Internet-facing CCTV systems need protection from cyberattacks...

With cyberattacks on CCTV systems making news headlines on a weekly basis of late, there is a good deal of concern and uncertainty about how at risk these systems are, as well as why they are being attacked. In this article, Simon Pollak takes a closer look at some of these attacks: how they are carried out and the likely motivations behind them.

In May 2018, over 60 Canon cameras in Japan were hacked with “I’m Hacked. bye2” appearing in the camera display text. How did the attack take place? Simple. IP cameras were connected to the internet and were left on default credentials. It appears that the hackers logged into the cameras and changed the on-screen display. What was the impact? Other than the defacement of the camera displays and some reputational damage, there doesn’t seem to have been much impact from these attacks.

What was the attacker’s motivation? The most likely explanation is that they did it for the LOLZ, a hacker term implying the attack was done for laughs. However, there’s no guarantee that this wasn’t cover for a more sinister attack.

How bad could it have been? While this sort of attack is relatively innocuous, having a hacker gain control of a network device could have a catastrophic impact. Once a hacker has gained control of a device, they could use the camera for hostile reconnaissance, they could inject their own video stream in a Mission Impossible style attack, or they could use the device to pivot into other devices on the same network, all of which would make for a really bad day.

In October 2016, 600,000 internet-connected cameras, DVRs, routers and other IoT devices were compromised and used to form a massive botnet to launch what was the largest Denial of Service (DoS) attack the internet had experienced to date.

How did the attack take place? Yet again, devices were left connected to the internet and were left on default credentials. In this case, the attackers developed software that scoured the internet searching for vulnerable devices, which they then took control of using their own malicious software.

What was the impact? The Mirai attacks significantly compromised the internet, resulting in Dyn, one of the largest service providers, going offline and taking many web sites offline, including Twitter, Amazon, and Netflix.

What was the attacker’s motivation? The perpetrators of Mirai were charged with conspiracy to violate the Computer Fraud and Abuse Act in the US courts in Anchorage. It turns out that they were a group of college students who ran a Minecraft server and they had built the botnet to degrade the performance of competing servers to gain more users for their service. They have been sentenced to between 5-10 years in prison and fined up to $US500,000.

How bad could it have been? Once the Mirai source code was released into the wild, there were many variants developed, including BrickerBot, which similarly scoured the internet then bricked devices so that they had to be factory reset to regain control and functionality. A more determined attacker could have done far more damage to the devices or launched more damaging attacks using the same techniques.

In 2014, a US ally observed a malicious actor attacking the US State Department computer systems. In response, the NSA traced the attacker’s source and infiltrated their computer systems, gaining access to their CCTV cameras, from where they were able to observe the hackers’ comings and goings.

How did the attack take place? Not surprisingly, details of the hack back have been withheld from media coverage. Given this was carried out by professionals, we can assume that the attack was both sophisticated and stealthy.

What was the impact? For the Russian hackers who were identified, this will have put a damper on any travel plans they may have as they are likely to be arrested if they holiday in a country with an extradition arrangement with the US.

What was the attacker’s motivation? In this instance, the hackers are the good guys, so they carried out the attack in order to defend their systems. How bad could it have been? If the attackers hadn’t been on the right side of the law, and their target had been a bank, a celebrity, or any place where privacy is important, the attack could have caused a lot of harm.

In the lead up to the 2017 US Presidential inauguration, 65 per cent of the recording servers for the city of Washington CCTV system were infected with ransomware. How did the attack take place? Whilst unknown, it most likely occurred by the same means as other common PC hacks such as infected USB keys, malicious web sites, or phishing attacks.

What was the impact? The system administrators had to wipe the infected systems and reinstall the video management system, so it’s entirely possible a good deal of footage was lost, and the system was rendered inoperable for a time.

What was the attacker’s motivation? As with any ransomware attack, the attackers’ motivation is to hold the compromised system to ransom and only restore control once the ransom has been paid. It is important to note that ransomware can be used to conceal more malicious or targeted attacks by keeping defenders distracted combatting the more visible attack.

How bad could it have been? Whilst functionality was restored, we may never know just how much important footage was lost or what other systems could have been compromised.

What lessons can we learn from these attacks?

Don’t connect your devices directly to the Internet. If you need to have a camera or CCTV system be remotely accessible, port forwarding all inbound traffic to your system is just asking to be attacked. Use a VPN, use non-standard network ports, enable two-factor authentication, or use a remote access service. While these measures won’t guarantee your security, they will certainly make you less of a target for attackers that are scouring the internet for vulnerable systems.

Change Default Passwords. It’s like the Australian road safety advertisements from the 1990s which asserted that “If you drink and drive, you’re a bloody idiot”. Same goes for credentials: “If you don’t change the passwords, you’re a bloody idiot”.

Don’t forget that it’s a computer. Just because it connects to a bunch of cameras, doesn’t mean that your NVR isn’t a computer. All the cyber security advice that is applicable to traditional IT is just as applicable when said computer is used as part of a CCTV system.
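To make these lessons checkable, here is an added example (not part of the original article) that audits a device inventory and an edge router's inbound port-forward rules for the weaknesses described above. The device names, addresses, rule format and severity ordering are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    ip: str
    password_changed: bool  # False = still on factory credentials
    two_factor: bool

# Constructed sample data (names, addresses and rule format are assumptions).
DEVICES = [
    Device("lobby-cam", "192.168.10.21", password_changed=False, two_factor=False),
    Device("dock-cam", "192.168.10.22", password_changed=True, two_factor=False),
    Device("nvr-01", "192.168.10.30", password_changed=False, two_factor=False),
]
# (wan_port, lan_ip, lan_port) inbound rules exported from the edge router
PORT_FORWARDS = [
    (80, "192.168.10.21", 80),       # camera web UI on a standard port
    (8554, "192.168.10.22", 554),    # non-standard WAN port, still exposed
    (51820, "192.168.10.1", 51820),  # VPN endpoint
    (8080, "192.168.10.99", 80),     # target absent from the inventory
]
VPN_ENDPOINTS = {"192.168.10.1"}  # forwards here are the intended remote path

def audit(devices, forwards, vpn_endpoints):
    """Return (severity, subject, issue) tuples, worst (0) first."""
    exposed = {}
    for wan_port, lan_ip, _lan_port in forwards:
        if lan_ip not in vpn_endpoints:
            exposed.setdefault(lan_ip, []).append(wan_port)
    findings = []
    known = {d.ip for d in devices}
    for ip in sorted(set(exposed) - known):
        findings.append((1, ip, "forward to a device missing from the inventory"))
    for d in devices:
        ports = sorted(exposed.get(d.ip, []))
        if ports and not d.password_changed:
            findings.append((0, d.name, f"default credentials reachable on WAN ports {ports}"))
        elif ports:
            issue = f"port-forwarded on WAN ports {ports}"
            if not d.two_factor:
                issue += ", no two-factor authentication"
            findings.append((1, d.name, issue))
        elif not d.password_changed:
            findings.append((2, d.name, "default credentials (internal only)"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, subject, issue in audit(DEVICES, PORT_FORWARDS, VPN_ENDPOINTS):
        print(severity, subject, issue)
```

Severity 0 is the combination behind the Canon and Mirai incidents: a device on default credentials that is also reachable from the internet.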

While we aren’t seeing the flood of attacks that have been predicted in CCTV systems, they are a ripe target. If a determined attacker starts attacking these systems, there will not be the time to remediate very many of these systems before the damage spreads.


The views expressed in this article are those of the author only and do not represent those of any organisation, or necessarily reflect the position or policies of any organisation or entity. Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology). Simon contributes to SEN discussing all things cyber and converged security. You can follow him at https://twitter.com/SimonPollak or https://au.linkedin.com/in/simonpollak
