More than ever, cybersecurity has become a key issue, with published vulnerabilities, hacks, and botnets on the rise. Lawyers are rubbing their hands with glee as the debate over video images of people being classified as personal data continues. If images are considered personal data then regulations such as GDPR and other consumer protection laws will apply, meaning fines, litigation and loss of reputation. While regulations such as GDPR are there to govern permission, companies forget that they are based upon the principle that personal data is:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”
That means you have to ensure those images are secure. In just the past 2 years, major vulnerabilities (and their effects) were reported in multiple manufacturers, including:
Hikvision Backdoor Exploit: A hardcoded backdoor which allows attackers full control of Hikvision IP cameras.
Dahua Hard-Coded Credentials Vulnerability: Hard-coded credentials were found in firmware for cameras and NVRs, allowing for rogue firmware uploads.
Geovision 15 Backdoors and Vulnerabilities, including remote root access and clear text credentials
TVT Backdoor, Hardcoded authentication to download remote system configuration - including login and password in clear text
Axis Critical Security Vulnerability: A vulnerability allows attackers to remotely initiate a telnet connection, allowing the attacker to take over the device, reboot it, power it down, etc.
Hacked Dahua Cameras Drive Massive Cyber Attack: As part of the Mirai botnet, hacked Dahua cameras (and others) took down major internet sites and even an entire country.
Because of the severity of these incidents and their increasing frequency, it is critical that users understand the basics of cyber security for surveillance systems, and how to protect against simple attacks at the very least. Two cornerstones of every cyber security standard are secure access control and firmware updates (vulnerability patching). Poor management of passwords and failure to update firmware are still the two main causes of security breaches. According to reports from Unit42 and Verizon, 80% of hacking-related breaches still involve compromised and weak credentials while 29% of all breaches, regardless of attack type, involved the use of stolen credentials. Physical security because it is “connected” has to be at the same level as IT systems.
See IPVM’s Listings of Video Surveillance Cybersecurity Vulnerabilities and Exploits for more information on these and other issues, including new ones as they occur. https://ipvm.com/reports/security-exploits#
Comments