X
Get all access to the world's best video surveillance information.
Logo
Free-book-promo-680-70

Is Hacking IP Cameras A Major Risk?

by John Honovich, IPVM posted on Aug 02, 2009 About John Contact John

Fears are rising that IP cameras can and willl be hacked. At Defcon, a demonstration showed an IP camera's feed intercepted and replaced by a fraudulent video, allowing a hypothetical suspect to steal an object right in front of the surveillance camera; thus bringing Hollywood to 'real life.'

What Do You Think?

Demo of the Hack

Here's a demo of the hack (the theft occurs at the end of the clip). Note the company that does the hack sells software to prevent it.

Bigger Risks Routinely Accepted

As titilating as this demo may be, there are far bigger risks that most real-world security organizations accept every day, such as:

  • Most security cameras are not watched live. For all those cameras, there's no need for any fancy hacks. Just walk on in. On the way out, find the recorder and take it with you.
  • When security cameras fail, almost no one responds immediately. At best, a trouble ticket or call is opened and the camera is checked in the next few business days. If the cameras are being monitored live, simply shut down the recorder or the power to the recorder/cameras. Most operations will see this as a nuisance but will not shut down the building (casinos, as always, the exception).
Difficulty to Do in a Real Environment
It's one thing to do this in a demo, it's far harder to pull this off in a real environment. Let's say you are one of the very few organizations who both watches cameras live and takes immediate action to cameras going out. The attacker would still need to:
  • Get access to the internal LAN of the target organization.
  • Pull this hack off against many cameras. These types of organizations are going to have dense camera coverage, which means 3, 5, 10 or more cameras need to be commandeered.
  • The attacker will also have to figure out where these cameras are - which generally is not easy. Steal the CAD drawings? Hack in to the VMS system to see the layout? Certainly theoretically possible but not easy to do.
  • The demo presumes the use of standard signaling protocols and CODECs. IP video surveillance is famous for its lack of standards. The attacker will have to know which proprietary interface each camera uses and have solutions for each variety. Good luck.
If the attacker is this cunning, intelligent and determined, wouldn't there be higher value targets? Steal critical information, access financial accounts, etc. Or do this legally by becoming a quant at an investment bank?
Security Theatre
This type of attack is security theater - the type of risk that sounds exciting and threatening but is simultaneously unrealistic and ignores more fundamental risks that should be addressed. Maybe maximum level security operations should examine this but I suspect even they have more basic flaws in their video surveillance that need to be addressed first.





Most Recent Industry Reports

Rain Surveillance Shootout on Nov 26, 2014
Rain can ruin surveillance video, and your housing choice might be making it worse. In this test, we shot out the five most common form factors of outdoor housing: box, full size dome, minidome, f...

Resolution vs Compression Tested on Nov 24, 2014
They are not the same thing. Unfortunately, too many industry people conflate them. Worse, resolution and compression can silently undermine each other. The Impact Compare the two images below....

Camera DNR (Digital Noise Reduction) Guide on Nov 20, 2014
A significant video problem is night time bandwidth spikes. An IPVM study found 250 - 500% increase in bandwidth from day to night (see: Testing Bandwidth vs Low Light). Digital noise r...

Camera Labor Estimation Standard on Nov 19, 2014
IPVM is proud to release the first ever surveillance camera labor estimation standards. These standards help integrators improve the accuracy and efficiency of their installations, reducing risks ...

Dahua HDCVI 2.0 Tested on Nov 17, 2014
A strong initial reception but can it repeat? Dahua's initial HDCVI analog HD offering, with its super low cost and HD resolution, was extremely well received (see IPVM's HDCVI test results)....

Avigilon Analytic Cameras Tested on Nov 12, 2014
Analytics remains the 'next big thing' But supply of high quality, ease to use analytics remain in short supply. VideoIQ had been the favorite choice of integrators surveyed. But VideoIQ was acqu...

Best & Worst Manufacturer Salespeople on Nov 10, 2014
What manufacturers were rated the worst? Which the best? What do integrators want from their manufacturer salespeople? What offends them the most? New IPVM survey results of 100+ integrators an...

Testing Bandwidth vs Low Light on Nov 07, 2014
Bandwidth and low light can be a bad combination. Despite many assuming / calculating bandwidth as a single 24/7 number, bandwidth can vary dramatically. One of the big drivers of bandwidth chang...

Hikvision Tribrid Recorder Tested on Nov 05, 2014
HD over existing coax, IP and legacy analog cameras, all in a single recorder. A 16 camera 'tribrid' DVR that does all that for less than $400. This is what Hikvision is claiming with its 7200 se...

Camera Finder Released on Nov 03, 2014
The new Camera Finder revolutionizes camera selection. Search across 2100+ cameras for 40 criteria, immediately returning precise matches so you can find the best fit for your specific needs. Thi...