A Defense Playbook for Disseminating CCTV Cyber Security Threats
In the eternal battle against cybercriminals, all technological advances bring new opportunities for cybercriminals to ply their trade. Camellia Chan, CEO and founder of X-PHY, takes a close look at CCTV cybersecurity threats and how vulnerabilities can be better protected.
It can be especially annoying when criminals turn our own security technologies against us, as they do in closed-circuit television (CCTV), IoT and other video security devices. In 2021, a the hacker collective gained access to 149,000 recordings from security cameras in their invasion of cloud video security startup Verkada’s systems. In June and September this year, groups of Iranian dissidents hacked thousands of Iranian surveillance cameras in two separate attacks, both motivated by political dissent. Hackers don’t stop at making political statements. They also target CCTV sources with less effort to steal identities or stalk victims, targeting ATMs, residential doorbell cameras or traffic cameras. Let’s look at the vulnerabilities of CCTV threats and how we can counter them to keep our finances, identity and ourselves safe.
See more: Cybersecurity Awareness Month: Eight security insights you should know
CCTVs are everywhere and so are vulnerabilities
As far as IoT and CCTV devices can be hacked, accessed, viewed and acted upon, the danger is present. Hackers have easy access to home security and can monitor comings and goings causing invasions of privacy that can lead to burglaries, robberies, stalking, etc. Retail stores, banks and other business CCTV breaches can lead to stolen identities, bank accounts or credit. card number. Cybercriminals match security experts in sophisticated “arms race”. Similar to how law enforcement uses CCTV footage to identify criminals, cybercriminals can do the same with stolen footage.
Today, many cameras are equipped with facial recognition technology. If cybercriminals hack into the server that stores and analyzes video recordings using such technology, they can gain unfettered access to your identity and other stored data. The Verdaka hack exposed video footage of many businesses, including Equinox gyms, Tesla, various banks, schools and prisons. On an even larger scale, CCTVs offer another channel through which hacktivists, rival governments and terrorists can pose potentially catastrophic threats to corporate or national security by accessing video inside military bases or other institutions.
Hackers find CCTV security exposures through hardware and software
Like other cross-framework vulnerabilities, CCTVs also suffer from cloud-based and network security vulnerabilities that can be easily hacked and infiltrated. While software-based solutions can provide cyber protection, we’ve seen many high-profile hacks in the last quarter alone where hackers can get around these defenses – particularly through human error. Breach can come from the device through the network it operates on or the server where the information is stored.
For example, physical break-ins and changes to server rooms are also a problem. In August, a researcher exposed SpaceX’s Starlink satellite system vulnerability in the dish hardware, using off-the-shelf hardware to create a $25 home-made attacking circuit board. The Chinese company Hikvision, manufacturer of video surveillance cameras, has come under fire on two of the worst imaginable fronts.
Not only has the beleaguered Hikvision failed to patch a critical security flaw on 80,000 Internet-facing IP cameras, including home cameras, but it has also raised questions about possible sanctions from the US government based on suspected violations of human rights monitoring. Manufacturers and data centers must begin integrating hardware-based cybersecurity measures to protect the data at the core, while adopting zero-trust frameworks.
Physical security and cyber security teams combine forces to fight CCTV hackers
Like most cyber security threats, most CCTV intrusions are preventable. The rapid growth of connected devices means that it takes a village to secure our data. Everyone from the manufacturer to the end user and cybersecurity teams to suppliers must do their part to maintain the integrity of their devices. Organizations’ physical security teams should work closely with CISOs and internal cybersecurity teams to create a unified and holistic front to ward off such attacks. Many criminal intrusions result from mistakes that can be prevented with basic best practices, such as not changing the factory-set password at setup, using the same password for all devices, connecting to a poorly protected network, or lacking dynamic authentication or unencrypted video protocols to gain access to the live stream of stored footage.
Cyber hygiene at home to protect doorbells and security cameras
Cameras are everywhere to protect us from crime, but cybercriminals use our own security programs to their advantage. At home, people with security camera systems like Ring or SimpliSafe should practice simple cyber hygiene techniques that prevent most breaches, starting with making sure the device they buy is from a reputable source and manufacturer. In 2021, Consumer Reports found that four of the 13 video doorbells/home security cameras had vulnerabilities, exposing their owners to hacking and leaks of personal data, including email addresses and Wi-Fi passwords. When setting up your device, you should always change the default password, use complex passwords that are harder to crack, and change passwords regularly.
See more: Why is security important to marketers?
Don’t underestimate cybersecurity education
The National Cyber Security Alliance (NCA) reported that in 2022, only thirty-six percent of people reported changing their passwords every few months, with 29% saying they don’t change them unless forced to. For organizations, minimizing human interaction is key to reducing the possibility of human error by allowing hackers to enter the system through phishing attacks or social engineering attacks. But companies should not underestimate the necessity of cybersecurity awareness and education.
The NCA revealed that more than half (58%) of participants who had received training said they were better at recognizing phishing messages, while 45% had started using strong and separate passwords. On the technology side, cybersecurity teams should take proactive steps to strengthen hardware-based cybersecurity measures by adopting zero-trust frameworks. In addition, they should implement regular patching, compromise assessments, red teaming and penetration testing, where a security expert like the one who exposed the SpaceX problem – also known as an ethical hacker – is enlisted to perform a simulated attack on the CCTV system.
CISOs, device manufacturers and the US are combining efforts to secure IoT and CCTV cameras
CISOs and individual vigilance via procedures and education can offer solid threat protection, but securing IoT and CCTV devices is undoubtedly a challenging task, with many Internet-facing touchpoints of potential exposure across hardware, software and people.
Manufacturers must also step up their hardware and firmware security game. The White House is working with private sector companies, associations and government partners on a plan for a badge system assess the cyber resilience of Internet of Things (IoT) devices which will be similar to the appliance’s Energy Star rating system. While it is impossible to prevent all cyber threats, we would be foolish not to take every precaution available to make life more difficult for the bad actors trying to invade our privacy.
How do you deal with CCTV cyber security threats? Share with us on Facebook, Twitterand LinkedIn.
Image source: Shutterstock
