Two-thirds of the Washington D.C. Metropolitan Police Department’s outdoor surveillance cameras were taken over by Romanian hackers just before the inauguration of President Trump. This attack could have had a catastrophic impact on the security of the 2017 Presidential Inauguration. Fortunately, the attackers used the compromised systems to send spam emails that contained ransomware malware and were apparently uninterested in using the control of the cameras in connection with a physical attack.[note]Weiner, Rachel “Romanian hackers took over D.C. surveillance cameras just before presidential inauguration federal prosecutors say” Washington Post, 28 Dec. 2017; see also the Criminal Complaint in United States v. Isvanca and Cismaru, United States District Court for the District of Columbia, 11 Dec. 2017.[/note]
On October 21, 2016, a massive distributed denial of service (DDOS) attack made Twitter, Netflix, Amazon, and many other online services unavailable for millions of users. The culprit – hundreds of thousands of compromised surveillance cameras that had been taken over by attackers using the Mirai malware. The cameras had been taken over by the attacker who in turn used them to flood major internet sites with junk traffic causing the sites to be overloaded and inaccessible to legitimate users. Attackers often commit these types of attack to demand a ransom payment to allow the sites to return to normal operation.[note]Krebs, Brian “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage“ 21 Oct. 2016, KrebsonSecurity, krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/; see also, Fruhlinger, Josh, “The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet” 9 Mar. 2018, CSO, www.csoonline.com/article/3258748/security/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html[/note]
These attacks demonstrate the danger of a lack of attention to information technology security during the deployment of security devices intended to enhance physical security. The internet of things (“IoT”) is revolutionizing physical security. Remote guarding systems rely upon internet connectivity in order to function. The cameras, sensors, recording devices, and monitoring stations function as a remote guarding system through the use of internet connections and IoT devices. Security cameras that previously operated in isolated environments are now connected to the world. In fact, the name, “closed circuit television” — CCTV — contemplates a closed system where viewing was limited to those who had access to the wired cables run from the cameras to the viewing screens. Organizations that want to harness the benefits of remote guarding and other IoT systems designed to enhance physical security assume that these devices are secure and can be deployed without much expertise. It is certainly counter-intuitive to think that security devices may be unsafe if the deployment of the devices is not carefully integrated into a robust overall information technology security strategy. As the previous headline making stories demonstrate, even sophisticated municipal IoT systems can be vulnerable to attack.
The internet is a dangerous place. Any device connected to the internet is subject to remote attack. Legions of cyber criminals scan the internet for vulnerable systems and devices. It is not uncommon for new devices connected to the internet to be under attack within seconds of being first connected. There are a variety of tools used to detect vulnerable IoT devices connected to the internet. For example, the website known as “Shodan” operates as “the search engine for the internet of things.” Shodan searches can be used to generate lists of known vulnerable devices that have been discovered on the internet. In preparation for this article I ran a quick scan of Shodan for surveillance cameras that have default credentials. The Shodan report located 8,411 cameras installed in the United States that are operating with default credentials. Figure 1 is a screenshot of the Shodan report summarizing the details of these devices. To further illustrate the point, I ran a second search of surveillance cameras with the username set to “admin” and the password set to “admin” – a very guessable configuration. Figure 2 demonstrates the summary of the 1,855 devices I found in the United States that fit that profile. An attacker with very little skill could easily access these cameras and take control of them.
Cyber crime journalist Brian Krebs wrote a number of articles about Mirai, and documented how poor security in the implementation of many IoT security devices played a huge role in the magnitude of the attack. He included a spreadsheet of the default credentials of many IoT security cameras, which I have included as Figure 3.[note]Krebs, Brian “Who Makes the IoT Things Under Attack?” 3 Oct. 2016, KrebsonSecurity, krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/ (The author is grateful to Mr. Krebs for giving permission for the use of the graphic in Figure 3.)[/note] It is trivially easy for attackers to use these credentials to take control of the devices.
Where do we start?
The purpose of this article is to establish that careful attention to information technology security is a critical component of the deployment of a remote guarding system. In addition, this article will establish some basic guidelines to use in safely deploying remote guarding systems. Fortunately, there are a number of key factors and tools that can be used to meet this goal. First, be aware of the threat. Second, follow information technology best practices in the deployment of any remote guarding system. Third, check the integration of the system to make sure that it meets well-established standards.
Be aware of the threat
Any time new technology is deployed executives must ask a key question – “what can go wrong?” Surprisingly little thought is given to the consequences of a breach of the security caused by the deployment of a new device or system of devices. Executives and their teams should think carefully about the consequences of a breach of the security of the device. What is at stake? How could this device be used against us or our community? Could an attacker use remote access to this resource to enable or enhance the effectiveness of a physical attack? In most instances attention to these details will demonstrate a need to ensure that the device is properly secured. The counterweight to these considerations is usually convenience. Convenience and security are always in tension with one another.
