Is Hacking IP Cameras A Major Risk?
by John Honovich, IPVM posted on Aug 03, 2009
Fears are rising that IP cameras can and will be hacked. At Defcon, a demonstration showed an IP camera's feed intercepted and replaced by a fraudulent video, allowing a hypothetical suspect to steal an object right in front of the surveillance camera, thus bringing Hollywood to 'real life.'
Demo of the Hack
Here's a demo of the hack (the theft occurs at the end of the clip). Note the company that does the hack sells software to prevent it.
Bigger Risks Routinely Accepted
As titillating as this demo may be, there are far bigger risks that most real-world security organizations accept every day, such as:
- Most security cameras are not watched live. For all those cameras, there's no need for any fancy hacks. Just walk on in. On the way out, find the recorder and take it with you.
- When security cameras fail, almost no one responds immediately. At best, a trouble ticket or call is opened and the camera is checked in the next few business days. If the cameras are being monitored live, simply shut down the recorder or the power to the recorder/cameras. Most operations will see this as a nuisance but will not shut down the building (casinos, as always, the exception).
Difficulty to Do in a Real Environment
It's one thing to do this in a demo; it's far harder to pull this off in a real environment. Let's say you are one of the very few organizations that both watch cameras live and take immediate action when cameras go out. The attacker would still need to:
- Get access to the internal LAN of the target organization.
- Pull this hack off against many cameras. These types of organizations are going to have dense camera coverage, which means 3, 5, 10 or more cameras need to be commandeered.
- Figure out where these cameras are, which generally is not easy. Steal the CAD drawings? Hack into the VMS system to see the layout? Certainly theoretically possible but not easy to do.
- The demo presumes the use of standard signaling protocols and CODECs. IP video surveillance is famous for its lack of standards. The attacker will have to know which proprietary interface each camera uses and have solutions for each variety. Good luck.
If the attacker is this cunning, intelligent and determined, wouldn't there be higher value targets? Steal critical information, access financial accounts, etc. Or do this legally by becoming a quant at an investment bank?
Security Theatre
This type of attack is security theater - the type of risk that sounds exciting and threatening but is simultaneously unrealistic and ignores more fundamental risks that should be addressed. Maybe maximum level security operations should examine this but I suspect even they have more basic flaws in their video surveillance that need to be addressed first.