In September last year, the ABC Investigations journalism unit published an in-depth report on the use in Australia of surveillance cameras manufactured by the Chinese companies Hikvision and Dahua. The report has security ramifications for any organisation installing Internet-connected devices.
Security researchers assert that vulnerabilities in Hikvision and Dahua cameras leave them open to malicious actors looking to syphon off video, audio and other data. Both companies have also been accused of spying on behalf of the Chinese Government and have been banned from US government use.
According to Terry Dunlap, co-founder of ReFirm Labs, governments are taking the right step in evaluating whether Chinese companies like Hikvision are an acceptable risk as suppliers.
“Chinese firms have a long history of embedding backdoors in their equipment,” said Dunlap. “And it’s not happening by accident – in 2013, we found purpose-built backdoors in Huawei equipment. In 2017, we saw the same embedding technique in Dahua security cameras, which the US Congress then banned in 2018.
“All telecom gear coming from China that is placed into critical infrastructure, for example, needs to undergo a thorough security vetting from top layer applications all the way down to the firmware level where we see backdoor implants. Companies need to think twice about purchasing Chinese-made equipment if they don’t have vetting and monitoring capabilities in place to detect such backdoors and implants.”
ABC Investigations found the Chinese cameras above the entrances to the Australian Government Solicitor’s headquarters in Canberra and an office block used by the Department of Home Affairs, the Attorney-General, Austrac, and the Office of National Assessments. Another camera—removed once the Department of Defence became aware of it—was found at the RAAF Base Edinburgh in South Australia.
Cameras hacked for ransom
Cyber attacks on surveillance cameras like these are not just a theoretical possibility. In Washington DC, over 100 police cameras were hacked and taken down just days before the inauguration of President Donald Trump in 2017, with eastern European criminals demanding a ransom be paid.
Surveillance cameras and telecommunications equipment are just some of the Internet-connected devices subject to cyber attack. There are thousands of other vulnerable devices described by the term ‘Internet of Things’, and they number in the millions if not billions.
While most organisations have taken increased measures in recent years to strengthen the security of their information systems, many overlook device security. Not surprisingly, vulnerabilities in IoT devices are often the easiest targets for hackers and frequently represent the initial point of entry into organisations’ networks.
In a breach featured in a webinar by Joseph Carson, chief security scientist at Thycotic, an attack by Somalian pirates on a secure database detailing shipping movements was initiated by exploiting wireless lights that had been incorrectly configured, giving threat actors network access.
Unfortunately, the security measures most organisations currently have in place don’t effectively protect IoT devices. They don’t effectively protect firmware, and they fail to proactively address vulnerabilities before it’s too late.
In a 2018 report, research firm Gartner predicted that until 2020, the biggest inhibitor to growth for IoT security would come from a lack of prioritisation and implementation of security best practices and tools in IoT initiative planning. “In IoT initiatives, organisations often don’t have control over the source and nature of the software and hardware being utilised by smart connected devices,” said Ruggero Contu, research director at Gartner.
Innovative IoT security needed
As cyber intrusions become more commonplace, CSOs and CISOs have to look towards more innovative solutions to protect their organisations. Among the challenges they face is allowing business units to meet the demand for IoT devices with the confidence that they do not pose a security risk.
The introduction of cyber security tools into Australia and New Zealand for vetting, validation and monitoring of organisations’ firmware security has now closed this security gap for enterprises, government agencies, operators of critical infrastructure, and other organisations.
With these tools, organisations reliant on IoT devices can vet firmware images for vulnerabilities in around 30 minutes, without requiring source code, giving them confidence in the choices they make. Without these tools, organisations could be learning from the media about the vulnerabilities they have introduced to their networks, or to their customers.