The Security Industry’s Dirty Little Secret

You’ve seen it in movies and TV shows dozens if not hundreds of times. A skilled computer whiz hacks into a security system to unlock or lock doors at will or disable surveillance cameras to prevent the powers that be from detecting a crime or other activity. But that’s just Hollywood, right? That can’t happen in real life. Can it?

The truth is that it not only can happen, but it happens more often than anyone would like to admit. It’s not only reality, it’s the physical security industry’s dirty little secret, one that’s been actively hidden by some of the largest manufacturers in the space.

In spite of being the two most prominent security technologies, both video surveillance and access control technologies have – rightly so – fallen under massive scrutiny of late, exposing their susceptibility to cyber vulnerabilities, which has turned the entire industry on its head.

So how did this happen? And more importantly, how can you avoid becoming another statistic in the cybersecurity world?

 

The Wiegand Effect – and its Consequences

Real-world examples of the vulnerabilities of IP-based access control aren’t restricted to smaller organizations with limited budgets. In July 2017, someone found a way to unlock doors at Google’s offices in Sunnyvale, California, without an RFID keycard. The good news is that it was a Google employee who was testing a potential vulnerability after discovering that the encrypted messages the company’s access control system was sending across the network weren’t random, which meant they were not properly protected. After investigating, he discovered all of the manufacturer’s devices employed a hard-coded encryption key, which he was able to replicate to forge commands to unlock doors – without leaving a record of his actions.

The bad news is that this was possible at all.

Here’s how it happened. For the last 40-plus years, the industry standard in North America for communicating access control credentials to open doors of facilities ranging from the Federal Reserve to the corporate headquarters of Netflix has been Wiegand. Don’t worry if you’ve never heard of it; most people outside of the security industry haven’t.

It’s the standard used to connect card-access proximity readers (the little black box you swipe to open a door) to a control panel located in a closet somewhere within the building using a specific protocol language. It’s used in proximity readers, retina scanners and other access systems. Hypothetically, Wiegand keycards are more secure than simple magnetic stripe cards because they include a series of short Wiegand wires that encode the key via the presence or absence of those wires. These make up the card number, which can’t be changed.

Wiegand is one of the most easily hacked and vulnerable technologies on the market. The main problem is that anyone who can learn the Wiegand protocol language can communicate with the electronic access control system. Accessing, skimming, emulating, brute forcing and fuzzing are the most common tactics employed to hack Wiegand. The security issue associated with Wiegand is not hypothetical. There are numerous known instances of hacking actually occurring, going back more than a decade. Yet the vulnerability remains. Google “Wiegand vulnerability” and you’ll be amazed not only at how prevalent the problem is, but also the number of “how to hack Wiegand” sites there are out there.
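Added example (not from the original article): a decoder for the common 26-bit Wiegand frame, a format the article does not name and that is assumed here. It shows that the panel's only check is two parity bits and that nothing in the frame marks it as fresh or authentic. The sample frames and the `audit_frames` helper are constructed for illustration.

```python
from collections import Counter


def decode_wiegand26(bits):
    """Parse 26 '0'/'1' characters as a control panel receives them from a reader."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits")
    b = [int(c) for c in bits]
    # Bit 1 is even parity over bits 2-13; bit 26 is odd parity over bits 14-25.
    even_ok = sum(b[0:13]) % 2 == 0
    odd_ok = sum(b[13:26]) % 2 == 1
    return {
        "facility": int(bits[1:9], 2),   # 8-bit facility (site) code, in the clear
        "card": int(bits[9:25], 2),      # 16-bit card number, in the clear
        "parity_ok": even_ok and odd_ok,
    }


def audit_frames(frames):
    """Summarise what a panel can and cannot tell from a run of received frames."""
    decoded = [decode_wiegand26(f) for f in frames]
    valid = [f for f, d in zip(frames, decoded) if d["parity_ok"]]
    counts = Counter(valid)
    return {
        # Parity catches line noise (a flipped bit), nothing more.
        "parity_errors": len(frames) - len(valid),
        # There is no counter, nonce or MAC in the frame, so a repeat of an
        # earlier frame is bit-for-bit the same as a fresh read of that card.
        "indistinguishable_repeats": sum(n - 1 for n in counts.values()),
        "credentials": sorted(
            {(d["facility"], d["card"]) for d in decoded if d["parity_ok"]}
        ),
    }


# Constructed sample data (not captured from any real system).
SAMPLE_FRAME = "10010101000110000001110011"  # facility 42, card 12345
NOISY_FRAME = "10010001000110000001110011"   # same frame with one bit flipped
SAMPLE_LOG = [SAMPLE_FRAME, SAMPLE_FRAME, NOISY_FRAME, SAMPLE_FRAME]

if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
    print(audit_frames(SAMPLE_LOG))
```

The summary makes the design gap concrete: the credential is readable by anything on the wire, and the panel has no field it could use to reject a frame it has already seen.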

By the way, almost every building with an access control system uses Wiegand wiring. That’s good for standardization but not so great when standardizing for security. As a result, the keycard reader is the single most vulnerable point in your entire physical office security setup.

If that’s the case, then why is it still used and installed everywhere today? Unfortunately, that’s all down to access control product manufacturers, who have sacrificed security in the name of convenience and standardization. Wiegand is easy to install and use, which is the main reason it has become the de facto standard. All manufacturers who develop card readers and other access control devices ‘must’ at some point incorporate Wiegand if they want to sell their solutions. Even if they want to sell their solution as an upgrade, they have to make it Wiegand compatible even though there are more secure technologies available.

 

At the 2015 Black Hat conference, a security expert and an entrepreneur demonstrated how a Wiegand system could be defeated by a tiny, inexpensive device that uses Bluetooth and takes less than a minute to attach to the wires within a card reader. Even a card reader that requires users to enter a PIN can be defeated because PIN data is transmitted over the same wires the device is spliced into. This is just one more example of Wiegand’s vulnerability, which can’t be easily patched. Making access control systems secure would require replacing the protocol entirely, which would be a very, very good idea.

Access control is exactly where video surveillance was 10 to 15 years ago, when it was “groundbreaking” to transmit video over Ethernet networks, while the legacy installed base was still dominated by analog transmitted over coaxial cable, which, like Wiegand, can easily be spliced (aka hacked). However, in this situation, rather than embracing a move to a better, more secure technology, access control manufacturers are fighting tooth and nail against such a change. One can only hope they will see the error of their ways – sooner, rather than later.

But the trouble with video surveillance goes much, much deeper than that.

Cybersecurity Concerns

If the vulnerabilities around access control systems seem scary, the cybersecurity risks associated with video surveillance systems should be downright terrifying.

In our increasingly connected world, where everything from refrigerators to cars to TVs can be connected to the Internet, any network is only as secure as its weakest device. This includes the millions of IP-based video surveillance cameras and recorders out there in the wild. Like many of the devices that make up the Internet of Things, these cameras are susceptible to cyberattacks.

Remember that time in late 2016 when the Internet practically came to a standstill because of a big botnet attack? It would be hard to forget because it wasn’t just big; the Mirai botnet attack was the largest DDoS attack in history, one that nearly broke the Internet. It was triggered by remote commands to unsecured networked devices, which had been compromised and hijacked. Care to guess what the majority of those devices were? Spoiler alert: IP surveillance cameras didn’t come out of it looking so good.

But why choose to hijack cameras? Because they are the ideal entry point for network breaches. For starters, they are constantly connected to the Internet. In fact, they need this connection to enable the real-time live-look-in capabilities we’ve come to expect. But as is the case with access control devices and Wiegand, this convenience comes with severe consequences because that exposure to the Internet also opens the door for hackers to not only find connected cameras but to exploit them as well.

Computing power is another thing that makes these cameras attractive. IP cameras have the potential to perform a number of functions at the edge, such as video analytics and more. But those functions aren’t always used, meaning all this computing power is sitting idle, just waiting to be exploited. Even for those cameras that don’t feature heavy processing power, what they do have is usually more than capable of performing hacking-related tasks like dispersing botnets and mining Bitcoin and other cryptocurrency. Of course, there’s also the little matter of the potential security implications.

From a “nuts and bolts” perspective, the main culprit behind the vulnerabilities of surveillance cameras is their default settings. It might shock you to learn just how many of these devices are deployed without having those settings changed. Unfortunately, there are entire websites devoted to sharing those default settings and even providing IP addresses of “open” cameras. However, even implementing basic best practices like strong passwords is no guarantee of protection, as seen in an exploit of devices produced by Axis, a Swedish company that consistently ranks in the top five in security camera sales.

Exhibits A and B in the case for improving the security of surveillance cameras would be two relatively recent entries in the space that have made inroads in the industry thanks to a combination of their low cost and friends in high places.

The Chinese Connection

When you talk about cameras that have been exploited by cybercriminals, the two companies whose products have been the most vulnerable are Hikvision and Dahua, both of which have experienced massive, high-profile breaches in the last couple of years that have thrown a wrench in their quest for world dominance.

Most notable for Dahua is that its cameras were among those exploited to drive the 2016 Mirai botnet attack.

Hikvision’s cameras contained a backdoor that allowed easy exploitation of vulnerable devices – a backdoor that went unchecked for more than three years. And while Hikvision has claimed the vulnerability was a piece of code inadvertently left behind by one of the software developers, the fact that no one in Hikvision’s development or QA noticed that code for so long is cause for more than a little skepticism, and with good reason, considering the company’s ownership. But more on that later.

There are massive numbers of these cameras installed around the world, the number one reason being that they are cheaply made and, by extension, inexpensive to purchase and deploy. However, the potential security costs far outweigh whatever savings end users realize from buying from these manufacturers.

How bad have Hikvision and Dahua been on the cybersecurity front? So bad that the U.S. recently passed a law banning the use of their equipment in securing government facilities, critical infrastructure and other applications with national security implications. This not only means they can’t be used going forward, it also means these cameras and other equipment have to be removed and replaced. So while the ban technically starts in August 2019, it has effectively been in place since the law was passed.

Now that these cameras have been banned, all signs indicate this could be the start of a global domino effect. Many companies, industries, governments and other entities are looking at the ban as a statement on the trustworthiness of these products and will likely follow suit with bans of their own.

Another issue with these companies is their deep relationship with the Chinese government and its entities. This is directly responsible for Hikvision’s ability to sell its cameras cheaply around the world. When the ruling party in the most populous country in the world owns 42 percent of your company and also happens to be your largest customer, you’re going to sell tons of product without even trying all that hard. That alone leads to massive profits that allow you to undercut the costs of other manufacturers’ products. This is known as Problem Number One.

Problem Number Two is that China is one of the largest state sponsors of cyberattacks in the world. Given the government’s economic stake in Hikvision, one has to wonder just how “accidental” the vulnerability may have been. So while I’m not quite ready to call it a full-on conspiracy theory, I’m also not willing to believe this vulnerability was unintentional. For now, put me firmly in the “better safe than sorry” camp, although I’m inching farther into tinfoil hat territory.

Troublingly, many other major brands and manufacturers continue to private-label vulnerable Chinese products under OEM agreements, which is not well-known to those outside the security industry – or even to many within the industry. And the vulnerabilities discovered and exploited in the primary products have been found in private-label cameras as well.

Of course, these products are also banned under the new law, but enforcing that ban is much more difficult. For Hikvision and Dahua products, simply looking at the label will tell government procurement agencies that they are off limits. That isn’t so easy for OEM products and is a major reason that the risks associated with these companies’ products and technology are not going away anytime soon.

The Bottom Line

It’s unconscionable that these vulnerabilities have been allowed to persist. Manufacturers who either bury their heads in the sand and ignore the problem or just plain don’t care about anything but profits are not just part of the problem – they ARE the problem.

It’s high time for the security industry to wake up and realize that the back door is wide open.

It’s clear that changes are needed but they are anything but imminent. As manufacturers continue to drag their feet or put up roadblocks every step of the way, they are doing a serious disservice to those who have invested in technologies to protect themselves. Worse yet, they are putting people and property in danger, all in the name of convenience or profit. I shudder to think what it will take to make it clear that changes must be made.

Meanwhile all these potentially vulnerable technologies are sitting out there. The hope is that the blowback against Hikvision and Dahua will be a wake-up call but don’t count on it. The security industry typically moves at a glacial pace, so any changes are likely years away – and there’s no guarantee that those changes, assuming they occur, will be for the better.

In the meantime, demand better. Say no to Wiegand. There are better, more secure options out there. Insist on strong cybersecurity from all connected devices. That includes not only changing default passwords and settings, but also making sure software is updated regularly.

Your best bet? Find a knowledgeable, responsible security consultant who understands the drawbacks and vulnerabilities of these technologies and will do whatever it takes to make sure your security is as secure as possible. Security is critical, and believe it or not, there are security consultants out there who actually treat it that way. Find one and make him or her your best friend.
