Popular Surveillance Cameras Open to Hackers

In a world where security cameras are nearly as ubiquitous as light fixtures, someone is always watching you.

But the watcher might not always be who you think it is.

Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.

The cameras, used by banks, retailers, hotels, hospitals and corporations, are often configured insecurely — thanks to these manufacturer default settings, according to researcher Justin Cacak, senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of the systems to view live footage, archived footage or control the direction and zoom of cameras that are adjustable.

“You can essentially view these devices from anywhere in the world,” Cacak said, noting that he and his security team were able to remotely view footage showing security guards making rounds in facilities, “exceptionally interesting and explicit footage” from cameras placed in public elevators, as well as footage captured by one high-powered camera installed at a college campus, which had the ability to zoom directly into the windows of college dorm rooms.

Cacak and his team were able to view footage as part of penetration tests they conducted for clients to uncover security vulnerabilities in their networks. The team found more than 1,000 closed-circuit TV cameras that were exposed to the internet and thus susceptible to remote compromise, due to inherent vulnerabilities in the systems and to the tendency of the companies to configure them insecurely.

The inherent vulnerabilities, he said, can be found in at least three of the top makers of standalone CCTV systems that he and his researchers examined — MicroDigital, HIVISION, CTRing — as well as a substantial number of other companies that sell rebranded versions of the systems.

CCTV video surveillance systems are deployed at entrances and exits to facilities as well as in areas considered to be sensitive, such as bank vaults, server rooms, research and development labs and areas where expensive equipment is located. Typically, the cameras are easily spotted on ceilings and walls, but they can also be hidden to monitor employees and others without their knowledge.

Obtaining unauthorized access to such systems could allow thieves to case a facility before breaking into it, turn cameras away from areas they don’t want monitored or zoom in on sensitive papers or prototype products at a workstation. The cameras could also be used to spy on hospitals, restaurants and other facilities to identify celebrities and others who enter.

Remote access capability is a convenient feature in many CCTV systems because it allows security personnel to view video feeds and control cameras via the internet with laptops or mobile phones. But it also makes the systems vulnerable to outside hackers, particularly if they’re not set up securely. If the feature is enabled by default upon purchase, customers may not know this is the case or understand that they should take special steps to secure the systems as a result.

“All the ones we found have remote access enabled by default,” Cacak says. “Not all the customers may be aware [of this]…. Because most people view these via console screens, they may not be aware that they can be remotely accessed.”

Compounding the problem is the fact that the systems come deployed with default easy-to-guess passwords that are seldom changed by customers. They also don’t lock out a user after a certain number of incorrect password guesses. This means that even if a customer changes the password, an attacker can crack it through a brute-force attack.

Many of the default passwords Cacak and his team found on CCTV systems were “1234” or “1111.” In most cases the username was “admin” or “user.”

“We find about 70 percent of the systems have not had the default passwords changed,” Cacak said.

Because many customers who use the systems don’t restrict access to computers from trusted networks, nor do they log who is accessing them, Cacak said owners often cannot tell if a remote attacker is in their system viewing video footage from outside the network.

To help companies determine if their CCTV systems are vulnerable, Cacak’s team worked with Rapid7 to produce a module for its Metasploit software targeting CCTV systems made by MicroDigital, HIVISION and CTRing or sold by other companies under a different name. Metasploit is a testing tool used by administrators and security professionals to determine if their systems are vulnerable to attack, but it’s also used by hackers to find and exploit vulnerable systems.

The module can determine if a specific user account, such as “admin,” exists on a targeted CCTV system, and it can also conduct automatic log-in attempts using known default passwords, brute-force the password on systems using unknown passwords, access live as well as recorded CCTV footage, and redirect cameras that are adjustable. HD Moore, chief security officer at Rapid7, said they’re working on a scanner module that will help locate CCTV systems that are connected to the internet.

Earlier this year, Moore and another researcher from Rapid7 found similar vulnerabilities in video-conferencing systems. The researchers found they were able to remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs — all by simply calling in to unsecured videoconferencing systems that they found by doing a scan of the internet.

They were able to listen in on meetings, remotely steer a camera around rooms, as well as zoom in on items in a room to read proprietary information on documents.

Cacak said that customers using CCTV systems should disable remote access if they don’t need it. If they do need it, they should change the default password on the systems to one that is not easily cracked and add filtering to prevent any traffic from non-trusted computers from accessing the systems.
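
As an added example (not from the article, the researchers or any vendor), the Python check below reviews planned settings for one CCTV system against the three pieces of advice above, and shows why swapping a default for another four-digit PIN does not help when the device never locks out. The settings field names, the guessing rate and the one-year threshold are assumptions.

```python
import ipaddress
import string

# Factory passwords named in the article.
DEFAULT_PASSWORDS = {"1234", "1111"}
GUESSES_PER_SECOND = 10  # assumed online guessing rate; the devices never lock out

def keyspace(password):
    """Upper bound on guesses to exhaust the character classes the password uses."""
    classes = (string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)

def review(settings, trusted_nets, min_hours=24 * 365):
    """Check planned settings (hypothetical field names) against the advice above."""
    if not settings["remote_access"]:
        return []
    if not settings["remote_needed"]:
        return ["remote access is not needed: disable it"]
    findings = []
    pw = settings["password"]
    hours = keyspace(pw) / GUESSES_PER_SECOND / 3600
    if pw in DEFAULT_PASSWORDS:
        findings.append("password is a factory default")
    elif hours < min_hours:
        findings.append(
            f"password exhaustible in about {hours:.1f} hours without lockout")
    # Source filtering: every allow rule must sit inside a trusted network.
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    if not settings["allowed_sources"]:
        findings.append("no source filter: login reachable from any address")
    for cidr in settings["allowed_sources"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append(
                f"allow rule {cidr} admits hosts outside the trusted networks")
    return findings

# Constructed sample: a system left as shipped, with 203.0.113.0/24
# (a documentation range) standing in for the owner's trusted network.
AS_SHIPPED = {"remote_access": True, "remote_needed": True,
              "password": "1234", "allowed_sources": []}

if __name__ == "__main__":
    for finding in review(AS_SHIPPED, ["203.0.113.0/24"]):
        print(finding)
```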