CCTV: come on in

Editorial Type: Feature     Date: 03-2016    Views: 1378   







IoT capability is reinvigorating CCTV systems, making them more useful and better at their given task. But without the correct action they also create a cyber-attack target, as James Wickes, CEO and co-founder of Cloudview, explains

The Internet of Things (IoT) is making an impact on CCTV surveillance and monitoring. Systems such as Digital Video Recorders (DVRs) allow stored footage to be accessed using a web browser or app, and users can view live and recorded footage from any location. Dedicated cloud solutions are also available. Convenience and capability aside, opening up CCTV systems to the internet can create a point of entry for intruders unless effective security is implemented. Recent DDoS attacks and research have confirmed that the majority of systems are extremely vulnerable.

DVR-BASED IOT WELCOMES THE CYBER CRIMINAL
Two factors put DVRs at risk. First, they typically use port forwarding to enable IoT functionality. This means punching a hole in the firewall to enable the browser or app to access the DVR, in turn compromising security. Some DVRs recommend using a non-standard port, which may reduce automated attacks, but it makes finding vulnerable DVRs easier, even with white-listing. Many manufacturers recommend Dynamic DNS, which automatically updates the Domain Name System (DNS) entry, but this allows an attacker to find vulnerable devices relatively easily by testing names until they obtain a response.

Secondly, DVRs - often unmonitored black boxes with a reasonable amount of CPU and considerable storage space - provide an ideal platform for mounting attacks and data theft once hacked. Installed systems are largely left to their own devices with few automatic firmware updates, and many manufacturers provide software 'back doors' - which are usually revealed on the internet.

All of these factors combine to make it easy for intruders to hijack connections to a device's IP address. As part of a recent research white paper by Andrew Tierney titled "Is your CCTV system secure from cyber-attack?," five routers, DVRs and IP cameras, running the latest software, were placed on the open internet. One device was breached within minutes and within 24 hours two were controlled by an unknown attacker. A third was left in an unstable and inoperable state. Meanwhile, in October 2015, a major DDoS attack was triggered by malicious requests from around 900 CCTV cameras.
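
As an added illustration (not part of the original article or of the research it cites), the short Python script below reads a router's NAT rules and lists every port forward that leads to a CCTV device, including forwards hidden behind a non-standard external port. It assumes a Linux-based router whose rules can be exported with iptables-save; the sample rules and the CCTV_HOSTS inventory are constructed.

```python
import shlex

# Constructed sample in iptables-save format (assumption: a Linux-based router;
# addresses are private/documentation ranges, not taken from the article).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.1:51820
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Hypothetical inventory: internal addresses of the DVRs and IP cameras on site.
CCTV_HOSTS = {"192.168.1.50"}


def find_cctv_forwards(rules_text, cctv_hosts):
    """Return one finding per DNAT rule that forwards traffic to a CCTV host."""
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if "DNAT" not in tokens or "--to-destination" not in tokens:
            continue
        # Map each option to the token that follows it, e.g. "--dport" -> "8554".
        opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
        host, _, port = opts["--to-destination"].partition(":")
        if host not in cctv_hosts:
            continue
        findings.append({
            "external_port": opts.get("--dport", "any"),
            "internal": f"{host}:{port or 'same'}",
            # No -s match means any internet address can reach the device.
            "source": opts.get("-s", "any"),
            # The device is matched by its internal address and port, so a
            # non-standard external port does not hide an RTSP forward.
            "rtsp": port == "554",
        })
    return findings


if __name__ == "__main__":
    for f in find_cctv_forwards(SAMPLE_RULES, CCTV_HOSTS):
        print(f)
```

Every finding is a hole in the firewall that should be justified or closed; those with a source of "any" are reachable from the whole internet.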

CLOUD SYSTEMS WITH SIMILAR VULNERABILITIES
Dedicated cloud video solutions offer features including remote video streaming and data back-up in a more reliable and user-friendly way. However, they often have the same vulnerabilities as DVRs, using port forwarding to allow access to RTSP video streams. Other issues include failure to use secure protocols effectively, a lack of encryption, poor cookie security and insecure user and credential management.

Data security is another concern. The 1998 Data Protection Act outlines the steps that organisations must take to preserve the confidentiality of gathered data. CCTV users need to ensure that their potential providers have strictly defined controls around their access to and management of customer data. They must not share that data with a third party without explicit consent.

Andrew Tierney carried out a passive survey of popular cloud-based video websites and identified a number of common security mistakes. These included the use of insecure protocols, poor configuration of secure protocols, and a lack of encryption or digital signatures.

Concerned organisations can take steps immediately to increase CCTV system security. First, they should ensure that user names and passwords have been changed from the default and that they are sufficiently strong to resist immediate access. Next, they must comply with the recommendations of the Information Commissioner's Office and the Surveillance Camera Commissioner, with all CCTV data encrypted while in transit and when stored.

I would also like to see the development of a Kitemark to give customers the assurance that their CCTV supplier has thought about their security, and maybe this will come as reputations are built and customer choice is exercised. NC
