IP cameras for video surveillance have been a trending topic amongst enterprises across the world due to rising concerns for security and safety. IP CCTV cameras are revolutionising security measures, and technology has evolved to allow for a more diverse security monitoring system through high resolution, larger digital storage options and compatibility for integrated analytical software.

According to Global CCTV Market Forecast 2022, analysts expect the market for global CCTV to grow at a CAGR of around 11% during 2018-2022. 

Clearly, a successful hack of an enterprise security camera system could have a range of consequences. The main ones are unauthorised access to video and audio streams and to the archive; violation of confidentiality, HIPAA and PII requirements; potential leaks of personal and corporate information; and unauthorised copying, distribution and duplication of such data.

“Most Enterprise video surveillance systems are vulnerable to hackers. According to our studies, more than half of companies and organisations, both large and small, do not take sufficient precautions when it comes to preventing their security cameras from being hacked. Be it ignorance or just a careless approach to security of their network in general, the results of hacking can be disastrous,” says Chris Ciabarra, the CTO and co-founder of Athena Security.

With the increasing number of surveillance cameras installed in homes, offices and public places, hacking incidents related to these devices happen more and more often. 

The ease of hacking surveillance cameras

It’s not a secret that surveillance cameras, like many other Internet of things (IoT) devices, are full of vulnerabilities that can be exploited by hackers. 

Cameras, just like all other devices connected to the Internet, have IP addresses that are easy to find using Shodan, a search engine for Internet-connected devices. With this simple tool, a hacker can find hundreds of potentially vulnerable IoT devices to hack into, including cameras, especially when most companies use default passwords. 

The solution

Below are basic recommendations on how to protect your camera network, and what actions you should take to minimise the chance of hacking.

  • Change the default username and password 

You should start by changing the default password and username of your camera network. Even though this may seem obvious, not everyone does it, practically leaving the door for hackers wide open. 

Use a strong password that is hard to guess. When setting up the password use numbers, symbols, both uppercase and lowercase letters. Do not use simple and commonly used passwords, such as the ones in SplashData's list of 100 worst passwords of the year.

Do not use the same password you are already using for other online accounts. According to a recent survey on data privacy conducted in May 2019, 13% of respondents with at least one online account say they use the same password for all their accounts. Using a password manager to generate a strong random password may be a good idea. 

  • Update your camera firmware regularly

Keeping camera firmware up to date is very important, as it prevents hackers from exploiting vulnerabilities and bugs that manufacturers have already patched in a new firmware update.

Despite the fact that most modern cameras will automatically download and install firmware updates, some require the user to check for updates and install them. 

  • Set up two-factor authentication 

Set up two-factor authentication if your cameras support it. With two-factor authentication on, the camera manufacturer will send you a randomly generated passcode via text message or phone call, in addition to the username and password, at each login to the account. Two-factor authentication prevents hackers from accessing the camera system even if they were able to crack the username and password.

Not all surveillance camera systems support two-factor authentication, though. 

Technical recommendations

  • Prevent cameras from sending information to third parties

Companies that use surveillance cameras very often do not put enough effort into protecting their cameras and the data they transmit, despite the fact that this footage is of great importance to many people.

The firmware of most cameras, across different manufacturers, is programmed to keep a connection open to the manufacturer’s server without the end user's knowledge. Most users, both private and corporate, are not aware of this and therefore do not take any steps to protect themselves from this potential vulnerability, which could result in a footage leak to a third party or a successful hacker attack.

To prevent your camera network from transmitting to third parties, take the following steps.

Step 1: Statically assign an IP address

Statically assign an IP address and subnet mask to each camera, and leave the gateway blank or set it to 127.0.0.1, if the gateway field accepts that. If the firmware does not allow a blank gateway or a 127.x.x.x address, just point the gateway to an unused dedicated IP address.

This way, cameras will not be able to send the information off the local company network.

Step 2: Assign DNS servers

Assign DNS servers that are local to the cameras, and configure them so that only your own domain is present, with zero forwarding DNS servers.

This way, if a camera tries to do name resolution, it will come up blank. Not being able to find the IP address of the main server (mother ship), cameras won’t be able to connect to it.   

To stay safe you can order your own DNS servers, locked down to your addresses only.
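One way to check Steps 1 and 2 across a whole camera inventory is shown below. This is an added example, not code from the original article; the inventory format, camera names, addresses, `APPROVED_DNS` and `LIVE_HOSTS` are all constructed assumptions, and the duplicate-address check goes slightly beyond the text because static assignment makes conflicts possible.

```python
import ipaddress
from collections import Counter

# All values below are constructed for illustration.
APPROVED_DNS = {"10.20.30.2"}               # internal resolvers with zero forwarders
LIVE_HOSTS = {"10.20.30.1", "10.20.30.2"}   # hosts known to answer on the camera subnet

CAMERAS = [
    {"name": "lobby-1", "ip": "10.20.30.11", "mask": "255.255.255.0", "gateway": "", "dns": ["10.20.30.2"]},
    {"name": "dock-2", "ip": "10.20.30.12", "mask": "255.255.255.0", "gateway": "127.0.0.1", "dns": ["10.20.30.2"]},
    {"name": "lot-3", "ip": "10.20.30.13", "mask": "255.255.255.0", "gateway": "10.20.30.250", "dns": ["10.20.30.2"]},
    {"name": "roof-4", "ip": "10.20.30.14", "mask": "255.255.255.0", "gateway": "10.20.30.1", "dns": ["203.0.113.53"]},
    {"name": "gate-5", "ip": "10.20.30.11", "mask": "255.255.255.0", "gateway": "", "dns": ["10.20.30.2"]},
]


def audit_camera(cam, in_use, approved_dns=APPROVED_DNS):
    """Return a list of findings for one camera's static network settings."""
    findings = []
    iface = ipaddress.ip_interface(f"{cam['ip']}/{cam['mask']}")

    # Step 1: gateway must be blank, loopback, or an address nothing is using.
    gw_text = cam.get("gateway", "").strip()
    if gw_text:
        gw = ipaddress.ip_address(gw_text)
        if gw.is_loopback or gw.is_unspecified:
            pass  # 127.x.x.x, or 0.0.0.0 (assumed to be how some firmware stores "blank")
        elif str(gw) in in_use:
            findings.append(f"gateway {gw} is a live host, so traffic can leave the subnet")
        elif gw not in iface.network:
            findings.append(f"gateway {gw} is outside {iface.network}; confirm nothing routes to it")

    # Step 2: every configured resolver must be an approved internal one.
    for dns in cam.get("dns", []):
        if str(ipaddress.ip_address(dns)) not in approved_dns:
            findings.append(f"DNS server {dns} is not an approved internal resolver")
    return findings


def audit_all(cameras, live_hosts=LIVE_HOSTS):
    """Audit every camera; return {camera name: [findings]} for cameras with problems."""
    ip_counts = Counter(cam["ip"] for cam in cameras)
    in_use = set(live_hosts) | set(ip_counts)   # other cameras count as "in use" too
    report = {}
    for cam in cameras:
        findings = audit_camera(cam, in_use)
        if ip_counts[cam["ip"]] > 1:
            findings.append(f"static IP {cam['ip']} is assigned to more than one camera")
        if findings:
            report[cam["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(CAMERAS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```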

  • Block your camera network’s access to the Internet 

Blocking your camera network’s access to the Internet is a good way to make sure hackers won’t be able to get access to the footage and other confidential data. Any dual-homed system touching your camera network should be blocked from Internet access. This way all systems in the same subnet won’t have access to the Internet from that box.

Always use DNS, because firewall rules tend to be easy to hack, while internal DNS is not expected and stops systems from resolving names you do not want translated, such as the mothership that a bad program tries to talk back to.

  • Monitor your system for traffic spikes 

One of the tricky things about hacker attacks is that there are no warnings. In most cases hackers will penetrate your system without any signs or symptoms of an attack, and it isn’t until you face the consequences (like leaked footage or hackers manipulating cameras) that you realise something is wrong. It may be days or even months between the hacker attack and the time you realise the system has been compromised.

Monitoring dual-homed systems for bandwidth spikes could be a good way to spot a hack resulting in the leakage of confidential data like images or video. There are a number of traffic monitoring tools available to private and corporate users that can manage and sniff the network or just monitor it.
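The spike check described above can be sketched as follows. This is an added example, not code from the original article: it turns periodic readings of a dual-homed host's transmit byte counter into rates and flags intervals far above a rolling baseline. The sample readings, window size, multiplier and floor are constructed assumptions to tune for your own network.

```python
from statistics import median


def rates(samples):
    """Convert (unix_time, tx_bytes_counter) readings into (unix_time, bytes_per_second).

    On Linux the counter can be read from /sys/class/net/<iface>/statistics/tx_bytes.
    """
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0 or c1 < c0:
            continue  # clock glitch or counter reset/wrap: no usable delta
        out.append((t1, (c1 - c0) / (t1 - t0)))
    return out


def find_spikes(samples, window=6, k=6.0, floor=50_000):
    """Return [(unix_time, rate, baseline)] for intervals well above the recent norm.

    Baseline is the median of the last `window` normal rates; spread is the median
    absolute deviation (MAD), never allowed below 5% of the baseline. `floor` is the
    lowest rate (bytes/s) worth alerting on, so tiny idle links do not alert.
    """
    flagged, history = [], []
    for t, rate in rates(samples):
        if len(history) >= window:
            recent = history[-window:]
            base = median(recent)
            mad = median(abs(x - base) for x in recent)
            threshold = max(base + k * max(mad, 0.05 * base), floor)
            if rate > threshold:
                flagged.append((t, round(rate), round(base)))
                continue  # keep the spike out of the baseline
        history.append(rate)
    return flagged


def constructed_samples():
    """Constructed one-minute readings: ~20 KB/s of normal traffic, then a two-minute burst."""
    bytes_per_minute = [1_200_000, 1_150_000, 1_300_000, 1_250_000, 1_180_000, 1_220_000,
                        1_270_000, 1_190_000, 240_000_000, 255_000_000, 1_210_000]
    t, counter = 1_700_000_000, 5_000_000
    samples = [(t, counter)]
    for sent in bytes_per_minute:
        t += 60
        counter += sent
        samples.append((t, counter))
    return samples


if __name__ == "__main__":
    for t, rate, base in find_spikes(constructed_samples()):
        print(f"t={t}: {rate} B/s outbound, baseline {base} B/s")
```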

  • Facial blur in archived footage 

Blurring people’s faces when archiving surveillance camera video streams is a great tool, allowing you to comply with privacy laws and making the footage useless to hackers even if they manage to successfully hack your system.

These recommendations will allow you to lower the risk of hackers breaking into your security camera network, detect a hack if it has already occurred, and protect yourself from the possible consequences if camera footage was stolen.


Author profile

Christopher Ciabarra CTO, Athena Security, Inc.

Chris is a serial entrepreneur and security expert with over 20 years experience using technology to detect and prevent threats. He has dedicated his career to building proactive solutions to security threats. He is an anti-hacking expert who pioneered network security solutions during the dot-com boom, and mobile payment security during the rise of mobile computing. Chris is an award-winning innovator, published author, and member of the Forbes Technology Council. But above all he is an inventor dedicated to making the world a better place.

From 2010 – 2017 he co-founded and was the CTO of Revel Systems, helping grow it from 0 to 800 employees and a $500 million valuation. Chris developed the technology behind the company’s iPad point-of-sale system. When everyone said it was impossible, Chris made it happen. Chris also designed Athena to create a safer world - one where real threats are quickly identified and neutralised, and where the innocent wouldn’t be profiled as a threat without just cause.

Christopher is also a certified thermographer; thermography is the study of infrared devices and how they work and should be operated.
