Episode 4: Interview with a Security Camera Hacker… In this episode of the Security In-Focus Podcast we discuss with Alissa Knight, Cybersecurity Evangelist and Certified Ethical Hacker, the steps hackers take to infiltrate CCTV systems, the vulnerabilities of commercial security cameras, the convergence of cyber and physical security systems, and what advice hackers have for IT managers securing their video surveillance systems.
Security Guards, Cyber Security or CCTV Surveillance Cameras – What do you do in ‘Security’ again?
Thomas Carnevale [00:00:33] Welcome everybody to another Security in Focus podcast, and I am very excited. We are having a very unique episode, an interview with a hacker, and I am very pleased to have my special guest Alissa Knight on the line with me. Alissa, thanks for joining.
Alissa Knight [00:00:51] Thomas, thanks for having me on the show.
Thomas Carnevale [00:00:53] I am super excited. So in our industry, and let me just kind of set the record straight, all the time, especially in the past three to five years, when I tell people, and I know colleagues of mine in my industry, when I say I’m in security, they automatically default to "oh, you’re in I.T. security, you’re in cybersecurity," right. Ten, fifteen years ago when I said I was in security no one thought I was in cybersecurity or anything like that. But it’s funny, I was at a physical security conference this week, GSX in Chicago, and this was a running topic; we would all make fun of ourselves, everyone thinks that we’re in cybersecurity when we are not, we are in physical security. And so with all the stuff going on in our industry, I thought it was very important to get not a physical security expert on the show and talk about what the technical security vulnerabilities are in commercial and enterprise video surveillance systems. So Alissa, I’m very excited that you’re here and let’s really dive in. You recently did an experiment and it was a very open experiment. You documented some of what your ideas were, you documented the process, and overall I just really find you so incredible to watch because you are passionate about security. Would you mind kind of diving in and taking us into what the hypothesis was behind your commercial video surveillance camera hack, what your kind of ideas were going in, and what you found initially?
Alissa Knight [00:02:34] Sure, Thomas. I do want to tell you that you’re not the only one who gets mistaken for the other (inaudible) security by someone. I’ve had that happen multiple times where I’ll tell them, you know, I work in cybersecurity, and even if I say cyber, for some reason I always, typically, sometimes get…
Thomas Carnevale [00:02:54] You’re a security guard, right.
Alissa Knight [00:02:57] Laughter.
Thomas Carnevale [00:02:57] Yeah, you’re a security guard and you’re packing.
Hacking Security Cameras – The Experiment by a CCTV Camera Hacker
Alissa Knight [00:02:59] I know, they’re like… ya know, okay, so what do you shoot with? What do you carry? Do you have a CCW? It’s like, the wrong security guy. But no, you know it’s… thanks for bringing it up. Thanks for all the things that you said. I do definitely, I guess my charisma definitely comes through in my vlogs and my videos and my writing. I do definitely love hacking IoT devices, particularly embedded systems. I’m a recovering hacker of 20 years. I’ve fallen off the wagon quite a few times in that time frame. In the latter part of that 20 years, I lived in Germany hacking into connected cars, and that was really my foray into hacking embedded systems. And if you look at CCTV cameras, if you look at NVRs (Network Video Recorders), if you look at the physical security devices today, much to your point, it’s all the Internet of everything, right. Everything is really just kind of being powered by these embedded operating systems, and unfortunately you have these manufacturers who are bringing physical security devices to market really with not much experience in cybersecurity. You look at the cameras and they’re fortified against physical threats, so you have to have a star screwdriver to pop off the cover on some of these cameras to gain access to the Ethernet port. But yet it’s wide open. It’s got an IP address. It’s got services running. And in my experience quite a few vulnerabilities, a lot of remote code execution. So recently, which is how I think we met, I published a video on YouTube where I think it started out with me dancing around the room with a CCTV camera, and I talked about the ability to launch a remote code execution against this camera and CC and NVR. And you know, in my experience a lot of these cameras, a lot of these NVR devices, these network video recorders, have vulnerabilities. They’re not properly hardened by the manufacturer.
