On this episode of the Koorsen Fire & Security Chat, we talk with Brian Smith, Director of Security at Koorsen Fire & Security about security cameras and cyber security.
While many of us are aware of cyber security risks to computers and smart phones, there are other devices, including security cameras, that are also at risk.
In this episode, we talk about how hackers exploit vulnerabilities in today's IoT devices which include security cameras, wifi routers, smart speakers, smart TVs, and smart appliances. We learn about the common vulnerabilities to IoT devices and what can be done to reduce and/or eliminate the risk of hacking. We also learn why a hacker would hack into a security camera and what steps to take to make sure a hacker can't access other servers and systems on your home or business network. You can listen to the episode right below or click on your favorite podcast player to listen to it from there.
Subscribe to the Koorsen Fire & Security Chat in your favorite podcast player:
LEARN MORE ABOUT SECURITY CAMERA SYSTEMS
If you’re interested in learning more about commercial security camera solutions, contact the security professionals at Koorsen Fire & Security. Our highly trained technicians can design, install, service and maintain a cctv security camera system that fits your business’s exact needs.
Aaron: Welcome to the Fire and Security Chat brought to you by Koorsen Fire and Security where we talk about the technology and equipment used to protect and secure life and property. I'm your host, Aaron Whitaker. And today I'm with Brian Smith, Director of Security at Koorsen Fire and Security. All right. Today's topic is cybersecurity and security cameras. It seems like every day when you turn on the news, there's a story about some system being hacked, whether it's cell phones, computers, smart home devices, Wi-Fi routers or security cameras. While I think most people kind of know how people hack into computers and cell phones. It tends to be the user who accidentally lets their system be hacked through malware they download or email attachments or links they click. But I want to focus on the security cameras being hacked. How does that, how does it happen?
Brian: Sure. Well, there's a couple of different hacks that you may hear about. A lot of the hacking or the vulnerabilities that you hear about in a lot of cases are what we call white hat hackers that are actually out in their full time job is to attempt to exploit vulnerabilities in systems to gain access to them so that they can have manufacturers repair those, those vulnerabilities so that somebody else can't get into maliciously. So a lot of times in the news, some of these things that you'll hear about are simply white hat events that are, are made public once the repair has been made. So the life cycle of that would be somebody would find a vulnerability, they would report it to the manufacturer, give the manufacturer x amount of time to repair that vulnerability before they go public with it.
Brian: And then if, if everything aligns, then the fix has made before it goes public. And then there's a public release that a vulnerability was found. And, and this is what the manufacturer has done to repair that vulnerability. So it's more of a notification, hacking. So it lets consumers know that hey, this was, , this was found, here's how it's fixed and here's the firmware release to update the fix. Now in occasion you hear about the bot nets and things that were, that had exploited different vulnerabilities that were discovered possibly by black hat hackers that were actually trying to do malicious activities. And really from, from that side, it's somebody finding a vulnerability in a piece of software someplace or exploiting a manufacturers tool or something to that degree. And they may be doing one of two things.
Brian: They may be trying to, trying to utilize the manufacturers horsepower or resources of the processors as we saw with a lot of the embedded Linux devices. You heard about routers and in certain manufacturers NVRs and DVRs that were hacked, there really wasn't any data breach there. It was more of a malicious activity to use the high power processors that are in those devices to mine bitcoin and, and things like that. So they're using the processor power, they're to hacking the devices using the processor power to their advantage. And then the other type of malicious hacking would be to try to export data. So, and that's where you see corporations would be concerned about trade secrets and things like that, that if somebody worked to get into their network that they would be able to retrieve sensitive information, personal information, they could use that personal information to then in turn do a phishing attack against the employees.
Brian: So there's stages to that they could incorporate multiple aspects to gain access to a company. So it's not like there's just one way to hack a system. There's multiple reasons to have different systems and multiple degrees that somebody might take that hack, to gain information. So, it's important for us to keep everything as locked down as we can to avoid any step in that process. If you break any part of that chain, it makes it much more, infinitely more difficult for somebody to actually get any real world benefit out of. Out of that attempt.
