How to mitigate IoT threats to video surveillance systems

July 6, 2018
Using machine learning security algorithms adapted for IoT to identify and mitigate threats to network video

The expanding world of security video surveillance has yet to evolve into the Orwellian nightmare predicted in the novel 1984. But as device connectivity continues to define the digital age, monitoring the technology that monitors us is demanding stricter rules and protocols to ensure risk is mitigated, threats are dealt with in a proactive manner and global laws are managed.

“We believe behavioral science, cognitive computing, and machine intelligence are essential to a successful, holistic surveillance offering and critical to efficient and effective organizational compliance with an increasingly intricate global regulatory environment,” said Adena Friedman, who currently serves as the president and CEO of Nasdaq, at a 2017 press conference where Nasdaq announced the acquisition of a London-based regulatory technology firm Sybenetix, which uses algorithms to catch rogue traders. The software algorithms can learn the behavior patterns of individuals and groups within an organization to help detect suspicious trading.

When it comes to physical security systems like video surveillance, more and more end users and their integrator partners are looking for that holistic approach in dealing with network attacks and malicious insider behavior. And as the flood of IoT devices spread their tentacles across corporate, commercial and residential markets, having a viable cybersecurity game plan is essential.

Mitigating IoT Threats to the Physical Security Landscape

While Nasdaq is employing a combination of AI and human behavioral analytics to take a proactive stance against inside and outside attacks, companies like SecuriThings that have served traditional IT sectors are now shifting focus to the physical security market in general and video surveillance systems in particular. This Israeli-based vendor supplies a User and Entity Behavioral Analytics (UEBA) solution for IoT. It monitors users and the IoT devices themselves. It also uses machine learning security algorithms adapted for IoT to identify and mitigate threats. Physical security and video surveillance is currently a major area of focus, with four major vertical technology markets as prime drivers; physical security/video surveillance, Smart Cities, connected buildings and consumer electronics.

“Although there are many connected devices, the reason we decided to focus on the physical security side is that this is where the most dramatic adoption of IoT is and they are tied to real business cases. This is where you have solutions deployed by integrators, operated by service providers, and consumed by actual end users where we can realize real commercial success,” says Yotam Gutman, the Vice President of Marketing at SecuriThings and a former Lieutenant Commander in the Israeli Navy. “The other point is that this segment, up and down the chain, is willing to pay to secure their devices. There are a lot of connected devices, but we asked what one of the most vulnerable devices is and the overwhelming answer was (surveillance) cameras.”

Gutman concedes that the smarter the camera, the higher the risk potential. Years ago when he worked homeland security for various global agencies it was analog technology that drove security. Those days are gone forever.

“The smarter the cameras become, the more likely they are vulnerable to cyber attacks. Cameras are also more complicated and expensive today so there is more to secure,” citing an example of a user paying around $250 for an IP camera and another $60 per camera for installation. ”And now for less than $4 a month, if we can come in to secure that camera, it becomes a compelling business case for the customer who is looking for quality of service and reliability.”

An Easy Solution to a Difficult Problem

The company’s software agents are set up for common IoT protocols so the client can implement the solution without having to write any tedious code. The solution utilizes behavior analytics to analyze human and machine behavior allowing it to detect threats in real-time. It relies on proven concepts of User Behavior Analytics (UBA) while adding machine/device behavior analytics and risk models tailored to the IoT world. This layer of real-time security enables IoT service providers to constantly monitor their IoT applications, enact policies and mitigate attacks. Users can also establish rule-based policies on top of the behavior analytics. Rules can be based on each alert’s risk score, activity type, location and many other attributes, and can automate the user’s decision-making process.

Gutman admits it is an intensive process for the vendors who must verify that their platform will be compatible. SecuriThings has created a strategic breakdown of the video surveillance market working with all the major solution providers to certify their cameras, software agents, programs and APIs provide a compatible and open environment. While Gutman says in a perfect world his company would love to be able to provide OEM services to the video industry, the plan at present is to be content with being an important video analytics add-on solution to existing video surveillance deployments.

The technology integration is touted as a seamless process between the VMS and the camera. For example, In a Milestone or Genetec system where the SecuriThings software is uploaded, the user clicks the number of devices they want this software installed, press deploy and the solution is embedded in the devices. Gutman says that the software can support almost any camera and VMS.

“It is the easiest sort of security integration you can do with any security device,” Gutman explains. “Once the software has been deployed the VMS is now the channel to collect information from the devices, but it is not the video footage itself so we are doing nothing to damage the privacy of the end-user customers or the subject that video touches. We are collecting information related to IP address being accessed, the users who logged into the cameras, how many attempts there have been, and the geography – all the metadata that can point to potential malicious behavior.”

He adds that this data then goes back to the cloud or advanced monitoring centers through the VMS. “There is no need for each camera to be connected since we literally piggyback the entire deployment. You know if you potentially generate additional network traffic the integrators will throw us away. We looked to offer them a solution that was light on intrusion and seamless to integrate.”