There are vulnerable services running on them that allow remote code execution and allow you to ultimately gain a shell on the device. Now what was interesting about the research that I published is I was actually able to pivot from the CCTV camera into the network of the organization, so I was able to do this with both a bank and a casino. So if you think about it, it’s kind of like, ya know.
Thomas Carnevale [00:05:41] That’s the jackpot.
Alissa Knight [00:05:42] Exactly. Exactly. Literally, with the casino. You know, it’s interesting because for me, you know, I’m always thinking of innovative new ways to pivot within the network, and the problem is a lot of these organizations are deploying these physical cameras or these physical security devices and they’re not isolating them onto their own network. They’re bringing them in as part of the corporate Wi-Fi network or the corporate network, and you know, once you have a foothold on a camera, if it’s not micro-segmented into its own network you can then reach other systems on that same network. And for me, I was able to then pivot to other systems within the Windows Active Directory domain. So organizations need to understand that these CCTV cameras, these NVRs, need to be protected, they need to be secured just like they would their Windows servers or their Linux servers, because that’s really what these things are.
Commercial Surveillance Camera Vulnerabilities & the Steps in Hacking a CCTV System
Thomas Carnevale [00:06:41] It’s amazing to me how still some people don’t understand the differences between competencies and core competencies that go into securing a facility. You have the drywall guys, you have your electricians, you have your network infrastructure, but more often than not you have a combination of carpenters and electricians doing surveillance systems, and they don’t know how to do basic username and password encryption on an IP camera, let alone set up a gateway or a subnet or configure that IP address. And what bothers me even more is my industry, and I never hesitate or shy away from complaining, but with motivation to make it better, right. Complaining on its own is just complaining, but too many manufacturers in the physical security industry call themselves now cyber experts and they give these white papers on how to do cyber hardening, and because they’re really not speaking to the end user, they’re not speaking to the casino or the bank, they’re speaking to the people that are buying their products off the shelf of a distributor and installing them for the wide variety of commercial facilities out there. And they’re trying to do this through education, but the reality is it’s very weak sauce for all intents and purposes, and it’s more reactive PR from what I’m seeing and very much less about how you are securing your infrastructure. So you were able to get all the way home from some of these initial discoveries. I definitely want to understand, if I’m an I.T. manager, because that is happening, I’ve seen the evolution in the past 10 to 12 years. It’s still the security manager’s job to do the threat analysis, but more often than not it’s now becoming the responsibility of the I.T. manager to design the surveillance infrastructure for a bank or for a commercial facility or for a casino. Have you thought about what some lessons learned could be for a job title like that?
Alissa Knight [00:08:57] Sure, I learned a lot in this research that I’ve been doing and I continue to learn, right. The interesting thing about this attack vector is you can do it from your car sitting in the parking lot of the facility, right. That’s the scary thing. I don’t need to try and social engineer my way past the front desk. I don’t need to buy a uniform and pretend that I work for a particular company as a repair person. I just sat in my car. These cameras were connected to the wireless network for the organization that I was hacking, and unfortunately there was weak encryption being used on the wireless network. I used some basic tools. One in particular was a Pwn Pad, which is a tablet that was purpose-built from the ground up as a wireless hacking device, and I was able to crack the key for the wireless network and I was then able to become a client on this wireless network that the cameras were connected to. This allowed me to then reach the IP addresses of the cameras that were sitting in the parking lot from my car and then jump in…
Thomas Carnevale [00:10:08] Without doing a sniff… without sniffing the network at all.
Alissa Knight [00:10:11] Right. So actually, the way this tool works is that it allows you to actually sniff the packets of the wireless network for offline cracking.
Thomas Carnevale [00:10:22] Oh.
