The Internet of Things (IoT) refers to the billions of connected devices that measure, monitor, collect and share information, images and data without human interaction. Enabling these otherwise dumb devices to connect widely and communicate automatically has created extraordinary utility, which in turn has driven exponential growth in both the breadth of use and the number of connected devices.
IoT security has repeatedly been shown to be inadequate, with devices being easily hijacked, enabling a remote attacker to take control of the device, view its data streams and, in some cases, gain access to private networks. This is possible because, broadly speaking, device manufacturers have not been accustomed to working in the hostile, security-conscious environment of the internet, so a large proportion of IoT devices were simply not designed for these operating conditions. Even after widely publicised incidents such as networked coffee machines disrupting an industrial plant's control network, the huge number of new devices being deployed provides malicious actors with innumerable new attack vectors every day.
Given this state of affairs it is not surprising that IoT hacking has been so effective to date. Attackers exploited hundreds of thousands of insecure connected devices to build a botnet that unleashed the largest DDoS attack seen at the time (the Mirai botnet took down the likes of Twitter, Reddit, Netflix and CNN by attacking their DNS provider, Dyn). While that attack used compromised devices against external targets, a compromised device can just as easily serve as a gateway into deeper levels of its own network to find and extract sensitive and valuable private data.
Forbes predicts that by 2025 there will be over 80 billion smart devices on the internet; with much of their embedded firmware insecure and highly vulnerable, this potentially exposes an enormous number of critical systems and private data sources.
Video Surveillance Systems (VSS), built from networked IP cameras and Digital Video Recorders (DVRs), are a subset of the IoT, and because these devices are easy to deploy, network and control, an ever-growing number of VSS are joining the IoT. These systems are often assembled from devices from multiple vendors, which means that, at best, only the simplest standardised protocols protect the system end to end; there is rarely a single security model covering every component.
While security and privacy challenges are the foremost concerns for IoT in general, for Video Surveillance Systems (VSS) these issues pose an even more serious threat to organisations: the devices add an extra layer of abstraction (the visual layer) and are often placed in public, physically accessible locations.
Why is Security Such a Challenge for IoT Devices?
The systems and devices themselves are at risk, and they are also proving to be the "weak link" through which attackers infiltrate an IT system. This is especially true when the devices are connected to the main business network.
Devices of all types across all industries have been hacked. Home devices such as baby monitors and fridges, implanted devices such as pacemakers and drug infusion pumps, and even webcams and coffee machines have all been compromised, posing risks to individuals, companies and nations alike. There are several reasons why smart, connected machines lack security and why the growing interconnectedness of the Internet of Things keeps increasing the cyber risk:
Security was never contemplated in the design or development of many internet-connected devices.
IoT devices are generally short on processing power and memory and therefore cannot embed robust security solutions and strong encryption.
The networks and protocols that connect them often lack any robust end-to-end, hardware-based encryption mechanism.
Search engines for internet-connected devices (such as Shodan) give attackers an entrée into webcams, routers and security systems.
Many IoT devices ship with default passwords (some of which cannot be changed!) that attackers can simply look up online.
Organisations are not prepared for IoT management, neither tracking inventory nor centralising management.
The devices often have "backdoors" that give attackers an opening to take control or inject malicious code.
IP addresses and Machine Identities (MIDs) are often misdirected by network managers (such as large telecoms), allowing data and images to be accessed by the wrong users.
Compounding the weak (or in some cases non-existent) security of the devices themselves is the challenge of keeping up with and applying timely firmware upgrades (where the device supports them) across these mixed environments. This often requires physical access, making the task extremely difficult or nearly impossible.
Humans. Simply put, the human element, whether careless or deliberate sabotage, needs to be removed or at least restricted and monitored.
"So, long story short, the coffee machines are supposed to be connected to their own isolated WiFi network. However, the person installing the coffee machine connected the machine to the internal control room network, and then, when he didn't get internet access, remembered to also connect it to the isolated WiFi network."
OK, so all IoT devices can suffer the same vulnerabilities. Why the focus on VSS then?
While the security issues identified above are certainly true for VSS components, VSS also have some unique issues over and above the obvious risks to data integrity and of serving as an attack vector into other business systems.
VSS devices have been shown to be massively insecure and exploitable, and with the growing number deployed in publicly accessible places the threat is almost visceral.
Despite increasing attention to security from camera and system manufacturers, the devices themselves remain physically vulnerable to exploitation.
Often the published factory default passwords are not changed when cameras are installed, or easily guessed passwords are chosen, leaving cameras exposed to intrusion, including network attacks.
Vulnerabilities and attack vectors multiply with the number of elements in a solution and the exposure of each element to other systems and cloud services. As organisations add artificial intelligence, monitoring and business intelligence, and transmit, match and store more sensitive data, the attack surface grows rapidly.
Compared with other IoT systems, VSS have an additional level of abstraction, the visual layer, which makes novel attacks possible: attacks that exploit the semantics of the imagery and the image-recognition pipeline.
Exploited VSS can also be hijacked to exfiltrate data from networks: by modulating LEDs, camera movements or the images themselves, an attacker can create a bridge between an air-gapped network and the internet.
The installed base of VSS devices is estimated at around 245 million units, with circa 20% (about 50 million) being IP-based, and at least 38% of VSS devices have been shown to be vulnerable to default-credential attacks.
It has been shown that devices infected with malicious code can be triggered to blur parts of images, such as number plates or faces, or to send commands back to the control centre such as "freeze frame" or "stop recording". The trigger for such an exploit can be as simple as a QR code printed on a T-shirt.
So what is being done about it?
While camera and system security is improving, the devices are still largely at risk.
Manufacturers (in many cases) are releasing incremental firmware updates to improve device authentication and security and, where possible, to encrypt data in transit.
Integrators, installers and monitoring firms may add firewall appliances to block outgoing connection attempts from cameras.
Users and integrators interfacing with analytics and monitoring services are sometimes improving security for human access to camera controls and data by adding two-factor authentication for users.
Finally, data collected by the cameras, interpreted by sophisticated analytics engines and stored in specialised or standard repositories, is being encrypted in transit or at rest using standard software encryption methods.
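The egress blocking mentioned above (firewall appliances that stop cameras from initiating outbound connections) is only useful if someone checks that the policy holds and looks at what the cameras tried to do anyway. The following is an added example, not code from this page, VeroGuard or any camera vendor: it runs a camera-VLAN egress policy over constructed firewall log lines. The log format, the 10.20.0.0/24 camera VLAN, the NVR and NTP addresses, the allow-list and every sample line are assumptions made for illustration. It goes a little beyond the paragraph by also flagging the two patterns a practitioner most wants to catch: a camera probing telnet on 23/2323 (how Mirai-class botnets spread by default-credential scanning) and camera-to-camera connections, which legitimate cameras never need.

```python
"""Egress policy check for a camera VLAN, run over constructed firewall log lines.

Added example (not code from the page's vendor or any camera product). The log
format, the 10.20.0.0/24 camera VLAN, the NVR/NTP addresses, the allow-list and
the sample lines are all assumptions constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed layout: cameras live in 10.20.0.0/24 and may talk only to the NVR
# (RTSP + HTTPS) and the site NTP server; 10.0.0.0/8 is the internal space.
CAMERA_NET = ip_network("10.20.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ALLOWED_EGRESS = {
    ip_address("10.20.1.10"): {("tcp", 554), ("tcp", 443)},  # NVR
    ip_address("10.20.1.1"): {("udp", 123)},                 # NTP
}
# Mirai-class botnets spread by probing telnet on 23/2323 for default
# credentials; a camera *initiating* such connections is a compromise indicator.
SCAN_PORTS = {("tcp", 23), ("tcp", 2323)}

# Constructed sample log in an iptables-like key=value form; not real traffic.
SAMPLE_LOG = """\
src=10.20.0.11 dst=10.20.1.10 proto=tcp dport=554
src=10.20.0.11 dst=10.20.1.1 proto=udp dport=123
src=10.20.0.12 dst=10.20.1.10 proto=tcp dport=554
src=10.20.0.12 dst=203.0.113.45 proto=tcp dport=80
src=10.20.0.12 dst=198.51.100.7 proto=tcp dport=23
src=10.20.0.12 dst=10.20.0.13 proto=tcp dport=80
src=10.20.0.13 dst=10.20.1.10 proto=tcp dport=22
src=10.20.0.13 dst=10.40.0.9 proto=tcp dport=445
src=10.30.0.5 dst=198.51.100.7 proto=tcp dport=23
this line is in another format and is skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(dst, proto, dport):
    """Return a violation reason for one camera-originated flow, or None if allowed."""
    key = (proto, dport)
    if key in SCAN_PORTS:
        return "telnet_scan"                    # botnet-style credential scanning
    if dst in CAMERA_NET:
        return "lateral_camera_to_camera"       # cameras never need to talk to each other
    allowed = ALLOWED_EGRESS.get(dst)
    if allowed is not None:
        return None if key in allowed else "unapproved_port_to_trusted_host"
    if not is_internal(dst):
        return "internet_egress"                # camera reaching the internet directly
    return "unapproved_internal_host"           # e.g. poking at the business network


def check_egress(log_text):
    """Parse log lines and return a Finding for every camera flow that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                            # tolerate lines in other formats
        src = ip_address(m["src"])
        if src not in CAMERA_NET:
            continue                            # only the camera VLAN is in scope
        dst = ip_address(m["dst"])
        proto, dport = m["proto"].lower(), int(m["dport"])
        reason = classify(dst, proto, dport)
        if reason:
            findings.append(Finding(str(src), str(dst), proto, dport, reason))
    return findings


def findings_per_camera(findings):
    """Count violations per camera so the noisiest device is investigated first."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    hits = check_egress(SAMPLE_LOG)
    for f in hits:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {f.reason}")
    print(findings_per_camera(hits))
```

On the constructed sample, camera 10.20.0.11 is clean, 10.20.0.12 reaches the internet, probes telnet and talks to a neighbouring camera, and 10.20.0.13 tries SSH to the NVR and SMB to a host on the business network. The point of the allow-list being keyed by destination and port, rather than just destination, is the L34 observation in practice: a camera that may stream RTSP to the NVR has no business opening SSH to it, and a firewall that only filters by address will not catch that.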
Why is VeroGuard a revolution in online and IoT security?
One Unified Platform: VeroGuard is a single platform that guarantees the identity of machines and users so that communication can only take place between verified actors. It improves and extends the closed-circuit nature of the network.
Prevention: VeroGuard is designed to prevent cybercriminal acts by applying bank-to-bank/military-grade security to every communication and every device.
Interoperability and Flexibility: VeroGuard is transparent to operating system and device type, allowing enabled devices and associated servers to participate without significant changes to applications. VeroGuard allows others to plug into the most secure solution available over the internet, protecting both communications and data.
Identity Guarantee: VeroGuard uses a non-repudiable, out-of-band, multi-factor means of authentication developed for the banking industry. It applies to both machines and humans.
Information protection for your network and data: After verifying and validating the parties to a transaction, VeroGuard gives the communication its own encrypted tunnel, regardless of the carrier used for that communication. VeroGuard provides the most secure data protection available at point of capture, in transit and at rest for the internet.
Embedded/IoT devices are the new powerhouse for large-scale and sophisticated attacks, and VSS are particularly exposed because of their number, ease of installation and intended functionality.
Current Video Surveillance Systems have little or insufficient security to protect devices and data against increasingly sophisticated cybercrime.
Current methods of password protection, encryption and additional authentication factors are being breached and will not protect your environment, networks or data from cybercrime: once a cybercriminal hijacks, steals or emulates the tokens, the intrusion is treated as authentic, handing them control of cameras, networks, servers and associated data.
Increasing complexity and integration open more vectors for cybercriminals, including using the "secure" camera systems to infiltrate core business applications and extract your data.
"IoT Reaper has the potential to be much more powerful than Mirai," warned Ken Munro, partner at Pen Test Partners, which has been tracking the threats posed by web-connected cameras of late. "IoT Reaper is also a bit simple - I suspect others will refine it shortly and make it even more effective." - https://www.forbes.com/sites/thomasbrewster/2017/10/23/reaper-botnet-hacking-iot-cctv-iot-cctv-cameras/#1a6e040638f7
“Additionally, adversaries are likely to continue exploring IoT devices (such as CCTV and HVAC units) as an attack vector for air-gapped systems in government and industrial networks.” - news/cyber-security-challenges-2018
Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so. - https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
Hackers break into schools' CCTV system and stream footage of pupils live on the internet - http://www.dailymail.co.uk/news/article-5432769/School-CCTV-systems-hacked-broadcast-online.html
Security cameras show 'HACKED' instead of live feed video - https://www.csoonline.com/article/3227609/security/security-cameras-show-hacked-instead-of-live-feed-video.html
The majority of CCTV cameras can be easily hacked - https://betanews.com/2016/03/10/cctv-cameras-are-easy-to-hack/
Dozens of Canon security cameras hacked in Japan, possibly because factory default passwords weren’t changed - https://www.scmp.com/news/asia/east-asia/article/2144960/dozens-canon-security-cameras-hacked-japan-possibly-because
Washington DC’s surveillance cameras hacked… to send spam. - https://nakedsecurity.sophos.com/2017/12/22/washington-dcs-surveillance-cameras-hacked-to-send-spam/
Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations - http://s3.eurecom.fr/docs/trusted16_costin.pdf