Aaron: Okay. Okay. So you kind of described the two things that a hacker is after when they hack into a security camera or smart home. It's either to use the processor speed, to you talked about that bitcoin and mining and stuff like that or to access data in the system, beyond the smart home system. How, what are the mistakes, I guess, what are the common mistakes that people make to allow their cameras or to allow their data to be accessed.
Brian: So to allow data to be accessed is typically going to be a secondary or second phase of the attack. The primary attack typically is going to be to access the device. In a lot of these cases, it, let's say a hard Linux device, they may have access to the information that's contained with on that individual device. If the customer uses their personal email and a password that they normally use to access their banking information or their, their work information, then that could give the hacker, certainly some, some relevant details into that person's life that they could use against them potentially in a phishing attack or something to gain more information that maybe they, they send them an email to that email address and that email contains a piece of malware or something on it that would then install itself on the end user's computer.
Brian: And then from that point they have full control over their computer and they can see every keystroke and they can access every file on their computer. So you can see that it can escalate very, very quickly. One of the things that a customer can do to protect themselves, obviously customer's not going to be able to know every potential vulnerability that may exist within, an, device. And, , if that's exploited, they're going to be victim to the manufacturers efforts. But, they can certainly protect themselves to some degree by making sure that they're using secure passwords and, and that they're not putting devices out on the edge of a network, meaning that they don't have access to wide area network unnecessarily. So, there, there are devices that access the network. Let's say your Wi-Fi doorbell for instance, and, those cases, that device is going to register itself on the customer's network and it's going to talk out through the network to a secure server.
Brian: You're typically not going to have a situation where the customer's going to open up their firewall, which is the piece of software that protects their home network from the outside world. They're not typically going to open up their firewall to allow traffic into their home network to access that doorbell. So, hopefully that device is secure. The manufacturer's done a good job of securing it. And, or if there are vulnerabilities discovered that device is updated, the firmware is updated from either from the manufacturer or from a notice from the manufacturer to the customer that they need to update it so that somebody can't exploit that vulnerability. But , you have in the terms of IP cameras, in a commercial facility for instance, you may have something where the customer is trying to access their cameras remotely and they may be actually opening up ports on their firewall to allow traffic inside of their network to that box.
Brian: Now, the firewall helps protect the rest of the network from any unsolicited attacks. But if a hacker, or one of these script kiddies that run a preconfigured software to gain access to many, many devices at once, they're potentially going to open up their firewall to allow themselves access to a device within their network. Now, that may open up a vulnerability to that one device. So if they, let's say they open up the port 5,000 on their network, to allow access to a video system now that port on their firewall is accepting traffic. And if somebody from the other side of the world decides that they're going to scan IP addresses and they get a response on 5,000, off of a customer's network, then all of a sudden they know that there's a doorway that they can potentially reach to get into that network somehow to what, to what level they can access things is based on the equipment typically.
Brian: But they will continue to possibly hit that port on the network trying different passwords to get into that device. So if it's a known port they may keep trying, if they know that 5,000 is manufacturer a, then they may try manufacturer A's default username and password. And if the customer did not change the default password, then that gives them very quick, easy access into the device. And then it's only up to the abilities of the device within the network to restrict where they can go. So if it's a windows machine, that can be very dangerous because they can very easily talk amongst other windows devices within the network. If it's an embedded Linux device, maybe a lot more difficult because those devices are hardened and are more compartmentalized. So if a hacker did get into one of those, again they could use the process of resources potentially or, but they're typically not going to be able to scale through a network to extract data.
Brian: So, the easiest thing that a customer can do and the best thing that a customer can do would be to protect themselves by using secure passwords and passwords that are not replicated elsewhere in their lives. So, if it's, if it's your home banking information, maybe you have specific passwords for that. If it's your work, you have some passwords for that. If it's your IP video system, you have passwords for that and nothing matches. That way you, you, you keep those walls, those boundaries up in case somebody does get access to something and it makes the repairing of that situation a lot easier and a lot faster.
