Security cameras have long been the first
line of defense against crime for many organizations, governments, schools and colleges.
This trend has been around for many
years, and using a security camera is still at the top of the list. According to research carried out by the
Urban Institute,
there is indeed a drop in crime rates when such cameras are installed and
used in the “Right way”. Now let us emphasize the words “Right way”. Nowadays
traditional closed-circuit TV (CCTV) systems have been replaced by IP-based security
cameras, which give customers the functionality of anytime, anywhere
viewing. While many customers may think that this is an advantage to them, it
is actually of just as much benefit to those committing crime.
Now you may wonder why we say so.
In the case of CCTV, all the data,
images etc. would remain “secured”. In the case of IP-based
cameras, on the other hand, all the data is transmitted and available on the World Wide Web.
Figure-1 Funny camera sticker.
It is quite easy to forget the threats that these IP-based cameras could
pose. A simple Google search would answer all the queries regarding the threat
scenario of implementing an unsecured IP-based camera.
IP-based security cameras have
all the vulnerabilities that any other data network possesses. The issue arises
because anyone is able to install a camera, but not everyone is aware of the vulnerabilities
associated with the installation. As
these cameras are easily reachable over the internet, a lot of privacy issues arise and sensitive
information can be accessed. Apart from these vulnerabilities, the important thing
to look at is that many of these cameras run internal web servers on unsecured
channels rather than on a secure channel, i.e. HTTPS. As a result, credentials are
transmitted in clear text over the network.
Another such issue is that these
cameras also run insecure File Transfer Protocol (FTP) sessions instead of more
secure sessions, i.e. SSH. Running a secure session would enable image transfer
between the client and the server in an encrypted format. However, in most
cases the data is not encrypted and is sent over a LAN, MAN or WAN, where unauthorized
users can gain access to sensitive information pertaining to the organization.
The information collected can then be used to attack more networks in
the organization.
This unauthorized access to cameras
is useful for people who are interested in cam spying. Camera manufacturers
use a consistent URL string to access the camera, which allows anyone
capable of using Google to access them. If you Google
“inurl :/view/index.shtml” you will find thousands of such insecure IP-based
cameras. If you are unaware of the search terms to use, there are several
websites available that already have a list of terms that can be used.
Criminals can watch all of this
while sitting in a coffee shop or in their living room. They would have
ample time to plan their attack and take notes regarding the layout,
dimensions, etc. What is even scarier is that most of these cameras have
features such as pan and tilt, which aid the criminal in pointing the camera towards a
specific location and gathering more detailed information regarding the
location. These features can also be used to divert the camera view to another location
when an attack is being performed.
Figure-2 Camera in office.
Figure-3 Camera in a zoo.
As this
information is available from a simple Google search, business entities have a legal
and ethical responsibility not to expose access to such data to the public.
Thus, entities should take measures to implement a security procedure.
These procedures should focus on areas such as ensuring that only authorized personnel are
allowed to have access to the data that is on the server.
Also, as
pointed out earlier, one of the problems is the level of knowledge of the person
installing the surveillance equipment. All such equipment has built-in password
functionality, and some of the more advanced equipment has facilities such as
data encryption. It is the responsibility of the entities to research and
select the equipment which is best suited to the organization according to
its needs. Selecting the equipment is only half the job; verifying that the organization
or installation company has proper installation knowledge is the other half of
the job.
The installer,
who generally has limited knowledge, will install a system with all the default
settings or will leave a weak password, i.e. less than 8 characters and not
having upper, lower and special characters. This returns us to the
point originally raised, i.e. the “Right way” of installation. The installation of
such devices has to be combined with network security in order to truly secure
the business.
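The installation problems described above (web interface not on HTTPS, image transfer over FTP rather than SSH, default settings left in place, weak passwords) can be checked at hand-over time. The following is an added example, not code from the original post; the inventory format, field names and device records are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed inventory (not real devices): one record per installed camera.
# In practice the password check runs when the credential is set; passwords
# are not kept in an inventory file. Field names here are assumptions.
INVENTORY = [
    {"name": "lobby-cam", "web_ui": "http://192.0.2.10/", "transfer": "ftp",
     "password": "admin", "factory_defaults": True},
    {"name": "dock-cam", "web_ui": "https://192.0.2.11/", "transfer": "sftp",
     "password": "Summer2024", "factory_defaults": False},
    {"name": "vault-cam", "web_ui": "https://192.0.2.12/", "transfer": "sftp",
     "password": "c7!Rk#vP2q-Lm", "factory_defaults": False},
]

def password_issues(pw):
    """Apply the article's rule: 8+ characters with upper, lower and special."""
    issues = []
    if len(pw) < 8:
        issues.append("password shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        issues.append("password has no upper-case character")
    if not re.search(r"[a-z]", pw):
        issues.append("password has no lower-case character")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("password has no special character")
    return issues

def audit_camera(cam):
    """Return the list of findings for one inventory record."""
    findings = []
    if urlparse(cam["web_ui"]).scheme.lower() != "https":
        findings.append("web interface is not served over HTTPS")
    if cam["transfer"].lower() not in ("sftp", "scp"):
        findings.append("image transfer is not carried over SSH")
    if cam["factory_defaults"]:
        findings.append("device still runs with default settings")
    findings.extend(password_issues(cam["password"]))
    return findings

def audit(inventory):
    """Map camera name -> findings, keeping only cameras with findings."""
    report = {c["name"]: audit_camera(c) for c in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
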
That’s it for the first part of this blog post. In the second part we will dive into detail on how network intrusion from such devices is to be prevented.