How A Scottish Hacker Tried To Hack My Security Camera … and why he failed.

If you’ve ever worried about how secure your IT stuff is then you’ll find some useful ideas in this story.

I have a camera on my house right now and, every time it reboots, a computer near Glasgow tries to login.  It tries using a “brute force password attack” which simply means it tries lots of passwords very quickly and hopes that it’ll get lucky.   

And you can get pretty lucky when you try 800 billion passwords every second.  ( I doubt if my hacker, who I’ll call Wee Jock McNasty, has that sort of computing power but that is the sort of thing that networks of computers called botnets have at their disposal ).

Anyway if you want to make sure no-one can use your very own system to spy on you then here’s some practical tips.

Don’t Use The Default Login

If you do use the default then the hacker might succeed after just 1 attempt, which is a bit less effort than 800 billion per second.

Anything can be hacked yes that’s the golden rule of hacking, but it’s not the question. The question is one of workload and intent. The harder something is to hack, the more resources / $ required, the less likely you’re going to be hacked (unless you’re a bank or Sony or someone with something worth spending that sort of money hacking). To put things in perspective a decent BotNet can cost in the millions per hour to hire.

Use An Unbreakable Password

So always use a password with at least 9 ( not 8 ) characters.    Using our 800 billion per second hacking computers a 5 character password takes 0.03 seconds, 8 characters takes 2.6 days and a 9 character password takes 9.1 years.

If you want an unbreakable password here’s the trick:   simply use four simple four letter words separated by a -.  Throw in a weird character in the middle of just one of the words and you’re even safer e.g. ball becomes ba>ll.   If you must, by all means use four unusual words to thwart a dictionary attack even more but don’t worry about doing all those things that everyone does that don’t work very  well ( like using symbols instead of letters or using capitals ).

Use A Camera With Intrusion Detection

Fortunately my camera has a built in firewall with Brute Force Protection.  So even if Wee Jock McNasty did have computing power capable of trying 800 billion passwords every second, he’d be stopped after just 5 attempts and locked out for say 30 minutes before he could try again!  That’ll slow him down a bit.

Use A Camera With 2048 Bit Encryption

Let’s say he managed to get hold of the video stream from my little camera ( which shows my carport and driveway by the way so Wee Jock might get a bit bored if he ever did get to see it - which he won’t ).  The problem is the data from my camera is encrypted using the very latest standards: X.509, AES-256, SHA1 and 2048 bit Public Key Encryption.

To put that 2048 bit into perspective …

If Wee Jock McNasty had a computer when the universe got started about 14 billion years ago ( sorry Young Earth Creationists but 6000 years ago humans had already been drinking beer for 3000 years ) and he had been trying to decode the data since then, he would have made some progress true.  The trouble is he’d have to repeat that effort another half a million times! ( just too much work ).

Of course for higher security applications than my carport you can use a system which supports IEEE 802.1x with up to EAP-TTLS (MD5).  That’s military or banking grade network security.

Use a Camera With Other Nice To Have Security Features

My camera LEDs show a live view, so you have a physical indicator if you are being watched.

The encrypted video stream is already encrypted in a manufacturer specific format.

All recordings are digitally signed. (audio, video, and any input data)

There’s a ‘Privacy Mode’ which allows me to instantly scramble the access to the camera so no-one ( not even me ) can see the live video and the recording is stopped too. Celebrities use this on their mansions when they’re entertaining apparently.

An OpenVPN client is built in to the camera so accessing it remotely is even more secure.

Cameras Like This Are Available in Auckland Today

If you want to take sensible steps to protect your business or your castle, all you have to do is ask!

By the way in case you’re wondering how I know Wee Jock is in Glasgow, I see his IP address every time he tries!  Then a geolocation website is just a google search away.

As an experiment I contacted the Scottish Police.  They put me onto the NZ Police who put me onto Netsafe … who suggested I contact the Scottish or NZ Police ( but to be fair at least Netsafe did also offer some other suggestions ).

I'll let you know how I get on.