3 Ways to Hack CCTV Cameras (and How to Prevent It from Happening to You)

Hack Method #1: Default Password Access
Anyone looking to break into CCTV cameras can start by simply looking for its IP address online and logging in. By using engines such as angryip.org or shadon.io, they can obtain that signature information and begin trying passwords that will grant access to the wireless camera itself or, if a router is attacked, entire security systems.
In theory, this should be difficult and IP security should protect network data, but the shocking reality is that these passwords are often identical to the default factory settings provided by the manufacturer. In the case of the Hikvision hack, it was known to be “12345” with a username of “admin.”
Changing default passwords for a new security camera system should be a no-brainer in this day and age. So the lesson here is to not overlook the small details. All the firewalls and hardened network protocols in the world won’t help if an unauthorized user can simply log in with a commonly-used or factory-set password to gain remote access to indoor outdoor surveillance.
Hack Method #2: Find the User ID
When CCTV cameras are harder to breach, malicious actors can instead look for the user ID. This was easy to find in a cookie value for Hikvision. Hackers could then reset the account to take over and have full run of the device, its hard drives, and perhaps the wireless security system as a whole.
“While the user id is a hashed key, we found a way to find out the user id of another user just by knowing the email, phone, or username they used while registering,” wrote Medium user Vangelis Stykas earlier this year even after Hikvision had worked to fix its known flaws.
“After that,” the writer continued, “you can view the live feed of the cam/DVR [digital video recorder], manipulate the DVR, change that user’s email/phone and password and effectively lock the user out.”
Hack Method #3: Finding Command Lines
A key flaw in the Hikvision case was a “backdoor” command line of code in the system that granted admin-level access when exploited.
Once this became common knowledge, the Chinese company recognized and patched the flaw. The patch was then included in subsequent firmware updates for all its security cameras with known vulnerabilities. Hikvision stated publicly that the code was a holdover from the testing phase, which developers neglected to remove before launch.
Despite all the press in the security community, many operators never bother to install the latest firmware onto their surveillance cameras. So, this flaw is an issue that even novice hackers will likely continue to leverage.

Be the first to comment

Leave a Reply

Your email address will not be published.