Recently I chanced upon a website that was streaming live CCTV camera footage from thousands of locations around the world. On the list, which had the US and the UK on top, there were over 1,800 CCTVs from India too. I could see inside a Maruti workshop in Mangalore, a restaurant in Bangalore, a textile shop in a Gujarat town and into hundreds of homes. There was soon a furore over the website with even the BBC, Washington Post and the Guardian writing about it. The Russian programmer, or hacker if you prefer that term, was forced to first reduce the number of cameras and then take them all off.
While this might appear as a small blip from the dark side of the internet, it is a reminder of how some of us invest in technology without really taking control of the same. As I said, most of the Indian cameras on the site belonged to businesses who would have paid a good sum to someone to set up a CCTV camera network inside their premises. The intention is always good, but in the process these companies just provide the world a sneak peek of how they work. I am sure none of them want to be that transparent with their accounts or day-to-day functioning.
But how good was the Russian programmer who gained access to so many CCTVs at one point of time—at one point, there were over 50,000 cameras on the site. It took me just over a minute to understand that it was not rocket science. Then it took me just about the same to learn how to do it. A simple Google search showed me that I could hack into any CCTV camera if I was good at one thing. No, I did not mean code, but guessing. A simple Google search could open up a long list of CCTV cameras, all I needed to do was guess the password. And since most of us use the impossible-to-guess PASSWORD as the password, that shouldn’t be all that tough. What the Russian programmer did was create a programme that would look up for vulnerable CCTV IP addresses and feed them with multiple commonly used passwords.
“As the internet takes control of every aspect of our life, it has been leveraged for the crucial role it can play in our physical security as well. Even though Closed-Circuit Television (CCTV) help many secure their spaces, when connected to the internet, they can easily be exploited by remote attackers to gain unauthorised access to users’ personal and sensitive video/audio feeds,” says Tarun Kaura, Director for Technology Sales India at Symantec. He says that some of the internet connected security cameras run on Linux OS and Symantec has identified a worm Linux.Darlloz that utilises an old vulnerability in scripting language PHP to gain access to a computer. “This worm attempts to gain administrative privileges by trying a series of commonly used usernames and passwords and propagates itself by searching for other computers. As a result, the worm leaves a backdoor on the infected computer, allowing the attacker to issue commands to it,” he adds. Kaura says many users may not be aware that the devices in their homes and offices have a vulnerability. “Even when users notice using a vulnerable device, updates are not provided to some products by the vendor either due to outdated technology or hardware limitations such as not having enough memory or a CPU that is too slow to support new versions of the software.”
So how can you stay protected if you cannot avoid your CCTV not being connected to the internet? Symantec suggests these tips:
* Perform an audit of what devices you own. Just because a device doesn’t possess a screen or a keyboard, doesn’t mean that it isn’t vulnerable to attacks.
* If something you own is connected to your home network, there is a possibility that it accessible over the internet and thus needs to be secured.
* Pay attention to the security settings on any device you purchase. If it is remotely accessible, disable this feature if it isn’t needed. Change any default passwords to something only you know. Don’t use common or easily guessable passwords such as “123456” or “password”. A long combination of letters, numbers and symbols will generate a strong password.
* Regularly check the manufacturer’s website to see if there are updates to the device’s software. If security vulnerabilities are discovered, manufacturers will often patch them in new updates to the software.
These guidelines shouldn’t be tough to follow. Just remember that someone with voyeuristic access to your business could cause reasonable damage by understanding work patterns, processes and even recognising key people in the process. Also, don’t forget that if you have vulnerable CCTV cameras at home, the damage might not just be of a monetary nature.