Alissa Knight [00:10:23] And it’s pretty interesting, but so, in any case, I was able to actually gain access to the wireless network once I had cracked the key. And you don’t need to successfully authenticate with the wireless network in order to sniff the packets and then crack the key. So once I had the key I could then connect to the network as a legitimate wireless client and then access these cameras and then pivot. Yeah, my recommendation would definitely be you need to think about all things around physical security, not just the physical threats to the devices, right. So these are enclosed devices. I really can’t walk up to these cameras and, you know, access the Ethernet port. I think that’s the extent to which, much to your point, the manufacturers think through these things. They don’t think about the cybersecurity implications, like why are these cameras listening? Why do they have a web server listening on this port number, or this service listening on this port number when it’s not needed, that sort of thing? But in my experience, a lot of these devices have never gone through a penetration test. They’ve never had static or dynamic code analysis done. So my advice is, you know, if you’re using these CCTV cameras on a wireless network, make sure that the wireless network is using a strong key. Make sure that you’ve got proper cybersecurity controls around the wireless network, in addition to making sure that you yourself perform a penetration test on these devices. Unfortunately, we as practitioners can’t rely solely on the manufacturer to do their due diligence and eat their own dog food and perform penetration testing of their devices.
We need to take the onus and the responsibility to make sure that if we’re going to invest in this infrastructure, if we’re going to invest in these devices, we are taking care to perform penetration testing of them, make sure that they’re part of our regular patch management strategy and vulnerability management strategy, to make sure they’re regularly patched and that we update the firmware on these devices. A lot of the organizations that I’ve tested and went through were running firmware on these cameras and NVRs that goes back years. They never upgraded these devices. And a lot of these manufacturers will publish software that makes it easy to upgrade the firmware of these devices on a mass scale. And companies still are doing it. I think it’s set it and forget it. They think about their servers because that’s what they need to be thinking about, and they don’t realize that they have these IoT devices around their building that have IP addresses as well and can be compromised, can be used as a pivoting point into their internal network because of a flat network or lack of segmentation.
Thomas Carnevale [00:13:16] And just so we’re clear, she’s not taking, like, a Nest cam or an Arlo or something like that, like an off-the-shelf nanny cam. This was a commercial big-brand surveillance camera that is used in banks and casinos and critical infrastructure all around the world. Outside of the firmware not being updated, which kind of maybe relates more to taking seriously the service and the implementation process of the setup, what are some other elements that surprised you in the recent endeavor?
Finger-pointing between Physical Security Systems & Cyber Security
Alissa Knight [00:13:50] Well, you know, one of the things that is starting to happen is I really feel like there’s this convergence occurring between physical security and cybersecurity. So I’m a BSI certified ISO 27001 lead auditor and I’ve done ISO 27001 audits. And with these organizations, one thing that I’ve been increasingly seeing over the last 20 years is really this convergence of the two worlds. And I think on the manufacturer’s side, you brought this up earlier, where these physical security device companies are starting to tout cybersecurity, and I think the same thing is happening on the fraud and risk side where fraud companies are really trying to rebrand themselves as cybersecurity companies because that’s where the budgets are. I’m sure that this is the impetus for a lot of the physical security device companies, where they see that there are these really inflated budgets on the cybersecurity side, and these budgets in cybersecurity crush the budgets of physical security. And so I think they’re wanting in on that. I think it’s a dollars and cents thing. So that’s one observation I’d make. The other thing is, you know, there’s definitely this convergence even of the roles, where I see organizations that are eliminating the chief security officer position, and the chief information security officer, the CISO position, is being made responsible for taking over the physical security controls. And I think that really has had a lot to do with the laws and rules and regulations like ISO 27001, GDPR, PCI, all these rules and regulations where physical security controls are coming into play. There’s an entire section of Annex A for ISO 27001 dedicated to physical security controls, and the person who’s implementing and maintaining that ISO 27001 certification or attestation is responsible for the implementation of the Annex A controls.
