Editor’s note: A glossary of network terms can be found at the end of this article.
The spirit and intent of this common question are correct, but with the complexities of IP video and the variations of how vendors deploy and store video, the question is really answered by asking three other ones:
• How secure is your network?
• How are you recording your video and in what format?
• How secure is your vendor’s video system?
How secure is your network?
If we look at this from an ethical hacking standpoint, everything truly hinges on the first question of network security. Penetration testing is accomplished in three phases: network enumeration, vulnerability analysis, and exploitation. These different phases mean I have to find your network, find a weakness based on an operating system or application, and then exploit that weakness to gain control of a machine in your system.
Finding you can be accomplished by doing a WHOIS search on the Internet or by using a program like Sam Spade. Once I have found an IP address or addresses for your network, I can start to construct a picture of your network layout by attempting to perform a DNS zone transfer as well as using tools like ping and traceroute. These tools will help establish landmarks and routes inside your network—such as servers, routers, firewalls, and gateways.
Vulnerability analysis will allow me to gather information needed to gain access to one of your servers in your demilitarized zone. I start by identifying the operating system on any servers I find by using a tool called Nmap, which analyzes a target machine’s TCP stack when responding to packets. Once I know the operating system, I can begin making a list of possible weaknesses I want to exploit.
Exploitation allows me to gain machine-level access to a server in your system. Port scanning using a tool like Nmap will help detect which ports are open on target machines, and then I can match what application or service is associated with which ports. Typical points of attack are default IDs and passwords to programs like SQL and known weaknesses in programs like Microsoft IIS or Apache. Once inside a machine, I can load a rootkit or one of many programs like Netcat that will collect data for me and eventually provide me with credentials and a path to get inside your real network.
How are you recording your video and in what format?
There are many variables to this question. Variable one is how you are recording: analog or IP to DVR, IP to NVR, IP to edge, or IP to iSCSI.
To find a DVR or NVR, I have two options. Option one is to ping sweep your production network and hack away until I find your DVR or NVR. However, an ICMP sweep in any well-managed network should set off every alarm in the facility if you have an intrusion detection system. Option two is to capture and analyze network traffic to find IP packets with H.264 or video information, and hack the destination address.
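A minimal version of the check an intrusion detection system applies to the ICMP sweep described above, as an added example that is not part of the original article. The log record layout, the addresses, and the window and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (epoch seconds, source IP, destination IP) for
# ICMP echo requests, in the shape a sensor or firewall log export might use.
SAMPLE_EVENTS = (
    # One host pinging 20 different addresses in 20 seconds: a sweep.
    [(1000 + i, "10.0.5.23", f"10.0.8.{i + 1}") for i in range(20)]
    # A monitoring host pinging the same recorder over and over: benign.
    + [(1000 + 5 * i, "10.0.5.40", "10.0.8.10") for i in range(20)]
    # A workstation pinging a different host once a minute: below the rate.
    + [(1000 + 60 * i, "10.0.5.77", f"10.0.8.{i + 1}") for i in range(20)]
)


def detect_icmp_sweeps(events, window=30, threshold=10):
    """Return {source: time of first alert} for every source that sends echo
    requests to at least `threshold` distinct hosts within `window` seconds."""
    recent = defaultdict(deque)  # source -> deque of (time, destination)
    alerts = {}
    for ts, src, dst in sorted(events):
        seen = recent[src]
        seen.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while seen and ts - seen[0][0] > window:
            seen.popleft()
        distinct_hosts = {d for _, d in seen}
        if len(distinct_hosts) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in detect_icmp_sweeps(SAMPLE_EVENTS).items():
        print(f"ALERT icmp-sweep src={src} first_seen={ts}")
```

The window and threshold have to be tuned to the network: with the defaults only the first source alerts, while a 600-second window also flags the once-a-minute source.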
If you are using IP encoders or cameras that are recording direct to iSCSI, or “edge recording,” you have added a twist. Encoders with built-in intelligence at the edge typically run a proprietary kernel designed to run in a limited memory space. This leaves no options to hack into the edge device, and these devices typically do not place any video on the network until it is requested by a client or assigned to a target.
Variable two is what format you are recording the video in. Most DVR and NVR applications record in a proprietary file format. These can be in any format from *.AVI to *.G64 files and are usually in the box or on SCSI/network drive targets. If I do find a box and hack into it, I have to wade through terabytes of three- to 10-minute video clips to find what I’m looking for. Once anything within this file is changed, the video will not play. If the video is watermarked, any authentication attempts will fail. So, you can rest assured that no details have been changed in the recorded video that you are viewing.