Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.
The cameras, used by banks, retailers, hotels, hospitals and corporations, are often configured insecurely — thanks to these manufacturer default settings, according to researcher Justin Cacak, senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of the systems to view live footage, archived footage or control the direction and zoom of cameras that are adjustable.
“You can essentially view these devices from anywhere in the world,” Cacak said, noting that he and his security team were able to remotely view footage showing security guards making rounds in facilities, “exceptionally interesting and explicit footage” from cameras placed in public elevators, as well as footage captured by one high-powered camera installed at a college campus, which had the ability to zoom directly into the windows of college dorm rooms.
Cacak and his team were able to view footage as part of penetration tests they conducted for clients to uncover security vulnerabilities in their networks. The team found more than 1,000 closed-circuit TV cameras that were exposed to the internet and thus susceptible to remote compromise, due to inherent vulnerabilities in the systems and to the tendency of the companies to configure them insecurely.
The inherent vulnerabilities, he said, can be found in at least three of the top makers of standalone CCTV systems that he and his researchers examined — MicroDigital, HIVISION, CTRing — as well as a substantial number of other companies that sell rebranded versions of the systems.