Remotely accessing surveillance systems is key in 2020, with more and more users relying on mobile apps as their main way of operating the system. However, remote access brings unique challenges, with system security, ease of access, and configuration difficulty all needing to be weighed against each other.
Five Remote Access Options for Video Surveillance
In this report, we explain how the five most common remote access options for video surveillance work:
- Port forwarding
- Universal Plug and Play (UPnP)
- Dynamic DNS
- Cloud / 'Phone Home' (e.g., Hikvision EZVIZ, Axis AVHS, Nest Cam)
- Virtual Private Networks (VPNs)
(Related: Network Addressing for Video Surveillance Guide and Converged vs. Dedicated Networks For Surveillance).
2020: Cyber Security Is Critical
Before putting any surveillance system on the internet, it is critical that users understand the risks involved. Several major vulnerabilities were reported in major manufacturers' cameras, including:
Wyze Massive Data Leak - Millions of users' account data was exposed publicly including email addresses, usernames, WiFi SSIDs, and more.
Bosch VDOO 2018 Vulnerability - A critical vulnerability that is difficult to discover and requires sophisticated hacking skills to exploit.
Hikvision IP Camera Critical Vulnerability - Exploiting the vulnerability allows attacks to either take over the device or crash the camera.
Sony Talos 2018 Vulnerabilities - Allows commands to be executed without Admin credentials, however attacker needs to know what commands to execute so it is more complex than some other, simpler vulnerabilities.
Axis VDOO 2018 Vulnerabilities - Results in root access, however the attack process is very complex, requires multiple steps and requires advanced linux knowledge and hacking skills.
GeoVision's Unprecedented Vulnerabilities: 15 critical security vulnerabilities. This includes root access as well as printing / displaying all credentials in clear text.
Hikvision Backdoor Exploit: Hikvision included a magic string that allowed instant access to any camera, regardless of what the admin password was, with the actor only needing to copy and paste.
Vivotek Remote Stack Overflow Vulnerability:Very easy to exploit; no special accounts, passwords, or device-specific strings/hashes are required to execute an exploit against an affected camera. Simply sending a long URL with the malicious content.
Hikvision Cloud Security Vulnerability: A critical vulnerability in Hikvision's global cloud servers allowed an attacker to remotely take over the server and get access to sensitive customer data.
See our Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits for more information on these and other issues, including new ones as they occur.
Because of the severity of these incidents and their increasing frequency, it is critical that users understand the basics of cybersecurity for surveillance systems, and how to protect against simple attacks at the very least.
We strongly recommend reviewing Network Security for IP Video Surveillance before proceeding.