Visual surveillance is more integral to society than ever before, helping organisations to safeguard their most valuable assets. However, the DVR systems traditionally employed in CCTV networks can make those very organisations vulnerable. This paper will explore the ways in which even well known DVR systems are exposed to external cyberattack, often acting as a potential entry point for wider corruption or extraction of network information.
Many DVRs allow users to view live or recorded footage remotely using a web browser or app, typically using ‘port forwarding’ to enable this functionality. At the heart of most organisations’ security protocols is their firewall. This works by preventing all inbound connections to a device, so there is no way for the DVR to form a direct connection to the Internet. To get around this and enable port forwarding, a hole is punched in the firewall, and connections are forwarded to the DVR. The browser or app can now reach through the firewall and access the DVR, allowing users to connect remotely. However, with an open hole in the security perimeter, anyone can get in.
The security of the network is now entirely compromised by the DVR.
A number of DVRs automatically set up port forwarding rules without notifying the user. The DVR simply asks the router to set up port forwarding. This makes set-up easier, but at the expense of weakened security.
Some DVRs recommend running on a non-standard port. Although this may reduce the number of untargeted automated attacks, an unusual port is itself a fingerprint, and so makes vulnerable DVRs of that type easier to pick out.
Finding vulnerable devices
Everything connected to the Internet is identified by an IP address, so when using port forwarding to access the DVR, its IP address needs to be known. As a result, many manufacturers recommend using Dynamic DNS, which automatically updates a name record in the Domain Name System (DNS) whenever the DVR's address changes.
However, Dynamic DNS also allows an attacker to find hundreds, or even thousands, of vulnerable devices relatively easily. They simply need to test as many names as possible until they get a response; an IP address is only returned for a name that is in use. When specifically targeting DVRs, an attacker does not need to scour the entire Internet, but need only search the domains used by known brands.
Nowadays, everyone is familiar with companies releasing software updates. When a bug or vulnerability is found, the software company will develop a fix and deploy it to users, often using an automated mechanism.
However, automatic DVR firmware updates are almost unheard of. For a large number of devices, there may only be a couple of firmware updates to fix the most serious of bugs. Once the DVR is a few months old, and of no commercial interest to the manufacturer, updates generally cease, leaving companies vulnerable to attack.
Even when manufacturers do update the firmware, it is often only a small subset of the entire system. This means that they update the programs developed to handle the DVR functionality, but not the underlying operating system. An analogy would be running an up-to-date web browser on a Windows 95 machine. The browser may be secure, but the underlying operating system is so riddled with holes that it does not matter. You have locked the door, but left the windows wide open.
Generally, the first signs of a malware infection on a PC are unwanted pop-ups, a general slow-down, continuous network and disk activity, strangely-named processes or alerts from anti-virus software. Now imagine that the PC is rarely used, and when it is used, it runs a cut-down user interface with no anti-virus software. How can problems be detected? The simple answer is that they can’t.
The same issues exist with a DVR. It will rarely be used; live footage might be looked at now and then, and recorded footage even less frequently. The user interface provides no feedback as to what is going on inside.
Vulnerabilities are common
Any complex system will have some vulnerabilities, whether obvious or very subtle. Unfortunately, the majority of DVR software is not built by highly skilled developers. Many manufacturers only require that the software works immediately. Often, the mistakes are avoidable: common errors such as unbounded memory access, SQL injection, and default credentials.
Security, then, is often an afterthought. Consequently, many systems acquire security features only as and when their weak points are uncovered by third parties. Of more than 15 DVRs tested by an independent consultant, none was free from serious vulnerabilities. Some took many hours to breach, but the majority took less than an hour. Without the ability to update firmware, such backdoor vulnerabilities can persist for years, leaving a business's entire network exposed.
Inside a DVR is a powerful and highly capable computer, normally running a full operating system. There is little difference between a DVR and a small web server; this makes DVRs ideal machines for launching an attack against your network. In comparison, a router or internet-connected thermostat is far more limited, while many IoT devices have slow network connections, limited processing power and very little storage space.
This ability of a DVR to be used to launch an attack against the rest of a network makes the use of a cloud-based system even more compelling.
Insecurity of cloud video solutions
Cloud video solutions are a newer breed of video surveillance systems which are beginning to replace traditional DVRs. Unlike DVR systems which have bolted on Internet features along the way, dedicated cloud video solutions have been built to take advantage of the Internet from day one, offering features such as remote video streaming and data back-up in a more reliable and user-friendly way. However, they often suffer from the same vulnerabilities as those found in traditional DVRs.
Inbound RTSP connections to IP cameras
Most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). This allows video from the camera to be viewed from another machine. RTSP is very widely used; a scan of the Internet shows that there are about 2.4 million devices running RTSP. Approximately 1.3 million of these have no authentication at all, with many allowing an attacker to freely view live video remotely.
Just as with most traditional DVRs, a large number of cloud video providers recommend port forwarding to allow access to the RTSP stream from outside the firewall.
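As an added example (not from the white paper or any vendor's code), a small Go check that an administrator can point at their own camera to confirm the RTSP endpoint demands credentials before it is exposed through the firewall. It sends the DESCRIBE request every RTSP client issues first and classifies the reply; the status codes and header are standard RTSP, while the address, path and timeout are assumptions supplied by the caller.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// AuthState is what a camera's reply to an unauthenticated RTSP DESCRIBE reveals.
type AuthState struct {
	Status    int
	Protected bool   // true when the camera demanded credentials (401)
	Scheme    string // "Basic" or "Digest" when Protected; Basic sends the password in the clear
}

// ClassifyResponse reads the status line and WWW-Authenticate header: 200 means the stream is
// open to anyone who can reach the port, 401 means a password is required, other codes pass through.
func ClassifyResponse(raw string) (AuthState, error) {
	st, ver := AuthState{}, ""
	if _, err := fmt.Sscanf(raw, "%s %d", &ver, &st.Status); err != nil || !strings.HasPrefix(ver, "RTSP/") {
		return AuthState{}, fmt.Errorf("not an RTSP status line: %.40q", raw)
	}
	st.Protected = st.Status == 401
	for _, h := range strings.Split(raw, "\r\n") {
		k, v, _ := strings.Cut(h, ":")
		if f := strings.Fields(v); strings.EqualFold(strings.TrimSpace(k), "WWW-Authenticate") && len(f) > 0 {
			st.Scheme = f[0] // the scheme token precedes the realm/nonce parameters
		}
	}
	return st, nil
}

// Probe sends one DESCRIBE to a camera you administer (addr is host:port, path the stream path,
// both assumed inputs); run it before forwarding port 554 to the device, and again afterwards.
func Probe(addr, path string, timeout time.Duration) (AuthState, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return AuthState{}, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	fmt.Fprintf(conn, "DESCRIBE rtsp://%s%s RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n\r\n", addr, path)
	buf := make([]byte, 4096)
	n, err := conn.Read(buf) // a failed write surfaces here as a read error or timeout
	if err != nil {
		return AuthState{}, err
	}
	return ClassifyResponse(string(buf[:n]))
}
```

A camera that answers 200 here will hand its stream to anyone who can reach the port; one that answers 401 with Basic still exposes the password to anyone watching the link.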
Poor website security
Cloudview’s recent passive survey of 24 popular cloud-based video websites showed that many of them were making common security mistakes. These include:
1. Use of insecure protocols: A number of the sites did not use secure protocols to ensure that communication between the user and the site was secure. Using standard web protocol (HTTP) allows an attacker to either passively monitor, or actively tamper with, communications. Usernames and passwords can be gathered, or videos viewed.
2. Poor configuration or implementation of secure protocols: While some sites did use secure protocols, they made mistakes in their configuration, massively reducing security. A significant number of sites were still found to support options that are known to be insecure. These allow an attacker to downgrade the user’s connection, giving the impression that the connection is secure when it is not.
3. No encryption or digital signatures: Encrypting the communication link is only part of the picture. Once that data has reached the cloud, how is it protected from unauthorised access, and what happens if the cloud system itself is breached?
Further to this, few cloud-based providers ensure the integrity of the data. How can users be sure that the video they are viewing is not from two weeks ago? How can the police be sure the video has not been tampered with? This is where digital signatures are required. A digital signature, which is difficult to forge yet easy to verify, proves that a particular device handled a given piece of data. However, few cloud-based providers use digital signatures.
4. Common website vulnerabilities: Nearly all the surveyed sites were also found to have one or more other vulnerabilities.
5. No controls around access to customer data.
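An added example, not from the white paper or any product, of the signing scheme that item 3 calls for: in Go, the camera signs each video chunk together with its sequence number and capture time using a per-device Ed25519 key, and the verifier refuses altered chunks, missing or reordered segments, and footage older than a freshness window, so two-week-old video cannot be passed off as live. The record layout and the freshness rule are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// SignedSegment is what a camera uploads with each chunk of video. Assumed layout (not any
// vendor's): an Ed25519 signature over seq || unix-time || chunk, binding content, order and time.
type SignedSegment struct {
	Seq   uint64
	Time  int64 // unix seconds at capture
	Chunk []byte
	Sig   []byte
}

// NewCameraKey makes the per-device key pair; the private half never leaves the camera.
func NewCameraKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on a healthy system
	return pub, priv
}
// canonical is the exact byte string that gets signed; camera and verifier must agree on it.
func canonical(seq uint64, t int64, chunk []byte) []byte {
	b := make([]byte, 16, 16+len(chunk))
	binary.BigEndian.PutUint64(b[:8], seq)
	binary.BigEndian.PutUint64(b[8:], uint64(t))
	return append(b, chunk...)
}
// Sign runs on the camera as each chunk is captured.
func Sign(priv ed25519.PrivateKey, seq uint64, t int64, chunk []byte) SignedSegment {
	return SignedSegment{Seq: seq, Time: t, Chunk: chunk, Sig: ed25519.Sign(priv, canonical(seq, t, chunk))}
}
// Verify runs at the viewer or in the cloud: an altered chunk or forged record fails the signature,
// a gap or reordering breaks the sequence, and footage older than maxAge is refused (no replaying old video).
func Verify(pub ed25519.PublicKey, segs []SignedSegment, now time.Time, maxAge time.Duration, firstSeq uint64) error {
	for i, s := range segs {
		switch {
		case !ed25519.Verify(pub, canonical(s.Seq, s.Time, s.Chunk), s.Sig):
			return fmt.Errorf("seq %d: signature invalid (forged record or altered chunk)", s.Seq)
		case s.Seq != firstSeq+uint64(i):
			return fmt.Errorf("seq %d: expected %d (missing or reordered segment)", s.Seq, firstSeq+uint64(i))
		case now.Sub(time.Unix(s.Time, 0)) > maxAge:
			return fmt.Errorf("seq %d: footage is %s old, limit %s", s.Seq, now.Sub(time.Unix(s.Time, 0)), maxAge)
		}
	}
	return nil
}
```

The cloud side stores the signed records alongside the chunks, so a later viewer (or the police) can re-run Verify against the camera's public key rather than trust the provider's word.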
Beyond this, many cloud-based providers have clauses allowing them to share data with third parties. However, when we are talking about sensitive data such as CCTV stored on a server as part of a paid-for service, there should be no need to share user data with a third party without the explicit consent of the user.
It should be clear that neither traditional DVRs nor newer cloud video systems provide the high levels of security necessary for the protection of sensitive data gathered by visual surveillance operators. Not only are such systems vulnerable to attack from external forces – compromising the security of the entire network – but the operators themselves are also in danger of failing to comply with data protection legislation. Indeed, very few operators currently reach the standards required, due to the failure of manufacturers to provide adequate access and storage controls, implement protocols or defend against malevolent intrusions.
As visual surveillance grows ever more important, companies must move away from the inherent vulnerabilities of DVRs and IP cameras and embrace the technology of the cloud – provided that the cloud solution has the necessary security safeguards to mitigate the common flaws outlined above. Security cannot be bolted on. Services must be designed to be secure from the ground up; and if organisations are to protect their assets effectively, transparent security must be at the top of the agenda.
This white paper has been shortened. The full version is available at http://www.cloudview.co/dls/white/cyber-attack-white-paper.pdf (short URL: http://goo.gl/SFpp9v).
© Technews Publishing (Pty) Ltd | All Rights Reserved