And I think that we’re going to continue to see this, where organizations are starting to shift that role, accountability and authority over to the CISO, and the separate role of chief security officer responsible for physical security is going to start to change.
Alissa Knight [00:16:13] Obviously this is going to depend on the size of the organization, but in my experience that seems to really be shifting over to cyber. Having said that, some of the other findings that I found in my research were really just coming from the realization that these security cameras with these companies are still being seen as the other person’s responsibility. Right. So, you know, there is a lot of blame-shifting where CISOs will kind of point the finger at facilities and say, oh well, you know, that’s not my responsibility, that’s facilities. And facilities are pointing the finger at the cybersecurity group and infrastructure and operations and saying, oh yeah, you know, we’re responsible for doors and gates. You know, we’re responsible for deploying the cameras, but that really needs to be cyber who’s in charge of patching it and keeping it updated and making sure that they’re implemented securely. So I think there is this blame game that’s going on between facilities and cybersecurity in a lot of the organizations that I’ve been to where I presented these findings. There was a large financial organization that I hacked a few months ago where I showed them actual pictures from their cameras and live video feed, where I demonstrated the ability to access their cameras remotely over the Internet. Same thing for a large oil and gas company, both upstream and midstream oil and gas company,
Thomas Carnevale [00:17:46] Hmm…
Alissa Knight [00:17:46] and the ability to also then jump into their badge reader system because the entire thing was orchestrated on the same platform. And you sit in this room where it’s a deer in headlights, and each person responsible for their area, either facilities or cyber, is just pointing the finger and saying, hey, you know what, I was never told that we would be responsible for that. So I think because no one is stepping up and saying, hey, when was the last time we upgraded the firmware on our cameras, or who’s handling patch management for our cameras and our NVRs, since no one is stepping up to take the reins on that, it’s just not getting done.
Thomas Carnevale [00:18:25] Well, even facilities saying that our responsibilities are doors and gates. In my last episode we talked about access control vulnerabilities, and even with doors and gates, you actually don’t need any software or network architecture experience to hack the Wiegand protocol, which is covered in 90 percent of all proximity card readers across the world. All you need to know is a very basic Wiegand outline and get a BLE key and you’re in. That’s most facilities. So even more…
Alissa Knight [00:19:02] Yeah, and a lot of things, especially in the connected car space, are shifting to BLE as well. Yeah, it’s crazy, and you know, it’s funny because I really don’t think that these individuals who are responsible for these systems, for these devices, really understand that, especially with CCTV cameras and NVRs, these are mini computers. It’s the same thing with the connected car space and embedded systems. Cars are now no longer just, you know, combustion engines; they’re rolling around with IPs and, you know, SIM chips in them and communicating over GSM. You know, these are little mini computers with wheels. Same thing with cameras. These are computers connected to a wireless network in some cases, Ethernet in other cases. But as long as you have access to that network infrastructure, these cameras in my experience are not getting properly hardened and not getting secured. And it’s possible to breach these devices and use them as a pivoting point into the internal network because of a lack of micro-segmentation, because of the prevalence of flat networks where IoT building devices, facilities devices, like SCADA systems, are on the same network as the corporate LAN.
Why Hackers Attack Surveillance Cameras and How They Do It
Thomas Carnevale [00:20:16] So you’re a Certified Ethical Hacker, correct? Obviously.
Why Hackers attack Surveillance Cameras and How They Do It?
Thomas Carnevale [00:20:16] So you are you’re a Certified Ethical Hacker correct. Obviously.
Alissa Knight [00:20:20] Correct.
Thomas Carnevale [00:20:21] And so if you could maybe flip that little… I’m sure it doesn’t exist at all, but if you could flip that little switch and not be ethical, and if you were looking to penetrate a commercial corporation, you’ve driven down this road a little bit already. But if I’m a hacker and I want to get into a corporate facility, why would I start, potentially, outside of some of what we’ve already said, with surveillance cameras? Why would I start initially there?