Aaron: Okay. So when they, when they get into the, say they find port 5,000, you were discussing in the video camera and network surveillance, they can get into the rest of your network. Is there an idea or is there, you should you split, make sure that it's each network is isolated. So like your data, your servers for your company on one network. Your security systems on a different network.
Brian: Yeah, absolutely. Best practice would dictate that as much as possible. You isolate segments of your network and that holds true with IP video as well. So anytime we go into a customer, we want to talk about creating that isolation between the video network and their network. for mainly two reasons. One, bandwidth. IP video uses a lot of bandwidth on the network. So if you're, if you're traversing a customer's network with IP video and a lot of cases, any sizable system, , we do many systems that are 60, a hundred, 200, 300 cameras, , that puts a massive impact and it actually Max out a traditional network. So, one reason you want to keep that isolated and it's just sheer bandwidth. The second reason is for security.
Brian: If, if any part of that is compromised, you want to contain and compartmentalize that as much as possible. So by creating an isolated physical network, , if anything is accessed that would help keep it separated. the other thing that does is it really puts, , if we put a, let's say we build a, an IP video system and we put the cameras on an isolated network, nobody really can access that network from any place in the world or within the customer's network. That isolated network would physically have to be connected to in order to access those cameras and to possibly exploit those vulnerabilities. So now we can use physical security measures, door monitors and things like that on IT closets, IDFs and MDFs to protect that infrastructure to keep somebody from accessing those switches and then it keeps it relatively secure because there's really no way to access or exploit those.
Brian: And then, when we, when we create the isolated video network, the recorder for that network either stands by itself on that network or if it does interface with the customers network for remote view or something like that. It's only one point of contact. So there's only one touch point from that video system then to the customer's network. So it's, it's much more controllable and much more visible in terms of what kind of traffic is happening, locking down permissions to access that within the customer's network. And if they do access, let's say, somebody does get into the customer's network and they're able to identify where the NVR is on that network. They'd have very limited access to what they would be able to do with that NVR. Of course they could compromise potentially the video solution, , turn off cameras, things like that.
Brian: But , that's, they would effectively be stopped at that device or that NVR. So, certainly best practice to keep things isolated internally. The unknown, , another best practice, , we talked about porting in of a firewall and using secure passwords to protect you in that circumstance. But the porting of a firewall is actually at the low end of the preferred solution range. And we really try to get customers to, if they're going to do any sort of remote access, meaning that they're going to open their system up to the outside world. We really want to see them use a VPN, virtual private network as a piece of software that connects whatever remote device to the internal network through an encrypted connection. And it's a very secure connection. So if your company's running a Cisco Network, there's Cisco switches and Cisco routers are going to have a Cisco VPN capability and so long as the customer subscribes to that through, through Cisco for instance, and there's a bunch of them out there, there's even some free VPNs, but , that creates a secure connection from the end user's device to their network.
Brian: So you don't have to open those vulnerabilities. So somebody from across the world can bang on that firewall all day long and they're not going to get through because the firewalls totally locked down except for that encrypted VPN connection. So that would be a priority for anybody that's remotely accessing their network, put a VPN in place, then you have very, very minimal concerns. The secondary alternative to that would be to use a cloud access functionality. So a lot of these manufacturers are coming out with cloud connected or cloud managed devices. And in that architecture, rather than poking holes in the customer's firewall to gain access through a port and relying on a password to maintain your security, those devices actually reach out of the customer's network to secure servers on an encrypted connection. So those devices are registering themselves in the cloud with any number of service providers, whether it's Amazon or Windows or a manufacturer's own server farm.
Brian: And then the end users linking up with their device in the cloud from their phones. So everything's connecting in a secure server someplace where the architecture is constantly monitored and updated and things like that. So, as long as you're in a secure data center that takes your risk, , much lower than that. , again, trying to access through your firewall. And then the third and, and what we consider to be the least secure, the most risky, would be the, port forwarding the direct firewall access into the network. And, that's where a lot of times these devices are exploited is that somebody is, somebody opened up the firewall to those devices. And the only thing keeping somebody out is the password. And if the password is not secure enough, then of course it's not real hard to get access to that device.
