I recently participated in a webinar aimed at helping physical security professionals, corporate security managers and others responsible for both physical and logical security. This is an area of security that doesn’t get near the attention it deserves – especially when it comes to the Web security component.
Look at any given physical security-related video or access control system and the technology is amazing. From high-definition to DVR storage to remote access, you can literally control your physical security systems from a simple Web browser or even a mobile app. The problem is these systems are getting lost in the information systems complexity present in the average enterprise. But they’re no different than any other Web-based system – the potential for Web related vulnerabilities is endless. All it takes is a rogue insider or, in certain cases, an external attacker to compromise the essence of your organization’s physical security.
There’s a bit of irony in it all.
When performing my information security assessments, any given video management or access control system is chock full of Web flaws such as cross-site scripting, cross-site request forgery and so on. There are also more general flaws such as default passwords, no SSL, no audit logging or alerts enabled – no nothing related to application security. To top it all off, these systems are rarely, if ever, patched. Typically a systems integrator installs the physical security systems with zero security in mind and the systems stay that way with no one monitoring them, no one maintaining them…there’s no accountability.
Anyone with ill intent has free reign to watch (and control) internal video cameras, cover their tracks by deleting logs and actual video files, setup backdoor accounts and so on all the things that bad guys do.
Indeed, we have a long road ahead of us in securing physical security-related video and access control systems. I strongly believe that unless and until these systems are included in the scope of Web security testing, businesses, government agencies and everyone in between will continue to have these critical security flaws flying under the radar.
Like with any other computer system, if it has a URL or an IP address, it’s fair game for attack. Give these systems the attention they deserve.