Critical Infrastructure Monitoring: Assessing Threats From Vulnerable China-made CCTV Equipment

Try to name a sector of the economy that you personally move through every day that doesn't have closed-circuit television (CCTV). It's likely you cannot, and for many people the chances are high that even their own home has CCTV installed, which is why this post should provide an informed basis for reflection, not panic. When it comes to protecting physical infrastructure, CCTV plays an important role in monitoring and surveillance. Yet what if these systems can be co-opted and used for espionage against Australians or Australia's interests and national security? Given rising economic and military tensions in the Asia-Pacific, this is an important issue.

Two of the biggest producers of CCTV cameras worldwide are situated in China: Dahua and Hikvision. They provide several different security products, such as IP cameras, recorders, and access control systems. A variety of IP cameras are available from Dahua, including dome, bullet, and PTZ (pan-tilt-zoom) cameras, as well as specialty cameras for uses like facial and license plate recognition. Network video recorders (NVRs), which are used to store and manage video footage from the cameras, are also available from Dahua.

Artificial intelligence and sophisticated analytics are capabilities found in many of Dahua's cameras and NVRs. Similar devices are available from Hikvision, which specializes in high-resolution IP cameras and NVRs. Additionally, Hikvision provides a selection of specialty cameras, such as infrared, fisheye, and panoramic cameras. Hikvision's cameras and NVRs include strong analytics and AI capabilities, just like Dahua's.

Both businesses provide a variety of software programs and mobile applications for controlling and watching video from their cameras, as well as cloud-based services for remote access and storage. Although Dahua and Hikvision are both renowned for manufacturing high-quality and reasonably priced cameras, they have also come under fire for security flaws in their devices.

What are some of the potential attack vectors regarding IP cameras?

The development of digital video has made networked IP cameras and related devices more vulnerable to hacking than legacy CCTV cameras, which only stored data for a limited amount of time and were not connected to the internet. The value of the information gathered by security cameras, as well as what can be done with it, has spawned a new generation of hackers who are searching for information they can steal and resell. The following are examples of attack vectors relevant to IP-based CCTV cameras:

Malware: Hacking network video surveillance cameras and locally stored video surveillance equipment is frequently simple. Many DVRs, NVRs, and video security cameras are shipped from the manufacturer pre-infected with spyware, viruses, and/or Trojans. Furthermore, the majority of networks permit outbound connections from any local area network device. Infected webcams can easily transmit passwords, video footage, and files from local network PCs to hackers. Hackers can have access to private and sensitive data, including credit card details, social security numbers, and other forms of personal identity. Additionally, company-related information, including a customer database, client data, financial accounts, and confidential information, is of interest to hackers.

Brute-force attacks: A brute force attack makes several efforts to figure out login information or other crucial details. Hackers attempt every combination in the hopes of guessing passwords. Such attacks may readily compromise IP devices, such as cameras, that employ default passwords.

Man in the Middle attack: A man-in-the-middle attack is a cyberattack in which the attacker positions themselves between two parties who think they are speaking directly to one another. Additionally, the attacker could tamper with the two parties' communications. The attack's first phase involves spoofing the Address Resolution Protocol (ARP). Every computer that has access to the camera has an ARP table that keeps track of every IP address and the MAC addresses to which they are linked. If there is no validation check to ensure that the MAC address provided back by the real destination address is accurate, there may be a vulnerability here. This makes it simple for attackers to use their machine as a MitM.

DoS attacks: A denial-of-service attack is carried out by saturating the targeted host or network with traffic to the point that it becomes unresponsive or fails altogether, blocking access for authorized users. While their resources and services are unavailable, DoS attacks can cost a company money and time. DoS attacks can be launched using IP cameras as threat vectors. The attack could be done after successfully executing a MitM attack.

Vulnerabilities found in Chinese made CCTV cameras:

CVE-2021-36260: A command injection vulnerability in the web server of Hikvision products relating to inadequate input validation allows attackers to take advantage of the flaw and execute a command injection attack by delivering certain messages that include malicious commands. It received a Common Vulnerability Scoring System (CVSS) initial base score of 9.8 [1].

A cyber attacker can enter the internal network and obtain complete control of a device by exploiting this vulnerability, giving them greater power than the end user. It is sufficient for an attacker to have access to the device's HTTP(S) port (80 or 443), both of which are frequently left open on most networks. The intruder then has complete freedom to run whatever malicious code they like. Remote exploitation of unpatched devices requires no authentication. Once access is acquired, the attacker can disable the device, read and write user data, attack the internal network, and even launch a physical attack on the location.

Since many of the devices are employed to observe critical sites, this vulnerability might lead to significant data breaches across a wide range of companies. When Hikvision learned of the flaw, the business moved quickly to provide a fix, uploading a patch to the firmware on their website.

CVE-2022-28173: Some Hikvision wireless bridge devices' web servers have an access control weakness that may be exploited to gain admin rights. Sending specially designed messages to the vulnerable devices will allow the attacker to take advantage of the flaw. It received a Common Vulnerability Scoring System (CVSS) initial base score of 9.1 [2].

The issue stems from poor parameter handling in the product's web-based administration interface. By submitting a specifically constructed request with a payload that does not exceed 200 bytes, an attacker can take advantage of the flaw to acquire admin access to the administration interface. After exploitation, the administration session continues and has complete access to all bridge interface features. CVE-2022-28173 can be exploited via the local network by an insider or threat actor who has acquired access to the company's network, as well as directly from the internet if a vulnerable device is exposed to the internet. Once the flaw has been discovered and exploited, the attacker can compromise CCTV systems or intercept network traffic.

These gadgets transmit CCTV video feeds from elevator camera systems to a command post or security operations console. As part of a premeditated physical incident, such as a coordinated robbery or theft, an assailant can impair or shut off the video stream or spy on individuals. For these devices, firmware patches are also available.

CVE-2022-30564: Through a specifically constructed HTTP request, a Dahua camera may be made to perform an unauthorised time change. It happens because the timestamp modification API is not authenticated, and an attacker who is familiar with the available API options can take advantage of this vulnerability. The vulnerability has a severity level of "high," according to Redinent [3].

Without knowing the login and password of the camera, an attacker can change the timestamp of the video stream, causing an inconsistent date and time to appear on the recorded video. It directly affects digital forensics. DDoS botnets may target Dahua device vulnerabilities, although, in the case of CVE-2022-30564, it is more probable that it will be used in highly focused assaults intended to tamper with evidence rather than in cybercrime operations. Dahua has released patches to address this vulnerability.
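Because the impact of CVE-2022-30564 is an unreliable timestamp on recorded video, a forensic check is to compare the time the camera stamps on footage with the time an independent recorder received it. The following is an added example, not part of the original article: it assumes the recorder keeps its own trusted clock, uses a hypothetical 5-second tolerance, and runs over constructed sample values to report the windows of footage whose camera time cannot be trusted.

```python
from datetime import datetime, timezone

TOLERANCE_S = 5  # assumed acceptable skew between camera and recorder clocks

# Constructed samples: (recorder receive time, time stamped by the camera)
SAMPLES = [
    ("2023-03-01 10:00:00", "2023-03-01 10:00:01"),
    ("2023-03-01 10:01:00", "2023-03-01 10:01:01"),
    ("2023-03-01 10:02:00", "2023-02-27 22:15:00"),  # camera clock jumps back
    ("2023-03-01 10:03:00", "2023-02-27 22:16:00"),
    ("2023-03-01 10:04:00", "2023-03-01 10:04:02"),  # clock restored
]

def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return epoch seconds."""
    parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())

def suspect_windows(samples, tolerance=TOLERANCE_S):
    """Group consecutive samples whose camera time disagrees with the recorder.

    Returns one dict per window with the recorder-side start and end times and
    the camera clock offset in seconds (negative = camera clock set back).
    """
    windows, current = [], None
    for recv, cam in samples:
        offset = ts(cam) - ts(recv)
        if abs(offset) > tolerance:
            same_jump = current and abs(offset - current["offset_s"]) <= tolerance
            if same_jump:
                current["end"] = recv          # still inside the same window
            else:
                if current:
                    windows.append(current)    # a second, different jump
                current = {"start": recv, "end": recv, "offset_s": offset}
        elif current:
            windows.append(current)            # clock is back within tolerance
            current = None
    if current:
        windows.append(current)
    return windows

if __name__ == "__main__":
    for window in suspect_windows(SAMPLES):
        print(window)
```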

Amid security concerns, Australia will remove Chinese monitoring equipment.

Concerns that the information gathered by some Chinese-made cameras may jeopardise national security led Australia's defence minister to recently announce that the Australian Government will assess its complete surveillance system across all federal buildings and deactivate such cameras. This announcement followed the discovery that around 900 surveillance systems installed at more than 250 locations (Commonwealth ministries and agencies) are manufactured by Hikvision and Dahua. Both companies have known links to the Chinese government. The concern is that these cameras could enable espionage and information theft, and that the information may end up in the hands of the Chinese Communist Party and its intelligence services.

Australia's decision to remove China-made cameras from government buildings follows the lead of its “5-eyes” intelligence partners, the United States and the United Kingdom. Due to the threat such cameras represent to national security, the US and UK both declared in November 2022 that they were removing the devices from all government facilities.

Several mitigations help protect against vulnerabilities in China-made CCTV cameras:

Firmware should be updated: Manufacturers often release firmware updates that fix known vulnerabilities. Updates should be regularly checked for and applied to help protect cameras from known vulnerabilities.

Use strong passwords: Attackers can quickly guess or crack weak passwords. For every camera, a strong, distinct password should be used, and these should be cycled at agreed intervals.

Limit access: Limit the number of users who may access the cameras and ensure that IP cameras are segregated on their own network, which is not connected to any corporate or other OT systems.

Use firewalls: Install firewalls to filter allowed traffic going to and coming from the cameras.

Disable redundant services: Disable any unnecessary services or features on the cameras since they may widen the attack surface.

Monitor network traffic: To find and stop unwanted access to cameras or strange activities, network traffic should be monitored regularly.
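The "limit access", "use firewalls" and "monitor network traffic" mitigations above can be checked together by auditing flow records against the intended camera-network policy. The following is an added example, not part of the original article: the subnets, the NVR and NTP addresses, the policy and the flow records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed site addressing, for illustration only (not from the article).
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")  # dedicated camera VLAN
MGMT_NET = ipaddress.ip_network("10.20.99.0/28")    # admin workstations
SITE_NET = ipaddress.ip_network("10.0.0.0/8")       # all internal address space
NVR = ipaddress.ip_address("10.20.40.10")           # recorder that pulls video
ALLOWED_EGRESS = {("10.20.40.5", "udp", 123)}       # cameras may reach NTP only

# Constructed flow records: (src, dst, proto, dst_port)
FLOWS = [
    ("10.20.40.10", "10.20.30.11", "tcp", 554),    # NVR pulls RTSP stream
    ("10.20.30.11", "10.20.40.5", "udp", 123),     # camera syncs time
    ("10.20.99.3", "10.20.30.12", "tcp", 443),     # admin opens the web UI
    ("10.20.30.12", "203.0.113.77", "tcp", 8443),  # camera calls out
    ("10.50.1.25", "10.20.30.11", "tcp", 80),      # office PC reaches web UI
    ("10.20.30.12", "10.50.1.40", "tcp", 445),     # camera reaches file server
]

def audit(flows):
    """Return (finding, src, dst, port) for each flow that breaks the policy."""
    findings = []
    for src, dst, proto, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in CAMERA_NET and d not in CAMERA_NET:
            # Cameras should initiate almost nothing; anything else is suspect.
            if (dst, proto, port) in ALLOWED_EGRESS:
                continue
            kind = "camera_to_internal" if d in SITE_NET else "camera_to_external"
            findings.append((kind, src, dst, port))
        elif d in CAMERA_NET and s not in CAMERA_NET:
            # Only the NVR (RTSP) and the management subnet (web UI) may connect.
            from_nvr = s == NVR and (proto, port) == ("tcp", 554)
            from_mgmt = s in MGMT_NET and proto == "tcp" and port in (80, 443)
            if not (from_nvr or from_mgmt):
                findings.append(("unexpected_ingress", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

Each finding corresponds to a firewall rule that is missing or too broad: camera-initiated traffic to the internet or to corporate hosts, and web-interface access from outside the management subnet.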

Jannah Penullar

Closing Sales Faster & Smarter | B2B Sales Executive

1 year

"Who's watching your infrastructure?" That title definitely caught my attention. This CI-ISAC Australia assessment sounds like a must-read for anyone managing infrastructure, no matter what industry they're in.

Matt Tett

Chair & Managing Director

2 years

Great objective article and advice. A reminder that the good-practice operational security guidance given in the conclusion applies equally across all technology vendors regardless of their country of origin.
