The security for devices connected to the internet of things (IoT) has been a hot topic, and Internet Protocol (IP) surveillance cameras, in particular, have been the subject of growing scrutiny.
Motivations for targeting IP surveillance cameras
One of the major motivations for hacking IoT devices is financial gain. And when it comes to monetization, IP surveillance cameras are distinct targets for the following reasons:
- Constant connectivity. Like many other devices, IP cameras need to be internet-connected to function properly. However, exposure to the internet also makes it easy for hackers to find the cameras and potentially exploit the devices. Once hacked, the devices will be able to serve the hackers’ needs.
- Low hacking investment. Unlike with hacking a PC, once hackers see a way to break the security of an IoT device such as an IP camera, the same approach can usually be applied to other devices of similar models, resulting in a very low per-device hacking cost.
- Lack of supervision. Unlike PCs, especially those used in offices, IP cameras have low user interaction and are not well-managed in terms of security. Installation of an aftermarket anti-malware application is not available either.
- High performance. The idle computing power of an IP surveillance camera is usually good enough to perform hacking-related tasks such as cryptocurrency mining, and without being noticed by end users at that.
- High internet-facing bandwidth. The always-connected, fast, and huge bandwidth designed for video communications makes for a suitable target for hackers to initiate DDoS attacks.
Typical attack chain
The typical attack chain around IP surveillance cameras consists of the following steps.
2. Command and control. After gaining control of the device, the attacker downloads and executes malicious scripts or samples that report to the command-and-control (C&C) server. That server issues commands instructing the affected IP camera to perform malicious activities such as cryptocurrency mining or DDoS attacks on other devices via User Datagram Protocol floods.
3. Propagation. Depending on its kind, the malware used can scan the network and employ the same infection methods to propagate itself to other vulnerable devices. The attacker can trigger this action automatically (as in the case of wormlike botnets), or manually by receiving instructions from the C&C server.
Risks to public and closed networks
Most home IP cameras offered in the traditional, do-it-yourself (DIY) consumer market are connected directly to the internet. This means that home IP cameras are exposed to the internet at a very similar level as personal computers in homes, but lacking the user capability to install security software. Although home IP cameras amount to only a small portion of all installed devices, they make up a fast-growing market because of their increasing affordability and accessibility to the general public.
On the other hand, many people claim that IP cameras are not exposed to that level of risk because most products are usually designed for enterprises, which basically deploy IP cameras in local area networks and make them unsearchable on the internet. This claim may hold true, but it may overlook several real-world factors:
- The system integrators may not install the IP cameras as expected. In many cases, people just choose whichever approach is more convenient for them to install everything and get the devices working. Ease of maintenance is another incentive for them to do so. This explains why the IP addresses of many IP cameras that are supposed to stay in a local area network can still be found.
- The business model around IP cameras is changing. Service providers are using IP cameras to run customized services (such as elderly care), and making the cameras available on the internet is the easiest way for both users and remote operators to access the cameras as needed at the same time.
- Modern value-adding functions such as video analysis features are often deployed in the cloud to reduce the overall hardware and software costs, with the flexibility to switch specific features on or off, or to add a new feature regardless of the hardware performance of the cameras.
Hooking up IP cameras to the internet at large is a clear trend. Given the considerable numberof IP cameras deployed globally, a small portion of IP cameras that expose themselves on the public domain can serve as a great incentive for hackers.
Another thing to consider is how network isolation is one of the frequently mentioned approaches for cybersecurity. Being in a local area network, though, does not guarantee the protection of IP cameras against hacking. For one thing, well-designed malware can easily spread across the local area network, and any portable device brought into the same local area network can easily turn into an infection vector. Take the infamous Mirai botnet as an example: A Windows-based trojan plays an important role to distribute it, even though the targets are IP cameras that run on Linux.
A layered defense for IP cameras
A complete functionality offered by an IP camera often consists of the camera itself, the network capability, and the cloud services. To offer a secure product, manufacturers need to implement security strategies in an overarching approach — from the device to the cloud:
1. IP camera hardware. Since finding a system vulnerability is one of the most critical factors for hackers to penetrate into an IP camera, leading manufacturers in the industry pay close attention to monitoring the firmware and patching the vulnerable system components of products. However, to raise the bar on security, further enhancements can be applied, such as:
- Enforcing the changing of default credentials.
