A Defense Playbook for Diffusing CCTV Cybersecurity Threats

As long as IoT and CCTV devices can be hacked, the danger is present. Here’s how to tackle threats.

November 8, 2022

In the eternal battle against cyber criminals, every technological advance comes with fresh new avenues for cybercriminals to ply their trade. Camellia Chan, CEO and founder of X-PHY, looks closely at CCTV cybersecurity threats and how vulnerabilities can be better protected.

It can be especially vexing when criminals turn our own security technologies against us, as they are doing in closed circuit television (CCTV), IoT, and other video security devices. In 2021, a hacker collective gained access to 149,000 security camera footage in their invasion of cloud video security startup Verkada’s systems. In June and September of this year, groups of Iranian dissidents hacked thousandsOpens a new window of Iranian surveillance cameras in two separate attacks, both motivated by political dissent. Hackers do not stop at making political statements. They also target smaller stakes CCTV sources to steal identities or stalk victims, targeting ATMs, residential doorbell cameras, or traffic cameras. Let’s look at the vulnerabilities of CCTV threats and how we can counter them to keep our finances, identities, and ourselves safe.

See More:   Cybersecurity Awareness Month: Eight Security Insights That You Should Know

CCTVs are Everywhere, and So Are Vulnerabilities 

As far as IoT and CCTV devices can be hacked, accessed, watched and acted upon, the danger is present. Hackers have easy access to home security and can monitor the coming and going causing invasion of privacy which can result to burglaries, robberies, stalking etc. Retail stores, banks, and other CCTV business breaches can lead to stolen identities, bank accounts, or credit card numbers. Cybercriminals are matching security experts in the sophisticated ‘arms race.’ Similar to how law enforcement uses CCTV footage to identify criminals, cybercriminals can do the same with stolen footage. 

Today, many cameras are equipped with facial recognition technology. If cybercriminals hack into the server that stores and analyses video footage using such tech, they can gain unfettered access to your identity and any other stored data. The Verdaka hack exposed video footage of scores of businesses, including Equinox gyms, Tesla, various banks, schools, and jails. On an even larger scale, CCTVs offer another channel into which hacktivists, rival governments, and terrorists can foist potentially catastrophic threats to corporate or national security in accessing video within military bases or other institutions.

Hackers Find CCTV Security Exposures through Hardware and Software

Much like other vulnerabilities across the entire framework, CCTVs also suffer from cloud-based and network security vulnerabilities that can be easily hacked and infiltrated. While software-based solutions may provide cyber protection, we have seen numerous high-profile hacks in the last quarter alone where hackers can get around these defenses – especially through human error. Breaches can come from the device through the network that it operates on or the server where the information is stored. 

For instance, physical intrusions and alterations to server rooms also remain an issue. In August, a researcher exposed SpaceX’s Starlink satellite system vulnerability in its satellite dish hardware, using off-the-shelf parts to make a $25 homemade attacking circuit board. The Chinese company, Hikvision,  maker of video surveillance cameras, has come under fire on two of the worst possible fronts. 

Not only has the beleaguered Hikvision failed to adequately patch a critical security bug on 80,000 internet-facing IP cameras, including home cameras, but it also has been fielding inquiries into possible sanctions from the US governmentOpens a new window based on suspected human rights surveillance abuses. Manufacturers and data centers must start to integrate hardware-based cybersecurity measures to protect the data at its core while also adopting zero-trust frameworks.  

Physical Security and Cybersecurity Teams Combine Forces to Battle CCTV Hackers

Like most cybersecurity threats, most CCTV intrusions are preventable. The rapid growth of connected devices means that it takes the whole village to secure our data. Everybody from the manufacturer to the end user and cybersecurity teams to vendors must do their part to maintain the devices’ integrity. Organizations’ physical security teams should collaborate closely with CISOs and internal cybersecurity teams to create a united and holistic front to stave off such attacks. Many criminal incursions result from preventable errors in fundamental best practices, such as not changing the factory set password upon setup, using the same password for all devices, connecting to a poorly protected network, or a lack of dynamic authentication or unencrypted video protocols to access the live stream of stored footage. 

Cyber Hygiene At Home to Protect Doorbells and Security Cameras

Cameras are everywhere to protect us against crime, yet cybercriminals are using our own security programs to their advantage. At home, people with security camera systems such as Ring or SimpliSafe should practice simple cyber hygiene techniques that prevent most breaches, starting with ensuring the device they buy is from a reputable source and manufacturer. In 2021, Consumer ReportsOpens a new window found that four of the 13 video doorbells/home security cameras had vulnerabilities, exposing their owners to hacking and leaks of personal data, including email addresses and Wi-Fi passwords. Upon setting up the device, you should always change the default password, use complex passwords that are harder to crack and change the passwords regularly. 

See More: Why Security Matters for Marketers? 

Don’t Underestimate Cybersecurity Education 

The National CyberSecurity AllianceOpens a new window (NCA) reported that in 2022, only thirty-six percent of people reported that they changed their passwords every few months, with 29% saying they do not change them unless they are forced to do so. For organizations, minimizing human interaction is key to reducing the possibility of human error in allowing hackers into the system through phishing attacks or social engineering attacks. But companies should not underestimate the necessity for cybersecurity awareness and education. 

The NCA revealed that more than half (58%) of the participants who had received training said they were better at recognizing phishing messages, while 45% had started using strong and separate passwords. On the technology side, cybersecurity teams should take proactive measures to fortify hardware-based cybersecurity measures, adopting zero-trust frameworks. Additionally, they should implement regular patching, compromise assessments, red teaming, and penetration testing, in which a security expert like the one who exposed the SpaceX issue — aka an ethical hacker — is enlisted to execute a simulated attack on the CCTV system. 

CISOs, Device Manufacturers, and the US Combine Efforts to Secure IoT and CCTV Cameras 

CISO and individual vigilance via procedures and education can offer stout protection against threats, but the securing of IoT and CCTV devices is undoubtedly a challenging undertaking, with numerous internet-facing touchpoints of potential exposure across hardware, software, and humans.

Manufacturers also need to step up their hardware and firmware security game. The White House is working with private sector businesses, associations and government partners on a plan for a labeling system to rate the cyber resilience of Internet of Things (IoT) devicesOpens a new window which will be similar to the appliance Energy Star rating system. While it’s impossible to thwart all cyber threats, we would be foolish not to take every precaution available to make life harder for the bad actors seeking to invade our privacy.

How are you managing CCTV cybersecurity threats? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .

Image Source: Shutterstock

MORE ON CYBERSECURITY

Camellia Chan
Camellia Chan

CEO and Founder, X-PHY, a Flexxon Brand

Camellia Chan is the CEO and founder of X-PHY, a Flexxon brand. Since its inception in 2007, Camellia has grown Flexxon into an international business with a presence in over 50 cities. With Camellia’s passion for innovation and tech for good, Flexxon continues to expand its essential suite of cybersecurity services through its flagship X-PHY brand.
Take me to Community
Do you still have questions? Head over to the Spiceworks Community to find answers.