Most CCTV systems are easily accessible to attackers
Posted on 17 May 2012.
The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore.


But the individuals and organizations who actually use and control these cameras should be aware that most of them come with default settings that make them vulnerable to outside attacks.

According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess.

"Many owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console," he pointed out in a blog post.

Add to this the fact that these same owners often fail to change the default password for the admin account, or change it to one equally easy to guess, and you have a recipe for disaster.

"Interacting with the standalone CCTV system can be achieved via a Win32 thick client, a mobile device, or an IE ActiveX control in which a user name and password are required," he explains. "Typically, in over 70% of cases the device is still configured with the default vendor password which allows trivial access to real time video, the ability to control PTZ (pan-tilt-zoom) cameras, and access to any archived footage."

Cacak says that video surveillance devices are often overlooked during security audits and vulnerability/penetration tests, but this is likely to change, as the company's researchers have collaborated with Rapid7 developers and have created a new Metasploit module that tests the most popular CCTV systems - including the aforementioned ones.

He also gave good advice to CCTV deployers: change the default vendor passwords to strong ones, filter access to only trusted hosts, and disable the system's remote access if it's not needed.





