A log in the eye: what vulnerabilities do CCTV systems have

Finding a piece of the earth’s surface that does not fall into the field of view of any camera is becoming increasingly difficult when it comes to more or less large cities. It seems a little more, and there will come that very bright future in which criminals cannot escape from vigilant justice, and people will live happily and carefree, because back in 2009, in 95% of cases, Scotland Yard used video surveillance cameras as evidence of the murderers' guilt . Unfortunately, this utopia is far from reality. And not least because surveillance cameras have vulnerabilities. Let's talk about what vulnerabilities are most common in video surveillance systems, discuss their causes and consider ways to make the operation of such devices safer.



The number of CCTV cameras is growing rapidly around the world. In the UK, there are about 185 million eyes of Big Brother . More than half a million of them are watching the inhabitants of London. For 14 people there is one camera . In second place among European cities is Moscow. During 2019, the number of cameras will exceed 174 thousand, and some of them are already connected to the face recognition system. By the end of the year, more than 100 thousand video streams will be sent to automated recognition.

At the same time, CCTV cameras are not only optics and memory. Each of them actually contains a minicomputer with an operating system and utilities. If the cameras are connected to the Internet, it means that they have a TCP / IP network stack with all known and not very vulnerabilities. Developers who use vulnerable versions of the OS or who specify the SSID and password in the code without the possibility of changing the code deserve the most severe punishment, but unfortunately, this will not help to make their company's products safe. The situation is aggravated by the appearance of intelligence in cameras, and it does not matter if it is built into the camera itself or works in a data center to which video data is transmitted. In any case, a vulnerable device will become a source of problems, and the higher the intelligence of the system, the more diverse these problems.



Security cameras are becoming more technically advanced, which cannot be said about the quality of their software. Here are just a few of the vulnerabilities recorded in the cameras of various manufacturers by the IPVM research company in 2018:

• in December 2018, a buffer overflow CVE-2018-19036 was detected in the Bosch IP camera that allowed an attacker to execute code without authorization on the device;
• in August 2018 , a vulnerability was fixed in Hikvision IP cameras that provided an attacker with privileged access to the device and its use for attacks;
• July 2018 brought news of an error in Sony IPELA E cameras: a specially designed HTTP GET request led to unauthorized execution of commands ;
• June 2018 - VDOO publication on seven zero-day vulnerabilities in Axis IP cameras , allowing to take control of cameras and gain root access.
• Camera vulnerabilities can be divided into two large groups - production vulnerabilities and use vulnerabilities.

Production vulnerabilities

This includes all the problems associated with the implementation of the functionality of IP cameras. The main one is that the cost of the hardware of the cameras is much less than the cost of developing firmware. The result of companies' desire to save money is the strangest decisions, for example,

• non-renewable firmware or firmware without automatic updating,
• the ability to access the web interface of the camera by repeatedly trying to enter the wrong password or clicking the "Cancel" button
• open access to all cameras from the manufacturer’s website,
• non-disconnect factory service account with or without a standard password (this vulnerability was used in 2016 by the hacker group Lizard Squad to create a DDoS botnet with attack power up to 400 GB / s from surveillance cameras),
• the possibility of unauthorized changes to settings even when authorization is enabled and anonymous access is denied,
• lack of encryption of the video stream and / or transfer of credentials in clear form,
• Using a vulnerable GoAhead web server
• replication of vulnerable firmware (common among Chinese device manufacturers),
• vulnerabilities of video storage devices - for example, recently information was published about the penetration of malware that removes or encrypts files and extorts ransom on network drives of Synology and Lenovo Iomega .

Use Vulnerabilities

Even if camera manufacturers correct all errors and issue cameras that are ideal from a security point of view, this will not save the situation, because man-made vulnerabilities will not go away, the reason for which is the people who service the equipment:

• use of default passwords if you can change them;
• disable encryption or VPN if the camera allows it to be used (in fairness, we say that not all cameras have sufficient performance for this mode of operation, turning this method of protection into a clear declaration );
• disabling automatic updating of camera firmware;
• forgetfulness or negligence of an administrator who does not update the firmware of a device that does not know how to do this automatically.

