What is being seen as an effective means of personal as well as public safety and security can itself turn out to be a security threat. Closed-circuit TV (CCTV) cameras are mushrooming everywhere in India in public, private and commercial spaces. But these very cameras can be exploited as tools for illegal surveillance and even hacking. CCTV systems in neighborhoods, shops or homes might deter local criminals but they can offer international hacking groups or even hostile governments access to sensitive private and public data.
A recent case has highlighted the need for caution in the use of CCTV cameras. A Chinese firm whose subsidiary has been shortlisted to supply security cameras for Delhi is on a US watch list, with an advisory on threats, including remote hacking and potential backdoor access. Concerns have also been raised about the firm being owned by the Chinese government, adding a twist to the controversy over a Delhi government project to install 1.5 lakh CCTV cameras across the city.
India’s video surveillance market is projected to grow at a CAGR of nearly 13% during 2017-2023, according to a study by 6Wresearch. A 2016 report by American data storage company Seagate Technology said that Indian organisations use 249 cameras on average for video surveillance.
The number was about the same as in China, but significantly lower than that in developed countries such as the US and UK, where organisations use about 349 cameras on average. This indicates vast scope for use of more CCTV cameras by organisations in India.
According to an ET report, the video surveillance market is expected to more than treble from $700 million in 2017 to $2.5 billion by 2020. Most of the cameras will be installed in public places and commercial establishments, with the share of households at 13%.
All this points to a rapidly increasing number of CCTV cameras in India. While the Chinese CCTV cameras are suspected of having bugs that can relay information to the Chinese government, even otherwise it’s not difficult for hackers to manipulate CCTV cameras. According to Kaspersky Lab researchers, the flaws they uncovered could allow attackers to obtain remote access.
By exploiting these vulnerabilities, malicious users could execute the following attacks:
Access video and audio feeds from any camera connected to the vulnerable cloud service; remotely gain root access to a camera and use it as an entry point for further attacks on other devices on both local and external networks; remotely upload and execute arbitrary malicious code on the cameras; steal personal information such as users’ social network accounts and information which is used to send users notifications; and remotely disable vulnerable cameras.
All these attacks were possible because experts found that the way the cameras interacted with the cloud service was insecure and open to relatively easy interference. They also found that the architecture of the cloud service itself was vulnerable to external interference.
The US government has found similar vulnerabilities in the products of the Chinese firm involved in the controversy regarding the Delhi government’s order of 1.5 lakh CCTV cameras. A US Department of Homeland Security advisory states that the products are “remotely exploitable” and require a low skill level to exploit. The vulnerabilities, the advisory explains, are “improper authentication” and “password in configuration file”.