Most CCTV systems are easily accessible to attackers
The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don’t give the devices a second thought anymore.
But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks.
According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess.
“Many owners of CCTV video surveillance systems may not even be fully aware of the device’s remote access capabilities as monitoring may be conducted exclusively via the local video console,” he pointed out in a blog post.
Add to this the fact that these same owners often fail to change default password for the admin account, or change it to one equally easy to guess, and you have a recipe for disaster.
“Interacting with the standalone CCTV system can be achieved via a Win32 thick client, a mobile device, or an IE ActiveX control in which a user name and password are required,” he explains. “Typically, in over 70% of cases the device is still configured with the default vendor password which allows trivial access to real time video, the ability to control PTZ (pan-tilt-zoom) cameras, and access to any archived footage.”
Cacak says that video surveillance devices are often overlooked during security audits and vulnerability/penetration tests, but this is likely to change, as the company’s researchers have collaborated with Rapid7 developers and have created a new Metasploit module that tests the most popular CCTV systems – including the aforementioned ones.
He also gave good advice to CCTV deployers: change the default vendor passwords to strong ones, filter access to only trusted hosts, and disable the system’s remote access if it’s not needed.