A few days before the inauguration the D.C. Police CCTV network was affected by a ransomware attack. It was widely reported that on Jan 12 two variants of ransomware were found on 4 sites of the D.C. Police’s CCTV network. After further investigation it was discovered that 70 percent of the DVRs were infected, affecting 123 of the 187 network cameras.
The system was back up and running after taking the infected cameras offline and re-installing the software on each infected system. The outage lasted 48 hours, but according to the interim Police Chief Peter Newsham, there was “no significant impact” overall. According to the acting CTO Archana Vemulapalli, the intrusion did not spread outside of the CCTV network.
While an investigation is still ongoing, it has been suggested that the sites could have been infected because the CCTV systems were connected to the public internet for remote access. This is the most likely explanation given the way ransomware operates. Having a CCTV system connected to the internet for remote management is a very common practice; unfortunately, so are these types of attacks.
Even though no critical data was being held hostage and the cameras were online for the Presidential Inauguration, a 48-hour downtime window is not something that should be shrugged off. CCTV footage has been critical for solving major terrorist attacks like the Boston bombing. As tech professionals, we should be implementing solutions that protect not only critical data but critical physical infrastructure as well.
This type of security issue is nothing new. Last summer hackers used 25,000 compromised DVRs and CCTV cameras in a DDoS attack against a handful of websites. In March of 2016, KerneronSecurity found a remote code execution vulnerability that affected 70 different vendors. In February of the same year Risk Based Security found that approximately 45,000 DVRs were exposed through the use of the same hard-coded passwords. These are credentials for the root account that cannot be changed. It would seem that most of these vendors source their equipment from the same Chinese company, which uses the same vulnerable firmware.
CCTV cameras are put in place to support and aid physical security. The ironic thing is that their own security is typically an afterthought. I could continue to list more cases of vulnerabilities and hacks until I am blue in the face. When IT departments rely on vendors to secure their products rather than on good system administration practices, they may be leaving giant security holes in their network. It is important to realize that a large segment of these DVR security systems isn’t built with cyber security in mind.
It would be unwise of a system admin to trust the vendors of these systems to patch their exposed systems. If you manage CCTV cameras and DVR servers, it would behoove you to filter or restrict how those systems connect to the open web. If remote management is needed, setting up a VPN to remote in through might be in order. Trusting one solution for both physical and cyber security is never a good practice.
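The advice above boils down to two firewall decisions: do not expose DVR management ports to the internet, and do not let the DVRs talk to the internet on their own. The following nftables ruleset is an added example written for this post, not a configuration from the D.C. Police or any DVR vendor, and every address in it is an assumption: the CCTV VLAN is 10.50.0.0/24, the VPN client subnet is 10.8.0.0/24, an internal NTP server sits at 10.1.0.5, and the DVRs listen on the usual HTTP/HTTPS/RTSP ports (80, 443, 554). The commented-out NAT table shows the common "port-forward the DVR" pattern that puts the web UI on the open web; the live table below it replaces that with VPN-only management and a default-drop egress policy for the camera VLAN.

```nftables
#!/usr/sbin/nft -f
# Example ruleset for a Linux router sitting between the CCTV VLAN and
# the rest of the network. All subnets and ports are assumed values.

flush ruleset

# --- The weak pattern (left commented out so it is never loaded) -----------
# A DNAT port-forward like this makes the DVR's web UI and RTSP stream
# reachable from any address on the internet, which is the exposure the
# post warns about.
#
# table ip nat {
#     chain prerouting {
#         type nat hook prerouting priority dstnat;
#         iif "wan0" tcp dport { 80, 554 } dnat to 10.50.0.10
#     }
# }

# --- The hardened pattern --------------------------------------------------
table inet cctv {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Reply traffic for connections that were already permitted.
        ct state established,related accept

        # Management of the DVRs is allowed only from the VPN client subnet.
        # Admins connect to the VPN first, then browse to the DVR.
        ip saddr 10.8.0.0/24 ip daddr 10.50.0.0/24 tcp dport { 80, 443, 554 } accept

        # The DVRs themselves may reach the internal NTP server and nothing else.
        ip saddr 10.50.0.0/24 ip daddr 10.1.0.5 udp dport 123 accept

        # Everything else leaving the CCTV VLAN is logged and dropped. A burst
        # of these log lines is a useful early warning that a DVR is trying to
        # reach something it should not.
        ip saddr 10.50.0.0/24 log prefix "cctv-egress-drop: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `cctv-egress-drop:` prefix for a day or two; legitimate traffic you forgot about (a vendor firmware mirror, an NVR at another site) shows up there and can be added as an explicit accept rule rather than by reopening the whole VLAN. The VPN server's own input rules are outside this example, and the hard-coded vendor credentials mentioned earlier are not fixed by any firewall rule, so this ruleset limits who can reach those accounts rather than removing them.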
To learn more: