Security camera hack highlights vulnerability in connected devices and systems
Without proper safeguarding, internet-connected cameras and digital video recorders face the potential of being compromised.
A recent hacking incident involving as many as one million Chinese security cameras anddigital video recorders highlights the fact that internet-connected cameras—without proper safeguarding—face the potential of being compromised.
Attackers used Chinese-made, consumer security cameras, digital video recorders, and other devices to generate webpage requests and data that knocked various targets offline, according to a Wall Street Journal article. Those affected by the attack included OVH, a French web hosting provider, and U.S security researcher Brian Krebs, whose website was disabled temporarily. Krebs noted that the issue is a "clear and present threat not just to censorship, but to critical infrastructure."
Among the various applications and markets within the purview of Vision Systems Design coverage, the vulnerability of security and surveillance cameras comes to mind. Tim Matthews, vice president of marketing for the Incapsula product line at Imperva—a company that specializes in web security and mitigating DDoS attacks—notes that last year, his company revealed major vulnerabilities in CCTV cameras as a result of not taking the proper steps to protect against threats.
"Last year, the Imperva research revealed that CCTV cameras in popular destinations, like shopping malls, were being turned into botnets by cybercriminals, as a result of camera operators taking a lax approach to security and failing to change default passwords on the devices," he said. "CCTV cameras are among the most common Internet-of-Things (IoT) devices and Imperva first warnedabout CCTV botnets in March 2014 when it became aware of a steep 240% increase in botnet activity on its network, much of it traced back to compromised CCTV cameras."
He continued, "As we now know, these attacks are happening more often, and millions of CCTV cameras have already been compromised. Whether it be a router, a Wi-Fi access point or a CCTV camera, default factory credentials are only there to be changed upon installation. Imperva recommends following this security protocol of changing default passwords on devices."
Tim Erlin, senior director of IT security and risk strategy at cyber security company Tripwire echoes this sentiment, and notes that in order to use network-connected cameras, regardless of the application, companies should be taking precautionary measures.
"The use of network connected cameras in a recent large scale Distributed Denial of Service (DDoS) attack is a clear example of how a seemingly innocuous connected device might be used for malicious purposes," he said.” Security researchers have been demonstrating attacks against IP cameras for a long time.”
"Preventing attacks against connected devices," he added, "requires effort from both the industry and users. Vendors need to adhere to best practices for built-in security measures, including secure remote access, basic encryption, and patching known vulnerabilities. These systems can’t be deployed without consideration for future security updates, ideally automated updates."
In addition to companies or organizations deploying vision systems or cameras, consumers should also be mindful of potential threats, he suggested.
"Consumers need to deploy systems with security in mind as well. If there are default credentials for access, they need to be changed. Connected devices shouldn’t be deployed directly on the Internet without adequate access control in place. Attackers will find open and accessible systems if they’re available."
Furthermore, a representative from Arbor Networks Inc., a security firm that defended several websites affiliated with the Rio Olympics against similar attacks this summer, told The Wall Street Journal that they found cable set-top boxes and home routers used to bombard the websites with data, and that these attacks reached as much as much as 540 gigabits a second.
Most major companies, organizations, and so on; likely go to great lengths to protect themselves against such an attack. But for those that do not, these examples serve as a lesson that being proactive can pay off in the long run.
Learn more: search the Vision Systems Design Buyer's Guide for companies, new products, press releases, and videos