
Testing the security of CCTV systems

Ken Munro 30 Oct 2024

TL;DR

  • CCTV is often overlooked: it is ‘shadow tech’ whose security isn’t reviewed as carefully as that of core IT assets
  • It is often the responsibility of facilities managers, who may have little experience of cyber security
  • Security of the hardware and software of some CCTV camera brands is sorely lacking
  • A breach of the camera system is one thing. A pivot from it on to corporate networks is another

CCTV systems have been the cause of major internet outages, together with significant privacy invasion. Their complexity makes ensuring good cyber security challenging for some manufacturers.

The complexity and security challenges come from a number of areas:

API security: the link from the on-site digital video recorder (DVR) that stores footage, to the vendor’s cloud platform, then back to the owner’s smartphone is a common source of security flaws. These are generally the most serious security issues for privacy, as they allow anyone with some technical skill to remotely access video and audio feeds.

We would assess the risk by carrying out a very thorough test of the API security. The most common API security flaws we discover are to do with user and device authorisation, allowing anyone to access any feed.
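The user and device authorisation flaw described above can be shown as a feed endpoint with and without the ownership check, plus a matrix test a vendor could run as a regression check. This is an added example, not code from the original post or from any vendor; the account names, device IDs, tokens and function names are all hypothetical.

```python
# Constructed sample data (hypothetical names): sessions, device ownership, sharing.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
DEVICE_OWNERS = {"dvr-1001": "alice", "dvr-1002": "bob"}
SHARED_WITH = {"dvr-1001": {"carol"}}  # alice has shared her DVR with carol

def entitled(user, device_id):
    """True only if the user owns the device or has been granted access to it."""
    return (DEVICE_OWNERS.get(device_id) == user
            or user in SHARED_WITH.get(device_id, set()))

def feed_url_vulnerable(token, device_id):
    """Authenticates the caller but never checks the caller against the device."""
    if token not in SESSIONS:
        return 401, None
    if device_id not in DEVICE_OWNERS:
        return 404, None
    return 200, f"/stream/{device_id}"

def feed_url_hardened(token, device_id):
    """Authenticates, then authorises this user for this specific device."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    if not entitled(user, device_id):
        # Same answer for "no such device" and "not yours", so valid
        # device IDs cannot be told apart from invalid ones.
        return 404, None
    return 200, f"/stream/{device_id}"

def authorisation_gaps(handler):
    """Run every session against every device; list grants made without entitlement."""
    gaps = []
    for token, user in SESSIONS.items():
        for device_id in DEVICE_OWNERS:
            status, _ = handler(token, device_id)
            if status == 200 and not entitled(user, device_id):
                gaps.append((user, device_id))
    return sorted(gaps)

if __name__ == "__main__":
    print("vulnerable:", authorisation_gaps(feed_url_vulnerable))
    print("hardened:  ", authorisation_gaps(feed_url_hardened))
```
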

CCTV camera hardware: in most cases, the camera itself is a relatively ‘dumb’ device if hard wired to the DVR. Exploitation via this type of camera is fairly pointless. However, if the camera has a Wi-Fi or similar RF connection, it creates an interesting point of attack. It may be possible to recover secret keys from the camera hardware, or extract personal data from it.

We typically carry out a hardware security review, hooking up to the various chips on board the camera in an effort to extract data. This may include firmware extraction and analysis, together with analysis of non-volatile storage.

Cloud platform: many CCTV vendors offer storage on cloud platforms as a form of backup. Security of cloud platforms varies significantly, particularly where vendors have ‘rolled their own’ rather than relying on proven secure platforms.

A thorough cloud platform review is carried out, though this will probably require permission from the CCTV vendor involved, as it is their property.

DVR hardware: the storage device located on the customer premises has been the source of some very significant security flaws. Whilst they should be well secured and protected from external access over the internet, some vendors have ‘punched holes’ in the protection offered by the ISP router and exposed their devices to compromise.

A review of a DVR would involve testing the security of the local operating system, together with extracting firmware and analysing it for security flaws.

Mobile and web apps: the apps used by the customer to access their CCTV feeds remotely can also be a security risk. Typically Android devices are more exposed to compromise than iOS owing to the ‘walled garden’ nature of the Apple operating system, but security issues do creep in.

A mobile application would typically be decompiled and reverse engineered to discover security flaws.

Conclusion

Some vendors, particularly those who operate at the ‘higher end’ of the market, have excellent security controls and development practices. Mid-market vendors have distinctly variable security issues. Those at the low end, at a price point where it is hard to drive strong investment in cyber security, are where we have found some depressingly simple compromises.

Putting a CCTV solution into your office buildings is supposed to improve your physical security. Without good oversight and security assurance, a CCTV system can actually weaken your security.

Wider research

More detail on the various research projects we have done around CCTV is linked here. They include a project where we were the first in the world to correctly identify the source of the Mirai botnet as being a result of a security failure by a CCTV DVR software vendor. This botnet was used to take various social networks offline via a DDoS attack against their DNS provider.

https://www.pentestpartners.com/security-blog/filling-in-gaps-in-mirai-its-about-dvrs-not-cameras/

https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/

https://www.pentestpartners.com/security-blog/domestic-cctv-and-audio-recording/

https://www.pentestpartners.com/security-blog/what-did-mirai-miss-making-a-better-bigger-botnet/

https://www.pentestpartners.com/security-blog/hacking-swann-home-security-camera-video/