Despite numerous warnings from cybersecurity experts and camera manufacturers alike, the fact remains that many security end users and installers have failed to address significant cyber vulnerabilities inherent in some surveillance system deployments. Case in point, researchers at IT security firm Imperva, who were recently looking into repeated HTTP flood attacks against one of their clients, discovered in the list of attacking IP addresses that some of them were originating from network cameras.
According to Ofer Gayer, security researcher for Imperva Incapsula, the attack, which peaked at around 20,000 requests per second, leveraged approximately 900 surveillance cameras spread around the globe. Gayer said the reason that hackers are using IP cameras to carry out these types of attacks is due to the fact that basic security measures, such as changing default login credentials and passwords, are oftentimes not undertaken on surveillance equipment. Once the hackers are in, they can not only access the camera feed but also turn it into botnet for their own benefit which is what happened in this case.
“Cyber criminals are like scavengers in a sense. They just try to find as many soft and easy targets that they can use for their benefit,” explained Gayer. “What they try to do is compromise machines. A camera, for instance, is connected to some sort of device like a low-power computer. It’s not very strong, but it’s strong enough to create a certain amount of traffic… and when you combine them, it’s quite a large amount of traffic. And when you have cameras spread around the world it also creates a nice diversity or sources.”
Once hackers have compromised one machine, Gayer said they will upload malware that will begin to spread itself throughout devices on the network the compromised machine is connected to. Gayer said that IP cameras are a particularly attractive target for cyber criminals because they were never intended to be connected to the internet publicly.
“This is what happens when you take something that isn’t supposed to be connected publicly to the internet and then you connect it to the internet,” added Gayer. “If you have a gun inside a case that’s ok, but if you just leave it out on the street that’s very dangerous. The same goes for a camera. If you have a camera on a closed network that’s only accessible to privileged individuals then that’s ok, but if you connect it to the internet that’s bad and vendors are either unaware or don’t care enough to change that.”
Also, unlike a server or personal computer where a user may notice that something is amiss with the device, Tim Matthews, vice president of marketing for Imperva Incapsula, said that’s simply not the case with surveillance cameras.
“In this instance, the camera is working perfectly fine, doing what it is supposed to do for the owner and, unbeknownst to them, they are being a carrier, so to speak, for a cyber-attack. It is the perfect instrument because the person who owns the camera doesn’t even know what is happening,” said Matthews.
Gayer said that default credentials should never be used under any circumstances and should be immediately changed upon installation. Additionally, Gayer said that end users or their systems integrators should regularly check for and install firmware updates for their surveillance equipment as they become available.
“Somehow we’ve got to get to the manufacturers of these devices and let them know that even if you can’t steal someone’s credit card number through a device, it can still be used as a weapon and we’ve got to figure out a way to make credentials stronger because it is going to be a really big problem pretty soon,” said Matthews.
Given the already large existing install base of IP cameras, which is only expected to continue to increase in the coming years, Geyer believes that securing surveillance networks against cyber vulnerabilities will be an issue that the industry can expect to hear more about moving forward.
“I personally believe we will see what we call the botnet of things or botnet of everything where any device that has any use for hackers will be compromised and used to carry out attacks,” said Gayer. “It could be spam, it could be extortion or it could be mining bitcoin. Whatever the bad guys can get their hands on, they will and they will find a way to take advantage of that.”