Can Your Security System Be Used Against You?

By SIA on March 21, 2017 | ISC West, SIA Education@ISC |

As of 2015, nearly 300 million IP cameras have been installed around the world. Many of these cameras have been installed with default usernames and passwords and can be accessed from anywhere in the world.

For years, the question has been: How secure is the video that a system produces? But, that question is changing. Now the question is: Can your security system be used against you?

At ISC West on April 5, 2017 from 10 a.m. to 11 a.m., David Brent, a Technical Trainer at Bosch Security Systems Inc., will discuss how most video surveillance cameras are manufactured with an open operating system, or basic kernel, that gives no real consideration to data or cybersecurity. What are the current fundamental considerations that an organization needs to take into consideration before placing an IP camera on their network?

Given all of the cyberbreaches in the last few years, why aren’t more video cameras manufactured with defenses for cybersecurity?

This is a multilayered answer: The threat vector as it pertains to CCTV devices has changed drastically over the last few years, just as the types of attacks have changed across the board. It is no longer can I get to your video, now it is: Can I use your CCTV devices as weapons platforms to launch attacks against you?

In addition, most of the major vendors have had the based attitude of: “Our cameras are just cameras, we provide video.” It’s your network so it is your responsibility to secure it. Some still have this attitude!

I wrote an article in 2012 that addressed threats to video, and I touched on the base sentiment of the industry. This was looking at the actual threat vector at the time: http://www.securityinfowatch.com/article/10838909/david-brent-examines-the-factors-that-contribute-to-the-security-of-a-video-network.

Are you seeing more interest from end users for surveillance cameras that have cyberdefenses?

It is a growing concern with major customers, which is a good thing, but as with everything else it is a double-edged sword. There are currently two hot catch phrases: Vulnerability Scanning and Pen Testing. There is a big difference between the two, but they are regularly and incorrectly interchanged.

Vulnerability Scanning is only looking for “possible” vulnerabilities, not actually testing the vulnerabilities. There may be a possible vulnerability, but that doesn’t mean there is an exploit written for it. There are several software suites (MetaSploit, Nexpose, Open Canvas), all of which will scan an entire site in a few hours with a range of different tests.

Pen Testing is the actual leveraging of a vulnerability, and depending on what you are pen testing it may take days or weeks, or longer.

And there are issues with false positives: Let’s say you have a unique camera with a TPM (Trusted Platform Module) like the chip on your credit card. It is encrypted and comes default with an “unsigned” certificate. The certificate can be signed by your network system so that it can participate in a secured network. You may have a different low-end camera that has no TPM, and it cannot utilize certificates at all. The typical Vulnerability Scan software would say there is a “Unsigned Certificate” issue with the more secure camera, and the low-end camera had no issues.

Overall, customers are becoming aware of cyberconcerns, but they don’t have all of the details.

Where does a camera manufacturer begin in terms of building cyberdefenses into its security cameras?

Bosch has always been ahead of the curve on this. And some of the key players in the industry are working to meet baselines. But there is a balance between feature rich devices and a brick. It is a balancing act. I know of one camera that has almost no profile on the network at all via scanners, but it is also has no horsepower or features. Cameras need to have a TPM, a Closed OS, and little or no network profile via scanner such as an NMAP.

What is the number one takeaway that attendees of this session will receive?

Hopefully, participants will have a better understanding of the difference between Vulnerability Scans and Pen Tests, Hashing vs Encryption, PKI and Certificates, current threats to CCTV Devices via threat vectors, and how all of this can affect the admissibility of their video system.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).