How to find vulnerabilities?

Easily. Many owners of IP cameras believe that if they do not publish information about them anywhere, no one will know about them and will not try to crack them. Surprisingly, such carelessness is a fairly common occurrence. Meanwhile, there are many tools that automate the search for cameras available via the Internet.



Shodan







It has its own query language and allows, among other things, to find cameras in any city or country. When you click on a host, it displays detailed information about it.



Zoomeye







Search service on IoT. Search for IP cameras - “device: media device”.



Censys







Another advanced service for finding a wide variety of network devices. The query “metadata.manufacturer:“ axis ”will list Internet-connected cameras released by Axis.



Google



The main search engine of the planet at the height and in the search for IP cameras. By specifying something like “inurl:“ viewerframe? Mode = ”” or “inurl:“ videostream.cgi ”” in the search bar, you can also get a list of cameras available via the Internet.

Exploitation of vulnerabilities

Of course, cybercriminals do not manually search for bugs. All the black work is performed by scripts that select cameras from the list, breaking them will bring financial benefits. For example, you can create a botnet to conduct custom DDoS attacks or direct extortion , as the authors of the malware Mirai, who took control of half a million vulnerable IoT devices around the world, did.



Botnet creation



A botnet is a group of several computers and / or devices combined under the control of one or more command servers. Special software is installed on the devices, which, upon command from the center, performs various tasks. This can be spamming, traffic proxying, DDoS and even cryptocurrency mining.



Blackmail



The seizure of control over cameras and video recorders makes it possible to observe the private lives of people, among which there may be statesmen and simply famous personalities. Publishing a video with their participation can cause a scandal and damage the reputation of the owner, which means that the threat of disclosure is a serious motive for demanding a ransom.



Concealment of Crimes

Films often show how criminals swap the video stream on cameras to rob a bank or infiltrate a secret base. It would seem that with the transition to digital technology, image substitution should become impossible, but this is not so. To replace the recording on the IP camera, enough

1. get the RTSP link for the camera whose stream you want to replace,
2. using this link, record the stream to a video file,
3. play recorded video in streaming mode,
4. protect against secondary flow swapping.

Obviously, having a recorded video file, you can do a lot of interesting things with it, for example, remove “extra” fragments or add new ones.



Separately, it is worth mentioning modern smart cameras with facial recognition. Such systems are successfully operated in China, Russia and other countries.



In 2017, a BBC journalist found out that in order to apprehend a criminal using the Chinese face recognition system, only seven minutes are enough .



Depending on the implementation, the image can be compared with the reference database on a special server or directly on the camera. Both methods have their advantages and disadvantages:

• cameras with built-in recognition have a more powerful hardware base and therefore are much more expensive than ordinary cameras, but they do not transmit a video stream to the server, but only metadata with recognition results;
• recognition on the server requires the transmission of the entire video stream, which means it requires a wider communication channel and limits the number of cameras that can be connected, but each camera is several times cheaper.

From the point of view of criminal exploitation, both options are equivalent, since hackers can:

• intercept the stream and replace the video data,
• intercept the stream and replace metadata,
• hack the recognition server and falsify images in a reference database,
• hack the camera and modify its software, or change the settings.

Thus, even intelligent recognition does not exclude the possibility of achieving a false positive system, or, conversely, to make the criminal remain invisible.

How to protect yourself

Update firmware



Outdated firmware is most likely to contain vulnerabilities that can be exploited by hackers to take control of the camera or infiltrate the video storage.



Enable Encryption



Encryption of traffic between the camera and the server protects against MiTM attacks and interception of credentials



Turn on OSD



If your cameras cannot handle encryption, turn on the date and time stamp on the video. Then changing the picture will become more difficult.



Filter IP



Limit the range of addresses from which you can connect to your video surveillance system. White lists and ACLs will limit freedom of action for attackers.



Change default passwords



Let this be the first step when installing new cameras or installing a system.



Enable mandatory authorization



Even if it seems that at the setup stage the lack of authorization will simplify the work, turn it on immediately.



Do not put cameras on the Internet



Think about whether you really need access to surveillance cameras over the Internet. If not, let them work inside the local network.