15 May 2012 - 10:32 AMT

Popular surveillance cameras vulnerable to remote hacking

Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security – a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.

Wired.com reports that, according to researcher Justin Cacak, senior security engineer at Gotham Digital Science, the cameras, used by banks, retailers, hotels, hospitals and corporations, are often configured insecurely thanks to these manufacturer default settings. As a result, he says, attackers can seize control of the systems to view live or archived footage, or to control the direction and zoom of cameras that are adjustable.

Cacak and his team were able to view footage as part of penetration tests they conducted for clients to uncover security vulnerabilities in their networks. The team found more than 1,000 closed-circuit TV cameras that were exposed to the internet and thus susceptible to remote compromise, due to inherent vulnerabilities in the systems and to the tendency of the companies to configure them insecurely.

The inherent vulnerabilities, he said, can be found in systems from at least three of the top makers of standalone CCTV systems that he and his researchers examined – MicroDigital, HIVISION and CTRing – as well as from a substantial number of other companies that sell rebranded versions of the systems.

CCTV video surveillance systems are deployed at entrances and exits to facilities as well as in areas considered to be sensitive, such as bank vaults, server rooms, research and development labs and areas where expensive equipment is located. Typically, the cameras are easily spotted on ceilings and walls, but they can also be hidden to monitor employees and others without their knowledge.

Obtaining unauthorized access to such systems could allow thieves to case a facility before breaking into it, turn cameras away from areas they don’t want monitored or zoom in on sensitive papers or prototype products at a workstation. The cameras could also be used to spy on hospitals, restaurants and other facilities to identify celebrities and others who enter.

To help companies determine if their CCTV systems are vulnerable, Cacak’s team worked with Rapid7 to produce a module for its Metasploit software targeting CCTV systems made by MicroDigital, HIVISION and CTRing or sold by other companies under a different name.

Metasploit is a testing tool used by administrators and security professionals to determine if their systems are vulnerable to attack, but it’s also used by hackers to find and exploit vulnerable systems.