
Security Assessment of CCTV

May 9, 2017 by Hashim Shaikh

What is CCTV?

Closed Circuit TV (CCTV), also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors. It differs from broadcast television in that the signal is not openly transmitted; it may instead use point-to-point (P2P), point-to-multipoint (P2MP), or mesh wired or wireless links. Although all video cameras fit this definition, the term is most often applied to those used for surveillance in areas that may need monitoring, such as bars, banks, casinos, schools, hotels, airports, hospitals, restaurants, military installations, convenience stores and other places where security is required.

Need for securing CCTV

In March 2014 Incapsula noted a 240 percent rise in the number of botnets around the globe. At that time there were 245 million CCTV cameras operating worldwide, and that figure accounts only for the professionally installed ones. There are likely millions more that were installed by unqualified installers, with even fewer security precautions.
These numbers, together with the lack of cybersecurity awareness among many camera owners, are the reasons why CCTV botnets came into existence.


Sucuri has reported a DDoS incident against a jewelry shop. The server was flooded with 35,000 HTTP requests per second.

It is nothing new for attackers to use IoT devices to launch DDoS campaigns, but this one leveraged only CCTV devices and was still able to generate that volume of requests for so long. When Sucuri analyzed the geolocation of the IP addresses generating the DDoS, they saw that the traffic originated from all over the world, from many different countries and networks. A total of 25,513 unique IP addresses were seen within a matter of hours.

  1. Default username password

    Severity: High

    Description:

    A default username and password allows an attacker to access the CCTV controller. After login, the CCTV and its configuration can be manipulated, changed or disabled so that malicious activity goes undetected.

    Solution:

    Make sure you have changed the default username and password of the controller.

  2. CCTV Console over the internet

    Severity: High

    Description:

    If the CCTV controller console is exposed to the internet, then an attacker can access it using default credentials or brute force and perform malicious activity, use it as a bot, or use it to launch a DDoS attack.

    Solution:

    Make sure the CCTV controller is not exposed to the internet and that no public IP is assigned to it.

  3. Shodan appearance

    Severity: High

    Description:

    If any of the CCTV's default URL locations/folders or response headers contain default values or default headers that identify the vendor, then the device may show up in a Shodan search, which is a risk. Shodan is a search engine that looks through collected service banners and headers for whatever the user searches for. Attackers use such search engines to find and access vulnerable CCTV systems (if they are on the internet).

    Solution:

    Remove the server banner, vendor name, version, etc. from the headers so that the device does not appear in Shodan search results. Rename the default folder path.

  4. Brute force prevention of controller

    Severity: Medium

    Description:

    If brute force prevention is not implemented, then an attacker can brute force the controller's credentials.

    Solution:

    Many controllers provide a CAPTCHA facility. Enable CAPTCHA, account lockout or brute force protection in the configuration.

  5. Access control matrix

    Severity: Medium

    Description:

    If any user on the LAN can access the CCTV controller, they may try to compromise the controller by changing its configuration or may backdoor it.

    Solution:

    Maintain a single admin access point (only the admin has access, and only from one particular system), or maintain a separate VLAN, grant access only to the users who need it, and restrict everyone else.

  6. Vendor name disclosure

    Severity: Low

    Description:

    If the vendor name is disclosed, then an attacker can exploit known, existing flaws. With the vendor name, an attacker can look up exploits, default credentials, bypasses, publicly available vulnerabilities, etc.

    Solution:

    Do not disclose the vendor name. Remove the taglines used by the vendor.

  7. Access Log management

    Severity: Low

    Description:

    If access logs are not maintained, it will be difficult to trace any unusual activity. Logs should record access, configuration changes and other important activities.

    Solution:

    Make sure logging is enabled and captures details such as who logged in, at what time, from which IP, the duration of the session, etc.

  8. Role based access control

    Severity: Low

    Description:

    If role-based access control is not enforced, then lower-level staff (security guards, etc.) can perform malicious activity.

    Solution:

    Security personnel should be given limited rights; the admin has full rights. Make sure that only the admin has access to the full console, the logs, the configuration settings, etc.

  9. Storage backup

    Severity: Low

    Description:

    If storage is full, then overwriting takes place, so previously captured video will be lost. If the storage crashes, it will be difficult to recover the footage.

    Solution:

    Make sure you have a backup of your storage and that your storage size is sufficient.

  10. Change the default URL

    Severity: Low

    Description:

    If the URL is 10.10.10.10/index.html, then it is predictable. Also, if only the IP 10.10.10.10 is entered, it redirects to the default page. Finding the console is an important part of the attack: if an attacker can predict the URL, then he can try enumerating and exploiting further.

    Solution:

    Disable redirection to the controller console. Change the default path to something like 10.10.10.10/SomeDirectoryWithCOmplexname/myorg123.html

  11. FTP/SMTP connection for CCTV

    Severity: Low

    Description:

    Some CCTV footage is stored on another server via FTP or SMTP, and the credentials for that server are stored in the CCTV controller console. If an organization has a single FTP or SMTP store where all important organizational data is kept along with CCTV footage, then that data can be accessed by the CCTV admin.

    Solution:

    Segregate the FTP/SMTP storage used for CCTV from other storage. Also, only the admin should have access to the configuration and credentials.

  12. Data storage

    Severity: Low

    Description:

    If the OS crashes, then all footage will be lost, because the default setting stores data (footage) on the C: drive.

    Solution:

    Store footage on the D: drive.

  13. Improper password setting

    Severity: Low

    Description:

    If the configuration accepts weak passwords, then a user may set a weak password for the admin or another user account that may be guessed or brute forced by an attacker.

    Solution:

    An organization should maintain a standard password policy or at least implement the following:

    1. Password length should be more than eight characters
    2. Passwords should contain alphanumeric and special characters
    3. The password cannot be the same as the username

  14. Patch management

    Severity: Low

    Description:

    If a critical vulnerability is reported to the CCTV vendor, the vendor may release a patch to address it. If an organization fails to apply patches to the system, it may lead to compromise of the CCTV or the system.

    Solution:

    Enable auto-update if possible, or make sure you have an update/upgrade cycle every month.
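As an added example that is not part of the original article, the following script shows how the access logs from finding 7 can be used to detect the brute force attempts of finding 4 and the out-of-VLAN access of finding 5. The log format, the sample lines, the management VLAN 10.10.20.0/24 and the lockout threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines; the format is an assumption for this example, not any
# vendor's real format. It carries the fields the checklist asks for: who, when, from which IP.
SAMPLE_LOG = """\
2017-05-09T10:00:01 user=admin src=10.10.20.5 result=OK duration=300
2017-05-09T10:05:00 user=admin src=192.168.1.77 result=FAIL
2017-05-09T10:05:02 user=admin src=192.168.1.77 result=FAIL
2017-05-09T10:05:04 user=admin src=192.168.1.77 result=FAIL
2017-05-09T10:05:06 user=admin src=192.168.1.77 result=FAIL
2017-05-09T10:05:08 user=admin src=192.168.1.77 result=FAIL
2017-05-09T10:05:10 user=admin src=192.168.1.77 result=OK duration=60
"""

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>OK|FAIL)(?: duration=(?P<dur>\d+))?")

ALLOWED_NETS = [ip_network("10.10.20.0/24")]  # assumed CCTV management VLAN
FAIL_THRESHOLD = 5                             # failures per source before alerting
WINDOW = timedelta(minutes=5)                  # sliding window for counting failures

def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "src": ip_address(m["src"]), "result": m["result"],
                           "duration": int(m["dur"]) if m["dur"] else None})
    return events

def analyze(log_text):
    """Return (alert_type, source_ip, user) tuples, deduplicated, in log order."""
    alerts, fails = [], defaultdict(list)
    def add(kind, e):
        a = (kind, str(e["src"]), e["user"])
        if a not in alerts:
            alerts.append(a)
    for e in parse(log_text):
        if not any(e["src"] in net for net in ALLOWED_NETS):
            add("outside_vlan", e)            # finding 5: login not from the CCTV VLAN
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
            if sum(e["ts"] - t <= WINDOW for t in fails[e["src"]]) >= FAIL_THRESHOLD:
                add("brute_force", e)         # finding 4: lockout threshold reached
        elif fails[e["src"]] and e["ts"] - fails[e["src"]][-1] <= WINDOW:
            add("success_after_failures", e)  # a guessed password that finally worked
    return alerts
```

Running `analyze(SAMPLE_LOG)` on the constructed lines yields one alert of each type for 192.168.1.77, which is what an access-log review for the controller should surface.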

Conclusion:

Implementing all of the checks above properly will reduce the attack surface considerably. Still, we cannot underestimate the attackers. A 0day remote code execution affecting 70 CCTV vendors was discovered, and it is not yet patched.

The researcher says: "Since there are many vendors who redistribute this software it is hard to rely on vendors patch to be released. There are few more vulnerabilities being exploited in the wild against CCTV. Lastly, about the responsible disclosure process. We tried to contact TVT for quite some time with no response, so they left us with no choice but to disclose." http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

References:

https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html

https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html

Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Holding both OSCP and CEH, he likes exploring Kali Linux. His interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: http://justpentest.blogspot.in and his LinkedIn profile here: https://in.linkedin.com/in/hashim-shaikh-oscp-45b90a48