Free educational articles for physical security professionals.
IP cameras are essential to physical security. Paradoxically, they’re also a common source of cybersecurity weakness. Unfortunately, IP cameras’ ubiquity and fast growth have come with the cost of overlooked camera vulnerabilities that attackers often discover before patches are released or applied.
This article will explore camera vulnerabilities in detail, including common vulnerabilities and exposures (CVE), how they have appeared in different camera products, and how they are exploited by attackers. We’ll also examine camera vulnerability mitigations and best practices for reducing your exposure to IP camera-related threats.
The table below summarizes the key camera vulnerability concepts this article will cover in more detail.
Concept | Description |
---|---|
Evolution of surveillance cameras | Surveillance cameras have evolved from analog to digital to connected systems. Convenience has increased for both users and hackers. |
Types of vulnerabilities | There are several types of camera vulnerabilities, the severity of which depends on the use case. Common examples include authentication, firmware, application, and data transmission weaknesses. Attackers have exploited IP cameras from well-known manufacturers using these types of vulnerabilities. This article delves into some Common Vulnerabilities and Exposures (CVE). |
Best practices for managing camera vulnerability | Automated device discovery, firmware updates, password rotation, and access control policies are important mitigation techniques for IP camera-related risks. |
Below is a quick overview of the relevant terms you will encounter in this article or related articles during camera vulnerability evaluation.
Monitor the health of security cameras and receive alerts in real-time
Automate firmware upgrades, password rotations & certificate management
Generate ad hoc and scheduled compliance reports
Like many electronics, IP cameras have become increasingly “smart.” let’s use the TV evolution as an analogy. The early security cameras were analog systems, with their feed connected to a dedicated monitor or a Video Cassette Recording (VCR) System near the camera via a coaxial cable. They had low-resolution feeds, and since the video was stored on magnetic tapes, archival and retrieval required manual handling.
Next came the transition from analog to digital. The technology changed: the VCR became a Digital Video Recorder (DVR), image quality and resolution improved, storage and retrieval became easier (hard drive compared to magnetic tapes), and remote viewing of the camera feed was now possible through connected monitors.
Next came the Internet of Things (IoT) revolution and millions of devices connected to the network with an IP address. Wired gradually became wireless. Cameras started talking to each other. Storage moved to the network video recorder (NVR) or the cloud, and remote viewing became the norm. Advanced analytics became possible (including face recognition, motion detection, and object tracking). The camera firmware was now updatable remotely while in service. Convenience became abundant for both users and hackers. This surge in opportunities for hackers is the primary focus of this article.
The evolution of cameras from analog to digital to networked. (Source: SecuriThings)
As the cameras became networked, the attack surface increased drastically. For the first time, the attacker did not need to be near the camera to hack it, eliminating a huge barrier for bad actors. Secondly, the number of entry points for attackers increased. Hackers could now target the camera’s authentication mechanism, data transmission, web interface, or even camera firmware. This required a focus on security and compliance.
When cameras became wireless, every manufacturer defined proprietary software protocols, resulting in multiple incompatible protocols in the IP camera market. Eventually, interoperability between hardware and software became a bottleneck, and the industry needed standardization. That’s how the ONVIF (Open Network Video Interface Forum) standard began in 2008. It covers device discovery and management, media configuration, IP configuration, real-time viewing, event handling, video analytics, storage, and security.
While the comprehensive list of vulnerabilities will include hundreds or even thousands of entries, we will discuss the most common ones here. The severity of the vulnerability greatly depends on the application for which the camera is used. For example, a pet cam’s feed being visible to a malicious user may not be an issue. In contrast, even a few seconds of downtime can be detrimental to a security vault camera.
Improper/weak authentication is the most common camera vulnerability. If an IP camera does not adequately authenticate users, certain users may be able to escalate their privileges on the system and get access to sensitive information.
Here are three examples of vulnerabilities that have affected IP cameras.
This vulnerability allows hackers to execute arbitrary code on your camera. For example, the CVE–2018–10660 vulnerability allowed attackers to execute shell commands on Axis IP cameras with root privileges. When combined with CVE-2018-10661 (access control bypass) and CVE-2018-10662 (exposed insecure interface), an unauthenticated, remote attacker could gain full control over the camera.
Attackers can exploit this vulnerability to crash the camera, leading to service downtimes and potentially valuable camera feed loss.
Some examples of this camera vulnerability are listed below:
Credentials can be exposed to unintended users in several ways. In the IP-camera world, several Hikvision cameras were affected by the ‘password in configuration file’ vulnerability, CVE-2017-7923, which allowed a malicious user to escalate privileges or assume the identity of another user.
This is another common vulnerability that affects several IP cameras, best understood by the examples given below:
XSS is a vulnerability related to the web interface provided to the user. Attackers exploiting XSS vulnerabilities need to send the user a link to the web application infused with malicious scripts. If a user clicks on this link, the requested web application will open, but the malicious script will also be executed if the application is not properly secured. D-Link IP Camera DCS-2103 and cameras by Eyeplusiot.com are examples of vulnerable cameras.
