CCTV is a growing target for hackers – but, there’s a simple solution
James Wickes – CEO, Cloudview
Earlier this month, surveillance camera commissioner Tony Porter warned that Britain's growing number of CCTV systems could be a target for cyber hacking attacks.
We rely enormously on CCTV to underpin physical security in both private and public settings and, as highlighted in an article from the Telegraph, the commissioner's report indicates that the use and sophistication of this technology continues to grow. In 2015, the British Security Industry Association said there were between four and six million cameras in the UK. Cloudview’s own research suggests there are currently around 8.2 million in use today.
However, it is becoming increasingly clear that the systems we trust to improve security may not themselves be secure. Part of the problem is, by their nature, CCTV systems are almost impossible to control in a joined up way without great expense and constant physical intervention. But, the issue lies not only with users and their deployment of cyber security measures, there are also problems in the supply chain of the CCTV equipment itself which involves many players. What stops a small camera assembler or manufacturer from buying out-of-date firmware from a dealer that is knocking it out cheap? Who owns the manufacturers? Can we be sure about what the kit is doing if its connected to the internet and it "phones home" – actually …. where is home?
Which raises an important point – if “home” happens to be outside the EU, what about compliance with the General Data Protection Regulation (GDPR)?
The vulnerability of CCTV systems has been highlighted by recent DDoS attacks, where systems were combined into massive Botnets to take down critical services. Nearly 1.5 million connected cameras were hijacked for this purpose in September 2016, and just a month later we saw the massive cyber-attack on DYN, the largest DDoS attack so far – which was executed through a Botnet consisting of a large number of internet-connected devices, including a vast number of IP cameras, DVRs and baby monitors infected with the Mirai malware.
In Tony Porter’s words, “cyber security has moved to the top of the security agenda”. Similarly, I believe we have got to – and probably passed – the "something must be done" stage.
Many organisations are still failing to recognise the inherent insecurity of their CCTV systems. In fact, independent research found major vulnerabilities in both traditional DVR-based and cloud-based systems. I would speculate that this is partly because users simply assume that equipment generally used for security must be secure – a reasonable assumption. The GDPR shines a powerful floodlight onto the need to be more vigilant with the security of personal data from hacking and theft but the users of CCTV equipment need protection too. Only CCTV equipment that is fit for purpose should be sold into the market and manufacturers and resellers of un-safe equipment must be held to account where their equipment is found to be wanting.
In the case of Cloudview, the connection between cameras and Cloudview’s cloud service is secured with an adapter (the VNA) which only allows outbound communication to Cloudview. This enables analogue or IP CCTV cameras to be securely connected using regular broadband, 3G/4G or satellite services. The adapter is a device dedicated to its task, not a hefty piece of kit with massive storage and processing power which can be potentially hijacked.
There are many benefits of cloud-based systems and one that is particularly relevant security-wise is that we are constantly improving defences against cyber attacks as well as adding new features to increase efficency. Because Cloudview is cloud-based, we can automatically make these updates. That isn’t going to happen in a meaningful way where DVR-based systems are concerned – it is simply too expensive and time consuming.
I am in no doubt that properly implemented modern cloud-based CCTV and visual data systems are far more secure than non-cloud alternatives. We don't know the nature of the risks in front of us and therefore it’s a good strategy to lay-off cyber security risks to organisations that place it at the core of what they do. Cloudview goes through rigorous penetration testing and our cloud services operate to national and international physical and cyber security standards.
It’s also important to point out that, in the new world of the GDPR, the responsibility for data protection is far more onerous for data processors (in this case, the suppliers of these cloud-based CCTV services) than ever before. There are more direct security obligations placed on suppliers, so their very business depends on being secure!
For more information on how Cloudview can make your CCTV network more secure, visit www.cloudview.co.