By Miri Ofir, R&D Director, Quantum IoT Protect, Check Point
Internet-connected security cameras are everywhere these days – public spaces, organizations, and even private homes. The market is estimated at around $50B for 2021 and rapidly growing. Every day, hundreds of thousands of security cameras are installed and connected worldwide.
Manufacturers are developing these products quickly, equipping them with smart sensors and advanced software that offer features such as night vision, distance detection, and heat and motion detection. At the other end of the spectrum are less advanced home cameras that can be managed through smartphone applications.
Today, CCTV (internet-connected security cameras) is one of the most popular ways for cyber attackers to penetrate corporate networks, as these cameras are inherently vulnerable and serve as the easiest entry point for attackers. In this article, I will review the risks involved with internet-connected security cameras and share some advice on how to minimize those risks.
Let us first take a second to understand what kind of information attackers can obtain through these cameras and why they are targeted so often. The security cameras in use today at plenty of organizations are higher-quality cameras, equipped with image and sound processing capabilities. Their recording systems offer text decoding and facial recognition capabilities. The information from these cameras is uploaded to the cloud, either for telemetry purposes or to benefit from the analytics capabilities provided by AI services.
The sensitive data that passes through the security cameras can expose operators to various privacy-related issues and raises serious concerns regarding the ability of foreign entities to watch or listen in on sensitive information. In the United States, a directive has been issued prohibiting the use of certain security cameras at all federal agency sites. The directive refers to communication equipment and cameras and requires the dismantling and replacement of existing equipment. Similar voices are also being heard in several European countries, as examples have surfaced where some cameras can act as an active or dormant agent, used at will.
Attackers know that these security cameras and recording devices contain sensitive information that can be very lucrative in the right hands, making them a huge target.
Why Is It So Difficult to Secure Security Cameras?
Security cameras are connected to both the corporate network and the Internet, capturing and transferring large amounts of data to recording systems that sit within the organization or in the cloud. A camera’s management system can either be created and managed internally or managed via the device manufacturer’s website. The recording devices (DVR/NVR) process the videos, creating backup files that can be saved on the corporate storage servers (NAS) for varying periods, in accordance with corporate policy. These servers are usually managed under the corporate Domain Controller.
A common practice, recommended by many leaders in this space, is network separation for connected IoT devices (or at the very least network segmentation within the network). However, accomplishing this is extremely difficult for network administrators. In their opinion, the time it would take to do this manually outweighs the value, and doing so involves high costs in both the establishment and operation phases. So, by choice or by compromise, these cameras stay connected to the internal network. Furthermore, in smaller organizations, we often find a single network that is accessible wirelessly.
Another reason these devices are so difficult to secure is that most IoT devices are installed with the manufacturer’s firmware by default. This presents its own set of weaknesses, such as software vulnerabilities originating from bugs or poor software engineering. And to top it off, fixing or updating the firmware always requires a code update. IoT device manufacturers are not security experts by any means, and many of them prefer to provide lean software while skipping key principles of writing secure code.
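What "segmentation" means in practice is an explicit allow-list of which zone may talk to which, and a way to find flows that break it. The following is an added example, not code from this article or from Check Point: it models the zones described above (camera VLAN, recorders, NAS, corporate LAN, a management host) and audits constructed firewall flow records against a least-privilege policy, flagging a camera that reaches the domain controller or the internet directly. All address ranges, ports and flows are constructed assumptions; in a real deployment they come from the VLAN plan and the firewall's flow log.

```python
"""Audit flow records against an IoT segmentation policy (added example)."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed zone layout (assumption); a real one comes from the IPAM/VLAN plan.
ZONES = {
    "cameras": ipaddress.ip_network("10.50.0.0/24"),
    "nvr":     ipaddress.ip_network("10.51.0.0/24"),
    "nas":     ipaddress.ip_network("10.52.0.0/24"),
    "corp":    ipaddress.ip_network("10.0.0.0/16"),   # workstations, domain controller
    "mgmt":    ipaddress.ip_network("10.99.0.0/24"),  # admin jump host
}

# Allow-list of (src_zone, dst_zone, proto, dport). Anything cross-zone that is
# not listed here is a segmentation violation. Cameras only push video to the
# recorders; recorders archive to NAS and are the only path to the cloud.
POLICY = {
    ("cameras", "nvr", "tcp", 554),     # RTSP stream to recorder
    ("nvr", "nas", "tcp", 445),         # SMB backup of recordings
    ("nvr", "external", "tcp", 443),    # cloud analytics upload via NVR only
    ("mgmt", "cameras", "tcp", 443),    # admin UI from the management host
    ("mgmt", "nvr", "tcp", 443),
}

def zone_of(ip):
    """Map an address to a zone name; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def check_flow(flow):
    """Return None if the flow is allowed, otherwise a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is governed by host policy, not here
    if (src_zone, dst_zone, flow.proto, flow.dport) in POLICY:
        return None
    return f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in policy"

def audit(flows):
    """Return [(flow, reason)] for every flow that violates segmentation."""
    return [(f, check_flow(f)) for f in flows if check_flow(f)]

# Constructed sample flows, as a firewall log would report them.
SAMPLE_FLOWS = [
    Flow("10.50.0.12", "10.51.0.5",   "tcp", 554),  # camera -> NVR: allowed
    Flow("10.50.0.12", "10.0.0.10",   "tcp", 445),  # camera -> domain controller
    Flow("10.50.0.12", "203.0.113.5", "tcp", 443),  # camera straight to internet
    Flow("10.51.0.5",  "10.52.0.20",  "tcp", 445),  # NVR -> NAS: allowed
    Flow("10.0.0.55",  "10.50.0.12",  "tcp", 80),   # workstation -> camera admin UI
    Flow("10.99.0.2",  "10.50.0.12",  "tcp", 443),  # mgmt host -> camera: allowed
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}: {reason}")
```

Run against the constructed flows, the audit reports three violations: the camera reaching the domain controller, the camera uploading directly to the internet, and a corporate workstation browsing a camera's admin interface. The same allow-list is what you would translate into firewall rules between the VLANs; auditing observed flows against it is how you find out whether the segmentation actually holds.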
Where Does This Lead Us in Relation to the IoT Sector?
As I hinted above, many manufacturers and software providers are not prioritizing the implementation of security requirements within their products. The world of data security is perceived as complex and complicated, and manufacturers prefer to focus on improving and expanding the functional capabilities of their products rather than adding security layers to them. Sometimes, we find products that lack basic security capabilities, such as user/password management and encrypted communication – not to mention penetration testing and vulnerability management.
As with all software development, manufacturers use open-source packages and standard third-party components, which can expose the device to known issues in those software packages. Open source is a huge advantage for developers, but it requires frequent updates whenever a software vulnerability is published. Unfortunately, IoT manufacturers do not necessarily ensure that security patches are created for their devices. The truth is that security awareness is insufficient and the demand from users for security within these devices is not strong enough. And even where manufacturers take responsibility for the security of their devices and issue periodic security updates, many of their customers rarely bother to update their devices.
There are many reasons why this happens. The first has to do with operational efficiency and the effort required to maintain distributed systems. In many cases, updating the firmware on an IoT device is more complicated than updating computer software. There are still devices that rely on updates via USB. We have even seen cases where the devices are installed in inaccessible places (e.g., cameras installed on top of fences, on high poles, or hundreds of kilometers away from the management team). Furthermore, software updates require rebooting the devices, which can be problematic or very sensitive due to the devices’ mission-critical functions.
The fear of malicious updates is also always present. There are many real-world examples of attacks originating from software updates, like the famous supply-chain attack we saw via SolarWinds updates. What we are left with at the end of all this are devices running their original software version…for years!
How Do Attackers Exploit the Software Vulnerabilities?
Attackers often target the path of least resistance. Each known vulnerability (CVE) becomes a potential weapon for cyber attackers to penetrate an organization. By nature, flaws are usually found after the attackers have exploited them and damage has already been done. At best, vulnerability researchers manage to identify weaknesses in a lab environment as part of a research project or paper. Researchers allow manufacturers a 90-day period to release a software update before publishing the information about the vulnerability publicly. This is a short period of time for the manufacturers – meaning they must halt whatever they are currently working on and issue quick updates before the vulnerability is published.
The most severe CVEs concern the ability to run code remotely (RCE – Remote Code Execution). This kind of attack allows full control over the device from any remote location, allowing the attacker to steal information, run ransomware, install digital currency miners on the device, plant a bot to allow additional actions down the line, and much more. When attacking a device that is connected to a corporate network, clever attackers gain the ability to reach any computer on the network and run remote commands. We are seeing this method become more and more sophisticated as time progresses. Attackers are even penetrating organizations and lying dormant for months until they decide the right time to strike.
When a manufacturer’s name is associated with a cyber-attack, it causes significant damage to their reputation and brand. Last April, the US Department of Justice and European officials managed to get their hands on a service called RSOCKS, operated by a Russian group, that gave access to devices as a “Device as a Service”. The infection scanned devices that were connected to the network and tried to log in using default usernames/passwords and brute-force attacks. The attackers managed to create an “army” of roughly 350,000 devices infected with their bot and sold daily access to the devices for amounts ranging from tens to hundreds of dollars. (1)
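The default-credential and brute-force scanning described above leaves a recognisable trace in a camera's or NVR's login log, and that trace is the cheapest place to detect it. The following added example (not code from this article or from Check Point) parses constructed login log lines and raises two alerts a defender would want: a burst of failed logins from one source within a short window, and a successful login that follows such a burst, which is what a guessed default or weak password looks like. The log line format, the thresholds and the sample lines are all assumptions; adapt the regular expression to the format your devices actually emit.

```python
"""Detect password guessing against camera/NVR logins from auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> login <ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 5            # assumed: failures per source inside WINDOW
SUCCESS_AFTER_FAILS = 3       # assumed: failures preceding a success that is suspicious
WINDOW = timedelta(minutes=2) # assumed sliding window

def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect(lines):
    """Return a list of alert strings, at most one per source and pattern."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if result == "fail":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and (src, "burst") not in flagged:
                flagged.add((src, "burst"))
                alerts.append(f"{src}: {len(q)} failed logins within {WINDOW}")
        elif len(q) >= SUCCESS_AFTER_FAILS and (src, "guessed") not in flagged:
            flagged.add((src, "guessed"))
            alerts.append(f"{src}: successful login as {user} after {len(q)} failures")
    return alerts

# Constructed sample log: a scanner cycling through default accounts, then an
# operator who mistypes once and logs in correctly several minutes later.
SAMPLE_LOG = [
    "2023-05-02T10:00:01 login fail user=admin src=198.51.100.7",
    "2023-05-02T10:00:03 login fail user=admin src=198.51.100.7",
    "2023-05-02T10:00:05 login fail user=root src=198.51.100.7",
    "2023-05-02T10:00:07 login fail user=admin src=198.51.100.7",
    "2023-05-02T10:00:09 login fail user=admin src=198.51.100.7",
    "2023-05-02T10:00:11 login ok user=admin src=198.51.100.7",
    "2023-05-02T10:00:30 login fail user=operator src=10.99.0.2",
    "2023-05-02T10:05:00 login ok user=operator src=10.99.0.2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

On the constructed log this yields two alerts for 198.51.100.7 (the failure burst, then the success as `admin` after five failures) and nothing for the operator, whose single mistake has left the window by the time of the successful login. The second alert is the important one: a burst alone says someone is knocking, but a success after a burst says the default password still works and the device needs its credentials changed and its sessions reviewed.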
Law enforcement officials are in a constant battle against cyber attackers. Although they have had some successes, each action requires time. However, the truth is that organizations are still getting attacked regardless.
What About Regulatory Means of Action?
In light of the many recent attacks and threats on IoT devices, regulations and cyber security requirements continue to evolve to try to combat these attacks. The major standardization organizations (ETSI, CISA, and NIST) have issued documents to help guide device manufacturers in implementing protections against cyber-attacks within their devices. The specifications require manufacturers to implement all the basic principles: user management, permissions, encryption of information and use of encrypted communication, vulnerability management, and the publication of security updates. The CISA agency recently issued a document with the goal of helping stakeholders incorporate security considerations when acquiring IoT devices, systems, and services. Currently, they are working to establish a reporting system under which any organization exposed to a cyber-attack is required to report it.
In consumer IoT, regulations have yet to enforce cybersecurity standards. However, there are new initiatives entering the market, like cybersecurity labeling for IoT devices. For example, the American UL Institute published a security rating program for IoT devices requiring manufacturers to communicate how well their devices are protected against vulnerabilities. (2,3)
What Actions Can Be & Have Been Taken for Security?
There are several ways to minimize cyber risks emanating from IoT devices. The devices can be divided into various categories, and each category carries a different risk level. At the top of the list are devices with “eyes and ears” like cameras, elevators, drones, and even routers. Best practice is to purchase devices from a recognized, proven, and reliable company. The implementation should be strictly planned, including ongoing monitoring, anomaly identification, and formulated update procedures for these devices.
The National Cyber System in Israel recently issued an update to a document called “Recommended Actions for Reducing Cyber Risks from Security Cameras” (4). The document contains important recommendations that should be implemented. These practices are somewhat effective but not impervious, and they require massive efforts on the part of network managers. In the average organization, there are hundreds, or even thousands, of IoT devices of various models, including smart TVs, printers, routers, cameras, elevators, entrance gates, sensors, and more. Even the average household has about nine different IoT devices.
An advanced approach requires manufacturers to implement cyber defenses within their products during the product development phase. In an ideal world, users should require that device manufacturers better address cyber-attacks within their products, and should thoroughly test each product before connecting it to their corporate or home network.
As mentioned, regulation is continuously evolving. Manufacturers are beginning to understand that they cannot continue to ignore cyber security requirements. However, this change must be backed by a strong demand from the consumers. Consumers need to choose manufacturers willing to invest in embedded security protections that stop attacks from the start. Monitoring is no longer enough. Detecting an attack after it has already happened is too late, and the damage is done.
This is where Check Point steps in. Check Point leads the market in proactively preventing the attack before it wreaks havoc, helping IoT device manufacturers to protect their devices with Quantum IoT Protect.
Quantum IoT Protect offers an intelligent, lightweight Nano Agent® technology that is embedded directly into the IoT device, on top of the device’s firmware. The solution identifies anomalies in the device’s behavior and blocks any attempt to attack the device in real time. Recently, we partnered with Provision-ISR to embed our Nano Agent into Provision-ISR’s CCTV cameras. The solution brings an entirely new level of cybersecurity to the video surveillance market. In fact, Provision-ISR is the only company today that offers a CCTV product that proactively blocks known and zero-day attacks, providing a huge safety net until software updates are deployed. This is the start of something exciting and new, and other IoT device manufacturers are following suit and are currently integrating with us.