Written by Sean Lyngaas
In a world of hackable things, protocols in surveillance cameras sometimes get overlooked. The cameras used in commercial buildings aren’t necessarily a priority for researchers looking for the next big intrusion, and the devices are often seen as one-dimensional targets that only yield the data they collect.
But that misses the point of how a camera can be a gateway to other devices in a building. Hacking an internet-connected camera could give an attacker a pathway to a device controlling physical access to a facility, for example.
That concern prompted researchers at Forescout Technologies to dissect surveillance cameras in their test lab in the Netherlands. What they found were widely used cameras that rely on weak communication protocols and transmit data over unencrypted channels.
The researchers were able to carry out a “man-in-the-middle attack,” which intercepts and manipulates data, to replace footage recorded by the camera with their own. Altering security footage at an airport, for example, would be of immense interest to anyone wanting to attack the facility.
The four-month research project shines a light on the security practices of surveillance-camera vendors.
“It comes down to awareness,” Elisa Costante, a senior director at Forescout, told CyberScoop. “The customer needs to start demanding certain things so that vendors will actually provide this as the default configuration.”
It’s a pressing matter. The number of Internet of Things (IoT) devices on enterprise networks grows by the day, Costante pointed out. And there are plenty of real-world examples in which hackers have exploited insecure cameras.
Last September, a Romanian woman pleaded guilty to a conspiracy to use police cameras in Washington, D.C., to distribute ransomware in January 2017. More famously, the Mirai botnet took control of a slew of IoT devices, including closed-circuit TV cameras, to temporarily cut off access to the websites of Twitter, PayPal, and others in October 2016.
Policymakers are trying to raise awareness of the problem. A report last year from the departments of Commerce and Homeland Security warned that IoT vendors do not have the cost incentives to build more security into their products. In the United Kingdom, officials are trying to prevent another Mirai by issuing minimum security requirements to surveillance camera vendors.
There are secure versions of the data-transfer protocols used by the cameras, but Forescout researchers said they are rarely implemented. As of mid-July, there were 4.5 million internet-connected devices that were using a streaming protocol that did not encrypt data, according to Forescout.
“The technical solution is there,” Costante said. “It’s about adoption.”
The Forescout analysts, who also examined smart lights and other IoT devices, will present their findings next month at the ICS Village at Def Con in Las Vegas.