Most users of IP systems are now aware that cybersecurity is needed to protect their camera feeds from hackers. Vendors often give clear instructions on protecting cameras and network devices from breaches. The most common effective steps to limit third-party access to an IP system include limiting the network’s exposure to the Internet through network access control, firewalls, and network segmentation.

These steps are, for the most part, enough to thwart an ordinary cyberattack on a video surveillance system. But when the stakes are really high, some attackers will resort to more sophisticated attacks that require more effort, time, and resources. In this article we will look at the nature of sophisticated cyberattacks, who may be at risk, and how you can minimize these threats.

What are sophisticated cyberattacks?

Assume that a determined adversary wants to compromise a system by installing malware. That malware may be used for spying; it may be ransomware, a system backdoor, or a bot waiting for instructions. If there is no network access to the devices or system, the adversary needs to find some other way of installing the malware.

Spear-phishing (malware in email attachments such as Word or Excel files) is a common attack vector. Luring someone into installing compromised software or firmware is another.

Placing compromised USB sticks in the parking lot outside the target organization worked well for the Stuxnet attack. Governments can compromise hardware in the supply chain while it is being shipped to targeted customers. There are also debates over governments forcing vendors to include malware in their products.

How can you limit sophisticated cyberattack threats?

In a business setting, an employer can train staff not to insert USB sticks they find and not to open attachments from unknown senders. Reducing network exposure is up to the installer and the system owner. Managing configurations, user accounts, and patching over the system’s life-cycle is up to the system owner. Protection against compromised software/firmware can be managed by the rule “don’t install software from untrusted sites”.

But it is also often managed with vendor digital signatures on the software. Some devices can detect that someone is trying to install compromised firmware and reject the installation. Some of these devices are also equipped with Secure Boot, which detects whether the device was compromised before it reached the end customer. We will see more of this in the future.
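The following is an added example, not code from the article or from any camera vendor, showing the mechanism behind firmware signature checks: the vendor signs the image with a private key it keeps to itself, the device carries only the matching public key, and any image that does not verify against that key is rejected before it is flashed. It uses the openssl command-line tool; the key pair, the “firmware” image and the tampered copy are all constructed here for illustration, and the file names and the function name are assumptions.

```shell
# Added example: vendor-signed firmware and the device-side check.
# Requires the openssl CLI. Everything below is constructed sample data.

WORK=$(mktemp -d)

# Vendor side: generate the signing key pair. The private key never leaves
# the vendor; only vendor_pub.pem is embedded in the camera.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vendor_priv.pem" 2>/dev/null
openssl pkey -in "$WORK/vendor_priv.pem" -pubout -out "$WORK/vendor_pub.pem"

# Constructed firmware image and the detached signature shipped alongside it.
printf 'CAMERA-FW v1.2.3 (constructed sample image)\n' > "$WORK/firmware.bin"
openssl dgst -sha256 -sign "$WORK/vendor_priv.pem" \
    -out "$WORK/firmware.sig" "$WORK/firmware.bin"

# Device side (hypothetical name): verify the image against the embedded
# public key before installing. Prints ACCEPT or REJECT and returns 0/1.
device_check_firmware() {
    image=$1
    signature=$2
    if openssl dgst -sha256 -verify "$WORK/vendor_pub.pem" \
         -signature "$signature" "$image" >/dev/null 2>&1; then
        echo ACCEPT
        return 0
    fi
    echo REJECT
    return 1
}

# A tampered copy: extra bytes appended after the vendor signed the image.
# The original signature no longer matches, so the device must refuse it.
cp "$WORK/firmware.bin" "$WORK/firmware_tampered.bin"
printf 'EXTRA\n' >> "$WORK/firmware_tampered.bin"

GENUINE_RESULT=$(device_check_firmware "$WORK/firmware.bin" "$WORK/firmware.sig" || true)
TAMPERED_RESULT=$(device_check_firmware "$WORK/firmware_tampered.bin" "$WORK/firmware.sig" || true)
echo "genuine image:  $GENUINE_RESULT"
echo "tampered image: $TAMPERED_RESULT"
```

The point to take away is that the check depends only on the public key baked into the device, so an attacker who can modify the image in transit (or on a download site) still cannot produce a signature the device will accept.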

If you expose a camera so it can be accessed from the Internet, you are also giving every script kiddie in the world an opportunity to scan and probe the device and see whether its firmware has a known, exploitable critical vulnerability. Once again, do not poke a hole in your firewall to give them that opportunity. This is one of the main reasons some vendors’ devices ended up in the Mirai botnet a few years back (yes, the hard-coded hidden passwords found in some Asian vendors’ devices did help).

Another important requirement now is network encryption, mostly driven by IT policies and regulations. This is especially relevant for traffic going over unsecured networks such as the Internet and city/community networks. All network traffic crossing unsecured networks should be encrypted.

TLS certificates not only provide encryption, they are also used to authenticate the end-points, which protects against man-in-the-middle attacks. Assume an adversary has network access. He can compromise the routers to redirect traffic, sending the traffic destined for one camera to a PC he controls that impersonates that camera. The VMS gets disconnected and reconnects to the PC, assuming it is the camera. This enables false video injection, or possibly stealing the camera credentials that the VMS uses to log in to the camera. A CA-signed certificate would stop such an attack, because the impersonating PC cannot present a certificate for the camera that the VMS trusts.

If you do not have control over what or who is on your network, you should add network protection (e.g. 802.1X) and use HTTPS with CA-signed certificates on your local network.
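As an added example, not part of the article, the following shows with the openssl command-line tool why a CA-signed certificate defeats the camera impersonation described above. A private CA issues the real camera’s certificate; the VMS trusts only that CA and checks that the certificate is for the hostname it connected to. A PC that copies the camera’s name can only present a self-signed certificate, and a certificate our CA issued to a different camera fails the hostname check. The CA name, the camera hostnames (camera-01 and camera-02 under example.internal) and the function names are assumptions; all keys and certificates are generated on the spot.

```shell
# Added example: private CA, genuine camera certificate, two impostors,
# and the verification a VMS performs before trusting an endpoint.
# Requires the openssl CLI. All names and keys are constructed here.

WORK=$(mktemp -d)
CAMERA_NAME=camera-01.example.internal      # hypothetical camera hostname
OTHER_CAMERA=camera-02.example.internal     # a second, legitimate camera

# The organization's private CA. In practice the CA key is kept offline;
# only ca.pem (the public certificate) is installed on the VMS.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Surveillance CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Issue a CA-signed certificate for a camera: $1 = hostname, $2 = file base.
# The hostname goes into a subjectAltName so hostname checks can match it.
issue_camera_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" 2>/dev/null
}

issue_camera_cert "$CAMERA_NAME" camera01
issue_camera_cert "$OTHER_CAMERA" camera02

# Impostor PC: it can copy the camera's name but cannot obtain the CA's
# signature, so the best it can do is a self-signed certificate with that name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$CAMERA_NAME" \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.pem" 2>/dev/null

# VMS side: $1 = certificate presented by the endpoint, $2 = hostname the VMS
# connected to. TRUSTED only if the chain ends at our CA *and* the name matches.
vms_check_endpoint() {
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo TRUSTED
        return 0
    fi
    echo REJECTED
    return 1
}

GENUINE_RESULT=$(vms_check_endpoint "$WORK/camera01.pem" "$CAMERA_NAME" || true)
IMPOSTOR_RESULT=$(vms_check_endpoint "$WORK/impostor.pem" "$CAMERA_NAME" || true)
# A valid certificate for camera-02 presented on camera-01's connection:
# correctly signed, wrong name, so it must also be rejected.
WRONG_NAME_RESULT=$(vms_check_endpoint "$WORK/camera02.pem" "$CAMERA_NAME" || true)

echo "real camera-01 cert:            $GENUINE_RESULT"
echo "self-signed impostor cert:      $IMPOSTOR_RESULT"
echo "camera-02 cert on camera-01:    $WRONG_NAME_RESULT"
```

Both checks matter: verifying the chain alone would let any device the CA ever issued a certificate to pose as any other, which is why the hostname (or a per-camera identity) must be verified as well.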

Cameras are often physically exposed, leaving the Ethernet cable exposed. It is recommended to use 802.1X (Network Access Protection) to stop anyone who tries to hijack the cable to gain network access. Adding an IP filter on devices, allowing only whitelisted IP addresses to access the device, will also reduce exposure and thus the risk.

Who is at risk?

If cameras processed financial transactions, they would most likely attract cyber criminals. They do not. The most likely sophisticated adversaries with the resources and determination to compromise a decently protected system are nation-states and cyber terrorists.

The most likely targets are critical infrastructure organizations. Large enterprises also fall into that category if a successful attack would affect the general public. It is all about the benefit an attacker may gain relative to the cost of a successful attack. Give someone unlimited time and resources and they can breach any system.

Adapted from a&s Magazine