Assessment of the video surveillance cameras
Following a thorough cybersecurity assessment of Hikvision and Dahua Chinese manufactured video surveillance cameras used in Lithuania, the National Cyber Security Centre under the Ministry of National Defence (NCSC), concluded that remote control of the cameras could be achieved through cyber-attacks due to a number of risks, examples of which were poor password safety solutions and software vulnerabilities.
NCSC Director Dr. Rytis Rainys stated that the key to ‘controlling those risks identified in the study was dependent on the understanding of the cyber security threats, responsible maintenance of IT assets and holding the manufacturers to account’.
The video surveillance camera assessment was initiated by the NCSC earlier this year following the national broadcaster LRT‘s publication about potential low-security IP cameras that had been blacklisted in the United States of America. The objective of the assessment was to carry out a thorough and technically based investigation to determine whether specific Chinese manufacturers’ produced IP cameras with security risks and how they affect users. The assessment provides technical facts about the security threats found in the IP cameras and how they could be used by malicious actors; it also offers solutions and recommendations for users to manage the identified risks. It is important to note, that similar security gaps may be present in video surveillance cameras produced by other manufacturers available on the market and that those risks identified may represent a systemic shortfall.
Cybersecurity experts examined operationally live video surveillance cameras currently being used by Lithuanian institutions. The investigation was carried out in such a manner that peer researchers could repeat the same steps and obtain the same results; the assessment metric was based on the analysis of software functionality, data flow structure and hardware component decomposition.
The assessment identified a number of known cybersecurity gaps in software packages used in the IP cameras that are listed and publicly available in the Common Vulnerabilities and Exposures (CVE) database; these gaps present a real risk of cyber-attack, such as Denial of Service (DoS) or insertion of malware. Moreover, not only do the cameras lack an automatic update function, but the update infrastructure is held on servers in China and Russia.
The research also observed that the IP cameras used poor password protection mechanisms as authentication transmission lacked encryption and only used HTTP with an outdated MD5 algorithm. As such, passwords could be intercepted and decoded when users logged in and then be used for unlawful login that allowed the camera stream to be taken over, allowing camera functions to be activated or deactivated in real-time (face recognition, sound recording, etc.), or the camera to be shut down.
It was also identified, that the Hik-Connect mobile app, for Hikvision camera remote control, connects to servers in China, Thailand, Singapore, and Ireland, and that it also registers SIM card IMSI and ICCID numbers as well as mobile device IMEI numbers.
According to a poll carried out by the NCSC, 57 public sector institutions are currently using Chinese manufactured Hikvision and Dahua video surveillance cameras in Lithuania. Those security risks identified can be managed through the application of technological solutions but heads of organisations should pay more attention to IT maintenance and the implementation of cybersecurity. The NCSC recommends that users of Hikvision and Dahua cameras should isolate the cameras in a dedicated physical or logical network without connection to service, local or public Internet networks. It is also advises that identity credentials should not be disclosed on, or updates downloaded from, remote servers in non-NATO or European Union countries. Regular Real-time audit of port activity is also recommended to prevent unnecessary communications, as well as the creation of white-list that capture only required functionalities as a way to reduce the potential exploitation of vulnerabilities.
When conducting public procurement, it is recommended that the supplier is required to supply cameras with the most recent manufacturer software updates to ensure protection against identified security gaps and vulnerabilities. Also, the supplier should only download software updates from NATO and EU-based servers and should ensure the cameras they provide only have the functionalities listed in technical specifications and that additional functionalities are deactivated.
