Most cameras are plugged into Corporate IT networks, potentially opening a backdoor and creating a vulnerable point of entry to an organisation’s IT Systems.
When Tony Porter (UK Surveillance Camera Commissioner) recently addressed the Press Association, he outlined the risks of surveillance cameras as potential hacking targets, saying:
“that cameras are potentially your vulnerable point and that firms must ensure that they apply the same level of IT security to their cameras as their mainframe.”
Surveillance cameras of all categories fall within the remit of the Surveillance Camera Commissioner, while their data is subject to the control of the Information Commissioner, who can take any appropriate enforcement action and prosecute under the DPA (Data Protection Act) when necessary. The relationship between the two Commissioners is regulated by a MoU (Memorandum of Understanding).
May 2018 sees a change of regime, with the introduction of the EU GDPR (European General Data Protection Regulation) and potential penalties for a breach transformed to a theoretical €20 million or 4% of annual turnover. More importantly, there is no concept of compliance in the EU GDPR; the onus is on the organisation to protect its data. It therefore behoves an organisation to enforce the highest standards of authentication and encryption to ensure the integrity of its systems and data.
Any IP-enabled camera linked to the Internet/IoT can be readily discovered using freely available software, and a search of the web readily reveals default passwords and flaws that give simple access even to a novice hacker. Once access has been obtained, the hacker’s options vary and could result in a complete penetration of the Enterprise systems, the inclusion of the devices in a botnet, the extraction of personal data, or simply the creation of chaos (for example, the traffic lights at the Donald Trump inauguration). Once a penetration occurs it may be difficult to detect; the industry average is an intrusion lasting up to 3 months before detection.
The regime of two Commissioners is unusual, with the Surveillance Camera Commissioner primarily concerned with compliance with the code of practice for the cameras in use. Compliance is assured by completion of a simple self-certification form, stating that safeguards are in place to ensure the integrity of the images and data, together with an appropriate statement on the organisation’s website. Cyber security lies outside these terms of reference, and data protection remains the responsibility of the Information Commissioner. The major risk to organisations is the continued belief that self-certification provides any measure of protection for their organisation and can in any way mitigate the penalties under the EU GDPR.
From a cyber security perspective, a surveillance camera is unique in that, unlike other devices, it offers two distinct avenues of attack. On the network side it is no different from any other device connected to the Internet/IoT: unless fully secured against attacks such as man-in-the-middle, a camera can provide a gateway for a fully-fledged attack on the Enterprise. In addition, however, it offers an outward-looking opportunity aimed specifically at a nearby public space, providing very convenient optical access from various directions and angles. Attackers can also use this novel covert channel to communicate with malware inside the organisation. An attacker can infiltrate data by transmitting hidden signals via the camera’s IR LEDs: binary data such as command and control messages can be hidden in the video stream, recorded by the surveillance cameras, and intercepted and decoded by malware residing in the network.
With cameras that are not fully secured using modern technology, a major security risk remains, and there is no assurance that the feed is the actual live feed taking place. Once a hacker has obtained access, it is comparatively easy to replace the live feed with a previously recorded one. Without the ability to authenticate the device and eliminate the risk of impersonation, a camera system becomes highly vulnerable and, rather than representing an asset, becomes a major risk.
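The replay and impersonation risk described above can be closed on the recording side by having each camera tag every frame with a per-device key and a sequence number and timestamp, so that a recorded feed played back later, a tampered frame, or a frame from a device without the key is rejected. The following is an added illustration, not code from the article or from any camera vendor; the device key, clock values and frame bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed per-device key; in practice provisioned into the camera's secure storage.
DEVICE_KEY = b"example-camera-key-0001"
FRESHNESS_WINDOW_S = 5.0  # how far a frame timestamp may drift from the recorder clock


def sign_frame(key: bytes, seq: int, ts: float, frame: bytes) -> bytes:
    """Camera side: return a 48-byte tag = seq || timestamp_ms || HMAC-SHA256(key, header || frame)."""
    header = struct.pack(">QQ", seq, int(ts * 1000))
    return header + hmac.new(key, header + frame, hashlib.sha256).digest()


class FeedVerifier:
    """Recorder side: a frame is accepted only if its tag verifies under the device key,
    its sequence number strictly increases, and its timestamp is fresh. A replayed
    recording fails the sequence and freshness checks even though its tags are genuine."""

    def __init__(self, key: bytes, now):
        self.key, self.now, self.last_seq = key, now, -1

    def verify(self, tag: bytes, frame: bytes) -> bool:
        if len(tag) != 16 + 32:
            return False
        header, mac = tag[:16], tag[16:]
        expected = hmac.new(self.key, header + frame, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged (wrong key) or tampered frame
        seq, ts_ms = struct.unpack(">QQ", header)
        if seq <= self.last_seq:
            return False  # replayed or reordered frame
        if abs(self.now() - ts_ms / 1000) > FRESHNESS_WINDOW_S:
            return False  # stale frame, e.g. an old recording
        self.last_seq = seq
        return True


def demo() -> dict:
    """Constructed scenario: three live frames, a replay an hour later, a tampered frame,
    a frame from an impersonating device with the wrong key, then a genuine fresh frame."""
    clock = [1_700_000_000.0]
    verifier = FeedVerifier(DEVICE_KEY, now=lambda: clock[0])
    frames = [b"jpeg-bytes-%d" % i for i in range(3)]
    live = [sign_frame(DEVICE_KEY, i, clock[0], f) for i, f in enumerate(frames)]
    results = {"live": all(verifier.verify(t, f) for t, f in zip(live, frames))}
    clock[0] += 3600  # an hour later the attacker substitutes the recorded feed
    results["replay"] = verifier.verify(live[0], frames[0])
    results["tampered"] = verifier.verify(sign_frame(DEVICE_KEY, 3, clock[0], frames[0]), b"altered")
    results["impersonator"] = verifier.verify(sign_frame(b"wrong-key", 4, clock[0], frames[0]), frames[0])
    results["fresh"] = verifier.verify(sign_frame(DEVICE_KEY, 3, clock[0], b"jpeg-bytes-3"), b"jpeg-bytes-3")
    return results
```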
Compliance Is Not Security, Security Is Not Secure
Believe Nothing, Authenticate Everything