Alissa Knight [00:20:50] Well, it depends on your proximity, right. So if I’m targeting an organization, if I’m going to use any of the IoT devices in and around the building I would need physical access, right. It’s not something that I do over the Internet unless those cameras are connected to the Internet, which is a possibility. We saw that in the large DDoS attacks with the CCTV cameras. But it depends on your vantage point to the target. So if it’s a company where I want to use the IoT devices in or around the building, then yes, I’ll need to drive over there. I’ll need to make sure I’m within physical proximity to the devices that I’d be using, whether it’s CCTV cameras or anything else in and around the building. If I’m targeting a company over the Internet it’s going to be a different attack vector. It’ll be their APIs, which a lot of embedded systems communicate with, believe it or not. Like, you know, talk about smart cities and parking meters and all that. Those are all communicating over APIs.
Thomas Carnevale [00:21:54] Yep.
Alissa Knight [00:21:54] But yeah, I think the answer to your question is it depends on my vantage point to the target. If I am within driving distance, sure, I’ll drive over there, because my favorite thing right now is hacking a company through its cameras or any other IoT device that may be connected to their corporate LAN.
Thomas Carnevale [00:22:12] So there’s not really a methodical approach; it’s really what type of company is it, where is it located. You wouldn’t necessarily go after known vulnerabilities first or go after firmware second. There’s not necessarily a pecking-list order that you would check off. It would be very targeted.
Alissa Knight [00:22:30] So yes, you are correct. My focus right now at this point in my career is financial services and fintech. So I’m a senior analyst for a research analyst firm called Aite Group that’s focused on financial services. So a lot of my research right now is in financial services. So the answer to your question, just to expound on what you’re saying, is it’s really all of the above. So it’s first understanding my target. Understanding what their attack surface looks like, you know, are there any services open to the Internet. Do they have a mobile app, and with many banks and financial institutions these days they have a mobile app, I’ll download the mobile app and see if I can get URLs out of it. If they’re using code (inaudible) and if they’re not I’ll grab what I can out of that source code, and see if they hardcoded any API keys in that mobile app, any credentials in that mobile app. I recently just finished research where I downloaded 30 financial services mobile apps and I hacked twenty-nine out of 30 of them by reverse-engineering the mobile app and finding hardcoded keys and credentials in that app. So that’s the first place I’d check. Then I would check any Internet-facing servers. I would check who works there or find them on LinkedIn to see if it’s possible to social engineer them and send them a spear phish to get them to click on a link or a drive-by download site where I can get easy access onto their system. If I’m within physical proximity of the building, yeah, I’ll drive over there, I’ll see if they have any CCTV cameras or any wireless networks in the area that are bleeding out into the parking lot. I’ll try and see if I can jump onto that wireless network from the parking lot, or, you know, see if I can walk into the reception area and plug a Pwn Plug or something into the wall and access the network that way.
There are so many different ways in which you can breach a company these days that it really doesn’t require much effort.
Advice to IT Managers on Surveillance Camera Hacking
Thomas Carnevale [00:24:25] That’s amazing, because there is a big difference between an I.T. manager who could make surveillance camera decisions and a CISO, right, and then the security team. And so if I’m an I.T. manager, is there a way I could know that my surveillance cameras could be hacked?
Alissa Knight [00:24:44] Yeah. So my advice to an I.T. manager, or anyone in any capacity really in I.T. or cybersecurity at a company, is, well, first of all, make sure you’re doing regular penetration testing and make sure you’re doing it with an outside company. Bring in outside expertise to make sure that… Organizations tend to be drunk on their own Kool-Aid. So make sure you’re retaining an independent third party to come and do a penetration test, and make sure that your IoT devices are within the scope of that pen test. If they’re doing an internal penetration test, which I recommend all organizations do, make sure that your CCTV cameras, your badge readers, all of those things are within the scope of the penetration test. And then determine after that, you know, who really, ultimately, is in charge of this. Is it I.T.? Is it infrastructure and operations? Is it facilities? You know, who’s in charge of the ongoing care and feeding of these cameras, of these physical security devices like badge readers, moving forward once it’s up and operational? Those kinds of things need to be ironed out, because whoever is in charge of it needs to make sure that it’s part of a regular patch management strategy and vulnerability management strategy moving forward.
