With IP cameras, monitoring the security of a premise has become easier to track, record and analyse. However, due to its integration with network setup, it has become prone to hacks and malicious attacks. Even with widespread coverage on the dangers posed by networked security devices, there seems to be very less understanding of the various concerns that may affect your IP camera based security system. Knowing about these threats is the first step to devise a course correction strategy with the aid of security technology experts like Hutaib InfoTech Solutions.
The impact of the Security Breach
Hacks can happen either due to configuration problems, error/oversight by user, problems with the hardware equipment, or the software behind it. Because of these flaws, hackers gain easy access to your networked security systems comprising of multiple gadgets like web cameras and under surveillance systems. These happen majorly because the user didn’t change the default password that came with the security device.
Because of this lapse, scores of cameras are kept in default mode, leaving them vulnerable to hacked broadcast of content. This problem is magnified when these dirty hacks are posted online for other would-be hackers to try their hand.
A real life scenario waspresented by the Security News Desk website. It has posted live feeds of hacked private security cameras in Northern Ireland, without the owners’ permission1. The hack was carried out because factory settings and default passwords weren’t changed for the security equipment upon installation.
No matter how sophisticated the firewall between your networked security systems and the outside world may be, one shouldn’t let his/ her guard down. Take the example of the recent Hack in the Box conference held in Amsterdam. IT experts showcased how they could enter the administrative mode of numerous IP cameras across the world – simply by typing in the user name as ‘admin’. They carried this hack with the help of a search engine, that found nearly 3000 wireless IP cameras to hack into and change administrative settings of the device.
Even when the passwords were changed, hackers could run it through brute force attack, where the attacker runs the password fields through some million or so commonly used words, until it finds the right password. There is a very high probability of entering the system illegally yet successfully simply because the users didn’t care to choose a strong enough password to overwrite the default one. Other instances like proxy hacks and path traversals are also employed by the hacker to gain access to web camera based security systems.
How elementary flaws in design, setup or configuration encourage hacking
Unwanted security breach can also happen because of the inherent design and basics of hardware or software behind the networked security systems. Such flaws in the architecture of either the device or the architectural bridge between servers and device leaves the entire system susceptible to external attacks.
Learning from a live example
We will now look at two of the most rampant attacks on security systems to have happened in recent times that has worldwide impact – Heartbleed and Bash
- Heartbleed – Most of the communication security over Internet is handled by Transport Layer Security(TLS) and its predecessor, Secure Sockets Layer (SSL). These protocols help to authenticate the recipient of the message securely so that the communication happened only between the sender and intended recipient or client and server. As per heartbleed.com vulnerability in the OpenSSL protocols allows hackers to steal sensitive information and passwords that are normally protected by the TLS/SSL encryption methods for Internet based communication.
In order to stay protected from the data breach, you would need to check if your enterprise web camera equipment uses OpenSSL communications or some other form of encrypted communication amongst the devices, network and servers.
In order to ensure total servicing in these venerable times, many companies like Pelco have themselves taken the onus of using a more secure Windows SSL encryption system on their devices and security systems. However, on the other hand, companies like Cisco and D-Link that use the OpenSSL system have taken care of ‘heartbleed’ with appropriate enterprise level notification and patches for the vulnerability. This calls for a double checking of presence of appropriate updates against latest known security hacks with the camera manufacturer by the user.
- Bashdoor – Just like Heartbleed, another reported hack has been causing global alarm with its potential to affect millions of unpatched servers or systems. This is the Bashdoor or Shellshock vulnerability. It uses ‘environment variables’ stored in Unix command processing shells. Reference to these variable in the ‘Bash’ command causes the unintentional execution of unwanted commands, most of which facilitate backdoor entry into the systems to hackers.
Just like Heartbleed, some systems may be open to this while some may not. For instance Axis Communications, Mobotix, Arecont and Panasonic were some of the companies that didn’t use the ‘Bash’ command and hence weren’t affected. Others like QNAP and NUUO that use the command have issued patches and got the firmware updated.
With the help of an IT networking engineer, it will be easy to determine if your system is left vulnerable to security breaches or hacks. They can also help with remedial patches.
Security experts cite that prevention is better than cure. They recommend not integrating your cameras to an external network. However, if this is mandatory then make sure you keep its security high with enhanced firewalls and strict rules. Lastly you can turn off remote configuration facility so that hackers do get access to your enterprise level security systems.