Misconfigured City CCTV Systems Under Attack: Hackers Could Modify Video Feeds in CCTV Systems
Security examination of a working city video surveillance system by Kaspersky Lab has revealed that networks designed to help protect people from criminals and terrorists could be misused by a third party exploiting system configuration flaws.
It is no secret that police departments and governments have been monitoring city streets for years, with security cameras proving invaluable in crime investigation and prevention. However, as a result of research conducted by Kaspersky Lab researcher Vasilios Hioureas and his fellow researcher Thomas Kinsey from Exigent Systems Inc., these systems could also be used in a harmful way.
As part of their research, the authors examined the security video surveillance network in one city. Surveillance cameras were connected via a mesh network – a type of network in which nodes are connected with each other and serve as stepping stones for data (video feed in this particular case) on its way from a node to the control centre. Instead of using a Wi-Fi hotspot or wired connection, nodes in such networks simply transmit data to the closest node which transmits it further through other nodes right to the command centre. Should an intruder connect to just a single node in the network, they will be able to manipulate the data transmitted through it.
Mesh-network based video surveillance systems are, in general, an inexpensive alternative to surveillance systems which require either multiple hotspots throughout a city, or miles of wires. But the security of such networks is heavily dependent on how the whole network is set up. In the case investigated by the researchers, the network of cameras used no encryption at all. After purchasing equipment similar to that used in the city, Kaspersky Lab researchers discovered that sufficient encryption tools are provided, but they were not being used correctly in this case. As a result, clear text data was being sent though the network and made freely available to any observer who joined.
The researchers quickly realised that creating their own version of the software used in the network would be enough to manipulate the data traveling across it. After recreating the network and software in the lab, they were able to intercept the video feeds from any node and also modify them e.g. exchange the real video from the camera with a fake one.
The researchers shared their findings with the company that had set up the surveillance network in the city last summer. Since then, the necessary changes have been made to the vulnerable network.
“We undertook this research to highlight that cybersecurity also affects physical security systems, especially critical public systems like video surveillance. When building a smart city, it is extremely important to not only think about the comfort, energy and cost efficiency that the new technologies will bring, but also about the cybersecurity issues that might arise. Although the findings of this research were presented last august we have reasons to believe that its findings are still useful for city authorities that are planning to implement mesh-network based surveillance systems or implemented it already,” – said Vasilios Hioureas, Junior Malware Analyst at Kaspersky Lab and a co-author of the research.
In order to avoid the security vulnerabilities associated with mesh-networks, Kaspersky Lab recommends the following measures:
Although still potentially hackable, Wi-Fi Protected Access with a strong password is the minimum requirement needed to stop the system from being an easy target.
Hidden SSID (public names of a wireless network) and MAC filtering (that allows users to define a list of allowed devices on the Wi-Fi network) will also weed out unskilled hackers.
Make sure that all labels on equipment are concealed and enclosed to deter attackers who do not have insider information.
Securing video data using public-key cryptography will make it almost impossible to manipulate video data.
The research was originally presented at DefCon 2014. It has been published as part of Kaspersky Lab’s contribution to the knowledge base of Securing Smart Cities – a global not-for-profit initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, not-for-profit initiatives and individuals across the world.
The full text of the research is available on Securelist.com and this report was first published by Kaspersky Lab.
