Hackers May be Watching You Through CCTV Cameras

CCTV cameras line high streets, offices and government buildings around the world. But the widespread surveillance systems may give cybercriminals a new lens for malicious activity.

That's according to a recent investigation by BBC Panorama, which found that two of the world’s leading CTTV camera manufacturing brands – Hikvision and Dahua – may suffer from security flaws that can be exploited by hackers to infiltrate company systems.

The investigation found that malicious actors could strategically target security cameras in company buildings to compromise confidential data including passwords and usernames of employees and wreak havoc on computer networks.

Panorama worked with the US-based Internet Protocol Video Market (IPVM), one of the world's leading authorities on surveillance technology, to test whether it was possible to hack a Hikvision camera. The research supplied a camera and installed it in a Panorama studio.

The camera Panorama investigated contains a vulnerability discovered in 2017, which IPVM's director Conor Healy described as "a back door that Hikvision built into its own products.”

Hikvision says its devices were not deliberately programmed with this flaw and it points out that it released a firmware update to address it almost immediately after it was made aware of the issue. It adds that Panorama's test is not representative of devices that are operating today.

But Healy says more than 100,000 cameras around the world may be still vulnerable to this security flaw, putting companies around the world at risk.

11 Seconds

Healy and IPVM's research engineer John Scanlan started by locating the camera inside the BBC Broadcasting House, then began attacking its security defences.

Just 11 seconds later, Scalan announces: “we have access to that camera now.” The researchers could see inside the studio, including a panorama employee working on his laptop.

Footage Panaroma BBC — *Footage taken from the hacked security camera. Source: BBC Panaroma*

If we zoom in tight on the keyboard, we can see clearly the keys that he's pressing to put his password in," Scanlan said.

"This is akin to a locksmith giving you a key to your home and secretly making a master key for all of the locks in that community… that's effectively what Hikvision engineers did."

Following BBC Panorama's investigation, Hikvision published a statement that Panaroma’s claims were “farcical.”

“The BBC will broadcast a ‘hack’ of a six-year-old Hikvision camera to exploit a vulnerability that was identified in 2017, but was patched and publicly disclosed less than one week after it was brought to the company’s attention,” the statement reads.

“This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC has run,” the statement reads.

Entry points and IoT

Regardless of the vulnerability patch, the investigation provides just one example of hackers exploiting flaws to compromise systems and gain unauthorised access and control.

Earlier this month, the UK government announced that it would be removing Chinese cameras in all government buildings across the country, including the CCTV camera which cause former Health Secretary Matt Harris’ kiss scandal last year – which sparked his eventual resignation for breaking the COVID guidance in place at the time.

An inquiry by Information Commissioner’s Office into the camera footage being leaked to the press was closed without any charges. The regulator said the images were most likely obtained by someone recording the CCTV footage screens rather than a hack into the camera itself.

The incident demonstrates that, with access to footage, cybercriminals can do a lot of damage – from launching malware or committing social engineering attacks to blackmail or fraud by getting hold of sensitive data.

A big part of why CCTV hacks are such a threat lies in the multiple entry points available from IoT or cloud-connected devices.

If a security camera company is subject to a data breach, log-in details for CCTV systems could be made publicly available, providing unfettered access to your network.

And with each new device added to the network, cyber-criminals are presented with a new entry point to carry out an attack.

OpenAI Takes Aim at Google Search With SearchGPT

Beyond the AI Hype: The Challenges AI Brings to the IT Industry

What is a Prompt Engineering? How to Make LLMs Better

What is a Stochastic Parrot? Understanding the Hidden Flaw in LLMs

Data Mastery: Driving Business Growth with MDM and AI Innovations

Breaking Barriers With Accessible Data Visualization

Teradata and The Very Group: Innovating with Analytics to Help Families Get More

Teradata and Brinker: AI and the Cloud Serve Up Sizzling Food

How a Labour Government Will Change UK Tech, According to Experts

Top 10 Best Public DNS Servers for 2024

What is Engagement Farming and is it Worth the Risk?

Meta to Dissolve 'Reality Labs' Division as Layoffs Loom

Top 10 ERP Software and Systems for 2024

Top 10 SD-WAN Providers to Consider in 2024

Top 10 Best DCIM Software Solutions for 2024

Opentelemetry: The Key to Unified Telemetry Data

Secureworks & IDC MarketScape: Worldwide MDR 2024 Vendor Assessment

Secureworks: 10 Security Controls to Reduce Risk

NHS Suffers Blood Shortage as Cyber Attack Disrupts Donations

Why the Cybersecurity Industry Needs Podcasts

1 TB of Disney Data Leaked in NullBulge Cyber Attack

Why did Yik Yak Fail? How the Messaging App Died

What Happened to AltaVista? The Rise and Fall of a Search Pioneer

What is an AI Skeleton Key? Microsoft Warns of New Vulnerability

OpenAI Takes Aim at Google Search With SearchGPT

NHS Suffers Blood Shortage as Cyber Attack Disrupts Donations

What is a Prompt Engineering? How to Make LLMs Better

What is a Stochastic Parrot? Understanding the Hidden Flaw in LLMs

Data Mastery: Driving Business Growth with MDM and AI Innovations

Beyond the AI Hype: The Challenges AI Brings to the IT Industry

Why the Cybersecurity Industry Needs Podcasts

Breaking Barriers With Accessible Data Visualization

Top 10 ERP Software and Systems for 2024

Top 10 MFA Providers and Software Tools for 2024

Top 10 Best Data Quality Tools for 2024

Top 10 SD-WAN Providers to Consider in 2024

Secureworks & IDC MarketScape: Worldwide MDR 2024 Vendor Assessment

Secureworks: 10 Security Controls to Reduce Risk

AuditBoard: Digital Risk Report 2024

AuditBoard: IT Risk and Compliance Platforms

Cybersecurity Luminary Stephen Khan to Receive Prestigious Hall of Fame Award at Infosecurity Europe

Leadership powerhouse Claire Williams OBE reveals how to navigate change and develop a strong team culture at Infosecurity Europe 2024

Digital Transformation Week Unveils Keynote Topics: Empowering Enterprises with Real-World Insights

Generative AI and Deepfake Expert, Henry Ajder to discuss the impact of generative AI on cybersecurity at Infosecurity Europe 2024

"Everyone's Talking About AI in Cybersecurity!" | TG Singham @ Infosecurity Europe

"You Need to Test that Your Backup Plan Actually Works!" | Kim Larsen @ Infosecurity Europe

"There's a Disparity Between Threat Actors and Security Teams" | Koryak Uzan @ Infosecurity Europe

"There's an Information Overload for Cybersecurity Teams!" | James Johnson @ Infosecurity Europe

11 Seconds

Entry points and IoT

More from Ellis Stewart

Ellis Stewart

Recommended for you

OpenAI Takes Aim at Google Search With SearchGPT