Cheap CCTV systems are being sold at almost any electrical store these days, and picking up a 4 camera kit can be done alongside your weekly supermarket shop. Although Rossells rarely get involved in budget CCTV systems, we are often asked to advise on additional cameras, or upgrades. It’s astonishing how many CCTV security systems are left on an unsecured network, or open to the internet with their default passwords.
There are online website directories committed to sharing links to the various unsecured cameras around the internet, some boasting over 100,000 cameras. A simple online search will quickly have you browsing through private living rooms, kitchens and gardens, but the owners are completely unaware, and unfortunately there is little way of alerting them to the situation.
So how has it all gone so wrong?
Poor end user education and lack of manufacturer’s duty of care…
It’s understandable that every CCTV system needs to be shipped with a default collection of settings, and the inevitable situation of customers forgetting their passwords will happen, so its essential provisions are made for a quick factory reset when necessary. However, the cameras software needs to insist on the default passwords being changed upon first use, forcing the user to acknowledge their responsibility and indirectly protect themselves.
- Warning labels need to be clearly displayed on the product boxes, along with informational stickers over the network connection points. Users that remove the sticker are then forced to question their knowledge, and seek further advice on internet security.
- A crucial update to the camera or DVR software that prevent an external connection from being established if the default passwords remain unchanged.
- Wireless cameras should not have an option to allow them to broadcast on an unsecured wireless network. Although convenient for a user, this option opens the camera to local public access, even from a smart phone user passing by.
How do they find public cameras?
This is quite a broad area, but we’ll try and break it down into an understandable snippet of information.
Every home or business in the UK, has its own little location on the internet, a similar concept to your phone number. This is called an IP address, and although these are usually re-allocated from time to time, they stay with you for a while. Now, every hour or two, someone, somewhere in the world will give your IP address a little poke, usually from an automated piece of software running on a fast server. How your router (the little wifi box often supplied by your internet provider) responds, will dictate how much further digging our unknown friend will decide to do. A process known as ‘Port Scanning’ is the next step once a router has responded favourably. This process scans across a popular collection of possible areas of interest being shared publicly on your connection. If any ports show that they are open, a further collection of data will be made about the item sitting on that port. This is usually a small snippet of identification data, and usually nothing to violating; however, it may give away the brand and model of camera being used within your home.
Although this information is possibly not of great interest to the person doing the initial poking, it will usually be shared across a collection of sources, ready to be checked out by somebody with a more dedicated attention to finding open cameras. Quite simply, the interested party will try sending the default manufacturers login details to the IP address, and port number previously collected. If your camera login details haven’t been changed, then a thumbs up is given to our intruder, and your live camera image will shortly be on show for the rest of the world to see.
It’s sad to think that there are people out there who commit their time and resource to this type of procedure, but when they’re so successful, the buzz must keep them focussed.
I have cameras installed, what can I do to check they’re not vulnerable?
- Check the default user password has been changed – If you have inadvertently setup your internet box (router) to allow access to the camera, this will be the first defence against others getting in.
- Upgrade the camera or DVR’s firmware – Search your model numbers on the manufacturers website, and follow the procedure for upgrading its firmware. This will ensure that you have the latest software running on your CCTV equipment, along with any security patches the manufacturer has released.
- Now focus on your Router firmware, in the same way as above. This could also have some performance benefits for your internet connection reliability and speeds.
- Use a Port Scanner (http://www.radmin.com/download/previousversions/portscanner.php) to give your internet connection a health check. Any ports that are open need to be investigated, and closed if necessary. Use the router instructions to do this, or do a Google for some tutorials.
- Be honest with yourself, if you got in a pickle whilst setting up your cameras, and ticked every box on the settings screen in an effort to make it work, then now is the time to perform a factory reset and understand the meaning of those enabled options.