Secure By Default
Updated: Jul 6, 2020
In September 2019, Tony Porter, the UK Surveillance Camera Commissioner, launched “Secure by Default”. Porter believes the Home Office and industry must ensure that only technologies compliant with relevant standards are installed in public and private spaces.
With the cyber threat growing, Secure by Default is a set of baseline standards for manufacturers of video surveillance systems. Apart from covering areas such as pen-testing their equipment, encryption and remote access, it also includes two cornerstones of cybersecurity: password management and firmware updates. While this is a good start, the password and firmware management sections of the standard demonstrate that security camera manufacturers and video management system (VMS) vendors are failing to ensure their security devices are not the weak link allowing criminals access into an organization.
One issue is the lack of the cybersecurity tools that are readily available in IT systems. A camera manufacturer may provide a password management facility on its cameras, but it is not the same as the password management system for the VMS. The same applies to the firmware update process. Two different administration systems that are not integrated mean they can only operate on one camera at a time. They are not fit for purpose in large installations, leaving users to wrestle with a cumbersome, manual, time-consuming process.
Another issue is the human element. Do the integrator’s engineers installing the cameras use a strong password, or are they all using Sysadmin1? When they have personnel changes, do they change the administrator password? The same goes for the end user: is the organization adhering to the same password policy that it has for its connected IT devices?
Organizations might be able to manage passwords on a hundred cameras, but what about thousands of cameras? The same applies to firmware updates. If a critical firmware update is required to patch a known security vulnerability, how is this implemented in large installations when you have to use two separate admin systems? Cybersecurity is a continual process. Firmware updates are constantly released, and devices and personnel continually change, meaning that changing the default password and installing the latest firmware is only the first step of that process.
Criminals now see physical security devices as the low-hanging fruit for an attack. They know that many cameras are focused on simplicity of use and deployment over security. Because IT is more advanced in security tools and more proactive in its processes, physical security devices are seen as the weak spot for a cyberattack. This is borne out by a recent Unit 42 survey that showed security cameras making up 5% of enterprise IoT devices but accounting for 33% of all security issues.
Cybersecurity is not the core discipline of camera manufacturers and VMS vendors. As in IT, customers are going to be reliant upon third-party organizations that monitor and understand constantly changing cyber-attacks and government and industrial cybersecurity standards, and that develop the tools required to ensure physical security devices are as secure as connected IT devices.
What can an attacker do with a security camera?
· In 2016, teen scammers initiated the large-scale Mirai attack, involving more than 600,000 CCTV cameras, to scan big blocks of the internet for open telnet in an attempt to log in using default passwords.
· In the UK, criminals hacked into street cameras to spy on people using ATMs and obtain PIN numbers, which were then passed on to nearby pickpockets.
· In Washington DC, a cyberattack infected the video recording devices that were recording evidence from 123 of a total of 187 security cameras. As a result of this ransomware attack, law enforcement officials could not record video evidence from 4:00 am on January 12th, 2017 to 23:16 on January 15th, 2017.
· In December 2019, the security camera system at Lang Suan prison in the southern province of Chumphon was hacked, and footage showing inmates living in overcrowded conditions was posted on YouTube.
· Criminals can use networked physical security devices as stepping stones in lateral movement to gain access to targeted corporate systems. The Target breach of their EPOS systems, which resulted in shoppers' credit card details being stolen, was the result of criminals gaining access through the refrigeration monitoring systems.