CCTV Security: How to Detect and Eliminate Botnet Attacks

What is CCTV or IP Video Surveillance: CCTV (closed-circuit television) is primarily used for surveillance and security. CCTV Security is commonly used for a variety of purposes, including:

  • Maintaining perimeter security
  • Monitoring traffic
  • Obtaining a visual record of human activity
  • Employee safety

CCTV/IP Video is a device connected to your network. Many IT professionals often forget that the camera is an “edge” device. Similar to a PC, tablet, wireless access point and VoIP phone, these need to be secured on the network from unauthorized users and potential hackers.

What is Botnet: A botnet (sometimes referred to as a “zombie army”) is a number of internet-connected computers communicating with other similar devices in an effort to complete tasks and objectives. This can be as simple as maintaining control of an internet relay chat (IRC) channel, or it could be used for more complex tasks – for example, to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is mostly used with a negative or malicious connotation.

How does a botnet work: Botnets are typically created by tech-savvy criminals who are well-versed in computer programming and software development. The criminals who perpetrate botnets are known as “bot herders” because they control the computers that have been compromised from a remote location. Once the computers are compromised they can communicate over the Internet, which means a botnet can comprise a group of “zombie” computers that is formed anywhere in the world.

Botnet attacks essentially hold a computer captive for the purpose of malicious activity – and there are literally millions of botnets active on the Internet on a regular basis. What’s worse is that the software behind a botnet is often shared online, where the bot herders can combine their code to create a major denial of service attack to bring down networks and websites.

A Botnet can be used as a platform for a variety of criminal activities, depending on how the bot herder chooses to configure the individual nodes. In addition to identity theft, botnets have many uses, some of which are listed below.

  • Spamming
  • Phishing
  • Denial of Service Attacks
  • Installing Malware
  • Click Fraud
  • Stealing Confidential Data
  • Distributing Malware Honeypots & Darknets

CCTV & Botnet

How Botnet uses CCTV:

Network security firm Incapsula has a new report that sounds … just a little scary. It describes a 240 percent uptick in botnet activity, when multiple connected devices are compromised and used for attacks that overtax servers and shut down websites.

One type of connected device accounted for a large piece of the increase: closed-circuit television (CCTV) cameras, used by many companies and individuals for security. While CCTVs are subject to various rules and regulations, these laws do little to protect against malicious actors.

Ironically, Incapsula says the problem is that many of the security devices haven’t been properly secured, allowing hackers to implant malicious software in the cameras and utilize them in distributed denial of service (DDoS) attacks without the owner knowing.

There are 245 million registered CCTV cameras worldwide, and many of them still have the default login credentials. This vulnerability has been exploited in the past, with one website streaming live footage from unsuspecting CCTV/IP Video Surveillance users around the world by using default login credentials.

In the particular attack highlighted by Incapsula, 900 CCTV cameras were used in an HTTP flood attack, sending repeated requests to a cloud server. Essentially, the cameras (and other botnet devices) called up legitimate URLs on the cloud service website, but did it at such a volume that the servers couldn’t handle the traffic, (potentially) taking the site offline.
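From the camera owner's side, the same behaviour shows up as cameras opening large numbers of outbound web connections. The following is an added example, not code from Incapsula or the original article: a small detector over firewall connection logs. The log format, the camera subnet 10.20.30.0/24, the internal range and the threshold are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical): cameras sit in their own subnet, and the
# firewall exports one line per new outbound connection in this format.
CAMERA_NET = ip_network("10.20.30.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
LINE = re.compile(r"(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def flag_flooding_cameras(lines, window=60, max_requests=20):
    """Return {camera_ip: (peak_count, top_destination)} for every camera that
    opens more than max_requests outbound web connections in one window."""
    buckets = defaultdict(Counter)  # (camera, window index) -> destination counts
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not parse
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src not in CAMERA_NET or int(m["dport"]) not in (80, 443):
            continue
        if any(dst in net for net in INTERNAL_NETS):
            continue  # camera talking to the NVR or a local viewer is expected
        buckets[(src, int(m["ts"]) // window)][dst] += 1
    findings = {}
    for (src, _), dsts in buckets.items():
        total = sum(dsts.values())
        if total > max_requests and total > findings.get(str(src), (0, None))[0]:
            findings[str(src)] = (total, str(dsts.most_common(1)[0][0]))
    return findings

# Constructed sample log: one camera flooding a web server, one camera behaving
# normally, and a workstation outside the camera subnet (out of scope here).
SAMPLE = (
    [f"{1020 + i} src=10.20.30.15 dst=203.0.113.10 dport=80" for i in range(30)]
    + ["1025 src=10.20.30.16 dst=10.20.30.2 dport=80",
       "1030 src=10.20.30.16 dst=198.51.100.7 dport=443"]
    + [f"{1020 + i} src=10.1.1.5 dst=203.0.113.10 dport=80" for i in range(40)]
)

if __name__ == "__main__":
    for cam, (count, dst) in flag_flooding_cameras(SAMPLE).items():
        print(f"{cam}: {count} outbound web connections in one window, mostly to {dst}")
```

A camera normally talks to its recorder and little else, so any camera that appears in the result is worth isolating and inspecting.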

How are Internet connected CCTV systems susceptible to botnet attacks?

There are many reasons why a CCTV system may be susceptible to an attack. The most common being:

  • The device responds to Ping requests.
  • It’s using common IP socket ports such as port 80 (HTTP), port 21 (FTP), and port 23 (Telnet), or the default ports.
  • A low strength password is being used, or the password has not been changed from the manufacturer’s default.
  • The system is open to connection from any source.
  • There are vulnerabilities within the NVR/DVR Video Management software/firmware.

This isn’t an exhaustive list, but these are the most common reasons why internet connected CCTV systems are susceptible.

How do I make my Internet connected CCTV systems less susceptible?

In the first instance, it’s worth addressing each of the points above to see if there are immediate issues which can be resolved:

  • Ensure the CCTV system does not respond to Ping requests – Ping is a method used to detect whether an IP device is connected online. If the NVR/DVR (or the router it is connected to) responds to Ping requests, it may alert potential attackers that a device is vulnerable to attack. Turn off Ping response in the Router and NVR/DVR/Video Server to prevent this from happening.
  • Change the IP port that is used to access the unit over the Internet – If the NVR/DVR is using port 80, 21, or 23, see if these can be changed on the DVR itself. If that is not possible, change the router settings to use Port Forwarding, so that traffic on a specific incoming port number will be forwarded to the correct port of the DVR on the network. For example, you could forward any traffic on port 3080 to the DVR on port 80, so any external connection to the IP address on port 3080 will get through, but connections to port 80 will not.
  • Change the password on the CCTV System – ALWAYS change the manufacturer’s default password. Also, use a mix of uppercase letters, lowercase letters, and digits to strengthen the password.
  • Configure your router’s Firewall – Do you really want to allow anybody on the Internet to have access to your CCTV system? The firewall within your router will allow you to limit access to your CCTV to certain IP address ranges or MAC addresses.
  • Ensure that the firmware on the CCTV System is up to date – For added protection, regularly check that your device(s) have the latest firmware; manufacturers often address any security or vulnerability issues with firmware updates.

A little goes a long way. While more complex methods for securing your Internet-connected IP Video Surveillance/CCTV systems are beyond the scope of this article, implementing these five simple steps will sharply reduce the chances of your CCTV system being compromised.
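The five steps can be checked mechanically once the settings are written down. The following is an added example, not part of the original article: an auditor that compares one DVR/NVR record against the steps above. The record layout, the default-password list and the firmware version numbers are hypothetical and constructed for illustration.

```python
from ipaddress import ip_network

RISKY_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}  # ports named in the article
DEFAULT_PASSWORDS = {"admin", "12345", "password"}   # constructed sample list

def version_tuple(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_dvr(cfg, latest_firmware):
    """Check one DVR/NVR record against the five steps; return a list of findings."""
    findings = []
    if cfg["icmp_echo_reply"]:
        findings.append("ping: device or router answers ICMP echo requests")
    for fwd in cfg["port_forwards"]:
        ext = fwd["external_port"]
        if ext in RISKY_PORTS:
            findings.append(f"port: {RISKY_PORTS[ext]} port {ext} is exposed externally")
        # A /0 prefix (0.0.0.0/0 or ::/0) means the rule accepts any source.
        if any(ip_network(src).prefixlen == 0 for src in fwd["allowed_sources"]):
            findings.append(f"firewall: external port {ext} accepts any source")
    pw = cfg["password"]
    mixed = (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
             and any(c.isdigit() for c in pw))
    if pw.lower() in DEFAULT_PASSWORDS or not mixed:
        findings.append("password: default, or missing upper/lower/digit mix")
    if version_tuple(cfg["firmware"]) < version_tuple(latest_firmware):
        findings.append(f"firmware: {cfg['firmware']} is older than {latest_firmware}")
    return findings

# Constructed records: the same DVR before and after the five steps.
BEFORE = {
    "icmp_echo_reply": True, "password": "admin", "firmware": "2.1.0",
    "port_forwards": [{"external_port": 80, "internal_port": 80,
                       "allowed_sources": ["0.0.0.0/0"]}],
}
AFTER = {
    "icmp_echo_reply": False, "password": "Tr4fficCone", "firmware": "2.3.1",
    "port_forwards": [{"external_port": 3080, "internal_port": 80,
                       "allowed_sources": ["198.51.100.0/24"]}],
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_dvr(cfg, "2.3.1") or "no findings")
```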

Also remember that an IP Video Surveillance/CCTV system is essentially a PC. It may not look or operate like one, but underneath, these devices run an operating system which may be Windows or Linux based, meaning that they are vulnerable to the same types of threats as desktop PCs.

It’s worth bearing the following in mind the next time you put one of your customers’ CCTV systems online:

  • Do not use default usernames or passwords. Make them complex, do not share them and change them on a regular basis.
  • Update all of the CCTV software and use antivirus software on PCs that operate the system.
  • Segment these systems and control their remote access, including changing the default ports.
  • Ensure encryption of communication in these systems, particularly in wireless communications.
  • Maintain and manage logs, connections, and events detected in the system.

Specifically, CPNI has published an information system physical security guide, which addresses the security of associated systems (switches, routers, etc.) incorporated into CCTV systems, alarms, botnet detection systems, and access control systems, taking into account the different topologies and the advantages and disadvantages of each, including remote access or connections with other networks.

With this information in mind, you should be aware of the potential issues that can arise when connecting devices to your network – as well as steps to reduce their threat. Effective communications between the IP Video Surveillance/CCTV integrator and the client’s IT department can help reduce the odds of future problems such as botnet attacks. If it is connected to your network, it’s susceptible to outside attacks. Be aware and be proactive.