Cracked CCTV

CCTV Handbook 2005 Surveillance

Only a few short years ago a CCTV security system was a standalone unit, now it is more than likely to be integrated into the backbone of a building's IT network. With these changes, what are the new risks and vulnerabilities? Jeff Berg assesses the vulnerabilities of network-based CCTV.

Not so long ago the main complaints about CCTV failure were fairly mundane; 'someone's spray painted the camera', 'someone's stolen the camera', 'the VCR has eaten the tape', 'Maureen has spilt tea in the multiplexer'. With a network type system, there are more high tech worries, especially if it shares your internal PC network or has a wireless node or a broadband connection. So when an opportunity to explore these vulnerabilities came along it seemed like a good idea to exploit it.

Hacking and all that

A couple of years back a letter landed on my desk advertising a 'Hacking Course'; it was expensive, more than double normal rates, but we (myself and my software application engineer, Howard) were doing nothing that November so we signed up for it. Well, we arrived at the venue and met the dozen or so attendees on the course. All of them said they were attending to explore the current vulnerability of their computer networks, maybe, but you could tell there were other motives, and was anyone here from MI5?

The course leader had been hacking from a very early age, and admitted to being out playing football when the police arrived at the family home and had very nearly mistakenly carted his father off to the local nick. From that day he turned away from the dark side and earned his money testing the security of companies' networks.

At this point let me explain about hats. In simple terms a hacker might describe himself as a black hat, or a white hat. A black hat hacker is one that will maliciously attack networks causing as much damage as possible. A white hat is a good guy generally working to test the integrity of his systems and hence build better protection against hacking attacks.

I looked across at Howard and his previously white hat was already becoming grey at the edges.

The course itself was worth every penny, we spent all day hacking into a protected network, came away with a CD full of utilities and the realisation that we had learned more about network security in a day than we had done in the last four years.

By the way, if any of you are contemplating a career change, a R1 million-a-year salary is the going rate for this kind of job in London.

The next day at work was testing time, after the childish switching off of PCs at random, finding out how much everyone earned and deleting the holiday lists, it was time to settle down to some real work.

Hacking a video server

The next step was "what can we do with an attack on a video server?" Well you can shut it down, wipe all the images, change the passwords, virtually anything you like. But most dangerous of all we could gain access to the video server, and from there break into the company network, it was wide open. This was a serious security breach as it bypassed the normal firewalls on the network, effectively a perfect back door.

Now we had identified a potential breach in security we just had to try the same thing with our competitor's video servers. Oops - a very similar result, although to tell you who, what and where would most likely involve a very long stay in the type of institution where you do not pick the soap up off the floor in the communal showers.

Implications

So we showed the software development team what could be done by a half-interested hacker. There was literally a stunned silence followed by a string of repeated expletives mostly beginning with 'f'.

One week later we had a fully implemented firewall across the whole range of equipment. The loopholes were closed one by one, the units could be ping disabled making them invisible on the network, logs of every legal and illegal access were made, ports could be individually disabled, access only accepted from named IP addresses. Locked down tight, as they say in the trade.

The big test

So next thing was to try it all out in anger. We put the unit up on a fixed IP address accessible on the Internet and went home, the challenge being to see who could hack into the unit. Well we did try, all weekend, but it was 'locked down tight'. Monday morning we looked at the log file to see if it had recorded the illegal access attempts. We had a big surprise, the log file was huge, our attempts at access were there but so was a third party's - we tracked them down to Singapore, it looked like robotic software that finds a new Internet address and then hammers it automatically until it either breaks in or gives up for want of something better to do. Over 17 000 attempts at breaking in seems like a little too much activity for a casual hacker. But then that is the reality of living on the Internet, it is a dangerous place and one day someone is going to hit you, not for profit, not for gain, just for a little malicious fun.

Conclusions

So the advice is lock everything down, make sure an IP enabled CCTV has its own firewall if it is broadband or wireless connected. Do not forget passwords and the old adage: The only safe PC is one that is unplugged thrown down a 100 m well that is then filled with concrete, and I am not even sure about that one.

Terminology:

Cracked network - A network that has been breached by a hacker/cracker.

Black Hat - malicious hacker.

White Hat - friendly hacker.

Script Kiddie - derogatory term for someone who uses available hacking tools or compiles previously written scripts with no background knowledge of their operation or the damage that they might cause.

Jeff Berg
Jeff Berg

Jeff Berg is currently working for AD Network Video, part of the AD Holdings/Dedicated Micros Group. He can be contacted on 0944 8705 736482, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Identity, Security & Access Alliance focuses on intelligence and integration
SMART Security Solutions Ideco Biometrics BoomGate Systems Bosch Building Technologies Technews Publishing Integrated Solutions Surveillance Access Control & Identity Management
The Identity, Security & Access Alliance (ISAA) hosted several launch events in Johannesburg in August, showcasing the participating companies’ technical solutions with a primary focus on the solutions made possible by integrating high-quality systems to deliver comprehensive solutions.

Read more...
Make BIG and COMPLEX small and manageable
neaMetrics Suprema AI & Data Analytics Surveillance Integrated Solutions
Traditional CCTV and access systems often operate separately, creating gaps in visibility and efficiency. TRASSIR and Suprema have partnered to develop an integrated platform that improves security, operations, and situational awareness.

Read more...
Get the AI fundamentals right
Technews Publishing SMART Security Solutions Leaderware Editor's Choice Surveillance AI & Data Analytics
Much of the marketing for CCTV AI detection implies the client can just drop the AI into their existing systems and operations, and they will be detecting all criminals and be far more efficient when doing it.

Read more...
SMART Surveillance Conference in Johannesburg
Arteco Global Africa Technews Publishing SMART Security Solutions Axis Communications SA neaMetrics Editor's Choice Surveillance Security Services & Risk Management Logistics (Industry) AI & Data Analytics
SMART Security Solutions hosted its annual SMART Surveillance Conference in Johannesburg in July, welcoming several guests, sponsors, and speakers for an informative and enjoyable day examining the evolution of the surveillance market.

Read more...
LiDAR protects railways from new and existing dangers
Surveillance
3D LiDAR (Light Detection and Ranging) sensors are being installed to monitor rail traffic and ensure safety of passengers as well as individuals walking near the tracks, or trying to perform dangerous stunts for social media.

Read more...
Securing South Africa’s logistics sector
Secutel Technologies Products & Solutions Surveillance Logistics (Industry)
Unlike traditional guarding services, Visual Verifier operates on an ‘Always On’ principle, ensuring continuous 24/7 coverage of warehouses, depots, transit hubs, and delivery points.

Read more...
Unlock the future of security operations in Bloemfontein
DeepAlert News & Events Surveillance
Security professionals and business leaders are invited to revolutionise their offsite monitoring operations at the DeepAlert Product Road Show, taking place on 16 – 17 September 2025, at the Schoemanspark Golf Club, Bloemfontein.

Read more...
Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...
Secure, modernise and optimise CCTV
Surveillance Products & Solutions
Industrial and commercial organisations are navigating complex digital transformation processes. With SecuVue, companies can bridge the gap between operational technology and information technology for safer, smarter operations.

Read more...
Eagle Eye Precision Person & Vehicle Detection
Surveillance Products & Solutions AI & Data Analytics
Eagle Eye’s new Precision Person & Vehicle Detection feature detects people and vehicles at long distances with high accuracy and is especially designed for customers who actively monitor for intruders

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.