Brian: Or if there was, the forwarding happening on the firewall and the device itself has a vulnerability that can be exploited, then it can be as simply as running a script. And once you've connected to that port, you could push a script through and it would allow you access to that device. So in addition to simply making sure you have secure passwords, there's definitely a couple of additional layers of protection that you can put in place with your cloud managed services or VPN connectivity to your devices to keep, to keep the bad guys out. Keep your, your network secure.
Aaron: So you say, that port forwarding, that's the worst choice that you could make for your network?
Brian: Of the three, it would be the highest risk of the typical connectivity options. Just because you are literally opening the door to the outside world. So if you think about it, like the first two solutions, a VPN and cloud connectivity, my firewall is constantly in place. It's constantly closed. So my front door is closed and locked and nobody's going to get through that, that front door. The third solution, the port forwarding, I basically opened my door or a window, to use an analogy since there's many, many ports that can be opened, but I've opened the front door and the only thing that's keeping the bad guy out is the bouncer that standing inside the doors. So now I've hired a guy in my firewall to stand inside the front door and check people in as they come in and out. So if somebody comes up and presents themselves to the, to the Bouncer, yeah, fake Id, , they've got the password, right?
Brian: Then the bouncer says, oh yeah, that information is over there in the living room. You can go over and have a seat and , , there'll be with you in a moment and that's kind of how they get in. So, keeping that front door closed and locked is going to be the best situation for you. So as long as you can maintain that and, use the super-secret entrance, use the VPN connection or the cloud connection to gain access, you're going to be in a lot better shape. If you have to resort because you don't have VPN access or your manufacturer doesn't have cloud connectivity and you have to resort to an opening the front door and employing a bouncer. You just want to make sure that you've got a really good code word to keep anybody out that shouldn't be coming in.
Aaron: As far as consumers, like with, smart homes and smart devices and security cameras, all that stuff, can they take these same steps that a business would take?
Brian: Yeah, absolutely.
Aaron: Cause I know my home, I have one, one cable router that comes in and one Wi-Fi or cable modem in one Wi-Fi router and everything connects into it. And that's probably a bad idea if something's vulnerable on the networking.
Brian: No, not necessarily, not necessarily a bad idea. One of the major exploits recently was within routers. It was part of an embedded Linux attack if I'm not mistaken. And these routers that run Linux OS are able to be compromised based on some vulnerability that was found in that architecture. And , what a lot of people have had happen is nobody in a residential consumer world, pays very much attention to the routers. They may get a Linksys or a Netgear or something, put it in their home and they forget about it. They, they hook up their cable modem, they hook up their AT&T modem, whatever that is. And they think they've got their Wi-Fi password secured and everything else, and they don't realize that this router has been sitting there for three years and they've never done an update to it.
Brian: So it's really important to remember that you have a touch point, you have a device that can be compromised that's literally operating your firewall to your house. You have to pay attention to that. And, and to be responsible with it, you would need to know how to log into it. You would need to know how to update the firmware on it. , in the case of a Linksys or Netgear or something like that. A lot of times you can log into those routers and there'd be an update firmware button and it'll tell you if your firmware's out of date and it'll go out and find the new firmware and install it. And everything will be fine until the next vulnerabilities found. And then there'll be another firmware. When you deal with, you mentioned like Comcast or AT&T, if you're using their router and their modem, in most cases they're managing those devices.
Brian: So if you have a subscription to Comcast and they've got a modem that you're leasing from them on, on your site, that modem is typically going to stay up to date. They're going to push updates to it, firmware or things like that as they see as they see that come out. So that's actually probably one of the better situations that you could be in. If you say, well, I'm not going to pay that $5 or $10 a month to lease the modem from them. You just, you just give me a gateway, you just give me a modem and I'll put my own router in for my own connect to that. You got to make sure that you manage that router because what happens then is that AT&T modem goes into bridge mode and all it does or , pound cash, whatever, all it does is pass everything that it gets through into the end of the router.
