A Conduit For Attack

A Conduit For Attack

What every retailer should know about managing patches and updates

In the days of analog DVR-based surveillance systems, the biggest worries retailers faced were equipment failure and theft of the recording medium. As closed systems, their problems remained contained within those systems. But in today’s surveillance landscape, where an ever-greater number of IPbased cameras ride on the corporate network, retailers need to understand their video security system’s vulnerabilities in a whole new light.

Specifically, any under-protected, network-connected device presents a potentially exploitable entry point for attacking every system and any data on the network, from point-of-sale transactions and credit card processing to strategic business plans and company financials. With today’s PCI requirements pushing physical and cyber security closer together, addressing this topic becomes paramount.


When it comes to network security, IP-based cameras are relatively new kids on the block. But the guiding principles for securing those devices are the same as IT uses for any device sharing their network. So it makes sense for Loss Prevention and Asset Protection Departments to reach across the organization to their IT counterparts for expertise and guidance in protecting their surveillance technology.

So, what are some of the best practices LP and AP can apply to their video systems?

Change factory default log-in credentials. This is a common oversight that needs to be addressed before the device goes live. Back in the days of analog, if the DVR had password protection it was generally the default one and couldn’t be changed or updated. However, with IP systems password control is in the hands of the end user. When changing the default log-in, make sure that users create strong passwords that are at least eight characters in length that incorporate a mix of uppercase and lowercase letters, numbers and symbols. To maintain security, users should change their passwords with some frequency.

Create a least-privilege access hierarchy. Also during the analog days, rights and privileges were generally global in scope. If you had access to the system, you had access to the entire system. IP systems give you much more granular control. When creating user accounts be sure to grant only those privileges that are essential to a user’s daily job performance and nothing more. If you let users access your company’s network video recorders and IP cameras using an admin’s root credentials, those credentials risk compromise and then hackers can gain wholesale access to the entire network.

Be diligent about configuration and patch management. Being a closed system, analog technology was inherently difficult for IT departments to update and manage. But the open standards used by today’s IP systems allow them to evolve over time. This puts the onus on companies be sure their operation keeps pace with the changing threat landscape. Failing to update years-old firmware can leave your surveillance system exposed to many known virus and malware and give hackers an open door to the network through your camera.

Track attempted hacks and breaches. The best way to shore up defenses against future attacks is to understand what’s happening on the network today. This is where the partnership with IT becomes paramount. IT usually owns the network monitoring technology and possesses the log analysis skills to identify unauthorized access attempts and breaches. They can help pinpoint the exploitable weaknesses in your surveillance technology and devise strategies for hardening your devices.


Because of their high-capacity processing power many IP cameras are delivering added value beyond traditional security. With the ability to run onboard analytics such as people counting, traffic patterns, dwell time, line queuing and more, they’re able to provide retailers with vital business intelligence to improve marketing, merchandising, and operations. But those added apps present yet another layer of potential vulnerability that must be tightly managed.

The lack of cybersecurity awareness coupled with careless security precautions (such as haphazard application of updates and patches) invariably opens the door for malware infection and exploitation.

Denial of service. One of the more common attacks is denial of service. Whether through an intentional internal act, a mistaken download of particular software, or an external attack, the malware purposefully increases communication on the network, eventually clogging the network by repeatedly flooding it with tens of thousands of requests per second. Once the network is clogged, retailers can no longer conduct business—including POS transactions, credit card verification and other mission critical activity.

Port hijacking. Oftentimes hijackers will troll for open, unsecured ports that they can commandeer to gain access to the network or they gain physical access to your network by grabbing the network cable from an outdoor camera and plugging into their laptop. Once inside your system they can do unlimited damage.

Brute-force dictionary attacks. This attack’s name comes from the way hackers try to penetrate the system: trying as many permutations and combinations as there are words in a dictionary. When faced with a log-in credential request—a decryption key or passphrase—sophisticated hackers try hundreds or even millions of likely possibilities to defeat the authentication mechanism. Once this line of defense is breached they can penetrate any part of the system that credential is authorized to access.


In addition to the lessons from IT, industry specialists recommend a number of other steps you can take to secure your surveillance devices and your network.

  • When using your smart devices implement security principles such as input validation, bounds checking, access control and authentication.
  • Encrypting communications is good, but if the keys are readily available then all they do is delay an attacker rather than stop him. Keys should be guarded as closely as possible and not recorded in logs. They should also be protected against resetting by an untrusted party.
  • If encryption is used on an interface then the secret information contained within should not then be decrypted and passed on via an unencrypted interface as it defeats the purpose of encryption. Encryption/ decryption should be used as quickly and discretely as possible then cleared from memory.
  • Firmware should be signed and encrypted to prevent bad firmware uploads or tampering. Failure to do this not only carries security risks but business risks as well since smart devices like cameras rely on their firmware to protect their customers. Open source firmware—such as Jail Break which allows the device to download free software—opens that device to future attacks because developers rarely issue updates to repair security gaps.


Cybersecurity for surveillance systems certainly grows more challenging every year. As a retailer, your environment often stretches across a wide geographic area and includes a host of network attached devices. Managing cybersecurity on such a large scale might seem quite daunting, but consider looking to your own IT department for guidance and partnership. Employing the same common sense security policies and practices that they already have in place will help you mitigate your risks. It will also give your enterprise a much more cohesive and holistic approach to loss prevention, operations, strategic merchandising and overall cyber protection. In turn, that will help you safeguard your assets, your bottom line and your brand.

This article originally appeared in the June 2016 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3