CCTV IoT Cameras – Is someone watching you?

IoT CCTV Cameras

IoT CCTV Cameras are witnessing a global surge in installations, aiming to enhance security across personal, business, and government domains. Predictions indicate that by 2021, approximately 1 billion CCTV cameras will be operational, reinforcing the vigilance landscape.

CCTV IoT Devices

In today’s ever evolving world, many home and office security cameras are actually IoT Hardware devices. This means that they are connected to the internet. As with all IoT devices, there are many benefits that come with internet-connected CCTV cameras. Primarily, real-time footage is displayed, and this can be viewed on users’ phones from anywhere in the world via an app, making monitoring efforts much easier. Some cameras support two-way communication – essentially acting like a baby monitor. And, for cameras that are used on front doors, the user can see exactly who is ringing the bell and open it remotely. Ah yes, the various ways in which IoT devices can make us lazier.

But, like all IoT devices, there are also a plethora of IoT security vulnerabilities and risks. Connected devices expand the attack surface, making it easier to conduct cyberattacks. IoT devices have an IP address which can be found by bad actors. And many also have simple default passwords that users do not change. This makes it extremely easy for an attacker to hack the device. Furthermore, being an IoT device, the camera has access to vast amounts of data which makes it an appealing target.
IoT security vulnerabilities are a longstanding issue that require urgent attention. Many IoT devices lack sufficient security measures and often go unprotected due to their seemingly harmless nature. Traditional endpoint and network protection software is ineffective against IoT threats, as it cannot accurately identify, monitor, or secure these smart devices.

IoT Cameras and Hardware Attacks

Cameras are not typically thought of as connected devices; therefore, they are not considered to be an IoT security risk. However, IoT devices are highly susceptible to hardware attacks – either through a spoofed peripheral, or a network implant… And internet-connected IoT CCTV cameras are no exception. They can be used in a variety of ways to harm an organization. The camera can be the target of a hardware attack or could assist in facilitating a future hardware attack.

DDoS Attack

The CCTV camera might be used to conduct a distributed denial of service (DDoS) attack. Not only does this cause major disruptions, but it can also act as a distraction for other, more harmful, attacks. In 2018, the Mirai malware began targeting IoT CCTV cameras to turn them into bots, making up a botnet that caused a DDoS attack which left much of the internet inaccessible on the US east coast (The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet).

Since IoT devices obtain large amounts of data in order to operate efficiently, targeting an internet-connected CCTV camera can provide the attacker with access to usernames, passwords, the camera’s location and time-zone. Additionally, the attacker can use the camera as an entry point to further infiltrate the network, potentially gaining access to further sensitive information. In a 2017 report, it was discovered that CCTV cameras can be compromised to provide entry to air-gapped networks. So, even the most secure networks are not immune to infiltration via IoT CCTV cameras.

Easy Entry into Buildings

By accessing the camera’s footage, bad actors can determine the easiest way to gain entry to a building to carry out further hardware attacks on an organization. The footage can highlight the areas with the fewest guards, when the premises is emptiest and where certain assets are located. Alternatively, perpetrators can manipulate the footage being displayed – either showing a black screen or replaying old footage. This can allow them to gain physical entry to the building without being noticed or identified. Moreover, it can be extremely useful when attempting to conduct additional hardware attacks since physical access is required.

Furthermore, since some cameras allow for two-way communication, the attacker can instruct an employee with insider privileges to conduct an attack via the camera. This can be either as a result of blackmail, or a disgruntled employee looking to harm the organization that wronged them.

So, today, when using IoT CCTV cameras, one must ask: am I using this camera to watch them, or are they using this camera to watch me?

November 22nd, 2020