Remotely accessing surveillance systems is key in 2020, with more and more users relying on mobile apps as their main way of operating the system. However, remote access brings unique challenges: system security, ease of access, and configuration difficulty all need to be weighed against each other.
Five Remote Access Options for Video Surveillance
In this report, we explain how the four most common remote access options for video surveillance work:
Before putting any surveillance system on the internet, it is critical that users understand the risks involved. Several major vulnerabilities were reported in major manufacturers' cameras, including:
May 2020 - Dahua Critical Cloud Vulnerabilities - Dahua and 22 OEMs, including Panasonic and Stanley, had hard-coded cloud keys / passwords which were shared and could be used to ultimately gain full access to cloud-connected equipment.
March 2020 - LILIN Vulnerabilities Used by DDoS Botnets - Three vulnerabilities: command injection vulnerabilities with NTUpdate, FTP, and NTP; hardcoded credentials; and an arbitrary file reading vulnerability with LILIN DVRs.
February 2020 - Chinese NVR/DVR Vulnerability - Huawei (HiSilicon) backdoor uses a combination of port knocking to enable telnet along with hardcoded root credentials.
February 2020 - Bosch, Multiple Self-Reported Vulnerabilities - Two 10.0 critical vulnerabilities along with 8.6 and 7.7 rated vulnerabilities. The first 10.0 vulnerability affects Bosch BVMS and involves deserialization of untrusted data, which attackers can use to remotely execute code. The other 10.0 vulnerability applies to their Video Streaming Gateway and is also remotely exploitable because the VSG services are missing authentication for critical functions.
January 2020 - Honeywell Maxpro VMS & NVR Vulnerability - Attackers are able to remotely execute code and, via a SQL injection vulnerability, an attacker could gain unauthenticated access to the web user interface with admin rights.
Because of the severity of these incidents and their increasing frequency, it is critical that users understand the basics of cybersecurity for surveillance systems, and how to protect against simple attacks at the very least.