Back to: Advanced Physical Security Integration (APSI)
Lesson 7.1: The Threat Landscape (IoT & The Edge)
Module: 7 – Cybersecurity for Physical Security
Prerequisites: Module 2 (Networking)
Estimated Time: 45–60 Minutes
1. Learning Objectives
By the end of this lesson, you will be able to:
- Explain why physical security devices (cameras, controllers) are high-value targets for hackers.
- Analyze the mechanism of the “Mirai Botnet” and how it used CCTV cameras to knock large parts of the internet offline.
- Define a “Pivot Attack” and explain how an outdoor camera can compromise the corporate server room.
- Identify the risks of “Port Forwarding” and why it is now considered a forbidden practice.
2. The “Soft Underbelly” of IT
For years, IT departments secured their servers and laptops but ignored the security system. They viewed cameras as “appliances,” like toasters.
The Reality: A modern IP Camera is a fully functional Linux Computer hanging on the side of a building.
- It has a CPU, RAM, and an Operating System.
- It is connected to the network 24/7.
- The Risk: If an IT Director locks down the firewall but you install a cheap, unpatched NVR with the password “12345,” you have just opened a back door into the entire company.
3. The Wake-Up Call: The Mirai Botnet (2016)
This is the event that changed our industry forever.
What happened: A piece of malware named “Mirai” scanned the internet for IoT devices (mostly cheap DVRs and IP cameras) that were using default factory passwords (e.g., admin/admin or root/12345).
The Result:
- It infected 600,000+ devices.
- It turned them into a “Botnet” (a zombie army).
- On command, all 600,000 cameras sent junk traffic to a single target (DynDNS).
- Impact: Massive chunks of the internet (Netflix, Twitter, Reddit) went offline for hours. It wasn’t hackers with supercomputers; it was security cameras doing the damage.
4. Attack Vector 1: The “Pivot” (Physical to Digital)
Security devices are unique because they are often located outside the secure perimeter.
The Scenario:
- Entry: A hacker walks up to a camera mounted on a pole in the parking lot.
- Access: They unscrew the maintenance plate and unplug the Cat6 cable from the camera.
- Connection: They plug that cable into their laptop.
- The Pivot: Because the integrator didn’t secure the switch port, the hacker is now on the internal VLAN. From there, they scan for the Financial Server or HR Database.
- Lesson: Your physical device is a network jack. If you don’t lock the switch port down (MAC Filtering / 802.1X), you are handing attackers free access to your network.
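Both of the camera-side behaviours described so far can be caught on the network: the Mirai pattern of one camera opening a huge number of connections to a single target, and the pivot pattern of a camera-VLAN host probing internal servers it has no business talking to. The block below is an added example, not code from the lesson; it runs that detection logic over constructed NetFlow-style records. The camera VLAN, the allow-list of destinations, the flood threshold and every address in the sample are assumptions chosen for the example.

```python
"""Added example (not from the lesson): detection logic for two camera-side
behaviours, run over constructed NetFlow-style records.
- Pivot: a camera-VLAN host reaching internal servers outside its allow-list.
- Botnet flood: a camera opening very many connections to one target."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Site plan: every address below is an assumption for this example, not from the lesson.
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# The only internal destinations/ports a camera legitimately needs.
ALLOWED_DESTS = {
    ipaddress.ip_address("10.10.0.5"): {554, 80, 443},   # the NVR (RTSP + web UI)
    ipaddress.ip_address("10.10.0.53"): {53, 123},       # DNS / NTP
}
FLOOD_THRESHOLD = 50   # flows from one camera to one target within the window (assumed)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    packets: int


def parse_flows(lines):
    """Parse 'src dst dport packets' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, packets = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), int(packets)))
    return flows


def find_pivots(flows):
    """Flows from the camera VLAN into the internal network that are not on the allow-list."""
    return [f for f in flows
            if f.src in CAMERA_VLAN and f.dst in INTERNAL
            and f.dport not in ALLOWED_DESTS.get(f.dst, set())]


def find_floods(flows, threshold=FLOOD_THRESHOLD):
    """(camera, target) pairs with at least `threshold` flows: the Mirai-style pattern."""
    counts = defaultdict(int)
    for f in flows:
        if f.src in CAMERA_VLAN:
            counts[(f.src, f.dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def report(flows):
    """One alert line per finding, ready to hand to a SIEM or a ticket."""
    alerts = []
    for f in find_pivots(flows):
        alerts.append(f"PIVOT  {f.src} -> {f.dst}:{f.dport} (not on camera allow-list)")
    for (src, dst), n in find_floods(flows).items():
        alerts.append(f"FLOOD  {src} -> {dst}: {n} flows in window")
    return alerts


# Constructed sample: one healthy camera, one probing the server VLAN,
# one hammering an outside address (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    "# src          dst          dport packets",
    "10.50.0.11     10.10.0.5    554   1200",
    "10.50.0.11     10.10.0.5    554   1180",
    "10.50.0.11     10.10.0.53   123   2",
    "10.50.0.23     10.10.0.7    445   6",
    "10.50.0.23     10.10.0.8    1433  4",
    "10.50.0.23     10.10.0.9    3389  5",
] + ["10.50.0.40     203.0.113.9  80    40"] * 60

if __name__ == "__main__":
    for line in report(parse_flows(SAMPLE_FLOWS)):
        print(line)
```

The allow-list is the whole point: a camera needs the NVR, DNS and NTP and nothing else, so any other internal destination is an alert rather than a judgement call. The flood threshold is a starting value to tune against a site's real flow volume.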
5. Attack Vector 2: Shodan & Port Forwarding
The Old Way (Forbidden): To let a client see their cameras from home, integrators used to log into the firewall and “Port Forward” ports 80, 8000, or 554 directly to the NVR.
The Risk: This punches a hole in the firewall. The NVR is now naked on the public internet.
Shodan.io: This is “Google for Hackers.” It scans the entire internet 24/7 looking for open ports.
- A hacker types: device:webcam country:US port:80
- Shodan returns a list of thousands of login screens for cameras.
- The hacker tries admin/12345. If it works, they are watching your client’s bedroom or office.
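Because a port forward is a firewall rule, the forbidden practice is something you can audit for rather than hope nobody did. The block below is an added example, not code from the lesson or any firewall vendor: it reads inbound port-forward rules in a simple constructed one-line format and flags any that point at the camera VLAN, the NVR, or the three ports the lesson names. The addresses, the rule format and the sample rule set are assumptions; the recommended fix (remote viewing over a VPN instead of a forward) is standard practice rather than something the lesson states.

```python
"""Added example (not from the lesson): audit a firewall's inbound port-forward
rules and flag any that expose an NVR or camera to the public internet."""
import ipaddress

# Site plan: addresses and the rule format below are assumptions for this example.
CAMERA_NETS = [
    ipaddress.ip_network("10.50.0.0/24"),   # camera VLAN
    ipaddress.ip_network("10.10.0.5/32"),   # the NVR
]
# The ports the lesson names as the ones integrators used to forward to the NVR.
NVR_PORTS = {80: "HTTP login page", 8000: "vendor client protocol", 554: "RTSP video"}


def parse_rules(text):
    """Rules in a constructed one-line form: 'wan_port -> inside_ip:inside_port  # comment'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        wan, inside = (p.strip() for p in line.split("->", 1))
        ip, port = inside.rsplit(":", 1)
        rules.append({"wan_port": int(wan),
                      "inside_ip": ipaddress.ip_address(ip),
                      "inside_port": int(port)})
    return rules


def audit(rules):
    """Return one finding per rule that exposes video gear; an empty list means clean."""
    findings = []
    for r in rules:
        reasons = []
        if any(r["inside_ip"] in net for net in CAMERA_NETS):
            reasons.append("target is a camera/NVR address")
        if r["inside_port"] in NVR_PORTS:
            reasons.append(f"exposes {NVR_PORTS[r['inside_port']]} (tcp/{r['inside_port']})")
        if reasons:
            findings.append({
                "rule": f"{r['wan_port']} -> {r['inside_ip']}:{r['inside_port']}",
                "reasons": reasons,
                "fix": "delete this forward; give the client remote viewing over a VPN instead",
            })
    return findings


# Constructed rule set: the 'old way' for an NVR and one camera, plus a VPN
# gateway forward, which is the acceptable way in.
SAMPLE_RULES = """
80    -> 10.10.0.5:80      # NVR web UI
8000  -> 10.10.0.5:8000    # NVR client app
554   -> 10.10.0.5:554     # NVR RTSP
8081  -> 10.50.0.11:80     # lobby camera, forwarded directly
51820 -> 10.10.0.1:51820   # VPN gateway
"""

if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_RULES)):
        print(f["rule"], "|", "; ".join(f["reasons"]), "|", f["fix"])
```

Note that the camera rule on external port 8081 is still caught: moving a forward to a non-standard outside port does not hide the device, since Shodan indexes whatever answers on the port, so the check keys on the inside address and service rather than on the WAN port number.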
6. Attack Vector 3: The “Backdoor” Account
Some cheap, “White Label” manufacturers (often rebranded by multiple companies) have hidden hard-coded accounts for “Technical Support.”
- Example: You set a strong password, but the camera has a hidden user named “service” with a fixed password that cannot be changed.
- Defense: Only buy NDAA-compliant equipment (National Defense Authorization Act) from reputable manufacturers who publish firmware vulnerabilities (CVEs).