X
Get all access to the world's best video surveillance information.
Logo
680-70-2015-free-banner

Is Hacking IP Cameras A Major Risk?

by John Honovich, IPVM posted on Aug 02, 2009 About John Contact John

Fears are rising that IP cameras can and willl be hacked. At Defcon, a demonstration showed an IP camera's feed intercepted and replaced by a fraudulent video, allowing a hypothetical suspect to steal an object right in front of the surveillance camera; thus bringing Hollywood to 'real life.'

What Do You Think?

Demo of the Hack

Here's a demo of the hack (the theft occurs at the end of the clip). Note the company that does the hack sells software to prevent it.

Bigger Risks Routinely Accepted

As titilating as this demo may be, there are far bigger risks that most real-world security organizations accept every day, such as:

  • Most security cameras are not watched live. For all those cameras, there's no need for any fancy hacks. Just walk on in. On the way out, find the recorder and take it with you.
  • When security cameras fail, almost no one responds immediately. At best, a trouble ticket or call is opened and the camera is checked in the next few business days. If the cameras are being monitored live, simply shut down the recorder or the power to the recorder/cameras. Most operations will see this as a nuisance but will not shut down the building (casinos, as always, the exception).
Difficulty to Do in a Real Environment
It's one thing to do this in a demo, it's far harder to pull this off in a real environment. Let's say you are one of the very few organizations who both watches cameras live and takes immediate action to cameras going out. The attacker would still need to:
  • Get access to the internal LAN of the target organization.
  • Pull this hack off against many cameras. These types of organizations are going to have dense camera coverage, which means 3, 5, 10 or more cameras need to be commandeered.
  • The attacker will also have to figure out where these cameras are - which generally is not easy. Steal the CAD drawings? Hack in to the VMS system to see the layout? Certainly theoretically possible but not easy to do.
  • The demo presumes the use of standard signaling protocols and CODECs. IP video surveillance is famous for its lack of standards. The attacker will have to know which proprietary interface each camera uses and have solutions for each variety. Good luck.
If the attacker is this cunning, intelligent and determined, wouldn't there be higher value targets? Steal critical information, access financial accounts, etc. Or do this legally by becoming a quant at an investment bank?
Security Theatre
This type of attack is security theater - the type of risk that sounds exciting and threatening but is simultaneously unrealistic and ignores more fundamental risks that should be addressed. Maybe maximum level security operations should examine this but I suspect even they have more basic flaws in their video surveillance that need to be addressed first.





Most Recent Industry Reports

Getting Started With Your IPVM Membership on Feb 01, 2015
Here's how to get started and get the most out of your IPVM membership. Getting Started Video Presentation You can watch the 20 minute video immediately below or scan through the whole post for i...

ioimage HD Analytic Camera Tested on Jan 29, 2015
Four years after acquiring ioimage, DVTel has released new HD analytic cameras, with the promise of higher probability of detection and lower false alarm rates.   Now, the question ...

Testing Integrated IR Cameras In Snow on Jan 28, 2015
'Snowmaggedon 2015' gave us an oppportunity to test cameras in heavy snow conditions. Integrated IR has gained in popularity, improving low light images even in low cost cameras. However,&nbs...

2015 Video Surveillance Guide on Jan 27, 2015
The 250+ page, 2015 Video Surveillance Industry Guide, covering the key events and the future of the video surveillance market, is now available. Table of Contents How To Get It There are 3 ...

How to Hack an ADT Alarm System on Jan 26, 2015
This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation. The risk of such a hack has become major news as a class action lawsuit was f...

Simplicam Facial Recognition Tested on Jan 23, 2015
Facial recognition, available for $150? That's the offer from a startup, Simplicam, who has not only cloned Dropcam setup and user interface but has added in facial detection and recognition....

Bosch 4K Tested on Jan 21, 2015
4K promises more pixels but does it undermine WDR and low light performance? We tested the Axis 4K camera and there were certainly issues. Now, we tested the Bosch 4K camera, the Dinion IP Ultra ...

Largest New Video Surveillance Projects on Jan 19, 2015
140 video surveillance professionals, including integrators and manufacturers, shared the largest video surveillance projects that they have seen in the past year. Key Patterns The survey results...

IP Networking Course - Last Day Save $50 on Jan 18, 2015
[Today is the last day to save $50 - register now.] This is the first networking course designed specifically for video surveillance professionals. IPVM is launching an IP Networking for Video Su...

Bosch Buys $190 Million Integrator on Jan 16, 2015
The big deals continue. This time, Bosch has bought a US integrator, Climatec, that did ~$190 million in 2014 revenue.