CCTV Data is More Valuable and Regulated Than Ever Before: Here’s How to Secure It
Phil Muncaster, freelance journalist
Given that the primary aim of CCTV cameras is to improve security, it’s somewhat ironic that most modern systems contain a wide range of vulnerabilities. Even the introduction of newer cloud video platforms has not significantly improved matters, leaving organisations, their staff and customers exposed to multiple threats. What’s more, analytics tools have made CCTV data more valuable than ever before, increasing the urgency with which it needs to be protected.
The industry has for too long wilfully ignored cyber security, preferring to rush products to market at any cost rather than to spend time developing secure, resilient kit. This approach is no longer sustainable. Why should you care? Apart from the obvious, European regulators will soon demand strict safeguards to protect data against loss, destruction, use, modification or disclosure. Potentially huge fines await those who fail.
In short, it’s time to get serious about CCTV cyber security.
Threat levels are rising
Since major government investment in CCTV in the 1990s sparked a surge in popularity, these systems have gradually evolved from dumb analogue devices, first incorporating VHS recorders and subsequently digital video recorders (DVRs) with local hard disc storage. Most recently we’ve seen the emergence of cloud-based video solutions, as the number of CCTV cameras in the UK hit six million, according to the British Security Industry Association (BSIA).
Yet there remain major vulnerabilities in both DVR and cloud-based CCTV solutions:
- Default port forwarding punches a hole in the corporate firewall, potentially allowing anyone in
- Connected devices can be easily found by remote attackers via a simple internet search
- Vulnerabilities are common and firmware is often left unpatched
- DVRs could be compromised for use in DDoS attacks, or to extract data from a network
- Many IP camera feeds are accessible to anyone without authentication, and automatic port forwarding opens the network up to attack
- Cloud-based systems often aren’t secured with HTTPS. Attackers could tamper with comms, harvest log-ins and view videos
- Cloud-based systems are riddled with web vulnerabilities, while config mistakes can leave them exposed to attack
- Few cloud providers offer digital signatures or encryption
The bottom line
Vulnerabilities and system failures like the ones above could be exploited by attackers in a range of scenarios, endangering staff and customer safety, and opening organisations up to the risk of theft and covert surveillance – and potentially large data protection fines.
The threats are no longer theoretical. The now infamous Mirai malware attacks compromised hundreds of thousands of DVRs and other devices to launch damaging DDoS attacks on organisations, one of which resulted in outages at Spotify, Twitter and others. New vulnerabilities are cropping up all the time; most recently, the so-called Devil’s Ivy flaw was found in a staggering 249 camera models. Some patched it, many did not.
Most urgent for IT leaders is the forthcoming EU General Data Protection Regulation (GDPR), which brings with it maximum fines of up to 4% of global annual turnover or £17m for non-compliance (whichever is higher). CCTV recordings fall in scope if individuals can be identified. That should be enough to grab the attention of any boardroom.
Time for action
Historically, CCTV has not been a part of the IT function – a fact which threatens to leave today’s increasingly connected, smart systems woefully exposed to cyber threats. Data must be secure, end to end, from device to cloud, in line with industry best practices and regulators’ demands.
Unlike most CCTV systems, Cloudview was built from the ground up with security in mind. It does not require port forwarding, and devices are completely hidden from attackers. Systems get regular firmware updates and pen testing, and data is encrypted in real time to the highest standards. Cloudview is classed as a data processor under the GDPR, so it is required to focus on ensuring continued compliance.
Cyber security is too important to ignore, especially when it comes to CCTV.