Video surveillance, using security cameras by organizations and individuals, is a popular security measure that helps detect unusual incidents, such as acts of violence in educational institutions and events, burglary of private homes and shared buildings, and security or safety incidents.
Security cameras are commonly referred to as Internet of Things (IoT) devices when many users connect these devices to the Internet. As a result, these devices may be accessed at any time, any place, which makes them an attractive destination for attackers in cyberspace.
Unfortunately, security cameras are subject to several cyber threats and attacks, in which threat actors can take control of the cameras to produce valuable information about the activities of forces and people. In this post, we focus on some of the common threats deriving from attacks on surveillance cameras.
- A takeover of the management interface: This occurs when a vulnerability or misconfiguration allows an attacker to take control of the management interface. The common causes of this abuse include using default passwords, weak password policies, or identical passwords on multiple sites/ services, which increases the likelihood of high exposure due to password leakage. The takeover of the management interface can also occur due to the lack of temporary account locking in the event of an attack such as a Brute Force Attack. Another cause is the direct exposure of a web management interface (including HTTP, HTTPS, SSH), which makes the camera likely to be targeted. Other reasons include the lack of MFA realization, failure to implement an existing security update, or working with outdated old browsers without the ability to upgrade to the latest version due to technological incompatibility.
- User session hijacking: An attacker could hijack a user session, gaining access to the camera system. This can occur by inserting malware into the user’s computer (including a browser plug-in), which in turn will allow the theft of identification information that the user types or sending SSRF requests or using an XSS \ CSRF vulnerability to send user traffic to a destination under the attacker’s control.
- Man-in-the-Middle Attack (MITM): Man-in-the-Middle attack for unauthorized viewing of data – the ability to connect to the system, take over, or eavesdrop and view materials or photographic products.
- Using the camera as a gateway for intrusion into the organization: Vulnerability or misconfiguration may allow intrusion into the organization and further attacks.
- Use of the camera as a gateway for intrusion into a mobile phone in which a management application is installed: Vulnerability or misconfiguration in the camera may allow intrusion into a mobile phone with a management application installed, and further attacks.
- Use of the viewing station as a gateway between networks with different trust levels: A user may connect the viewing station to networks with different trust levels, creating a security gap and an opportunity for validity.
- Illegal publication of the mobile application for “Camera Management”: An attacker could illegally publish a mobile “camera management” app to fool users into installing malicious software.
- Data Leakage: An attacker who has gained access to cameras or storage systems may be able to leak sensitive/ confidential information via the IT network or a mobile device connection, for example. An attacker who has gained access to the cameras may use a sensor (such as an IR lamp or a camera aperture) to leak information. Installation in the wrong location or lack of adequate sensor direction may result in documentation of sensitive/confidential information.
- Receiving remote commands using the sensor: An attacker who had previously gained a foothold in the camera system might use the sensor’s input system to receive remote activation commands from the malware he installed.
- Disrupting or deleting recordings: This occurs with unauthorized access, making changes to images, changing the value of a clock so that the recording system will rewrite historical information, and so on. This, in turn, may harm legal evidence serving the organization or other relevant entities.
- Improper operation leading to system errors, which could lead to human rights violations, or system errors that could lead to lack of evidence/results required for legal proceedings: This refers to the lack of ability to determine an accurate indication of event cold time, which may result from a poor time synchronization process. It should be noted that this issue may have admissibility and evidentiary weight in legal proceedings.
- Physical theft: Physical theft of a camera or storage unit that contains sensitive/ confidential information, such as a recording.
- Physical damage: Damage to the camera lens, physical deflection of the camera from its viewing segment, spraying the surface of the lens with paint, or other damage.
- Online attacks to disable or prevent system access: Hostile takeover and hacking to disable security camera activity. In many incidents, the attacker took over cameras, disabled activities, and changed their access passwords. In other cases, ransomware attacks were carried out on the camera.
- Utilizing camera infrastructure in favor of third-party attack / cyber epidemic: An attacker could exploit a vulnerability to turn a camera into a bot that can be activated in favor of a third-party cyberattack, such as a distributed denial of service (DDoS) / cyber epidemic attack.
- Embedding false information in the recording: An attacker could embed false information in a photo/ recording repository to indict a person or for another purpose.
- Eavesdropping: An attacker could intercept information that passes over a public network (such as the Internet) and then perform various actions to decrypt it.
- The exploitation of Vulnerability in Software Update Mechanisms: An attacker could exploit a vulnerability in a software update mechanism.
In the next post, we will present a list of recommended courses of action to help reduce cyber risks from security cameras. Stay tuned.