X
Get all access to the world's best video surveillance information.
Logo
680-70-2015-free-banner

Is Hacking IP Cameras A Major Risk?

by John Honovich, IPVM posted on Aug 02, 2009 About John Contact John

Fears are rising that IP cameras can and willl be hacked. At Defcon, a demonstration showed an IP camera's feed intercepted and replaced by a fraudulent video, allowing a hypothetical suspect to steal an object right in front of the surveillance camera; thus bringing Hollywood to 'real life.'

What Do You Think?

Demo of the Hack

Here's a demo of the hack (the theft occurs at the end of the clip). Note the company that does the hack sells software to prevent it.

Bigger Risks Routinely Accepted

As titilating as this demo may be, there are far bigger risks that most real-world security organizations accept every day, such as:

  • Most security cameras are not watched live. For all those cameras, there's no need for any fancy hacks. Just walk on in. On the way out, find the recorder and take it with you.
  • When security cameras fail, almost no one responds immediately. At best, a trouble ticket or call is opened and the camera is checked in the next few business days. If the cameras are being monitored live, simply shut down the recorder or the power to the recorder/cameras. Most operations will see this as a nuisance but will not shut down the building (casinos, as always, the exception).
Difficulty to Do in a Real Environment
It's one thing to do this in a demo, it's far harder to pull this off in a real environment. Let's say you are one of the very few organizations who both watches cameras live and takes immediate action to cameras going out. The attacker would still need to:
  • Get access to the internal LAN of the target organization.
  • Pull this hack off against many cameras. These types of organizations are going to have dense camera coverage, which means 3, 5, 10 or more cameras need to be commandeered.
  • The attacker will also have to figure out where these cameras are - which generally is not easy. Steal the CAD drawings? Hack in to the VMS system to see the layout? Certainly theoretically possible but not easy to do.
  • The demo presumes the use of standard signaling protocols and CODECs. IP video surveillance is famous for its lack of standards. The attacker will have to know which proprietary interface each camera uses and have solutions for each variety. Good luck.
If the attacker is this cunning, intelligent and determined, wouldn't there be higher value targets? Steal critical information, access financial accounts, etc. Or do this legally by becoming a quant at an investment bank?
Security Theatre
This type of attack is security theater - the type of risk that sounds exciting and threatening but is simultaneously unrealistic and ignores more fundamental risks that should be addressed. Maybe maximum level security operations should examine this but I suspect even they have more basic flaws in their video surveillance that need to be addressed first.





Most Recent Industry Reports

Gain / AGC for Video Surveillance Guide on Apr 23, 2015
Gain control is a critical, though often overlooked, factor in low light surveillance video. It is generally only noticed when the negative side effective of aggressive gain levels are seen, namely...

Testing Honeywell HQA HD-CVI on Apr 22, 2015
HD analog support continues to expand, with Honeywell now releasing its own HD-CVI offering, awkwardly named "High Quality Analog" (HQA), offering up to 1080p video via analog. The big appeal is g...

Testing Axis Zipstream on Apr 13, 2015
Has Axis found its breakthrough differentiator? Can they demand a premium for this? Axis claims Zipstream can "lower bandwidth and storage requirements by an average 50% or more." We upgrade...

New Products Spring 2015 on Apr 12, 2015
After very poor new releases in 2014 (see Spring 2014 and Fall 2014 directories), 2015 is already much better. Here are new products being announced in 2015: Avigilon First to Demo 7K Cameras ...

FLIR FX Tested on Apr 08, 2015
FLIR is going after the home / consumer surveillance market with their FLIR FX. A few of the notable competitive features offered: Video analytics for search (RapidRecap) Built-in Battery Buil...

IP Network Setup Guide for Surveillance on Apr 06, 2015
In this guide, we teach the fundamentals of setting up an IP video surveillance network, taking factory default cameras through to a fully configured and ready to run network. We explain these topi...

Testing Messoa 3MP LPC Camera on Apr 02, 2015
License plate recognition has historically required specialized cameras with limited general surveillance use. Messoa is aiming to change that with the LPR606, a higher resolution 3MP claiming sce...

Security Integrator Finder Released on Apr 01, 2015
The new Security Integrator Finder's goal is to list every integrator in the world, overlaid on Google Maps. Here's how you benefit: Integrators can more easily be found by end users and manufa...

Milestone LPR Tested on Mar 31, 2015
How well does Milestone's LPR work? Milestone's LPR supports off the shelf IP cameras, integrating license plate recognition with the Milestone Smart Client for live video, playback, and alar...

4K Panasonic Tested (Panoramic) on Mar 25, 2015
Panasonic has released their first 4K cameras, and surprisingly, they are panoramic, which they tout include high sensitivity 1/2" image sensors, true WDR, auto back focus, and other feat...