- Applying secure boot to prevent compromised devices from functioning.
- Implementing firmware over-the-air (FOTA) updates to patch issues if necessary.
- Employing the principle of least functionality by minimizing open ports on the device if not necessary.
2. Networking. Deploying IP cameras within a closed network is already a highly adopted mechanism to ensure a better level of security. Virtual private networks (VPNs) can be used to enable remote access with a secure connection. Other network-related security implementations include:
- Encrypting connections to deter attempts at compromise.
- Connecting with a security tunnel.
- Using a hardware component to store encryption keys.
3. Cloud. The more features provided by cloud services there are, the more critical cloud security becomes. On the upside, many, if not most, service providers are already aware of this. Most leading service providers have adequate protection on their cloud infrastructures. Highly integrated security products including those from Trend Micro also play an important role for cloud environments.
IoT security accountability and shared responsibility
As with other IoT devices, there are a lot of moving parts in a complete IP camera-based application. Accordingly, no one could and should be held solely responsible in the event of a security incident. From a cybersecurity standpoint, we believe everyone plays a role in making security fully realized.
The traditional business model for an IP surveillance system is a one-time payment. In a DIY market, the end users simply purchase the IP cameras and install them in the existing network environment. More complicated cases will introduce system integrators, who basically handle everything for the users, including selecting the right hardware, fixing them at desired locations, wiring them to outgoing routers, and setting up the network. It’s also a one-time payment if the maintenance contract is not figured in.
As more parties are trying to monetize on the basis of IP surveillance services, many different business models crop up to fulfill different needs. Surveillance service providers now charge users monthly fees instead of a one-time payment, and so do internet service providers (ISPs). New players in this business not only provide video surveillance systems for users, but also offer value-added services such as cloud recording and all sorts of smart features. To this point, the lines between the involved parties in this industry are getting blurred. For example, Nest is not only the manufacturer of the Nest Cam™ security camera, but it’s also the service provider that facilitates the associated cloud recording service.
Regardless of all the working components in the industry, there are groups of people and entities that play critical roles in the cybersecurity of surveillance systems:
- Device Manufacturers. Responsible manufacturers should always bear the security considerations in mind for every feature designed and delivered. One may argue that users often ignore or forget to adopt basic security measures, and that may just be the root cause of widespread malware across the world today. Governments are paying attention to this now and are working to enforce a certain level of security implementation with their authority. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), operated by the U.S. government, discloses system vulnerabilities of existing IP camera products from time to time in order to create more visibility around cybersecurity issues. In addition, the government of Taiwan, where at least a quarter of IP cameras shipped around the world are produced, is drafting a series of regulations aimed at ensuring the cybersecurity of the devices. Safety science companies like UL are also working on their cybersecurity verification programs to create further visibility on cybersecurity implementations.
- Service Providers. Those who build the system and operate their services with IP cameras should be responsible for the cybersecurity on a system level. By integrating the essential features of IP cameras and other premium features, service providers basically shape the whole system — from the device to the network to the cloud. Service providers, along with integrators, not only put things together, but they also make sure the devices and systems operate as intended during the entire service life. As they should, service providers have to prioritize cybersecurity along with promised features.
- System integrators. Those who set up the hardware and the software and initiate everything to start the service of the surveillance system also play a role in employing security. The principle of least functionality is the key guideline here, and enabling just as many features as needed is the goal. Unused features, especially the network functions such as open ports, are normally the shortcut for hackers.
- End users.There is typically a security guideline or a user manual that goes with an IP camera product. Reading through it and setting up the cameras as instructed play a crucial role in cybersecurity. Mirai’s success, for instance, can be attributed mainly to failure in changing default passwords.
I am providing a simple Video of hacking online CCTV Camera just for awareness purposes and please don’t use this information for any kind of blackhat hacking activities.
I have got this Information from “https://www.trendmicro.com” and saying thanks for making us aware about protection of modern cctv security systems.