Security Assessment of CCTV
What is CCTV?
Closed Circuit TV (CCTV), also known by the name video surveillance, is the utilization of camcorders to transmit a flag to a particular place, on a constrained arrangement of screens. It varies from the general communication of TV in that the flag is not straightforwardly transmitted; however, it might utilize Point 2 point (P2P), Point 2 multipoint (P2MP), or work wired or remote connections. Despite the fact that all camcorders fit this definition, the term is frequently connected to those utilized for observation in territories that may require checking, for example, bars, banks, gambling clubs, schools, lodgings, airplane terminals, healing centers, eateries, army bases, accommodation stores and different ranges where security is required.
Need for securing CCTV
In March 2014 Incapsula noted 240 percent hike in the number of botnet around the globe. There were 245 million CCTV cameras working the world over. Furthermore, this records for the professionally introduced ones. There are likely millions increasingly that were introduced by unfit experts, with even less security safety measures.
These numbers and the absence of cybersecurity mindfulness on numerous camera proprietors are the reasons why CCTV botnets came into existence.
FREE role-guided training plans
Sucuri has reported an incident that was related to DDoS on Jewelry shop. The amount of request the server was thrown with was 35000 HTTP-requests/second.
It is not new that attackers have been using IoT devices to start their DDoS movements, though, the one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long. As the geolocation from the IP addresses generating the DDoS was analyzed, Sucuri saw that they were originating from everywhere throughout the world in various nations and systems. An aggregate of 25,513 one of a kind IP addresses came extremely close to hours.
-
Default username password
Severity: High
Description:
Default username and password allows an attacker to access the CCTV controller. After login, the CCTV and its configuration can be manipulated, changed, disabled so that the malicious activity goes undetected
Solution:
Make sure you have changed the default username and password of the controller.
-
CCTV Console over the internet
Severity: High
Description:
If CCTV controller console is over the internet, then an attacker can access it by using default credential or brute force and perform a malicious activity or use it as a bot or use it to launch a DDoS attack.
Solution:
Make sure CCTV controller is not present over the internet. No public IP is assigned to the controller.
-
Shodan appearance
Severity: High
Description:
If any of the CCTV URL default location/folder or response header contains a default value or default headers that identify the vendor, then it may be shown in Shodan search, and it is a risk. Shodan is a search engine that lookups in header whatever the user search for. An attacker used these search engines to get access to vulnerable CCTV. (If on the internet)
Solution:
Remove server banner, vendor name, version, etc. from the headers so that it does not come in Shodan search. Rename default folder path.
-
Brute force prevention of controller
Severity: Medium
Description:
If brute force prevention is not implemented, then an attacker can brute force the credentials of the controller.
Solution:
Many of the controllers provide CAPTCHA facility. Implement CAPTCHA, or account lockout or brute force protection in the configuration.
-
Access control matrix
Severity: Medium
Description:
If a user/anyone in the LAN network can access the CCTV controller then, he may try to compromise the controller by changing the configuration or may backdoor the controller.
Solution:
Maintain a single server admin access (Only admin has access from the particular system) or Maintain a separate VLAN and give permission to that users only and restrict others.
-
Vendor name disclosure
Severity: Low
Description:
If vendor name is disclosed, then an attacker can exploit the known and existing flaws. With the help of vendor name, an attacker can find exploits, default credentials, bypass, publicly available vulnerability, etc
Solution:
Do not disclose the vendor name. Remove the tag lines used by the vendor.
-
Access Log management
Severity: Low
Description:
If access logs are not maintained, then it will be difficult to trap any unusual activity. Logs should be maintained of accessing, changing the configuration and other important activities.
Solution:
Make sure logging is enabled and capture details like who logged in, what time, from which IP, duration of the session, etc.
-
Role based access control
Severity: Low
Description:
If role base access control is not enforced, then the lower level staff such as (security guard, etc.) can do the malicious activity.
Solution:
Security person should be given limited rights. Admin has full rights. Make sure that only admin has access to all the console, log, configuration settings, etc.
-
Storage backup
Severity: Low
Description:
If storage is full then-then overwriting takes place. So previously captured videos will be lost. If storage is crashed, then it will be difficult to recover the footage.
Solution:
Make sure you have a backup of your storage and make sure your storage size is sufficient enough.
-
Change the default URL
Severity: Low
Description:
If the URL is 10.10.10.10/index.html, then it is predictable. Also, if the IP 10.10.10.10 is entered, then it redirects to the default page. Finding the console is an important part of the attack. If an attacker can predict the URL, then he can try enumerating and exploiting further.
Solution:
Disable redirection to the controller console. Change the default path to something like 10.10.10.10/SomeDirectoryWithCOmplexname/myorg123.html
-
FTP SMTP connection for CCTV
Severity: Low
Description:
Some CCTV footages are stored using FTP or SMTP to another server. Their credentials are stored in the CCTV controller console. If an organization has one FTP or SMTP storage where all important organization data is stored along with CCTV footage then, it can be accessed by CCTV admin.
Solution:
Make a different segregation for FTP, SMTP storage. Also, only admin should have access to the configuration and credentials.
-
Data storage
Severity: Low
Description:
If the OS crash then all the footages will be lost as the default setting to store data (footage) is C: drive
Solution:
Store footages on D: drive
-
Improper password setting
Severity: Low
Description:
If the configuration accepts a weak password, then a user may set a weak password for admin or another user account that may be guessed, brute forced by the attacker.
Solution:
An organization should maintain standard password policy or at least implement the following:
- Length of the password should be more than eight character
- Password should contain alphanumeric + special character
-
Password cannot be same as username
- Length of the password should be more than eight character
-
Patch management
Severity: Low
Description:
If a critical vulnerability is reported to CCTV vendor, then he may release a patch to address those vulnerabilities. If an organization fails to update patches on the system, then it may lead to compromise of the CCTV or system.
Solution:
Enable auto update if possible or make sure you have an update/upgrade cycle every month.
Conclusion:
Considering all the checks properly implemented will reduce the attack surface in much better way. Still, we cannot underestimate the attackers. A beautiful 0day Remote code execution affecting 70 CCTV vendors was discovered, and it is not yet patched.
Researcher says "Since there are many vendors who redistribute this software it is hard to rely on vendors patch to be released. There are few more vulnerabilities being exploited in the wild against CCTV. Lastly about the responsible disclosure process. We tried to contact TVT for quite some time with no response, so they left us with no choice but to disclosure." http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
References:
https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html
FREE role-guided training plans
https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
In this Series
- Security Assessment of CCTV
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security