Open Mobile Menu

Blog

Is Your Security Camera System A Security Risk?

Views: 4797

Written By: Scott Johnson September 09, 2015

Is your security camera system a security risk?

 

Corporations, small business owners, and home-owners alike all have a variety of valid reasons to deploy surveillance systems. There are many options with just as many price points making surveillance practical for just about everyone. This convenience can come at price for those who are not technologically or security savvy. Deploying a surveillance system is supposed to provide security, not introduce vulnerabilities. Unfortunately this is exactly the case with certain DVR security camera systems. Comparable to IP cameras that have received a lot of press for vulnerabilities, these DVR systems, if accessible from the Internet, can allow a malicious user to freely monitor all video (live and recorded). If a camera’s functions such as panning, zooming, or audio are enabled, an attacker can control these as well.

In 2013 a security camera DVR vulnerability, CVE-2013-6023, was published documenting a vulnerability in select firmware revisions of TVT DVR security camera systems. This vulnerability makes it possible to read system files through a directory traversal vulnerability, which allows an attacker to take full control of the security camera system. Surprisingly this vulnerability has received very little attention and virtually none in the mainstream press. This is a very simple vulnerability to exploit allowing malicious persons to take full control of these security camera systems commonly deployed in homes and businesses. A person can view live feeds or review recorded video at their discretion. If a system has motorized cameras, a user could control them by panning and zooming.

The Internet meta-data service Shodan.io reports that it has knowledge of about 33,000 of these vulnerable DVR systems around the world. Shodan is a search engine that allows users to search the types of computers found on the Internet. Like search engines such as Google, Yahoo, and Bing, users can create custom filters in their searches to refine the search results. The vulnerable DVR systems utilize a web server that transmits a distinctive string or text in its responses to user requests. This string was used to create a filter in a Shodan search which produced the 33,000 plus results.

A random sampling of about 50 targets from Shodan concludes that these servers are indeed DVR systems. The random sampling was accomplished simply by using a browser to connect to the IP address port combination and viewing the login page. Then a test script was initiated to test whether or not the directory traversal vulnerability existed. In all 50 test cases, the vulnerability did indeed exist. In order to ensure no one’s privacy was compromised during this research an actual exploit of the sample servers was not conducted.

This seemingly “Peeping Tom” vulnerability can lead to much more than an invasion of one’s privacy. Many of these DVR systems have cameras fixed on points of entry. If these entry points use simple keypad codes to access a building, it would be trivial to document these codes and access the building at a time of choosing. Alarmingly it has been two years since this vulnerability was reported and the manufacturer has yet to release a patch or a procedure to mitigate this vulnerability.

Fortunately there are measures to secure these vulnerable DVR systems. The application does have the ability to limit access by designating a white list of MAC addresses but most deployments tested did not implement this. Placing these systems behind a VPN would also provide a bit of protection, as it would limit exposure. But again this is not widely used as is evident in Shodan’s report of over 33,000 vulnerable systems. Each and every one of these systems could be protected by configuring the existing security features and deploying a second layer of mitigating controls such as placing these DVR systems behind a VPN.

It’s more likely than not that these systems are vulnerable because the users implicitly trusted these devices were secure because it’s a “security system”.  Like these DVR systems, it must be assumed that any device directly accessible from the Internet poses a security risk. The question to ask after this assumption is what is at stake if this device is compromised. In the case of this DVR vulnerability, answering this question and acting on the answers would likely reduce the number of systems Shodan reports dramatically.

 

Note:

Shodan only reports on common HTTP(s) ports such as 80, 81, and 443. The actual number of vulnerable systems is likely higher as the system’s port is configurable.

The exploitation is for the application with administrative access. At this time a full system compromise has not been achieved although only a useable point of entry is required since the system root password is accessible and in most cases easily cracked.

Scott Johnson

Scott Johnson is a Senior Application Security Consultant with AppSec Consulting with more than 12 years experience in Information Security.  He has held the CISSP and CEH certifications and has expertise in all aspects of ethical hacking / penetration testing and security operations.  Scott’s expertise is both technical and non-technical. In the soft non-technical areas, he has performed security awareness training to new hires, presented security briefings to senior management, acted as security liaison to non-security IT groups, and given presentations on current security topics. Additionally, he has written many policies and procedures, written and presented hundreds of vulnerability assessments, led several request for proposals to acquire new technologies, and coordinated with law enforcement on several forensic cases.  

In the technical realm, Scott has several years experience as a security analyst and as an ethical hacker. As a security analyst he used and administered tools such as: IPS systems, forensic tools, Anti-virus tools, security information management suites (SIMS), and web content management systems. For the past 5 years he has focused on ethical hacking. During this time Scott has performed hundreds of vulnerability assessments covering mobile devices, web applications and infrastructure systems. 

Scott’s IT career started after graduating from Georgia College and State University in the US Army Military Intelligence Corp. where he worked as an engineer on top-secret electronic warfare systems. Scott is active in his community by serving as a board member of his church and volunteering his time for community out reach projects.

read more articles by Scott Johnson