X
Get all access to the world's best video surveillance information.
Logo
680-70-2015-free-banner

Is Hacking IP Cameras A Major Risk?

by John Honovich, IPVM posted on Aug 02, 2009 About John Contact John

Fears are rising that IP cameras can and willl be hacked. At Defcon, a demonstration showed an IP camera's feed intercepted and replaced by a fraudulent video, allowing a hypothetical suspect to steal an object right in front of the surveillance camera; thus bringing Hollywood to 'real life.'

What Do You Think?

Demo of the Hack

Here's a demo of the hack (the theft occurs at the end of the clip). Note the company that does the hack sells software to prevent it.

Bigger Risks Routinely Accepted

As titilating as this demo may be, there are far bigger risks that most real-world security organizations accept every day, such as:

  • Most security cameras are not watched live. For all those cameras, there's no need for any fancy hacks. Just walk on in. On the way out, find the recorder and take it with you.
  • When security cameras fail, almost no one responds immediately. At best, a trouble ticket or call is opened and the camera is checked in the next few business days. If the cameras are being monitored live, simply shut down the recorder or the power to the recorder/cameras. Most operations will see this as a nuisance but will not shut down the building (casinos, as always, the exception).
Difficulty to Do in a Real Environment
It's one thing to do this in a demo, it's far harder to pull this off in a real environment. Let's say you are one of the very few organizations who both watches cameras live and takes immediate action to cameras going out. The attacker would still need to:
  • Get access to the internal LAN of the target organization.
  • Pull this hack off against many cameras. These types of organizations are going to have dense camera coverage, which means 3, 5, 10 or more cameras need to be commandeered.
  • The attacker will also have to figure out where these cameras are - which generally is not easy. Steal the CAD drawings? Hack in to the VMS system to see the layout? Certainly theoretically possible but not easy to do.
  • The demo presumes the use of standard signaling protocols and CODECs. IP video surveillance is famous for its lack of standards. The attacker will have to know which proprietary interface each camera uses and have solutions for each variety. Good luck.
If the attacker is this cunning, intelligent and determined, wouldn't there be higher value targets? Steal critical information, access financial accounts, etc. Or do this legally by becoming a quant at an investment bank?
Security Theatre
This type of attack is security theater - the type of risk that sounds exciting and threatening but is simultaneously unrealistic and ignores more fundamental risks that should be addressed. Maybe maximum level security operations should examine this but I suspect even they have more basic flaws in their video surveillance that need to be addressed first.





Most Recent Industry Reports

Super Low Cost Chinese Camera Shootout on Feb 25, 2015
The 'Chinese' are the industry's #1 threat (or opportunity depending on one's perspective). IPVM has extensively covered the rise of Dahua and Hivkision (see test results). But those tw...

Warning: Case Studies Can Get You Sued on Feb 24, 2015
What do 24 Hour Fitness, Barnes and Nobles and multiple hospitals have in common? They have all been sued in the past few months, with their manufacturer case studies used as evidence.  They...

Genetec AutoVu LPR Camera Tested on Feb 23, 2015
License plate video is one of the most requested elements of video surveillance. IPVM has done many tests on license plate cameras, including the: License Plate Capture Shootout Low Cost Licen...

Shootout: 4K vs PTZ Cameras on Feb 19, 2015
Resolutions continue upwards, with 4K cameras hitting the street. Meanwhile, PTZ usage continues its downward trend, with fewer and fewer integrators choosing them. The question is: how does this ...

Testing FLIR IR PTZ on Feb 17, 2015
FLIR's integrated IR PTZ, the DNZ30TL2R claims a whopping 150m (~500') IR range and HD resolution. Distances like these have historically been possible only with expensive high-end positioning syst...

Canon to Buy Axis, Will Own Axis and Milestone on Feb 10, 2015
This is the biggest deal in video surveillance ever. Just 8 months after buying Milestone, Canon is set to buy Axis. Canon has offered $2.8 billion USD for Axis, a ~50% premium over Axis stock pr...

BestMatch Camera Software Released on Feb 09, 2015
Our new camera comparison algorithm, BestMatch, enables you to find the best camera for your needs at up to 70% lower price. Watch this quick 2 minute video that shows how you will benefit from th...

Hikvision HDTVI Long Distance Problem Tested on Feb 05, 2015
Hikvision's HDTVI cameras performed poorly over low quality or long coax and UTP cables in our original tests. This was a major issue as a key selling point of analog HD technol...

Network Monitoring / SNMP for Video Surveillance Guide on Feb 02, 2015
Surveillance systems typically rely on the the VMS to report issues, but this most often just means knowing a camera is "down" with no warning or detailed information. Network monitoring syst...

Getting Started With Your IPVM Membership on Feb 01, 2015
Here's how to get started and get the most out of your IPVM membership. Getting Started Video Presentation You can watch the 20 minute video immediately below or scan through the whole post for i...