Video Surveillance Vulnerabilities
On August 13, 2018, the US Government signed the 2019 NDAA into law, banning all use of Dahau and Hikvision (and their OEMs) video surveillance equipment from being used for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national security' usage.
More on that later and why it matters to you…
During a recent investigation of slow Internet performance for one of our clients, we stumbled across some anomalous traffic logged in their firewall from a neighboring IP address/ system. It seemed that the system was sending out broadcast storms as well as multicast requests. A broadcast storm is a network condition in which so many broadcasts are occurring (for example, for IP address verification purposes) that normal communication is disrupted.
We decided to dig a little into this and traced it to a host system, through a local ISP, with a dynamic IP address. Digging a little further, we determined this was a video surveillance system DVR appliance that was connected to the Internet. We were also able to obtain the device make, model and who the local vendor was that installed the equipment. We determined that the device had been compromised and it appeared to be scanning for other vulnerable systems, which was causing excessive traffic on the Internet Wi-Fi network this client was attached to.
Our research into this uncovered a plethora of information about the vulnerabilities in video surveillance equipment. Most of this type of equipment runs on operating systems like a computer, with the vast majority running on some version of Linux. Linux systems, like Windows, requires management and maintenance to keep them secure. What we have found is that there have been several breaches because of:
- Use of default admin or login accounts
- Unmanaged, unpatched equipment
- Equipment that is directly exposed to the public Internet community
- Security related flaws and lack of proper support from equipment manufacturers
More research into this and general vulnerabilities with video surveillance systems uncovered a whole slew of security issues. One of the biggest concerns was a vulnerability in equipment from Dahau that allows anyone with a simple script to hack into a DVR or NVR unit. It was described as - “This is like a damn Hollywood hack, click on one button and you are in...” From user bashis, the person that originally discovered the wide-spread vulnerability.
So, you may be saying right now, Whew, I don’t have any Dahau equipment, so I’m safe. Hold that thought because Dahau is a Chinese OEM manufacturer for brand names such as:
FLIR & FLIR Cloud
Security Camera King
And many, many more. We found similar issues from brands such as HikVision, Raysharp, Swann, TRENDnet, Ozvision and others.
This has been a major concern in the IT community for years and we have all been yelling and screaming that eventually it is going to become a widespread issue. The main reason we are seeing these issues in our area is that there is lack of proper IT training by the people and vendors installing the equipment.
Miller Technologies has been installing and managing video surveillance equipment for 20 years and we know the potential IT related security issues that come with them if they are not properly installed, setup and maintained. Security cameras are not a set it up and forget it type of system, yet many have been by other local vendors.
So back to the ban…
It’s easy for the Government to just ban something, but what do the rest of us do?
We have a lot of work to do to clean up the security mess that is out there. New industries, such as the Cannabis industry are indirectly contributing to the problem, because they are required by law to have surveillance systems in place. This has led to widespread sales and use of lower cost, vulnerable systems that are setup by untrained and inexperienced people. There are things Miller Tech can do to avoid having to replace your existing equipment. If you are looking at new video surveillance equipment, we highly recommend considering at least involving an IT professional in the decision process if not having them specify, install and manage it for you.
Full Disclosure story about video surveillance vulnerabilities: