Wednesday, January 29, 2014

Security of Security Cameras - Part 1

Security cameras have been the first step of defense for many organizations, governments, school & colleges. When it comes to defending against crime. This trend has been around for many years and using a security camera is still at the top of the list.  According to research carried out by the urban institute, it shows that indeed there is a drop in the crime rates when such cameras are installed and used in the “Right way”. Now let us emphasize the words “Right Way”. Nowadays the traditional close circuit TV’s (CCTV) have been replaced by IP based security cameras and these give the great functionality of anytime anywhere viewing to its customers. While many customers may think that it is an advantage to them, it is actually of just as much benefit to those committing crime.

Now you may wonder why we say so.

In the case of CCTV, all the data, images etc. would remain ”secured”. Whilst on the other hand in the case of IP based cameras all the data is transmitted and available on the World Wide Web.

Figure -1 Funny camera sticker

It is quite easy to forget the threats that these IP based cameras could pose. A simple google search would answer all the queries regarding the threat scenario of implementing an unsecured IP based camera.

IP based security cameras will have all the vulnerabilities that any other data networks possess. The issue arises when anyone is able to install the camera, but not everyone is aware of the vulnerabilities associated with this installation.  As these are easily available over the internet a lot of privacy issues arise and sensitive information can be accessed. Apart from these vulnerabilities, the important thing to look at is that many of these cameras run internal webservers on unsecured channels rather than a secure channel i.e. https. This enables credentials to be transmitted in clear text over the network.

Another such issue is that these cameras also run unsecure file transfer protocol sessions instead of more secure sessions i.e. SSH. Running a secure session would enable image transfer between the client and the server in an encrypted format. However, in most cases the data is not encrypted and is sent over LAN, MAN or WAN, where unauthorized users can gain access to sensitive information pertaining to the organization. This information that is collected can then be used to attack more networks in the organization.

This unauthorized access to cameras is useful for people who are interested in cam spying. The manufactures of cameras use a consistent URL string to access the camera, therefore, allowing anyone with capabilities of using google the ability to access them. If you Google “inurl :/view/index.shtml” you will find thousands of such insecure IP based camera. If you are unaware of the search terms to use there are several websites available that already have a list of terms that can be used.

The criminals can watch all these while sitting in a coffee shop or sitting in their living room. They would have ample time to plan their attack and take notes regarding the layout, dimensions, etc. What is even scarier is that most of these cameras have features such as pan and tilt which aid the criminal in pointing towards a specific location and gathering more detailed information regarding the location. These can also be used to divert the camera view to another location when an attack is being performed.

Figure-2 Camera in office.
 Figure-3 Camera in a zoo.

As this information is available from a simple google search. Business entities have a legal and ethical responsibility of not exposing access to such data to the public. Thus, the entities should take measures on implementing a security procedure. These procedures should focus on areas such as: only authorized personnel are allowed to have access to the data that is on the server.

Also as pointed out earlier one of the problems is the level of knowledge of the person installing the surveillance equipment. All such equipment has built in password functionality and some of the more advanced equipment have facilities such as data encryption. It is the responsibility of the entities to research and select the equipment which is best suited to the organization according to their needs. Selecting the equipment is only half the job, as the organization / installation company with proper installation knowledge is the other half of the job that needs to be verified.

The installer who generally has limited knowledge will install a system with all the default settings or will leave a weak password i.e. less than 8 characters and not having upper, lower and special characters. Again by this we return to the point originally raised i.e. “Right way” of installation. The installation of such devices has to be combined with network security in order to truly secure the business.

That’s it for the first part of this blog spot in the second part we would be diving into detailed as to how network intrusion is to be prevented from such devices.