Housing providers rely on CCTV to protect their residents and properties, so many property managers will be worried after reading in the national press last month that MI6 is concerned that some CCTV cameras pose a potential threat to national security.
The article highlighted that China is Britain’s largest supplier of CCTV equipment and expressed grave concerns about the potential security risk, particularly for internet-connected cameras. As a result, the CCTV section of the British Security Industry Association (BSIA) urged operators of IP-connected surveillance systems to do more to safeguard their systems against cyber attacks.
This story reminds us that many CCTV systems are inherently insecure. Independent research (see link at the end of this article) published earlier this year found that several CCTV systems connected to the internet were successfully controlled by an unknown attacker in just 24 hours and had worrying security flaws, providing an open door to the rest of an organisation’s network. It found that both analogue and digital systems are at risk, as are many cloud-based systems.
While the information held by housing providers may not in itself threaten national security, insecure CCTV cameras pose other risks. They are a potential entry point for corruption and Distributed Denial of Service (DDoS) attacks, and make organisations vulnerable to the extraction of sensitive information, breaching the Data Protection Act (DPA). However, the good news is that many of these risks can be prevented by understanding how they arise and taking simple security precautions.
A key vulnerability in traditional DVR-based systems is their use of port forwarding, which effectively creates a ‘hole’ in the firewall, thus compromising the security of the network. The firewall can be configured to only allow certain external IPs (known as IP white-listing), but companies still remain vulnerable to attack.
Many manufacturers recommend using Dynamic DNS, which automatically updates a name server in the Domain Name System (DNS) to enable the user to find the DVR. The problem is that this allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Other problems include a lack of updates to fix bugs identified post-sale and the propensity of manufacturers to include ‘back doors’, which are often revealed on the internet.
Users themselves may exacerbate problems because footage may rarely be looked at and the user interface provides no feedback, so problems may not be discovered until long after a security breach.
Dedicated cloud-based solutions are designed to provide built-in internet connectivity, rather than having it ‘bolted on’, and offer features such as remote video streaming and data back-up in a more reliable and user-friendly way. In principle, they should offer improved security, but they can suffer from vulnerabilities similar to those of DVRs: many cloud video solutions also use port forwarding to allow access to RTSP video streams, making them just as vulnerable as DVR-based systems.
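As an added illustration (not part of the original article, and not Cloudview code), the Python sketch below shows how a network administrator might audit a gateway for the port forwards described above, for DVRs and for RTSP streams alike. It assumes the firewall is Linux iptables and that its rules have been exported with `iptables-save`; the sample rules and addresses are constructed. Allow-listed forwards are still reported, since white-listing narrows the hole in the firewall but does not close it.

```python
import shlex

# Constructed sample of `iptables-save` NAT output from a site gateway (not from the article).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.50:8000
-A PREROUTING -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.51:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.1.52:554
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

RTSP_PORT = "554"  # default RTSP port


def audit_port_forwards(rules_text):
    """Return one finding per DNAT (port-forward) rule in iptables-save text."""
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        # Port forwards are DNAT rules appended to the nat PREROUTING chain.
        if tokens[:2] != ["-A", "PREROUTING"] or "DNAT" not in tokens:
            continue
        opts = {}
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-s", "--dport", "--to-destination"):
                opts[tok] = tokens[i + 1]
        target = opts.get("--to-destination", "")
        source = opts.get("-s")  # absent: any internet host may connect
        findings.append({
            "external_port": opts.get("--dport"),
            "internal_target": target,
            "source": source or "any",
            # The internal port identifies RTSP even when the external port is remapped.
            "rtsp": target.rpartition(":")[2] == RTSP_PORT,
            "exposure": "allow-listed" if source else "open",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_RULES):
        print(finding)
```

Each finding is a forward to review: those marked `open` accept connections from any address, and those marked `rtsp` expose a video stream even when the external port number has been changed.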
The other potential risk with cloud-based solutions is data security. Users need to ensure that their cloud providers have strictly defined controls around the access to, and management of, customer data, and do not share that data with a third party without their explicit consent. To ensure sensitive data is secured both in transit to and while stored in the cloud, organisations need to look for systems that offer authentication, end-to-end encryption with SHA-2 and TLS, and a digital signature to ensure data integrity. They also need to find out where the data is held to ensure they are compliant with data protection regulations.
Intelligent IoT camera adapters are now available which only allow encrypted outbound connections to specific cloud-based services, and can be retrofitted to existing analogue and digital cameras. They connect both types of cameras securely to the cloud using standard internet connections (broadband, 3G or satellite). Authorised users can then access the footage from any device and any location. Because such adapters only require a fraction of the functionality of a full DVR, they are much less useful to a potential attacker.
While these offer a more secure solution to CCTV security, there are two simple steps that organisations can take immediately, whatever system they have installed. First, they should ensure that usernames and passwords have been changed from the default state and are of a sufficient strength to prevent immediate access.
Secondly, they should ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when it is being stored to prevent it from being used for unauthorised purposes.
James Wickes is CEO and co-founder of Cloudview.
To download a copy of the independent research, visit http://bit.do/cyber_attack.
For more information visit www.cloudview.co