IP cameras for video surveillance have been a trending topic amongst enterprises across the world due to rising concerns for security and safety. IP CCTV cameras are revolutionizing security measures, and technology has evolved to allow for a more diverse security monitoring system through high resolution, larger digital storage options and compatibility with integrated analytical software.

According to Global CCTV Market Forecast 2022, analysts expect the market for global CCTV to grow at a CAGR of around 11% during 2018-2022. 

Clearly, a successful hack of an enterprise security camera system could have a range of implications. Amongst the main ones are unauthorized access to video and audio streams of data, as well as to the archive; violation of confidentiality, HIPAA and PII; potential leaks of personal and corporate information; and possible copying, unauthorized distribution and duplication of such data.

“Most Enterprise video surveillance systems are vulnerable to hackers. According to our studies, more than half of companies and organizations, both large and small, do not take sufficient precautions when it comes to preventing their security cameras from being hacked. Be it ignorance or just a careless approach to security of their network in general, the results of hacking can be disastrous,” says Chris Ciabarra, the CTO and co-founder of Athena Security.

With the increasing number of surveillance cameras installed in homes, offices and public places, hacking incidents related to these devices happen more and more often. 

The ease of hacking surveillance cameras

It’s not a secret that surveillance cameras, like many other Internet of Things (IoT) devices, are full of vulnerabilities that can be exploited by hackers.

Cameras, just like all other devices connected to the Internet, have IP addresses that are easy to find using Shodan, a search engine for Internet-connected devices. With this simple tool, a hacker can find hundreds of potentially vulnerable IoT devices to hack into, including cameras, especially when most companies use default passwords. 

The solution

Below are basic recommendations on how to protect your camera network, and what actions you should take to minimize the chance of hacking.

  • Change the default username and password 

You should start by changing the default password and username of your camera network. Even though this may seem obvious, not everyone does it, practically leaving the door for hackers wide open. 

Use a strong password that is hard to guess. When setting up the password use numbers, symbols, both uppercase and lowercase letters. Do not use simple and commonly used passwords, such as the ones in SplashData's list of 100 worst passwords of the year.

Do not use the same password you are already using for other online accounts. According to a recent survey on data privacy conducted in May 2019, 13% of respondents with at least one online account say they use the same password for all their accounts. Using a password manager to generate a strong random password may be a good idea. 

  • Update your camera firmware regularly

Keeping camera firmware up to date is very important, as it prevents hackers from exploiting vulnerabilities and bugs that manufacturers have already patched in a new firmware update.

Despite the fact that most modern cameras will automatically download and install firmware updates, some require the user to check for updates and install them. 

  • Set up two-factor authentication 

Set up two-factor authentication if your cameras support it. With two-factor authentication on, the camera manufacturer will send you a randomly generated passcode via text message or phone call, in addition to the username and password, during each login to the account. Two-factor authentication prevents hackers from accessing the camera system even if they were able to crack the username and password.

Not all surveillance camera systems support two-factor authentication, though. 

Technical recommendations

  • Prevent cameras from sending information to third parties

Companies that use surveillance cameras very often do not put enough effort into protecting their cameras and the data they transmit, despite the fact that this footage is of great importance to many people.

The firmware of most cameras from different manufacturers is programmed to keep a connection with the manufacturer’s server without the knowledge of the end user. Most users, both private and corporate, are not aware of this and therefore do not take any steps to protect themselves from this potential vulnerability, which could result in a footage leak to a third party or a successful hacker attack.

To prevent your camera network from transmitting to third parties, the following steps should be taken.

Step 1: Statically assign an IP address

Statically assign an IP address and subnet mask to each camera, and leave the gateway blank or, if the gateway field allows it to be entered, set it to an address in the 127 subnet. If the firmware does not allow a blank gateway or 127 subnets, just point the gateway to an unused dedicated IP address.

This way, cameras will not be able to send the information off the local company network.

Step 2: Assign DNS servers

Assign the cameras DNS servers that are local to them, and configure those servers so that only your own domain is present, with zero forwarding DNS servers.

This way, if a camera tries to do name resolution, it will come up blank. Not being able to find the IP address of the main server (mother ship), cameras won’t be able to connect to it.   

To stay safe you can order your own DNS servers, locked down to your addresses only.
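A way to check Steps 1 and 2 across a camera inventory, as an added example that is not part of the original article. The camera list, the unused gateway address 10.20.0.254 and the internal DNS addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory (not from the article): one entry per camera.
CAMERAS = [
    {"name": "cam-lobby", "ip": "10.20.0.11/24", "gateway": "", "dns": ["10.20.0.2"]},
    {"name": "cam-dock", "ip": "10.20.0.12/24", "gateway": "10.20.0.1", "dns": ["10.20.0.2"]},
    {"name": "cam-roof", "ip": "10.20.0.13/24", "gateway": "10.20.0.254", "dns": ["8.8.8.8"]},
    {"name": "cam-gate", "ip": "10.20.0.14/24", "gateway": "127.0.0.1", "dns": ["10.20.0.3"]},
]
# Assumed site policy: the unused dedicated address a gateway may point at,
# and the internal DNS servers that serve only the local domain (no forwarders).
UNUSED_GATEWAYS = {ipaddress.ip_address("10.20.0.254")}
LOCAL_DNS = {ipaddress.ip_address("10.20.0.2"), ipaddress.ip_address("10.20.0.3")}

def audit_camera(cam):
    """Return a list of findings for one camera; empty means Steps 1-2 hold."""
    findings = []
    try:
        iface = ipaddress.ip_interface(cam["ip"])
        gateway = cam["gateway"].strip()
        gw = ipaddress.ip_address(gateway) if gateway else None
        dns = [ipaddress.ip_address(d) for d in cam["dns"]]
    except ValueError as exc:
        return [f"unparseable setting: {exc}"]
    # Step 1: gateway must be blank, loopback (127/8) or the unused address.
    if gw is not None and not (gw.is_loopback or gw in UNUSED_GATEWAYS):
        findings.append(f"gateway {gw} is not blank, loopback or the unused address")
    # Step 2: only internal resolvers, reachable without any gateway.
    if not dns:
        findings.append("no DNS server assigned")
    for server in dns:
        if server not in LOCAL_DNS:
            findings.append(f"DNS server {server} is not a local resolver")
        elif server not in iface.network:
            findings.append(f"DNS server {server} is outside {iface.network}")
    return findings

def audit_all(cameras):
    """Map each camera name to its list of findings."""
    return {cam["name"]: audit_camera(cam) for cam in cameras}

if __name__ == "__main__":
    for name, findings in audit_all(CAMERAS).items():
        print(name, "OK" if not findings else findings)
```

The off-subnet check matters because a camera with no gateway can only reach a resolver on its own subnet.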

  • Block your camera network’s access to the Internet 

Blocking your camera network’s access to the Internet is a good way to make sure hackers won’t be able to get access to the footage and other confidential data. Any dual-homed system touching your camera network should be blocked from Internet access. This way, no system in the same subnet will have access to the Internet through that box.

Always use DNS, because firewall rules tend to be easy to hack, while an internal DNS is not expected and stops systems from resolving names you do not wish to be translated, such as the names a bad program uses to talk back to its mothership.

  • Monitor your system for traffic spikes 

One of the tricky things about hacker attacks is that there are no warnings. In most cases hackers will penetrate your system without any signs or symptoms of an attack, and it isn’t until you face consequences (like leaked footage or hackers manipulating cameras) that you realize something is wrong. It may be days or even months between the hacker attack and the time you realize the system has been compromised.

Monitoring dual-homed systems for bandwidth spikes could be a good way to spot a hack resulting in the leakage of confidential data like images or video. There are a number of traffic monitoring tools available to private and corporate users that can manage and sniff the network or just monitor it.
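One way to flag bandwidth spikes on a dual-homed system, as an added example that is not part of the original article. It assumes outbound megabytes are sampled every five minutes; the sample values, window size and thresholds are constructed.

```python
from collections import deque
from statistics import median

# Constructed sample: outbound MB per 5-minute interval on a dual-homed
# recorder, starting at 02:00, with three intervals of unusually high egress.
VALUES = [40, 42, 39, 41, 43, 40, 38, 41, 42, 40, 39, 41,
          40, 44, 410, 395, 402, 41, 39]
SAMPLES = [(f"{2 + (i * 5) // 60:02d}:{(i * 5) % 60:02d}", v)
           for i, v in enumerate(VALUES)]

def find_spikes(samples, window=12, k=6.0, floor=0.05):
    """Return (timestamp, value, threshold) for samples far above baseline.

    The baseline is the median of the last `window` unflagged samples and
    the spread is the median absolute deviation (MAD), so one burst does
    not drag the baseline upward. `floor` keeps the spread from collapsing
    to zero on very steady links.
    """
    baseline = deque(maxlen=window)
    alerts = []
    for ts, value in samples:
        if len(baseline) == window:
            med = median(baseline)
            mad = median([abs(x - med) for x in baseline])
            threshold = med + k * max(mad, floor * med)
            if value > threshold:
                alerts.append((ts, value, threshold))
                # Flagged samples stay out of the baseline, so a sustained
                # transfer keeps alerting instead of becoming "normal".
                continue
        baseline.append(value)
    return alerts

if __name__ == "__main__":
    for ts, value, threshold in find_spikes(SAMPLES):
        print(f"{ts} egress {value} MB exceeds threshold {threshold:.1f} MB")
```

A legitimate permanent increase in traffic will keep alerting under this design, so the baseline needs a manual reset after such a change.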

  • Facial blur in archived footage 

Blurring people’s faces when archiving surveillance camera video streams is a great tool, allowing you to comply with privacy laws and make the footage useless to hackers even if they manage to successfully hack your system.

These recommendations will allow you to lower the risk of hackers breaking into your security camera network, detect a hack if it has already occurred, and protect yourself from possible consequences if camera footage was stolen.


Author profile

Christopher Ciabarra CTO, Athena Security, Inc.

Chris is a serial entrepreneur and security expert with over 20 years experience using technology to detect and prevent threats. He has dedicated his career to building proactive solutions to security threats. He is an anti-hacking expert who pioneered network security solutions during the dot-com boom, and mobile payment security during the rise of mobile computing. Chris is an award-winning innovator, published author, and member of the Forbes Technology Council. But above all he is an inventor dedicated to making the world a better place.

From 2010 – 2017 he co-founded and was the CTO of Revel Systems, helping grow it from 0 to 800 employees and a $500 million valuation. Chris developed the technology behind the company’s iPad point-of-sale system. When everyone said it was impossible, Chris made it happen. Chris also designed Athena to create a safer world - one where real threats are quickly identified and neutralized, and where the innocent wouldn’t be profiled as a threat without just cause.

Christopher is also a certified Thermographer, which is the study of infrared devices and how they work and should be operated.
