Whitepaper: How secure is your business video surveillance solution?

When it comes to protecting people, property and assets, video surveillance is a powerful tool that plays a growing role. 2014 alone saw nearly 250 million newly installed security camera systems, and looking beyond 2021, security camera sales are projected to increase by over 7% annually.

Despite the obvious benefits of investing in security cameras, many of these systems have software issues that make them a popular target for malicious attackers. For example, from 2015 to 2016 hackers executed 458% more vulnerability scans of IoT (Internet of Things) devices than in any previous year, many of them targeting NVR or server based vulnerabilities. In 2016, hackers exploited an IP camera vulnerability, which resulted in one of the largest distributed denial of service (DDoS) attacks in the Internet age. These examples are just the tip of the iceberg; a quick Google search for “security camera vulnerabilities” returns about 1.1 billion results.

In this whitepaper, we outline vulnerabilities common to traditional video security systems and the warning signs to look out for, and we introduce best practices to enhance the security of your organization’s physical security solution.

Old vs. New Surveillance Technology Comparison

The table below outlines the core differences between traditional surveillance solutions and cloud-managed, edge-based surveillance devices.

Traditional CCTV technologies vs. emerging cloud-managed CCTV technology:

  • Traditional: Manual updating required, including firmware, resulting in open vulnerabilities or outdated features.
    Cloud-managed: All devices are automatically updated and include redundant firmware banks for fail-safe updates.

  • Traditional: Lack of security for saved, distributed video files (for example, USB drives containing footage).
    Cloud-managed: Eliminates old recording and storage hardware such as NVRs, DVRs and servers. All data is encrypted within the cloud, with cloud storage backup redundancy.

  • Traditional: Vulnerabilities within NVR software or when transmitting video.
    Cloud-managed: All data is communicated via HTTPS across encrypted communication channels when viewing, recording and sharing video.

  • Traditional: Lack of redundancy allows a single point of failure.
    Cloud-managed: Between the cameras, the cloud and other nodes, video storage is distributed to the edge with cloud backup options.

  • Traditional: Absence of monitorable user access control and audit logs.
    Cloud-managed: Granular user access control and full audit logs for each camera. Per-feature user permissions, including grouping of users across sites.

  • Traditional: Lack of security during remote access to video feeds, including firewall modifications.
    Cloud-managed: Requires 2FA for user authentication, with no local firewall changes needed to access cameras.

  • Traditional: Need to manually check for malfunctioning cameras or NVR systems.
    Cloud-managed: Monitors the health of cameras and software, including automated email alerts and notifications, tamper detection and image failure.

  • Traditional: Optional software features cost extra.
    Cloud-managed: Includes software updates and new features without additional fees.

  • Traditional: Limited hardware warranty, resulting in camera replacements after 2-3 years.
    Cloud-managed: Includes up to a 10-year hardware warranty.

A note on system design

In the past, closed-circuit television (CCTV) systems required physical contact to access the system: someone usually had to be present in front of the recording NVR or server to access and download footage. As the name implies, CCTV solutions were closed to public access and wired to broadcast to a fixed number of monitors that supported a limited number of cameras and associated views. People with malicious intent would have to physically gain access to the recording hardware to destroy evidence or the system.

As technology has continued to evolve, there are now many techniques to penetrate “closed” systems without physical access. The biggest change in this area is the growing demand for remote access, which allows people to manage security systems via connected devices such as laptops, smartphones, or tablets. This requires open firewall ports with port-forwarding rules, which expose systems to the internet. Vulnerability scans can trawl the internet and public IP addresses searching for open ports, which in turn can provide hackers with access to NVR devices from which to execute additional attacks or leap-frog into the greater network.

To address this growing demand, security system providers developed different system designs to promote security. Here’s a high-level overview of these approaches:

Traditional on-premise solutions with internet enabled remote access

Many of the world’s top security system providers have adopted this design to meet their clients’ demands. With this approach, video cameras and on-premise storage devices are still used, but an internet connection is added to enable remote access from public IP addresses. Firewall port-forwarding is used to give external users access.

Pros:

  • Works with existing systems.
  • This approach is available from almost all established surveillance brands.
  • Only minor firewall changes (port-forwarding rules) are needed.

Cons:

  • Systems and cameras are opened to public IP addresses.
  • Vulnerabilities in NVR or server software can be exploited.
  • Opportunity to leap-frog into the greater network if the network is poorly designed or only minimal security controls are in place.
  • Cameras can be exploited, resulting in anonymous viewers.
  • Hard to maintain access, updates and users across multiple sites.

Video Surveillance As A Service (VSaaS)

Turning to the emerging enterprise solution, VSaaS provides cloud-based analytics, access and storage without the need for on-premise NVR or server hardware. Software features and AI capabilities are delivered via the cloud, with the cameras installed onsite acting as “edge” devices that perform their own AI analytics and common CCTV functions, including storage within the device itself.

VSaaS is usually offered in two forms: services that let organizations retain existing hardware and connect it to cloud services that provide additional processing, and solution providers that replace all onsite hardware with their own controlled hardware and software features. VSaaS solutions are becoming the new standard within enterprise security as their benefits outweigh those of traditional systems from both a cost and a feature-set perspective. An example is VSaaS hardware with a 10-year warranty vs. traditional camera hardware with only a 2-year warranty.

System trade-offs

Regardless of which type of security system you choose, you’ll be presented with a set of trade-offs. Systems that rely on NVRs or DVRs for on-premise storage face difficulties when enabling remote access, and these difficulties can expose vulnerabilities in your system that malicious attackers can exploit. While VSaaS-based solutions often prohibit the use of existing hardware, they reduce the attack surface because connectivity to cloud services is secured.

The goal of this whitepaper is not to explore the finer details of each type of system; instead, we aim to highlight the common security shortcomings present in existing system designs. Just like with any other investment for your business, it’s essential to fully understand the benefits and limitations of the system proposed by your provider. SYNO Global offers a unique and innovative approach to achieving remote surveillance security while enabling user-friendly remote access. We believe this approach is better suited to meet the needs of business owners in the information age. Interested in learning how this approach is different? Visit https://syno.global for more information.

Out of date software

Threats to your security system, such as malware, are constantly evolving. Ensuring your hardware’s operating system and firmware are updated regularly is crucial for your system’s security. Ideally, when a vulnerability is detected, system providers will quickly develop and release software security patches, which are then installed across all devices on your network.

However, in reality it can take weeks, months or even years before a video security system receives an update. There are many reasons why this happens: sometimes providers cannot develop a patch fast enough, or they release a patch that is only a partial fix. Other times the patch is ready to go, but it is installed on only a small number of devices within the security system. And finally, organizations simply do not manage their CCTV solution at all (known as “set and forget”). A number of factors contribute to low patch rates, including:

  • System managers not knowing their system needs an update.
  • The operating system isn’t compatible with the firmware or software updates.
  • The solution is not managed internally.

It isn’t easy to measure patch rates across different industries. However, the high number of incidents in which manufacturers fail to respond in time, or administrators are slow to update their systems, suggests that many companies continue to run their security systems on outdated software or firmware. This exposes the devices to malicious attack, especially when firewall changes are in place.

Not just for IT administrators

Overly complex security systems aren’t realistically managed by IT administrators. In many organizations, the operations, loss prevention or facilities teams run the security system and make the purchasing decisions around it. These groups need something that “just works” without requiring specialized IT skills.

Avoid systems that require manual firmware updates, complex network storage, operating system patches, or backup devices. Only people with specialized IT skills can effectively keep systems with sophisticated networking infrastructure secure, and with the adoption of cloud services, on-premise hardware may no longer be suitable, so alternatives need to be researched. Organizations have other pressing priorities; the team responsible for the camera system should be able to plug in a new device, see a green light and feel confident that their system is secure, while getting a raft of features that meets compliance requirements.

What is a DVR or NVR?

Traditional security systems record footage on physical, on-premise servers known as digital video recorders (DVRs) or network video recorders (NVRs). Even though these devices are rarely user-friendly, add risk and are costly, the majority of ordinary video security systems today still use them. Here are a few examples of how DVRs and NVRs create risk and unnecessary difficulties:

Firewall modifications exposing access to malicious attack

Many modern DVRs enable remote access through “port forwarding.” This technique allows external devices to pass through the firewall and communicate directly with the DVR, so users can watch live or recorded video without being on the premises. However, once this connection is open, it creates the risk that malicious attackers can enter the previously firewalled network.

Devices connected to the Internet are usually scanned thousands of times per day. Firewalls are highly complex and require thousands of rules to keep your system safe. When managed incorrectly, DVRs can compromise the security of your entire network; even when done by an expert, port-forwarding introduces unnecessary risk and complexity that’s best avoided altogether. VSaaS solutions usually create direct edge-device-to-cloud connectivity streams that are secured using SSL/TLS.

Shared passwords and factory defaults

New DVRs and NVRs come with login credentials that are set at the factory. Because the user interface on these devices is so cumbersome and difficult to use (many of these devices don’t even have keyboards), it’s common for system administrators to keep the default login credentials when configuring the system. A lot of the time, the default user name is something as simple as “admin,” and the password is blank.

Research shows as many as 70% of active NVRs and DVRs are running on unchanged passwords. Even if you cut this estimate in half, it still suggests that over a third of systems are running with factory default user settings, which provide virtually no protection.

Single point of failure

Because NVRs and DVRs centralize security footage storage, they can represent a single point of failure in your system. Unless you store all your footage in the cloud (which significantly hinders bandwidth, as mentioned earlier), you risk losing all your security footage if the device is tampered with or stolen. There have been many situations where a disgruntled employee or savvy malicious actor deliberately targets the video recorder to make it easier to complete their criminal act. This is a key difference between distributed edge-based surveillance solutions and traditional server-based solutions. With edge surveillance, cameras act individually and feed into the cloud services, so if a single camera is stolen, all footage from the remaining cameras is retained and still accessible.

Poor encryption

There’s a shocking number of NVRs, DVRs and other equipment shipped without encryption enabled by default. In most cases, this is a setting that must be configured by a person with specific technical knowledge. Even with encryption enabled, NVRs and DVRs still pose other problems: most of the time the encryption applies only to data at rest. Any time footage is viewed, the playback is done over an unsecured connection, usually via the Real Time Streaming Protocol (RTSP) or insecure apps connecting to a public IP address.

The result is that even though your footage is protected in storage, there’s no encryption during playback. If a malicious attacker can penetrate your system’s architecture, they can intercept the video stream during playback and access all your video data. This also opens an opportunity to penetrate the greater network.

Weak user access and auditing

As mentioned earlier, traditional systems are not user-friendly, making it hard to grant or revoke user access permissions. It’s common for different users within the same organization to share the same log-in credentials in these situations. The credentials are usually shared on a spreadsheet or by another insecure method, which adds another gap in your security system. While copy/pasting your log-in is easier than configuring a new user account, this is a habit that compromises your system’s overall security and should be avoided. When employees leave an organization it isn’t uncommon for them to retain access, which can result in privacy problems.
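The warning signs described in the sections above (port-forwarding exposure, factory or shared passwords, unencrypted RTSP playback, stale firmware and missing audit logs) can be checked mechanically against a device inventory. The following is an added example, not code from this whitepaper or from SYNO Global; the inventory record layout, the factory-login set, the 180-day firmware threshold and the sample devices are all constructed assumptions.

```python
from datetime import date
# Factory login the text describes ("admin" with a blank password) plus one
# constructed extra pair; extend this set from your vendors' documentation.
FACTORY_LOGINS = {("admin", ""), ("admin", "admin")}
PLAINTEXT_PROTOCOLS = {"rtsp", "http"}   # playback with no transport encryption
MAX_FIRMWARE_AGE_DAYS = 180              # assumed patch-currency threshold
AUDIT_DATE = date(2020, 2, 1)            # fixed "today" so results are reproducible


def audit_inventory(devices, today):
    """Return sorted (device_name, finding) tuples for every warning sign found."""
    # Password reuse is a fleet-wide property, so index it before the per-device pass.
    owners_by_password = {}
    for dev in devices:
        owners_by_password.setdefault(dev["password"], []).append(dev["name"])
    findings = []
    for dev in devices:
        name = dev["name"]
        if (dev["username"], dev["password"]) in FACTORY_LOGINS:
            findings.append((name, "factory default credentials"))
        elif len(owners_by_password[dev["password"]]) > 1:
            findings.append((name, "password shared with other devices"))
        if dev.get("forwarded_ports"):
            ports = ",".join(str(p) for p in dev["forwarded_ports"])
            findings.append((name, f"inbound port-forward exposes {ports} to the internet"))
        proto = dev.get("stream_protocol", "")
        if proto.lower() in PLAINTEXT_PROTOCOLS:
            findings.append((name, f"playback over unencrypted {proto.upper()}"))
        age_days = (today - dev["firmware_date"]).days
        if age_days > MAX_FIRMWARE_AGE_DAYS:
            findings.append((name, f"firmware {age_days} days old"))
        if not dev.get("audit_log", False):
            findings.append((name, "no per-user audit log"))
    return sorted(findings)


# Constructed sample inventory: two legacy recorders and one cloud-managed camera.
SAMPLE_INVENTORY = [
    {"name": "nvr-lobby", "username": "admin", "password": "",
     "forwarded_ports": [554, 8000], "stream_protocol": "rtsp",
     "firmware_date": date(2018, 3, 1), "audit_log": False},
    {"name": "dvr-warehouse", "username": "ops", "password": "Summer2019!",
     "forwarded_ports": [], "stream_protocol": "rtsp",
     "firmware_date": date(2019, 11, 20), "audit_log": False},
    {"name": "cam-dock-1", "username": "svc-cam", "password": "Summer2019!",
     "forwarded_ports": [], "stream_protocol": "https",
     "firmware_date": date(2020, 1, 10), "audit_log": True},
]
if __name__ == "__main__":
    for device, finding in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{device:14} {finding}")
```

Fed a real asset export, the same checks give a per-device list of the shortcomings this whitepaper describes, which is a useful starting point before deciding whether to harden or replace a recorder.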

A better way to provide physical security solutions

SYNO Global aims to modernize how security systems work. The way we approach designing video surveillance systems involves a level of nuance and attention to detail you won’t find from other providers. The result is that all of our systems come with network security best practices enabled by default – no special configuration required.

We work with enterprise-built, cloud-enabled edge technology that modernizes your system by eliminating the need for local servers and network video recorders (NVRs). Each camera stores footage on industrial-grade solid-state storage devices. We use public key infrastructure (PKI) to encrypt the footage at rest and prevent access in the unlikely event that the camera itself falls into the wrong hands. We also back up on-camera footage in encrypted cloud storage for extra redundancy. Eliminating NVRs reduces the cost of running your system while making it more user-friendly. Ultimately, we are able to remove the risk of a single point of failure.

HTTPS/SSL encryption is enabled by default. This means no extra configuration is required to protect video data when it’s in transit. In addition, each camera only communicates with outbound protocols and is automatically self-firewalled upon connecting, which negates the risks associated with open ports.

SYNO Global makes it easier than ever to quickly manage access permissions across your organization. Through cloud software, you can quickly grant, edit, or revoke user permissions via a friendly interface. You can even edit permissions at the organization or individual user level. Additionally, you can give users access for a set period or set up a time-restricted access schedule. To further enhance security, the command platform offers two-factor authentication as a standard feature.

Lastly, and most importantly, software updates and upgrades occur automatically. New updates roll out security patches within 24 hours to ensure your system is always running the latest software.