“We have developed very powerful analytics that cannot reside on the cameras because there are literally millions of devices that we monitor and we run Big Data with sophisticated machine learning that picks up real-time activities like hacking attacks or more subtle things like insiders misusing the cameras for unauthorized viewing,” he says.  “Building our system this way allows us to offer it as a managed service since all the data goes back to the cloud where we connect from our security operations center. We can then communicate with our customers and instruct them how to mitigate their threats. The customer doesn’t have to buy a piece of software. It’s a SaaS; instead, they pay by consumption on a monthly basis. The customer doesn’t have to know anything about IT security. This is also a highly competitive business model for the integrator and service provider. We charge between one to two dollars per device depending on the quantity of soft devices and then the integrator can take this model and upsell to their client if they like.”

Integrators have told them that they have changed their business model from long-term deployment and maintenance according to breakage to a chance for reoccurring revenue. The system can run on-premise or from multiple sites connected to a central monitoring center. The system is also intuitive. The client can see an alert; drill down into it and understand what happened with the event. It can also tell the client whether it there is a need for a firmware update or a password reset.

But Gutman, understanding the nature of the security industry, is quick to point out that the solution is certainly highly functional on-premise, realizing some clients are still not comfortable with their sensitive data residing in the cloud.

“I know the mentality of the industry and I don’t want to push don’t some clients away. We have consulted with several of our high-profile Israeli customers, who are by nature very paranoid, and they are very enthusiastic about this solution because they feel we have bullet-proofed our entire network,” Gutman says. 

What is a Connected Device?

Devices can be infected with malware in several ways. People leave their devices open to the web, they fail to change the factory default credential, even following regular maintenance, ports can be left open creating a pathway for any novice hacker.

“We’ve noticed that the infected devices were usually not done so intentionally, rather there are automatic scanning mechanisms looking for opportunities on vulnerable devices. Once they notice that vulnerable device – and I don’t think these bots realize it is a camera or anything else since it is an automated process – the device is bombarded with connection requests until the password is actually cracked or they go for the dictionary of all default credentials that allows for the device to be hacked in seconds,” says Gutman. “Once inside, an alien software code will be installed and the havoc begins. Most often the infected device will attempt to recruit other connected devices to the compromised network. The most damaging outcome for a video surveillance network is that this digital disease could severely impair the integrity of the video network by slowing the feed from the cameras, increasing power usage and bandwidth and yes, even dramatically shorten the life of the cameras and associated network devices like NVRs.”

Gutman is concerned that service providers that have a large percentage of their video network infected will feel the pain of having to replace cameras much sooner than expected or bring them to repair and ultimately reset the devices. Over time, it could prove to be quite a costly issue if an organization is monitoring thousands of cameras.

“Our selling point is that although we can’t stop attacks – they will happen – but when it does happen, we can identify it in real time, help mitigate the issue, and in the future the agent that is running on the device will also help do some of the mitigation itself,” he adds. “That is our roadmap. The goal is to isolate the infection to one or two devices, identify or disconnect them to mitigate further damage, which saves on the maintenance.”

He says that malware attacks on cameras and surveillance systems that hack data and compromise footage are not uncommon and users realize this is a risk they must mitigate. But what most users don’t realize is the insidiousness of these embedded bot attacks that over time degrade the video capabilities and systems themselves, costing the organization downtime and money.

New regulations like GDPR in Europe and the just passed California Consumer Privacy Act (CCPA), along with expanding use of facial recognition around the world have exacerbated the concerns over insider abuse and personal privacy, The more sophisticated today’s cameras and recording devices become the greater the risk there is for these devices being used for malicious intentions.

“This type of activity is something our software can pick up. An insider threat is not especially intuitive like a hacker coming in from the outside. It is a more subtle breach that could have real-life implications for an organization and should be monitored a lot more closely,” stresses Gutman.

Monitoring the Insider Threat

He cites a recent client challenge. An established video surveillance vendor selling video surveillance as a service (VSaaS) using an OEM cloud-based video platform that collected metadata from cameras related to the user’s global activities suspected there were some possible security and compliance issues that could prove to be troublesome. Unfortunately, the client only collected the video data and didn’t analyze it so there was no way to detect or investigate potential malicious activities.

SecuriThings’ machine-learning algorithms identified abnormal behaviors of several users accessing devices from various locations, which indicated account takeover or credential abuse. The system also identified support personnel working at the service provider's support center accessing specific video cameras in what appeared to be peculiar and malicious in nature. The machine-learning algorithm identified this behavior by creating a baseline pattern for “normal” support center behavior, including time of operation, duration and recurring activity.

The alert raised by SecuriThings prompted an internal investigation that uncovered that support center employees that had access to the devices for maintenance purposes, were “checking in” on specific cameras on an ongoing basis, breaching the privacy of end-users.

“This solution is a win-win for both the end user and his integration partner. It is an easy and cost-effect mitigation strategy for the user and a potential source of RMR for the integrator. And as we progress, the functionality will only expand,” concludes Gutman.

About the Author: 

Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS.