The Security of Video Surveillance Systems Questioned

The same useful features that enable security administrators to monitor surveillance cameras from any Web browser are also fraught with security vulnerabilities, according to a security services company. Gotham Digital Science recently posted a blog write-up that described how an unauthorized person could gain remote access to a closed circuit television video system. Doing so would allow that user to view video being captured with the camera, gain access to archived video footage, and, if supported by the particular model of camera, control the direction of the camera. Also, the company reported, many of the organizations running video surveillance may never know that an attacker has gained access to the system.

According to Justin Cacak, who penned the blog entry, the vulnerability can be tested with the use of a new tool added to the Metasploit Framework, a part of the Metasploit open source security project that allows testers to develop and execute exploit code against a specified target. So far the tool has been run against surveillance gear from MicroDigital, Hivision, and CTRing, as well as a "substantial number of other rebranded devices," the blog entry stated. Many of these systems are rebranded by other vendors and sold under different names in the United States

A common problem is that often the password that provides remote access to the device is never changed. "Typically, in over 70 percent of cases the device is still configured with the default vendor password which allows trivial access to real time video, the ability to control PTZ (pan-tilt-zoom) cameras, and access to any archived footage," Cacak wrote.

During its testing, in cases where the default password had been changed, the company used a network proxy to intercept and modify network data for non-proxy-aware applications, allowing researchers to determine valid and invalid users and authentication responses. That in turn allowed them to develop software that could validate user accounts, exclude non-valid ones, and use "brute force logins" to gain entry to the video systems.

"It is likely that other manufacturers and CCTV devices are similarly vulnerable," Cacak noted. Gotham recommended that organizations protect themselves against unauthorized breaches by changing default passwords, using strong passwords, filtering access to trusted hosts, and exposing the video system to the Internet only "if absolutely necessary."

The company also suggested that security professionals try out the new Metasploit module, available in the Metasploit Framework, to scan their networks for vulnerable systems.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • The AI Show

    Register for Free to Attend the World's Greatest Show for All Things AI in EDU

    The AI Show @ ASU+GSV, held April 5–7, 2025, at the San Diego Convention Center, is a free event designed to help educators, students, and parents navigate AI's role in education. Featuring hands-on workshops, AI-powered networking, live demos from 125+ EdTech exhibitors, and keynote speakers like Colin Kaepernick and Stevie Van Zandt, the event offers practical insights into AI-driven teaching, learning, and career opportunities. Attendees will gain actionable strategies to integrate AI into classrooms while exploring innovations that promote equity, accessibility, and student success.

  • laptop displaying a red padlock icon sits on a wooden desk with a digital network interface background

    Reports Point to Domain Controllers as Prime Ransomware Targets

    A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

  • laptop displaying a glowing digital brain and data charts sits on a metal shelf in a well-lit server room with organized network cables and active servers

    Cisco Unveils AI-First Approach to IT Operations

    At its recent Cisco Live 2025 event, Cisco introduced AgenticOps, a transformative approach to IT operations that integrates advanced AI capabilities to enhance efficiency and collaboration across network, security, and application domains.

  • educators seated at a table with a laptop and tablet, against a backdrop of muted geometric shapes

    HMH Forms Educator Council to Inform AI Tool Development

    Adaptive learning company HMH has established an AI Educator Council that brings together teachers, instructional coaches and leaders from school district across the country to help shape its AI solutions.