Ghost in the machine...

With around three quarters of remotely accessible CCTV systems allowing intruders free access to invade privacy and compromise entire corporate computer networks, is it time to say 'enough is enough' to manufacturers and insist upon firmware changes to improve security control?

This is not isolated to consumer level CCTV platforms only. Many 'professional' DVRs & NVRs are installed with default administrator accounts unchanged or additional accounts created and system owners given control over the default account (which they then fail to change).

This means that anyone who is able to connect to the unit remotely can simply enter the default username & password (which can be found within seconds through a simple google search in almost all cases) and then have access to the system as completely as if they were standing in front of the unit.

To compound matters further CCTV systems are rarely secured to only allow specific IP addresses to connect to them and at the same time they broadcast their presence through banner information given out to any device that queries the unit (This means it is easy to find such devices in the wild).

In ~80% of installations the default passwords remain in place for the first three months. This drops to an average of ~70% after three months as some systems are made more secure by their removal.

This still leaves vast numbers of units out there which can be listed by country / ISP / city, or date of installation and more which are openly accessible to any IP address.

Some examples:

• AVTech - Over 420,000 units exposed - (14,000 in Great Britain / 12,000 in America)
  
• Hikvision - Over 710,000 units broadcasting - (10,000 in Great Britain / 16,000 in America)
  
• Dedicated Micros - Over 18,000 units detected - (8,000 in Great Britain / 7,000 in America)
  

You might be thinking, so what, it's just CCTV - what's the worst that can happen? It should be remembered at all times that modern DVRs are in effect computers in most cases. Usually based on linux these machines are carrying out a specific task but can be put to use for other non DVR activity with ease.

Each compromised DVR is in effect an open computer allowing anyone and everyone access to a corporate network potentially. If security of the DVR is poor then it is possible that network security within a corporation is equally lax.

Last year a CCTV module was added to a tool called Metasploit, widely used in the blackhat community this tool allows users to attack a DVR, testing default access and brute forcing passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers and those who seek to maliciously access systems.

Whose fault is it really?...

It can sometimes be difficult to pin down exactly where the fault lies as there is a blurring of responsibilities in some contractual agreements.

A professional installer may fit a DVR and put in place a secure username and password combination for remote management or viewing by a remote RVRC or ARC. They may also advise the system owner to put in place ACL (Access control lists) so that only authorised IP addresses are allowed to connect to the device as well as giving advice on blocking netbios responses and port forwarding. However, if a user insists on being able to access the device remotely and chooses to keep the simple to remember default account and not to implement such measures then the machine can remain vulnerable.

Often the company responsible for installing, maintaining or monitoring the system does not have control over the network used by the device for transmission.

Even if the password is changed there exist a large number of exploits on known DVRs and in many cases these and similar exploits can be applied to other DVRs as the programming code is sometimes not as secure as it ought to be.

The CCTV hardware sector has been under intense price pressure in recent years and with a downward spiralling price index it has been common to see a reduction in the number of developers and code writers employed by some companies which could potentially increase the risk of security holes remaining in a product.

In the event that a breach receives widespread mainstream media coverage it does not just reflect badly upon an end user themselves as the security industry on the whole would receive bad press even if not at fault.

How do we fix it?...

In part this may require some contract review to ensure that clear definitions are in place by all businesses as to the responsibility that both they and the client hold. Clear understanding must be given as to the potential risks and good practise should be recommended in securing the unit.

Perhaps a move towards mobile broadband and IPv6 will mean that we can take back control of securing the communication channel?

We must however tackle the issue of default user accounts existing in the first place.

There is no need to have such accounts any more. Even if such accounts could be made unique to each device it would be an improvement, but in an ideal world the units would prompt for a unique username and password combination on first powering up with an option to default the unit only by an physical action on the unit itself in some secure manner. Dedicated Micros units for example come configured with up to five seperate default accounts of which three have admin level access and allow full control over a unit. Are your engineering teams ensuring that all of these accounts are removed?

I recently asked the technical support staff at several DVR manufacturers why they still use default accounts despite the huge risks involved when they are regularly left in place? I was repeatedly advised that it made their job much easier when providing remote support to users and engineers.

Newer Axis cameras feature the technique of forcing a password change on first access and it is much more secure as a result.

We should be hammering the doors of manufacturers to ask them to indtroduce this approach in their new firmware revisions (no hardware change should be required in most cases). We should also be encouraging the standards to push towards a more robust approach to handling default accounts.

Manufacturers often boast of how much value is protected by their devices (it's a safe boast that does not reveal how many units they sold) - It is this same value that is potentially at risk.

The next time you are presented with new CCTV equipment or a new manufacturer, ensure that you ask them how they ensure that their products remain secure as it is your reputation at stake.

Action to be taken:

Installers

• Check contractual agreements
  
• Ensure engineers trained in best practise
  
• Audit existing installations
  
• Verify guidance given to end users
  
• Ensure firmware is updated regularly
  

Manufacturers

• Remove generic default accounts
  
• Deploy an effective mechanism for security
  
• Check existing exploits to ensure none affect your units
  
• Keep up to date with new exploits
  
• Notify your clients when you discover older firmware is at risk
  
• Maintain a 'risk register' of some kind for trade members to be aware of potential risks
  

End Users

• Protect their own networks by blocking Netbios
  
• Allow access only to specific IP addresses
  
• Change / Remove default accounts!!
  
• Use secure passwords (6 Characters or more / Alphanumeric / Mixed case)
  
• Ensure that internal communications to and from the device are restricted