Brian: So it's up to the router to stop that, that traffic, , that's trying to get into your network. So , you want to make sure that you, you stay up to date with that. And then just the same as with a commercial environment. They have, , I mentioned there's, there's free VPN offerings out there that, that you can get, there's some that you can subscribe to depending on the size and scale and what you're trying to do. But , you can, you can actually implement your own VPN architecture. So if you're out and about and you've got your computer set up in a, in a coffee shop or something and you're, you're using the Wi-Fi that may or may not be very secure, you can actually employ that VPN to connect you to your home so that you can encrypt that, that connection from that Internet connection to your computer so that you don't have any worries of, of anybody, tapping into what you're seeing or, or the web pages you're going to or anything like that to possibly be able to get information from you. So as long as you're keeping your home network secure, that gives you a portal back to your home network that you can utilize to make sure that your remote connection is secure as well.
Aaron: The other question, last area, are all security cameras vulnerable to hacking? I mean, is it the security cameras? Is it the NVRs the video systems or where's the, I guess the doorway?
Brian: So something that we've got to recognize in the world of IoT is that everything is available to hacking. It's not a matter of if, it's just a matter of when, a lot of it depends on how prevalent the manufacturer is. You see in a lot of times, ,a few years back, Linksys got hit pretty hard with hacking. Well, they're the biggest name and home routers. So somebody found that it was to their advantage to invest some time in cracking, , into a Linksys architecture, and then they can replicate that across every Linksys router across the nation, across the world. So, depending on how big a manufacturer is can sometimes play to whether or not you see more abilities come out, everything is vulnerable in some regard because the software that's written for these programs, the software that's written and keep people out of these programs is all done by humans.
Brian: And we all make mistakes. We all have errors. It's just a matter of time before somebody finds a way or, or has the keys to exploit something. There was a very large manufacturer not too long ago that had a situation where somebody was able to exploit encryption within their system. If, if a former employee gets an encryption key, which is generally well protected within an organization, there's only certain people that would have access to that information. But if an employee gets any sort of encryption key or anything like that, and then they're able to also find some vulnerability and a piece of software or hardware, it's not too difficult then to use those two things in combination to get quite a bit of information. So, a lot of it is a situation and circumstance, but anything that's out there is going to be vulnerable, so the best thing that we can do as consumers, both commercially and personally is to make sure that we stay on top of those updates and make sure that it's part of our responsibility to go out and, and look at the manufacturers of the Internet of things devices that we have connected to the network and make sure that we are running the most current firmware.
Brian: And that if there, there are known vulnerabilities that are out there, , that we apply the patches to those. There's a really neat website called CVEdetails that registers vulnerabilities across the world. And you can see, any, you can search any number of different manufacturers and find over history what, , what was the vulnerability, , what was the severity of the vulnerability because these things are all ranked from, from one to 10 and 10 being , , basically that you can gain complete access to any information that was on there. And then , all the way down to nuisance type stuff and not a big deal, but you should get it fixed kind of thing. So you can search manufacturers out on there. So , I encourage people to protect themselves and, and be aware of what, , what devices they have in their homes, what things do they have connected to their network and make sure that they stay on top of, of , of those updates.
Aaron: As far the updates and all, I know some like Google chrome pushes updates. And windows computers. Is that, I guess, is that kind of the future? Is that should, is that a good idea? I mean, cause I think the problem is a lot of people forget to check to see if their router or their modem is updated. And
Brian: In the security world it's kind of a double edge sword. Ideally we would love for everything, every manufacturer to be able to automatically push updates to every device that's connected to the network to make sure that it's all secure. There's, there's two thoughts on that and one is that yes, the future is that every IoT device, every security camera, every alarm panel or fire panel or anything that's connected to the network would be able to register itself with the manufacturer, pull down a firmware update and update its firmware. The second school of thought though on that is kind of two fold. One, the, a lot of times the end user is a little leery about components going out and just arbitrarily pulling information down. That could be a security concern of theirs. That if something does happen this device is set the register itself, that it could be registering sensitive information that it, that it doesn't want.
