Hacker attacks on the network surveillance systems.
The main purpose of the surveillance system is to ensure security while following the general privacy and confidentiality policy of the monitored company or facility. A properly designed and configured system will fulfil its main purpose only when it is protected and secured, i.e. configured for operation, in particular in networks with Internet access.
The companies are witnessing an increase in hacker attacks on autonomous security system devices, including network connected IP cameras and DVRs/NVRs. The devices are targeted due to the lack of security or neglected issues related with the configuration of network security protections. The configuration of access devices (e.g. router) at the output of the local network with a surveillance system connected, providing access to the system via Internet is also important.
Fig. 1. The hacking software tools will use any security loophole in your system...
In many cases, the reason for hacking is not an error or a firmware security loophole, but leaving the “door open” by using the default security configuration.
For IP cameras connected to the Internet and visible online, an unauthorized personnel may gain access to the image stream or camera configuration. An example used as a warning is www.insecam.org where the authors did not even have to hack any devices.
Fig. 2. If your camera is not secured the whole world might be watching!
All that was needed, was a script searching for the camera addresses in the Internet and checking whether those cameras were accessible using a default username and password. The image from all accessed cameras is displayed on the website without the owner’s knowledge. As it turns out, there are thousands of unsecured monitoring cameras everywhere, in offices, warehouses, stores and private homes. When configuring the camera after purchase, the user need to change the default password to prevent the image from being publicly accessible (changing the default configuration and password removes the camera image from the website).
More and more hacker attacks target CCTV recording devices used in the surveillance systems. The attacks may cause a malfunction and delete or damage the device memory. The malware (virus) may transform the device into a robot attacking other computer system or equipment intended for other purposes (e.g. Bitcoin miner). A recording device is a specialized single-board computer for recording video, and is a potential hardware resource that can be used as a “zombie” device to perform malicious tasks.
Fig. 3. Recording device board. A recording device is a fully functional dedicated single-board computer.
A hacker software tool or a virus attacking the device may not only use the default passwords, but also attempt to access the devices protected by weak passwords, changing the default password from “admin” to “admin1” does not improve security and can be predicted by the attacker. Another problem is posed by the service password set by the manufacturer for unlocking the devices if the user password is lost. The service passwords can get into the wrong hands or might be generated randomly, and can be exploited by the attacker (i.e. backdoor).
Thus, besides the configuration of the recording devices, a dedicated network for should be created, including a configuration of all access devices (disabling DMZ function providing unrestricted access to the devices, changing the default communication ports, enabling address filtering) and installation of the latest firmware addressing the latest faults and improving the security level.
Observe the following rules:
Set/change the default password to a strong password (do not use generic passwords i.e. “admin1”, “111111” or ”123456”).
The password should not be easy to guess and should combine different characters and digits. The password should be available to authorized users only. It might be worth considering regularly changing the passwords, to provide additional protection (when assigning a new authorized user or in case of a confidential data leak). Check Onvif authentication settings. Some video cameras may require changing Onvif account password along with the system password.
Disable router’s DMZ function – if required, redirect the ports required for connection only.
A DMZ is a demilitarized zone which allows access from external network to all ports open in a default configuration of the device (the device is outside the router’s firewall). It is not recommended, since most configuration has a TELNET port, most often used during the attacks, open by default. Redirect the ports which are required for device communication only (HTTP, TCP). Do not redirect multiple ports and redirect ports required for specific functions only. If network connected cameras are coupled with a recording device, there is no need to redirect the surveillance system ports for communication purposes, however the recording device ports must be redirected.
The default port 80 is the most attacked port. Changing the default ports makes the attack more difficult.
Enable IP / MAC filter if available.
IP filter indicates specific addresses (network IP or physical MAC addresses) of trusted devices which can remotely connect to the device.
Use CLOUD computing.
A secure cloud guarantees protection of the devices operating in the cloud.
Take a sensible approach to managing your accounts - do not use the same settings/passwords for multiple purposes.
Do not use automatic login function for client applications, in particular, if the PC has multiple users. Username and password should be unique. Using the same passwords for different services and accounts creates a risk in case of a data breach or data theft. These are the additional steps improving the security and preventing unauthorized access. If the system has multiple users, make sure the authorization of every user is relevant for the task performed (not higher than required).
Create dedicated network for CCTV system.
The surveillance system devices should be connected to a dedicated network without any devices with a free access to and from the Internet, as a security measure preventing unauthorized access. If a separate physical network cannot be created, a subnetwork with a pool of IP addresses other than currently used (e.g. 10.10.10.xxx) should be created and the subnetwork mask range should be narrowed to 255.255.255.0). The subnetwork should be accessible via an additional router redirecting all connections between the networks.
Install the latest firmware.
Always check firmware version and available updates. The latest firmware improves security by removing any issues found in the previous versions.
Many network connected cameras and recording devices use a built-in HTTPS with SSL to encode all communication between the devices and prevent password snooping.
Always read the device documentation which contains useful information on the device functions, including the default functions. It is recommended to disable all the functions you are not familiar with. Disable any protocols which will not be used, e.g. UPnP, SNMP, MULTICAST.
If an unauthorized access is suspected, refer to the system logs for relevant information (login date, IP address, functions used).
Remember to install the recording device in a secure location to prevent unauthorized physical access (cabinets, racks, server rooms).
Following the security rules by the surveillance system engineer will guarantee a secure system, where safe and problem-free operation of the system is the best recommendation.