A quick and basic example of this tension is useful for demonstrating the concept. Should you set a password on your smartphone? Many people do not set a password on their smartphone because they don’t like to be inconvenienced or bothered when they pick up their phone. While people are free to make this (unwise) choice for their own personal security, it is totally unacceptable for a work smartphone. Anyone who finds or steals the device would be able to get instant access to confidential information that may prove devastating to their organization’s operations. This tension between security and convenience plays a role in decisions about implementing technology at all levels of an organization. Think about the smartphone example and apply the same sort of decisions that need to be made about complex systems. In many instances security suffers as a result of decisions made in favor of convenience.
I hope that it is clear that the internet is an extremely dangerous environment and attackers are constantly on the lookout for unsecured or poorly secured resources to attack. Executives need to be wary of the risks posed by the deployment of new technology in this extremely dangerous environment. They also must be aware of the tension between security and convenience and how that tension may influence decisions made in the implementation of new systems.
Use Best Practices to Achieve Defense-in-Depth
The good news is that a tremendous amount of effort and research has been conducted in how to secure resources that communicate over the internet. As a result a number of best practices have been developed that serve as guide for the implementation of any system. The basic concepts behind these best practices help to promote robust security. The key to robust security is defense in depth. Remote guarding systems and other critical IoT devices should have multiple overlapping security features. This ensures that even if one safeguard should fail, the device will remain secure.
Some familiar examples of best practices include the following:
- Inventory and control of hardware assets – It is surprising how many organizations lack information about the devices that are installed on their networks. A robust security plan includes keeping a careful inventory and requiring that every device meets the organizations security requirements.
- Require multifactor authentication (MFA) – this best practice requires that a user’s access to a system needs more than just a password. This provides an extra layer of defense in the case of a stolen password.
- Enforce password security – by ensuring that passwords meet complexity requirements and ensuring no weak or default passwords are used. This best practice provides protection against easily guessed, brute forced, or cracked passwords.
- Keep devices and software up to date with the latest software and firmware patches.
- Use of Virtual Private Networks (VPN) – many organizations utilize VPN technology to ensure that all remote access to a resource occurs over an encrypted connection. In addition, the requirement that devices cannot be remotely accessed without using the VPN prevents outsiders from being able to connect to or even scan the protected assets.
These are some examples of basic best practices that should be considered when deploying IoT security devices.
It is often difficult for executives to determine whether newly deployed systems meet the security standards that our organizations expect. In most cases, executives lack the training and experience to determine whether the information technology staff members are using best practices and are implementing a robust information technology security plan. Unfortunately, leaders typically do not discover that security has been lacking until there is a breach of security.
The answer to this dilemma is the adoption of standards. There are several extremely well-developed standards that can be used to guide an organization towards robust information technology security. I recommend the Center for Internet Security’s 20 Critical Security Controls. These controls, which are listed in order of priority, “collectively form a defense-in-depth set of best practices that mitigate most common attacks against systems and networks.”[note]Center for Internet Security “CIS Controls V7” 19 Mar. 2018, available at www.cisecurity.org/[/note] According to several studies, adopting the first five controls will stop 85% of all attacks, while implementing all 20 controls will prevent 97% of attacks.[note]See for example: Smith, Travis, “Foundational Controls Work – A 2017 DBIR Review” 1 May 2017, Tripwire, www.tripwire.com/state-of-security/featured/foundational-controls-work-a-2017-dbir-review/; and Perez, Juan C., “Implementing the CIS 20 Critical Security Controls: Slash Risk of Cyber Attacks by 85%” 14 Nov. 2017, Qualys Blog, blog.qualys.com/news/2017/11/14/implementing-the-cis-20-critical-security-controls-slash-risk-of-cyber-attacks-by-85.[/note]
It is also critical to vet potential vendors to ensure that they meet well established industry standards. Underwriter Laboratories (UL) has issued standards for remote guarding providers. The certification requirements are found in UL 827 and 827B. Elite Interactive Solutions was the first remote guarding provider to be UL certified.
About the Author
Justin Feffer is currently a law enforcement officer commanding the Cyber Crime Investigation Section of a large law enforcement agency in Southern California. He has been assigned to the investigation of cyber crime since 2004.
As a sworn law enforcement officer in Southern California since 1988, and a California attorney since 1994, Justin has instructed thousands of law enforcement officers, prosecutors and public officials throughout the United States and internationally in cyber security, cyber crime and high technology threats.
Justin is a graduate of information technology crimes investigation programs conducted by the SANS Institute, Carnegie Melon’s CERT-CC, FBI, HTCIA, and the California Department of Justice. He is also a member of the High Technology Crimes Investigation Association (HTCIA) and is the sole instructor of the FBI-LEEDA Advanced Identity Theft courses. He holds Global Information Assurance Certifications as a Penetration Tester (GPEN), Security Analyst (GSEC), and Forensic Analyst (GCFA). Justin also serves on the Elite Interactive Solutions Law Enforcement Advisory Board (“LEAB”), where his insight and passion for Remote Guarding benefit both Elite’s clients and law enforcement partners.