4 Creative Ways to Secure Video Surveillance Cameras from known Vulnerability
Corporate systems are categorized into two:
- Internally developed
- Developed by a vendor
Internally developed systems are the exact tailor fit solutions that meet the requirement of the organization. It is labor intensive, as the developer team members are hired by the company directly or through contractors. Internally developed systems are very flexible when it comes to the meeting the needs of the organization in its different stages of usage. This means that an internally developed system will always be a “work-in-progress”, as it will continue improving for the entire duration of its lifetime.
Due to the cost incurred with maintaining a specialized developer team, more and more organizations choose to purchase systems from a vendor. Through a vendor lock-in contract, a certain level of support with compliance to agreed upon KPIs (Key Performance Indicators) is expected by the enterprise. As the SLA (Standard-level Agreement) is negotiated between the vendor and the enterprise in order to arrive at a common level of expectation and results. This enables the organization to have a semblance of peace-of-mind, as 24/7 support is promised by the vendor as being available if support is required.
Video surveillance systems connected to the Internet for remote viewing is one of the corporate systems that are often overlooked. A typical company just purchase one from a vendor, install it physically, then forget it’s needed for maintenance such as firmware upgrade for its entire lifetime. However, such practice is highly discouraged since any device on the Internet can be at risk anytime, especially if the company is visible or on the radar of cybercriminals.
The possibility of the video cameras, IP Cams and Internet-connected CCTVs are subject to external hacks are due to things people often overlook when operating surveillance equipment:
Non-updating of firmware
As mentioned earlier, hardware manufacturers regularly develop and publish firmware upgrades for the entire duration of the device’s lifetime. The firmware upgrades should not be ignored, as they correct known flaws, bugs and security weakness in the software end of the hardware. The device can be penetrated by 3rd parties from the Internet if a known exploit that was fixed by the manufacturer was not installed timely.
Some users leave the default password upon installation of the equipment. This is serious negligence, as default passwords for devices are documented in the product website of the vendor itself as part of their online documentation for the device. The device admin has a job to change the default password (and even the default username if applicable) to a unique password and record it in a secure password vault.
Using non-optimized configuration
Video surveillance cameras, IP cams, and CCTV come with unique features accessible through its webpage control panel. Configurations for the equipment must be in order to acclimate it to the environment. By using an optimized configuration, the device will be used based on how it was planned to be used, as defined by the manufacturer.
Connection via the non-firewalled Internet line
Video surveillance devices need to be installed in a relatively secure network, we recommend not to use DMZ connection for the device, as that will expose the device to possible DoS attacks.
Julia Sowells318 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.