent to corrupt all their systems or extract huge amounts of data.”
“Distributed denial-of-service (DDoS) attacks are now being triggered through CCTV cameras, showing that cyber criminals have identified them as vulnerable,” added James Wickes, co-founder and CEO of Cloudview.
“Organisations can increase their security immediately by changing user names and passwords from the default to something secure, and they should follow the Information Commissioner's Office and Surveillance Camera Commissioner guidelines by encrypting all their CCTV data both in transit and when it is being stored. I'd also like to see the development of a ‘KiteMark’ to give users the assurance that their CCTV supplier had thought about security.”
Commenting on the research from October, Ofer Gayer, security researcher at Imperva, spoke with SC and said that “the issue is not just the growth of CCTV botnets, but that no one is securing those that have already been discovered. The CCTV botnet Imperva researched last year is still active, and we see malware signatures from it every day. We expect to see new signatures not just from CCTVs, but from network attached storage, network video recorders and other connected devices.”