I want to describe a specific scenario of an attack on a monitoring system - not to scare you, but to show how simple it is and what can be done to defend against it. All the techniques I describe are publicly known and used by security researchers. I describe them from a defense perspective.
Step 1 – Reconnaissance: Shodan
The attacker does not start with a specific company. He starts by looking for easy targets. The number one tool is Shodan – a search engine for devices connected to the Internet. Shodan constantly scans the Internet and indexes devices by their banners, HTTP headers and port responses.
Type into Shodan: an example technical query. You will see hundreds of Polish Hikvision recorders exposed directly to the Internet, with a web interface reachable without a VPN. Some of them will accept the default password within thirty seconds.
Step 2 – Identifying the firmware version
Once the attacker finds the device, he checks the firmware version. The recorder's login page often reveals the model and software version even without logging in - in the HTTP headers or in the HTML code of the login page.
Given the model and version, the attacker checks public CVE (Common Vulnerabilities and Exposures) databases. CVE-2021-36260 - a critical vulnerability in Hikvision cameras - allowed remote code execution without logging in, via a specially crafted HTTP request. The vulnerability was rated 9.8/10 on the CVSS scale. It affected dozens of models. The patch has been out for a long time - but thousands of devices still run the old firmware.
Step 3 – Entering the system
With a working exploit or default password, the attacker logs into the recorder. What does he see? Full view of all cameras, historical recordings, network configuration - including IP addresses of other devices on the same network.
The recorder runs on Linux. If the exploit allows code execution, the attacker can launch a system shell and begin exploring the rest of the network. If the cameras are on the same network as company computers, nothing stops him from trying to access the file server, database or workstations.
Step 4 – Maintaining access and objectives
The attacker's objectives may vary:
- Industrial espionage – preview of production, warehouse, management office
- Extortion – threatening to publish recordings (of employees, clients) or to encrypt the system
- Sabotage – deleting recordings as evidence or turning off monitoring before a physical break-in
- Botnet – using the seized cameras for DDoS attacks on other targets
How to defend yourself – a specific list
Do not expose the recorder directly to the Internet. If you need remote access, use a VPN. WireGuard on MikroTik or pfSense is a two-hour setup that eliminates the largest attack vector.
Update the firmware. Check the firmware version of your cameras and recorders against the manufacturer's website. Hikvision and Dahua release security updates regularly. Many of the vulnerabilities - including CVE-2021-36260 - have long been patched, but only on devices running current software.
Change default passwords. Each device – camera, recorder, switch – should have a unique, strong password. Minimum 12 characters.
Segment your network. Cameras in a separate VLAN have no access to the rest of the network, so even a compromised device stays isolated. I describe the details in the article about VLANs.
Disable unnecessary protocols. Telnet, UPnP, legacy RTSP without authentication - if you don't use them, disable them. Every active protocol is a potential target.
Monitor the logs. Unsuccessful login attempts, connections from unknown IP addresses, configuration changes at 3 a.m. - these are signals that should trigger an alarm. Modern recorders save event logs - it is worth reviewing them regularly.
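The kind of log review this paragraph recommends, as an added example that is not part of the original post: a small Python checker run over a constructed, syslog-like recorder log that flags bursts of failed logins, any activity from outside trusted networks, and configuration changes outside business hours. The log format, the trusted address ranges and the thresholds are assumptions, not any vendor's real format.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample event log in a syslog-like form (not a real Hikvision/Dahua format)
SAMPLE_LOG = """\
2024-03-10 02:58:11 LOGIN_FAIL user=admin src=203.0.113.45
2024-03-10 02:58:13 LOGIN_FAIL user=admin src=203.0.113.45
2024-03-10 02:58:15 LOGIN_FAIL user=admin src=203.0.113.45
2024-03-10 02:58:17 LOGIN_FAIL user=admin src=203.0.113.45
2024-03-10 02:58:19 LOGIN_FAIL user=admin src=203.0.113.45
2024-03-10 03:01:02 LOGIN_OK user=admin src=203.0.113.45
2024-03-10 03:02:40 CONFIG_CHANGE item=network src=203.0.113.45
2024-03-10 09:15:00 LOGIN_OK user=operator src=10.20.0.15
2024-03-10 09:20:12 CONFIG_CHANGE item=record_schedule src=10.20.0.15
"""
# Assumptions: the camera VLAN and the admin VPN range are the only trusted sources
TRUSTED_NETS = [ip_network("10.20.0.0/24"), ip_network("10.99.0.0/24")]
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time
FAIL_THRESHOLD = 5              # failed logins per source before alerting
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")

def parse(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return {"ts": ts, "event": m.group(2), **fields}

def analyze(log_text):
    """Return a list of alert strings for the three signals described in the text."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    alerts = []
    # 1. Repeated failed logins from one source address
    fails = Counter(e["src"] for e in events if e["event"] == "LOGIN_FAIL")
    for src, n in fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(f"brute-force: {n} failed logins from {src}")
    for e in events:
        src = ip_address(e["src"])
        # 2. Any activity from an address outside the trusted networks
        if not any(src in net for net in TRUSTED_NETS):
            alerts.append(f"untrusted source: {e['event']} from {src}")
        # 3. Configuration changes outside business hours
        if e["event"] == "CONFIG_CHANGE" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(f"off-hours config change: {e['item']} at {e['ts']:%H:%M} from {src}")
    return alerts
```

On the sample log this reports one brute-force alert, seven untrusted-source alerts for the 203.0.113.45 activity and one off-hours configuration change, while the operator's daytime work from the camera VLAN stays quiet.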
Summary
An attack on a CCTV system is not an advanced hacking operation requiring years of experience. For someone who knows the tools and has Shodan at hand, taking over an unsecured recorder takes minutes. Defense is easier than attack - and definitely cheaper than the consequences of a break-in.