While XSS exploits the user’s trust in the application, CSRF exploits the application’s trust in an authenticated user. This vulnerability forces an authenticated user to submit an unintended request to a web application they are authenticated against.
The attacker sends the request to the application on your behalf. This vulnerability affected Bosch IP Cameras with CVE-2021-23849. If the victim was successfully tricked into clicking on a malicious link while logged into the camera, the attacker could successfully trigger actions on the camera on behalf of the user.
This vulnerability allows an attacker to traverse directories of the camera’s file system, potentially accessing sensitive files. An example is CVE-2010-4231, which affected Camtron and TecVoz IP cameras. In this vulnerability, attackers could exploit a “..” traversal sequence in the URI. For example, exploiting a directory traversal vulnerability to obtain the root password for a Genie Access WIP3BVAF IP camera.
Directories like /tmpfs or /log can be accessible without authentication, potentially revealing sensitive information in plain text format. CVE-2013-2574 is an example that affected certain FOSCAM IP cameras. The reporters of the above vulnerability accessed sensitive information, including access credentials (usernames and plaintext passwords, stored in the config_backup.bin file in the ‘tmpfs’ folder) and Wi-Fi credentials.
If operations within the bounds of a memory buffer are not properly restricted, it can lead to memory corruption with unpredictable consequences, including downtime. An example is the CVE-2018-10664 vulnerability in multiple models of Axis IP cameras, wherein there was an issue in the HTTPS process. Another example is CVE-2018-19036, which affected several Bosch IP cameras. The out-of-bounds memory operation allowed an unauthorized attacker to execute code on the device.
This section will discuss a few practices for managing the vulnerabilities mentioned above.
The first step toward managing your IP cameras is understanding the management scope. It is crucial to identify how many devices are present on your enterprise network, what specifications these devices have, and what firmware version they are running. Whether these devices are internet-facing or only communicating on the intranet can also be checked. Use tools like Shodan to identify if an intranet device inadvertently leaks data to the Internet.
Devices that are end-of-life (EoL) may still be supported by the vendor but have been designated as unfit for long-term use. As such, they should be treated as high-risk and prioritized for replacement. Furthermore, as EoL devices enter the End of Service-Life (EoSL) stage, they will no longer receive patches or updates, which makes them easy targets for attackers due to the certainty of successful exploitation of identified vulnerabilities. Over time, managing these devices becomes a manual effort, and they can be easily overlooked in an enterprise system containing hundreds or thousands of devices. A vulnerability in any of these devices can remain persistent and have long-term consequences on the overall health of your security system.
SecuriThings offers a software solution that simplifies the management of physical security devices. It offers centralized control, automation, and real-time monitoring. Upon deployment, the platform delivers complete visibility into the end-of-life (EOL) timeline for your entire device fleet. Additionally, it recommends suitable replacement models to ensure a smooth transition during device upgrades.
You can fix most of the vulnerabilities discussed in the above section via firmware updates, and manufacturers regularly release patch updates to fix the reported issues. Automating the firmware update process ensures that the vulnerabilities are fixed as soon as a fix is available.
You can set up an automated firmware upgrade routine by setting up a custom service to check with the camera manufacturer for an update (e.g., using an API) and then deploying it in a phased manner across your fleet. Alternatively, you can use enterprise solutions like those provided by SecuriThings to manage the firmware updates.
First, you should change the default password once the camera is set up. Next, you should enforce a strong password policy to protect against a brute-force dictionary search attack. Next, rotate passwords regularly (preferably in an automated manner). Rotation ensures that the extent of damage caused by a compromised password is limited. Finally, complement password rotation with other features, like multi-factor authentication (MFA). To limit the scope of impact in the event of password compromise or leakage, you should avoid using the same password, despite the complexity, across your IoT estate.
Ensure that all communication with the camera is encrypted, locally or via the cloud. Disable services like Telnet and FTP that send data in cleartext if they are not required so that your attack surface is reduced.
Strict access control policies based on the principle of least privilege further help reduce the attack surface. Every unnecessary access is a potential vulnerability source. Human carelessness can be an important enabler for attackers to exploit vulnerabilities, and minimizing access to the bare minimum required provides protection against it.
As discussed in the above section, these vulnerabilities are related to the web interface provided by the camera. The best practices when using the web interface are listed below:
Secrets, keys, and certificates are key to IoT device security, as they secure authentication, communication between devices, and management solutions. Unmanaged certificates, self-signed certificates, low-complexity keys, high TTL tokens, and insecure storage are common issues attackers use to compromise devices. As organizations deploy a greater number of IoT devices, manual management becomes impractical. Automated management provides clear cost savings and greater value through continuous certificate visibility to enable rotation and provide avenues for efficient issue resolution and decision-making.
A holistic and automated device management setup is essential for protecting fleets of IP cameras deployed for critical applications. While there are many vulnerabilities, following the best practices in your device management setup gives you a strong defense against most of the major camera vulnerabilities.