Network Communications News (NCN) December 2016 | Page 23

IP security
SPECIAL FEATURE
updates a name server in the Domain Name System (DNS) to enable the user to find the DVR. This allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Many DVRs also run on distinctive ports, so an attacker knows exactly where to look to find them on a server. Further problems are created by manufacturers, who provide few, if any, automatic firmware updates to fix bugs and often include ‘back door’ functionality which is then shared on the web.
To highlight these issues, the independent consultant ran two experiments. First, five routers, DVRs and IP cameras running the latest available firmware, in their default configuration, were placed onto the open Internet. Within minutes, attackers had begun attempting to use common logins; one device fell to this basic intrusion. Within a few hours, each device had been port-scanned, and within 24 hours two had been entirely compromised and were under the control of an unknown attacker. The attacker was free to access the network the device was connected to, install their own software and transfer data back out. Another device was left in an unstable state after an attempted attack, rendering it inoperable.
Secondly, the consultant tested 15 DVRs to look for bugs and manufacturer ‘back doors’ and found that none were free from serious vulnerabilities. Some took many hours to breach, but the majority took less than an hour. Without the ability to update firmware, these vulnerabilities can persist for years, leaving an organisation’s entire network exposed.
There is also a lack of oversight by users because footage may rarely be looked at and the user interface provides no feedback as to what is going on inside the CCTV systems. This means problems may not be discovered until long after a security breach has occurred.
Get off of my cloud!
Not all cloud systems are secure. Dedicated cloud based solutions are designed with built-in Internet connectivity and features such as remote video streaming and data back-up, so in principle should offer improved security. However, most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). A large number of cloud video providers recommend using port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall – creating the same problems discussed earlier.
Image caption: More secure systems should be on the way.
Data security is also a potential concern. The independent consultant carried out a passive survey of popular cloud-based video websites which found many common security mistakes, including use of insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures. However, many cloud based systems offer well thought out security and data protection standards, providing better security for a lower cost. Organisations should look for authentication, end-to-end encryption with SHA-2 and TLS and a digital signature to ensure data integrity. Cloud based systems also provide the physical security of holding data in a remote location, provided it complies with Data Protection regulations.
Intelligent IoT camera adapters are also available which only allow encrypted outbound connections to specific cloud based services, and can be retrofitted to existing analogue and digital cameras. Authorised users can then access the footage from any device and location using standard Internet connections. Such adapters only require a fraction of the processing power of a full DVR, so are much less useful to a potential attacker.
Securing your system
While cloud may offer a medium to long term solution to CCTV security, there are some additional steps that organisations can take immediately to increase the security of their existing systems.
First, they should ensure that usernames and passwords have been changed from the default state and are of sufficient strength to prevent immediate access. Second, they should ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when stored to prevent it being used for unauthorised purposes.
Finally, they may be able to address some of the security issues outlined above, for example looking proactively for software upgrades, using different ports and avoiding Dynamic DNS. They should also make regular checks to ensure that their system is still working correctly and has not been breached.
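The checks above can be run as a routine audit of an organisation's own equipment. The following is an added example, not part of the original article: the inventory fields, the port-forward tuple format, the thresholds and all sample values are constructed assumptions. It flags forwards by their internal port, so an RTSP stream moved to a different external port is still reported as exposed.

```python
from datetime import date

RTSP_PORT = 554  # IANA-registered port for RTSP

# Constructed inventory of an organisation's own devices (hypothetical fields).
DEVICES = [
    {"name": "dvr-lobby", "ip": "192.168.1.20", "user": "admin",
     "password": "admin", "factory_login": ("admin", "admin"),
     "ddns": True, "firmware_date": date(2014, 3, 1)},
    {"name": "cam-dock", "ip": "192.168.1.21", "user": "admin",
     "password": "Xk9!vQ2#pLm7Zr", "factory_login": ("admin", "12345"),
     "ddns": False, "firmware_date": date(2016, 10, 1)},
]

# Constructed router rules: (external_port, internal_ip, internal_port).
FORWARDS = [
    (10554, "192.168.1.20", 554),  # RTSP moved to a non-standard external port
    (8080, "192.168.1.21", 80),
    (443, "192.168.1.99", 443),    # not a CCTV device, ignored by the audit
]

def audit(devices, forwards, today, max_firmware_age_days=365, min_password_len=12):
    """Return sorted (device, finding) pairs for the issues the article lists."""
    findings = []
    by_ip = {d["ip"]: d for d in devices}
    for d in devices:
        if (d["user"], d["password"]) == d["factory_login"]:
            findings.append((d["name"], "default-credentials"))
        elif len(d["password"]) < min_password_len:
            findings.append((d["name"], "weak-password"))
        if d["ddns"]:
            findings.append((d["name"], "dynamic-dns-enabled"))
        if (today - d["firmware_date"]).days > max_firmware_age_days:
            findings.append((d["name"], "firmware-stale"))
    for ext_port, ip, int_port in forwards:
        dev = by_ip.get(ip)
        if dev is None:
            continue  # forward does not point at an inventoried CCTV device
        # Classify by the internal port: remapping the external port does not
        # remove the exposure, it only changes where the service answers.
        kind = "rtsp-exposed" if int_port == RTSP_PORT else "inbound-forward"
        findings.append((dev["name"], f"{kind}:{ext_port}->{int_port}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(DEVICES, FORWARDS, today=date(2016, 12, 1)):
        print(f"{name}: {finding}")
```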
Looking to the future, the European Commission is drafting new cybersecurity requirements to increase security around all IoT devices, including web-connected security cameras, routers and digital video recorders (DVRs). So hopefully we will see new CCTV systems with improved security in the next few years.