Eyes Everywhere: Turning Security Cameras into Pentesting Assets
Last time I discussed how to harden your home through the use of proper security camera setups. Today, we will switch gears to the role of the attacker and focus on identifying security cameras through recon and OSINT.
When running a physical pentest, one thing you have to identify is the security posture and equipment used by your client, and of course a part of that will inevitably be security cameras. So during your recon phase, there are a few things about these cameras that you want to check and verify to make your life easier.
Quick Primer on How IR Cameras Work
Photo by cctvsg.net
Infrared (IR) security cameras function by using a form of light invisible to the human eye to illuminate their field of view, essentially acting like IR flashlights paired with sensitive sensors. This technology doesn't provide true "night vision" in the sense of thermal imaging, which detects heat signatures. Instead, IR cameras use their built-in IR LEDs to cast an invisible light over an area.
The camera's sensor, sensitive to this wavelength of light, captures the reflection off objects within its range, creating a visible image in what appears to be complete darkness to the naked eye. This method is highly effective for surveillance in low-light conditions, offering a cost-effective solution for continuous monitoring. However, the quality of the image and the effective range of visibility depend on the power and number of IR LEDs surrounding the camera lens, as well as the camera's sensor sensitivity.
Identifying Make and Model: The First Crack in the Armor
One of the first steps in assessing the security landscape of a target location is to identify the make and model of the security cameras in use. Different cameras come with different vulnerabilities and limitations — knowing exactly what you're dealing with can offer you a roadmap to exploitation. But how does one go about acquiring such specific details?
A keen eye and a bit of research can go a long way. Many camera models have distinctive designs or branding elements. Once you have a visual or a brand name, a simple online search can reveal the model.
For example, some cheaper Chinese made security cameras utilize FTP for authentication and their mobile control application is readily available to anyone. Therefore, if there is poor wiring setup, meaning you can simply unplug the camera, and plug your own device in, within a few seconds of doing so, the FTP credentials will likely come directly to your device in plaintext. These creds are likely used across the entire security camera network and possibly on other systems.
Identifying Make and Model: Typical Specs
For standard PTZ (Pan-Tilt-Zoom) IR cameras, the detection range at night with IR illumination can vary. For instance, some high-resolution PTZ cameras are capable of detecting human presence at night using IR up to 500 meters (approximately 1600 feet). More specialized long-range IR PTZ camera systems can provide visibility at night up to 1,600 feet (about 500 meters) with IR illumination, and certain models can even achieve greater distances.
Extremely advanced systems, designed for very long-range surveillance, are capable of night detection using laser illumination at distances up to 1,000 meters (approximately 0.62 miles)
It's also important to note that wireless long-range surveillance cameras, which might employ IR for night vision, can transmit signals from 2,400 feet up to 3 or 4 miles, assuming a clear line of sight (LOS) between the camera and the receiver.
Many cameras today can detect humans vs animals or vehicles as well as send SMS upon discovery.
Obviously these models will not be used everywhere, and an internal office camera has no need for a 1 mile range … but this is why you need to do your recon and homework to discover the abilities and limitations of these systems.
Things to Consider and Know
Keep reading with a 7-day free trial
Subscribe to Covert Access Team to keep reading this post and get 7 days of free access to the full post archives.