
CCTV cameras line high streets, offices and government buildings around the world. But these widespread surveillance systems may give cybercriminals a new lens for malicious activity.

That's according to a recent investigation by BBC Panorama, which found that two of the world’s leading CCTV camera manufacturing brands – Hikvision and Dahua – may suffer from security flaws that can be exploited by hackers to infiltrate company systems.

The investigation found that malicious actors could strategically target security cameras in company buildings to compromise confidential data including passwords and usernames of employees and wreak havoc on computer networks. 

Panorama worked with the US-based Internet Protocol Video Market (IPVM), one of the world's leading authorities on surveillance technology, to test whether it was possible to hack a Hikvision camera. The researchers supplied a camera and installed it in a Panorama studio.

The camera Panorama investigated contains a vulnerability discovered in 2017, which IPVM's director Conor Healy described as "a back door that Hikvision built into its own products.”

Hikvision says its devices were not deliberately programmed with this flaw and it points out that it released a firmware update to address it almost immediately after it was made aware of the issue. It adds that Panorama's test is not representative of devices that are operating today.

But Healy says more than 100,000 cameras around the world may still be vulnerable to this security flaw, putting the companies that use them at risk.

11 Seconds

Healy and IPVM's research engineer John Scanlan started by locating the camera inside the BBC Broadcasting House, then began attacking its security defences. 

Just 11 seconds later, Scanlan announces: “we have access to that camera now.” The researchers could see inside the studio, including a Panorama employee working on his laptop.
 

Footage taken from the hacked security camera. Source: BBC Panorama

"If we zoom in tight on the keyboard, we can see clearly the keys that he's pressing to put his password in," Scanlan said.

"This is akin to a locksmith giving you a key to your home and secretly making a master key for all of the locks in that community… that's effectively what Hikvision engineers did."

Following BBC Panorama's investigation, Hikvision published a statement that Panorama’s claims were “farcical.”

“The BBC will broadcast a ‘hack’ of a six-year-old Hikvision camera to exploit a vulnerability that was identified in 2017, but was patched and publicly disclosed less than one week after it was brought to the company’s attention,” the statement reads. 

“This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC has run,” the statement reads. 

Entry points and IoT

Regardless of the vulnerability patch, the investigation provides just one example of hackers exploiting flaws to compromise systems and gain unauthorised access and control.

Earlier this month, the UK government announced that it would be removing Chinese cameras in all government buildings across the country, including the CCTV camera which caused former Health Secretary Matt Harris’ kiss scandal last year – which sparked his eventual resignation for breaking the COVID guidance in place at the time.

An inquiry by the Information Commissioner’s Office into the camera footage being leaked to the press was closed without any charges. The regulator said the images were most likely obtained by someone recording the CCTV footage screens rather than a hack into the camera itself.

The incident demonstrates that, with access to footage, cybercriminals can do a lot of damage – from launching malware or committing social engineering attacks to blackmail or fraud by getting hold of sensitive data.  


A big part of why CCTV hacks are such a threat lies in the multiple entry points available from IoT or cloud-connected devices.

If a security camera company is subject to a data breach, log-in details for CCTV systems could be made publicly available, providing unfettered access to your network. 

And with each new device added to the network, cyber-criminals are presented with a new entry point to carry out an attack.