Thomas Carnevale [00:25:59] There’s just no doubt. I mean, and I relate that to what you said earlier. I mean, the budgets are incredibly lopsided for cyber compared to physical. And that also spills into the ongoing service and maintenance, and I think that’s a big thing for commercial security companies. They’ll spend maybe half a million dollars on a very high-end surveillance camera system, or less, maybe one hundred thousand dollars. But then they’ll spend nothing for the first three years to maintain it. That just happens all the time. Is that they don’t…
Alissa Knight [00:26:30] Yeah.
Thomas Carnevale [00:26:30] …have consistent preventative maintenance and service agreements for video surveillance systems, and then what happens? Oh, firmware’s two years out of date.
Alissa Knight [00:26:35] Yeah, I think organizations have a tendency to really just kind of budget for the initial purchase and not put any thought into the real, true cost moving forward of who maintains this and the continuous care and feeding. Who performs it and how is it done. Every organization really needs to adopt an information security management system framework like ISO 27001, NIST, you know, adopt a framework, it doesn’t matter what it is. I’m more partial to ISO; organizations that are international, that have international locations, may find that ISO 27001 is the best fit because it’s more of an international standard and it’s very popular in Europe. Organizations that do business with the U.S. government or are just U.S. only may want to look at NIST CSF, that sort of thing. But I mean, adopt a framework, make sure that you have some sort of Plan-Do-Check-Act, meaning a continuous OODA loop framework where your cybersecurity program and your physical security program are part of a continuous improvement cycle, that you’re continuously improving it, tracking key performance indicators on how well it’s doing, are the number of incidents, physical and cyber, going down over time, and just continue improving those. And if you don’t know how to do this internally, retain help. Reach out to organizations that have this expertise that can come in and make sure that things are operating efficiently, that waste is being eliminated and that these devices are continuously fed and improved and kept accurate over time.
Thomas Carnevale [00:28:18] Well, I am of the opinion that you are an amazing gift, even though you’re not in my industry. You’re an amazing gift to my physical security industry because I really think we just need more call-outs. We need more reality checks, and I really hope you continue your research, because I for one have learned a lot from it, and I hope that the I.T. managers and physical security managers listening really got something out of this. Any final thoughts, Alissa, on hacking surveillance cameras?
Alissa Knight [00:28:48] Well, you know, first of all, thank you for the warm approbation. I’m happy. It’s a privilege to be your spirit animal in cybersecurity. And I would love to be on your show again. I think what you guys are doing is awesome.
Thomas Carnevale [00:29:01] Thank you.
Alissa Knight [00:29:01] And you know, I think drawing awareness to this problem really needs to happen, and it happens one person at a time. And it’s great to meet other influencers like yourself. I do consider myself to be a content creator and cybersecurity influencer, both written short- and long-form content as well as video, so check out my YouTube channel, for those of you listening, I publish videos weekly. Check out my Twitter, I’m at Alissa Knight, it’s A-L-I-S-S-A K-N-I-G-H-T, and reach out to me on LinkedIn. I love giving my time to people who are interested in this. If you’re interested in moving into cybersecurity, especially women out there, I’m happy to be a guide for you and a sounding board, because we definitely need more women in this industry, and I’m happy to provide that sort of guidance. So thank you very much for having me on your show, Thomas. It’s been fun.
Thomas Carnevale [00:29:53] My pleasure, Alissa. Well, we’re going to link all of those up so that you can click the link in the profiles and bio. And thanks again. Another episode of Security in Focus in the books.
Announcer [00:30:03] You’ve been listening to Security in Focus, a service of Umbrella Technologies. For more information go to https://umbrellatech.co/podcasts/