This question is key in today’s security world, when focusing on security cameras. As part of the IoT world, security cameras of today are playing important roles not only in the security area, but also in providing intelligence to accelerate operational efficiency and decision-making in many other business areas. As they become smarter and more complex, their cybersecurity risks also grow. In recent years, the world experienced several examples of cybersecurity incidents with cameras, with the “Mirai Botnet” as one of the most well-known examples. Mirai malware took advantage of insecure IoT devices in a simple but clever way. It scanned the internet for open Telnet ports, then attempted to log in with default passwords. In this way, it was able to amass a botnet army, using the computer power of millions of cameras with default passwords worldwide.
The Mirai Botnet took place in 2016 and, luckily, the cybersecurity of IoT devices has improved significantly since then. But, some things are still the same and/or cannot be changed. Mikko Hypponen, a Finnish cyber evangelist, is well-known because of his statement: “If a device is smart, it’s vulnerable!”. He shows with this statement that all devices that consist of hard- and software and are connected to the internet, are insecure (and therefore ‘hackable’). Although he made this statement some years ago, it is still true and very relevant – an example of something that hasn’t changed.
Security cameras are IoT devices and, therefore, are vulnerable. They are also abundant on the market in a number of forms and are being designed, developed and built by several producers from different countries. Current cameras are so technologically advanced that they come with lots of complex processes and computer power onboard.
These technological developments provide incredible innovative security capabilities, but also serious digital risks. The cameras consist of advanced hard- and software components that are produced both in-house and by third parties. Because of this complexity, such a camera can be seen as a kind of ecosystem on its own and it’s extremely challenging to protect it holistically against the things that could possibly go wrong in this ecosystem. A camera becomes an interesting and inviting attack surface for the ‘bad guys’.
Luckily, cybersecurity has also evolved in recent years and there are different kinds of digital security measures for cameras that can be applied by the camera manufacturers. But, this firstly requires the willingness of the camera manufacturer to put effort and budget into the security of the camera itself. This becomes a key question in this discussion.
As stated before, all security cameras are vulnerable. However, it’s also true that the more difficult it is to hack a camera, the more likely it is that a cyberattacker will jump to another camera that’s easier to hack. Cyberattackers are very smart and sophisticated, but also very pragmatic. They prefer easy targets (if they achieve a similar result). A camera manufacturer that invests in building a cybersecurity foundation that ensures more cyber-resilient cameras, will become a less favourable target for those cyberattackers, because they prefer to focus on cameras that generate the same results with less effort (in other words ‘easier to hack’).
All camera manufacturers and customers need to be fully aware that the more cyber-resilient their cameras are, the less interesting they are for unauthorised hackers to gain access. This cyber resilience requires serious cybersecurity investments in a solid foundation and one of the most effective investments is the implementation of Secure-by-Design into the production process. This means that cybersecurity is built-in during each phase of the production process and not seen as an after-thought when the camera is produced and implemented at the customer’s location. A good example of a Secure-by-Design production process within the IoT industry is the Hikvision Secure Development Life Cycle (HSDLC) as described in the Hikvision Cybersecurity Whitepaper.
Besides the Secure-by-Design implementation, there are other cybersecurity investments that show the commitment of an organisation towards the fundamental cyber resilience of its IoT portfolio. A Security Response Centre is another example. This centre comprises a dedicated team of cybersecurity professionals that responds to and handles customer-submitted security incidents and security matters.
So, a security camera is an IoT device and vulnerable for hackers that are looking for unauthorised access. But, it doesn’t have to be that way, because camera manufacturers can improve the cybersecurity of their IoT devices significantly as long as they take this task very seriously and are willing to invest in the fundamental building blocks of its cybersecurity. Secure-by-Design and a Security Response Centre are just two examples of these investments. The question to consider is whether a company is aware of this and is willing to invest in cybersecurity. Because at the end of this story, it’s not necessarily cameras from one area or lower-priced cameras that will be breached, but cameras from those that don’t take product cybersecurity seriously.