ABSTRACT
Video surveillance, closed-circuit TV and IP-camera systems have become virtually omnipresent and indispensable for many organizations, businesses, and users. Their main purpose is to provide physical security, increase safety, and prevent crime. They have also become increasingly complex, comprising many communication means, embedded hardware and non-trivial firmware. However, most research to date has focused mainly on the privacy aspects of such systems, and has not fully addressed their cyber-security issues in general, and visual layer (i.e., imagery semantics) attacks in particular. In this paper, we conduct a systematic review of existing and novel threats in video surveillance, closed-circuit TV and IP-camera systems based on publicly available data. The insights can then be used to better understand and identify the security and privacy risks associated with the development, deployment and use of these systems. We study existing and novel threats, along with their existing or possible countermeasures, and summarize this knowledge into a comprehensive table that can be used in a practical way as a security checklist when assessing the cyber-security level of existing or new CCTV designs and deployments. We also provide a set of recommendations and mitigations that can help improve the security and privacy levels provided by the hardware, the firmware, the network communications and the operation of video surveillance systems. We hope the findings in this paper will provide valuable knowledge of the threat landscape that such systems are exposed to, as well as promote further research and widen the scope of this field beyond its current boundaries.