TL;DR CCTV is often overlooked; ‘shadow tech’ whose security isn’t as carefully reviewed as core IT assets It is often a responsibility for facilities managers who may have little experience of cyber security Security of the hardware and software of some CCTV camera brands is sorely lacking A breach of the camera system is one thing. A pivot from it on to corporate networks is another CCTV systems have been the cause of major internet outages, together with significant privacy invasion. Their complexity makes ensuring good cyber security challenging for some manufacturers. The complexity and security challenges come from a number of areas: API security : the link between the on site digital video recorder (DVR) for storing footage, then to the vendors cloud platforms, then back to the owners smartphone is a common source of security flaws. These are generally the most serious security issues for privacy, as it allows for anyone with some technical skill to remotely access video and audio feeds. We would assess the risk by carrying out a very thorough test of the API security. The most common API security flaws we discover are to do with user and device authorisation, allowing anyone to access any feed. CCTV camera hardware : in most cases, the camera itself it a relatively ‘dumb’ device if hard wired to the DVR. Exploitation via this type of camera is fairly pointless. However, if the camera has a Wi-Fi or similar RF connection, it creates an interesting point of attack….Read More