
Is Hacking IP Cameras A Major Risk?

by John Honovich, IPVM, posted on Aug 02, 2009

Fears are rising that IP cameras can and will be hacked. At Defcon, a demonstration showed an IP camera's feed intercepted and replaced by a fraudulent video, allowing a hypothetical suspect to steal an object right in front of the surveillance camera, thus bringing Hollywood to 'real life.'

Demo of the Hack

Here's a demo of the hack (the theft occurs at the end of the clip). Note the company that does the hack sells software to prevent it.

Bigger Risks Routinely Accepted

As titillating as this demo may be, there are far bigger risks that most real-world security organizations accept every day, such as:

  • Most security cameras are not watched live. For all those cameras, there's no need for any fancy hacks. Just walk on in. On the way out, find the recorder and take it with you.
  • When security cameras fail, almost no one responds immediately. At best, a trouble ticket or call is opened and the camera is checked in the next few business days. If the cameras are being monitored live, simply shut down the recorder or the power to the recorder/cameras. Most operations will see this as a nuisance but will not shut down the building (casinos, as always, the exception).

Difficulty to Do in a Real Environment

It's one thing to do this in a demo; it's far harder to pull this off in a real environment. Let's say you are one of the very few organizations that both watch cameras live and take immediate action when cameras go out. The attacker would still need to:

  • Get access to the internal LAN of the target organization.
  • Pull this hack off against many cameras. These types of organizations are going to have dense camera coverage, which means 3, 5, 10 or more cameras need to be commandeered.
  • The attacker will also have to figure out where these cameras are, which generally is not easy. Steal the CAD drawings? Hack into the VMS system to see the layout? Certainly theoretically possible but not easy to do.
  • The demo presumes the use of standard signaling protocols and CODECs. IP video surveillance is famous for its lack of standards. The attacker will have to know which proprietary interface each camera uses and have solutions for each variety. Good luck.

If the attacker is this cunning, intelligent and determined, wouldn't there be higher value targets? Steal critical information, access financial accounts, etc. Or do this legally by becoming a quant at an investment bank?

Security Theatre

This type of attack is security theater: the type of risk that sounds exciting and threatening but is simultaneously unrealistic and ignores more fundamental risks that should be addressed. Maybe maximum-level security operations should examine this, but I suspect even they have more basic flaws in their video surveillance that need to be addressed first.