Brian: It could affect some sort of integration that they may have. So, in the security world we have components that are set up and this firmware works with this firmware and maybe they have it all made it up. And if that device goes out and updates itself, the next component that's part of that solution may not be ready for that other systems update and it could break the connection. And then the third part of that is with UL listings and life safety and things like that. When we talk about, , network connected devices, , if that device were to go out and pull a firmware, a lot of times when you initialize firmware updates, those devices have to reboot themselves. And if the device reboots itself and it doesn't come back online and this is all happening in an automated fashion, nope, somebody might not actually recognize that it's done it.
Aaron: And that is offline. , , there could be a compromised situation either in a security system and access control system, the video system that, , somebody has to attend to. So, one thing that we try to do for our customers is, we set up service plans where we might go out once a year, four times a year, and check over the system, do a general health check on it, update the firmware as necessary so that there's a technician on site. If we, and we can control that upgrade. So we can identify what the firmware levels are, what is it play here, is everything going to work together, when, when we update everything and then we can push those updates and verify that everything comes back online and is stable before we believe. So, it's, it's a nice thought to think, oh yeah, everything's just going to automatically update itself.
Brian: But it's a little scary on the other side to that, , things would automatically update and what could potentially happen if they're not. So again, there's a lot of it is just the importance of understanding what you have. , does this device update itself automatically or do I need to be worried about it? And if I need to be worried about it, what are my steps, what , what, what is my control to make sure that I regularly check with the manufacturer and find, , find those updates and apply them as necessary. So there's no perfect answer right now. There's no perfect answer, but , we definitely need to be aware of of the things that are out there and be aware of the situation, the world that we live in today and the, that everything, everything is connected in some of those things are our responsibility to make sure that we stay on top of,
Aaron: I think that's probably the difficult part is that so many things are becoming connected. Notice that you just, you just created yourself a huge list of, , they got to check the updates for this thing and that thing, , I forgot about that one. And , I mean yeah, it used to be just your computer. The Chore List got a lot longer. He just used to, it used to be your computer, you checked for you to update and that was it. , like, which reminds me, I need to go home and check my Wi-Fi router to make sure it's up to date. I mean, that's, , that's one thing that always forget to do. Yeah, absolutely.
Brian: Yeah. And that's, you see that a lot now with it companies that are pushing infrastructure into the cloud and , for server management and things like that, it makes it easier for them because the, the data center that they push their infrastructure into is typically on top of that. They're monitoring on a large scale all of their components and the vulnerabilities and applying those patches. But as, as the, it, the local it groups and these organizations are pushing that infrastructure in the cloud. They're almost back filling their time with keeping up with all of the IoT devices now that they have on site because they have hardware on site now that you can't really push into the cloud. So now there where they were managing servers and things that are being pushed in the cloud, now they're managing these, these IoT devices and these, , the local, physical infrastructure.
Aaron: All right. I mean I think that we could probably talk about for this for hours and get more detailed and dive into it, but I think this is a good kind of overall covering cybersecurity security cameras and just internet of things. That's about it. Thank you. That's it for today's podcast. Thank you. If you liked today's episode, we encourage you to subscribe to the podcast and rate us on iTunes. You can also find our podcast on Spotify, Pocketcasts, Google Podcast and other popular podcast players search for "Koorsen Fire and Security Chat" to find it. Thanks once again for listening and I will see you next week for our next episode of the Koorsen Fire and Security Chat podcast. Have a great day, everybody. Bye. The information in this podcast is for informational purposes only and is believed to be reliable, but of Koorsen Fire and Security assumes no responsibility or liability for any errors or emissions in the content of this podcast. It does not constitute professional advice. The listener of this podcast is responsible for verifying the information's accuracy from all available sources including the product manufacturer. If Authority having jurisdiction should be contacted for code interpretations.