More and more, video surveillance systems are based on IP whereby video feeds are transmitted over the network. While this has introduced convenience, the security of the video equipment has also become a concern.
More and more, video surveillance systems are based on IP whereby video feeds are transmitted over the network. While this has enabled further convergence and integration, hackers attacking
video equipment through the network has also become a concern.
According to a
post by Setronics, the goal of
hacking surveillance systems are manifold. The first is to compromise the video surveillance systems function. “Megapixel cameras are generally administered via an application-level web page across Ethernet networks. If the network the cameras are on can be penetrated, then camera video and control can usually be gained by a webpage username and password login,” the post said.
Access live or recorded video and using the surveillance equipment to further breach the enterprise data system are also objectives of hackers, the post mentioned. “In 2015 a cutting-edge financial software company was breached via a poorly installed and unmaintained access control security server running default passwords and out-of-date software,” it said. “Fortunately, customer credit card information was not accessed. This exploit in a high tech startup illustrates that even savvy IT professionals can overlook applying best practices when it comes to their security systems.”
According to the post, hackers can attack video surveillance systems via various methods, including
DDoS attacks, zero-day attacks and through botnets.
“Hundreds of thousands of Mirai bots were discovered to be digital video recorders (DVRs). Many of them were entry-level, low cost models of a few years ago, installed with default access and unmaintained,” the post said. “Devices and modules manufactured by the OEM XiongMai were targeted because of easy access via Telnet passwords. But access was not limited to these entry-level devices, as researchers found evidence of the same vulnerabilities across nearly all surveillance commercial product.”
Cybersecurity policies are key
To make the user’s video system less invulnerable to attacks, cybersecurity policies are key. With that, Setronics suggested the following five guidelines to secure the user’s network against cyber exploits.
Change default passwords to strong ones
According to the post,
strong passwords are neither default or related to the username or domain. “They usually involve at least 8 characters or more with three of the following attributes: letters, numbers, special characters, varied upper and lower case. This applies to both the installer and user passwords. Many suffer from password fatigue as the need for cyberhardening extends across your expanding digital life. A solution might be the password managers or ‘vaults’ growing in use today,” it said.
Turn off and/or change default software ports
This should include primitive access such as Telnet ports and uPnP, the post said. “Necessary ports can usually be changed; otherwise it may be possible to protect them by a firewall,” it said. “Both the integrator and the enterprise IT staff may need to collaborate on this.”
Limit physical and network access
According to the post, the user should use video servers with dual network cards (NIC) and, if possible, keep cameras on a private network and NICs. “Alternately, keep the camera traffic behind a ‘virtual’ or VLAN barrier. Physically lock up network closets (perhaps access control) and enforce MAC addressing of legitimate edge devices,” it said.
Regularly update firmware and software
Video surveillance is catching up to the state-of-the-art and new information on cybersecurity, and firmware and software updates embody the result of this work, the post said, adding more than ever, suppliers are now maintaining updates.
Apply general network expertise and techniques
According to the post, routers and switches have more common access to enterprises and must also be protected. “Clients’ workstations, mobile devices and integrating systems all rely on general network cybersecurity. All stakeholders in enterprise security must be involved for the most complete protection,” the post concluded.