Editor’s note: A glossary of network terms can be found at the end of this article.
The spirit and intent of this common question are correct, but with the complexities of IP video and the variations of how vendors deploy and store video, the question is really answered by asking three other ones:
• How secure is your network?
• How are you recording your video and in what format?
• How secure is your vendor’s video system?
How secure is your network?
If we look at this from an ethical hacking standpoint, everything truly hinges on the first question of network security. Penetration testing is accomplished in three phases: Network enumeration, vulnerability analysis, and exploitation. These different phases mean I have to find your network, find a weakness based on an operating system or application, and then exploit that weakness to gain control of a machine in your system.
Finding you can be accomplished by doing a WHOIS search on the Internet or by using a program like Sam Spade. Once I have found an IP address or addresses for your network, I can start to construct a picture of your network layout by attempting to perform a DNS zone transfer as well as using tools like ping and traceroute. These tools will help establish landmarks and routes inside your network—such as servers, routers, firewalls, and gateways.
Vulnerability analysis will allow me to gather information needed to gain access to one of your servers in your demilitarized zone. I start by indentifying the operating system on any servers I find by using a tool called Nmap which analyzes a target machine’s TCP stack when responding to packets. Once I know the operating system, I can begin making a list of possible weaknesses I want to exploit.
Exploitation allows me to gain machine-level access to a server in your system. Port scanning using a tool like Nmap will help detect which ports are open on target machines, and then I can match what application or service is associated with which ports. Typical points of attack are default ID and passwords to programs like SQL and known weaknesses in programs like Microsoft IIS or Apache. Once inside a machine, I can load a root kit or one of many programs like Net Cat that will collect data for me and eventually provide me with credentials and a path to get inside your real network.
How are you recording your video and in what format?
There are many variables to this question. Variable one is how you are recording - analog or IP to DVR, IP to NVR, IP to edge, or IP to iSCSI.
To find a DVR or NVR, I have two options. Option one is to ping sweep your production network and hack away until I find your DVR or NVR. However, an ICMP Sweep in any well managed network should set off every alarm in the facility if you have intrusion detection system. Option two is to capture and analyze network traffic to find IP packets with H.264 or video information, and hack the destination address.
If you are using IP encoders or cameras that are recording direct to iSCSI, or “edge recording,” you have added a twist. Encoders with built-in intelligence at the edge typically run a proprietary kernel designed to run in a limited memory space. This leaves no options to hack into the edge device, and these devices typically do not place any video on the network until it is requested by a client or assigned to a target.
Variable two is what format you are recording the video in. Most DVR and NVR applications record in a proprietary file format. These can be in any format from *.AVI, to *.G64 files and are usually in the box or on SCSI/network drive targets. If I do find a box and hack into it, I have to wade through terabytes of three to 10 minute video clips to find what I’m looking for. Once anything within this file is changed, the video will not play. If the video is watermarked, any authentication attempts will fail. So, you can rest assured that no details have been changed in the recorded video that you are viewing.
If you have encoders or IP cameras that are recording in true iSCSI or edge format, chances are they are recording in a block format within a .DAT file structure. This means there are no true video files to browse or view, and the files cannot be accessed or played without the corresponding indexing files. Also, video iSCSI targets are viewed as LUNs, not network shares, and in most cases, the IQN of the encoders or management systems needs to be added to the privilege list on the iSCSI target to access any of its LUNs. In some scenarios, video can span across multiple LUNs and iSCSI targets, making it even more difficult to access.
Intercepting Live Video
To intercept and watch live video as it is traveling across your network, I need to have completed all three phases of penetration. I also need to know which vendor you are using to determine which ports you are transmitting on as well as how to decode your video. If you are in a true “edge” scenario, I have to wait until the video is requested by a licensed client, as well as know which IP address to monitor.
Now, the question arises about video encryption, which is written into some specifications. Most vendors offer encryption, but once implemented, the customer complains about video quality. I have yet to see encrypted video retain its original resolution and quality after being decrypted. If your video is encrypted and I really want it, I will just hack your viewing station and get the encryption key from your video software.
How Secure is your Video System?
So, I hacked and found one of your encoders. What am I going to do with your hours of video? If I were to spend that much time and effort hacking into your system, I would be better served going after valuable data, not video.
So what are the true risks to your video? In most cases it is internal employees. The following is a short list of issues when video is not secured properly:
• Incident video ends up on YouTube within 24 hours
• Incident video is deleted, intentionally or accidentally
• Cameras are diverted from incident area
• Recording is turned off intentionally
• Storage platforms were formatted by untrained technicians
When choosing a video provider, you want a system that will allow you to implement granular permissions to users and groups for tasks such as exporting, deleting, protecting, and unprotecting video. You want a system that will log activities of all users, including administrators. And, you want to make sure the installing technician has actually been trained on the system.
About the Author: David Brent is a technical information engineer for IT systems at Bosch Security Systems, Inc. He has extensive knowledge of video surveillance systems and holds a number of IT and networking certifications. He can be reached at [email protected].
DNS: Domain Name System
TCP: Transmission Control Protocol
SQL: Structured Query Language
ICMP: Internet Control Message Protocol
SCSI: Small Computer System Interface
iSCSI: Internet Small Computer System Interface
LUNs: Logical Unit Numbers
IQN: iSCSI Qualified Name