Globally, the number of surveillance cameras being installed is increasing in an effort to improve security, whether in the personal, business or government realm. It is predicted that by 2021, there will be around 1 billion CCTV cameras in operation.
In today’s ever-evolving world, many home and office security cameras are actually IoT devices, meaning that they are connected to the internet. As with all IoT devices, there are many benefits that come with internet-connected CCTV cameras. Primarily, real-time footage is displayed, and this can be viewed on users’ phones from anywhere in the world via an app, making monitoring efforts much easier. Some cameras support two-way communication, essentially acting like a baby monitor. And, for cameras that are used on front doors, the user can see exactly who is ringing the bell and open the door remotely. Ah yes, the various ways in which IoT devices can make us lazier.
But, like all IoT devices, they also come with a plethora of security risks. Connected devices expand the attack surface, making it easier to conduct cyberattacks. IoT devices have an IP address which can be found by bad actors, and many also have simple default passwords that users do not change. This makes it extremely easy for an attacker to hack the device. Furthermore, being an IoT device, the camera has access to vast amounts of data, which makes it an appealing target.
Cameras are not typically thought of as connected devices; therefore, they are not considered to be a cybersecurity risk. However, IoT devices are highly susceptible to hardware attacks, either through a spoofed peripheral or a network implant, and internet-connected CCTV cameras are no exception. They can be used in a variety of ways to harm an organization: the camera can be the target of a hardware attack or could assist in facilitating a future hardware attack.
The CCTV camera might be used to conduct a distributed denial of service (DDoS) attack. Not only does this cause major disruptions, but it can also act as a distraction for other, more harmful, attacks. In 2018, the Mirai malware began targeting CCTV cameras to turn them into bots, making up a botnet that caused a DDoS attack which left much of the internet inaccessible on the US East Coast.
Since IoT devices obtain large amounts of data in order to operate efficiently, targeting an internet-connected CCTV camera can provide the attacker with access to usernames, passwords, and the camera’s location and time zone. Additionally, the attacker can use the camera as an entry point to further infiltrate the network, potentially gaining access to additional sensitive information. In a 2017 report, it was discovered that CCTV cameras can be compromised to provide entry to air-gapped networks. So, even the most secure networks are not immune to infiltration via CCTV cameras.
Easy Entry into Buildings
By accessing the camera’s footage, bad actors can determine the easiest way to gain entry to a building to carry out further hardware attacks on an organization. The footage can highlight the areas with the fewest guards, when the premises are emptiest and where certain assets are located. Alternatively, perpetrators can manipulate the footage being displayed, either showing a black screen or replaying old footage. This can allow them to gain physical entry to the building without being noticed or identified. Moreover, it can be extremely useful when attempting to conduct additional hardware attacks, since physical access is required.
Furthermore, since some cameras allow for two-way communication, the attacker can instruct an employee with insider privileges to conduct an attack via the camera. This can be either the result of blackmail or the work of a disgruntled employee looking to harm the organization that wronged them.
So, today, when using CCTV cameras, one must ask: am I using this camera to watch them, or are they using this camera to watch me?