When security cameras are more like a hole than a protecting Wall, you have a problem. Cameras are a double-edged sword and webcams are the perfect example of that: they allow people to keep in touch with their loved ones and help companies hold meetings regardless of the distance between participants. However, even Mark Zuckerberg covers his laptop camera for security reasons in order to avoid being spied on. The danger in this case seems obvious, but our laptop cameras are not the only ones that pose a certain risk.
Many companies use video surveillance systems, and security cameras obviously play a key part in those systems. Watching the areas that surround a company’s premises to prevent theft or try to identify potential trespassers is something essential for any organization. However, a network of surveillance cameras can also become a threat if attackers find a vulnerability in it.
This has been shown by a recent study carried out by a team of Hungarian researchers who found multiple vulnerabilities in the cameras of Taiwanese CCTV manufacturer AVTECH. These flaws could pose many risks to companies entrusting their business security to this maker’s devices if connected to the Internet.
First, the cloud that these cameras connect to in order to sync data does not use the HTTPS protocol to secure transmissions. As a result, any cyber-criminal could be able to access the footage captured by the CCTV cameras, which could also be downloaded without needing to enter a username and password.
This way, an attacker with the necessary knowledge could obtain the images taken by a company’s video surveillance system, and use that information for more dangerous activities. They could use that information to, for example, find out the exact location of the security personnel at any time, find out if there are employees on the premises or if the place is empty, and even use the cameras to view passwords and confidential data.
In addition to the severity of the flaws, what really surprises us is the fact that AVTECH has not given any kind of explanation about the vulnerabilities discovered or any potential fixes. Obviously, any organization thats use surveillance products must be able to trust them as well as the makers that provide them, something that seems extremely difficult in this case.
Even though it’s true that any surveillance system can have its flaws, there are steps that can be taken to reduce the risk to businesses: do not connect video surveillance devices to the Internet, and keep your devices’ firmware always up to date.