What if I told you I was going to sell you a security tool? Now, this tool won’t actively do anything—it’s not going to stop anyone from doing anything. It might deter them, but most likely, they’ll ignore it. Not only will the criminals ignore it, but statistics say your employees, managers, and whoever else likely won’t look at alerts either (if you even have them). After a break-in, this tool will provide you with an idea of what happened, but the likelihood of using it to identify someone isn’t great. Oh, and the people setting it up have never actually broken into a facility before, so the placement is often poor, with installation issues left and right that allow the system to be bypassed or turned off. WHO WANTS ONE!?!?
CCTV cameras are the poster children of security theater. They record everything, sure, but they’re about as useful in the moment as a chocolate teapot. When a crime goes down, the cameras dutifully capture it all—giving you a great video to watch after the fact but doing zilch to stop the criminals in their tracks.
And let’s talk about image quality. Have you ever tried identifying a thief from a grainy, night-time shot? It’s like playing “Where’s Waldo?” with a side of frustration. Plus, there are always those sneaky blind spots that criminals seem to know better than the installers do (cough, cough, ask a Red Team, cough, cough).
Security Theater at its finest!
The Human Element—or Lack Thereof
For CCTV to be effective in real-time, you need someone watching the feeds around the clock. But who has the manpower (or the budget) for that? Most of the time, footage just sits there, gathering digital dust until someone needs to play detective. Without an alert or obvious sign of trouble, no one’s checking those feeds. So, unless your intruder is kind enough to hold an “I’m a criminal” sign to the camera, your stuff is as good as gone.
As a Red Teamer, many times our scope includes not bypassing alarms—yes, that means purposefully setting them off. We have done hundreds of Red Teams, and I can count on one hand how many of the alarms we set off were actually monitored and responded to. Typically, we set off the alarm, stroll across the street, and sit at a park or coffee shop to watch the facility. Nothing happens. No one shows up—no police, no security, not even a manager. Then we simply go back into the facility with our persistent entry and complete the job. Yes, I know, alarms and CCTV aren't the same, but nearly every one of those facilities also had CCTV. If someone had checked when the alert went off, they would have seen two people bypassing locks to get into the facility.
Poor Setup and Open Access
A major issue with CCTV systems is that they are often set up incorrectly. The feed ends up being broadcast on the local network, and many times the IP address is open to the public. This means that anyone with a bit of tech know-how can tap into the cameras. We’ve seen countless instances where a simple Shodan search reveals the IP addresses of publicly accessible CCTV feeds. It’s like putting your security footage on YouTube and hoping no one notices.
The improper setup doesn’t end there. Often, the people installing these systems have never actually broken into a facility themselves, so they miss critical vulnerabilities. They place cameras in obvious spots where they can be easily avoided or disabled. Worse still, installation issues such as exposed wiring or poorly secured cameras allow determined intruders to bypass or disable the system entirely. Before all of the installers start yelling at me, we all have seen poor work, and it is more common than uncommon. If you’re doing good work, good on you!
Poor Set up
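A defender can check for the open-feed problem described above by auditing their own camera inventory against the edge firewall's port forwards. This is an added example, not code from the original post; the inventory format, field names and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data: camera inventory and edge-firewall port forwards.
# Every name, address and field here is hypothetical.
CAMERAS = [
    {"name": "lobby", "ip": "192.168.10.21", "ports": [80, 554]},
    {"name": "dock", "ip": "192.168.10.22", "ports": [554]},
    {"name": "lot", "ip": "203.0.113.40", "ports": [80, 554]},
    {"name": "server-room", "ip": "10.20.0.5", "ports": [443, 554]},
]
PORT_FORWARDS = [
    {"wan_port": 8554, "lan_ip": "192.168.10.21", "lan_port": 554, "source": "any"},
    {"wan_port": 8443, "lan_ip": "10.20.0.5", "lan_port": 443,
     "source": "198.51.100.0/24"},
]

# Only RFC 1918 ranges count as internal. ipaddress.is_private is avoided
# because it also covers documentation ranges such as the sample 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_exposure(cameras, forwards):
    """Return (camera, severity, detail) for every path from outside to a camera."""
    findings = []
    for cam in cameras:
        if not is_internal(cam["ip"]):
            findings.append((cam["name"], "high",
                             "camera sits on a publicly routable address"))
        for fw in forwards:
            if fw["lan_ip"] != cam["ip"] or fw["lan_port"] not in cam["ports"]:
                continue
            # A forward open to any source is an open feed; a source-restricted
            # one still deserves a check that the allowed range is current.
            severity = "high" if fw["source"] == "any" else "review"
            findings.append((cam["name"], severity,
                             f"WAN port {fw['wan_port']} -> camera port "
                             f"{fw['lan_port']} from {fw['source']}"))
    return findings


if __name__ == "__main__":
    for name, severity, detail in audit_exposure(CAMERAS, PORT_FORWARDS):
        print(f"[{severity}] {name}: {detail}")
```
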
The Path Forward
So, how do we turn these glorified spectators into real crime-fighters? The answer lies in technology, policy, and procedure. Integrate AI and machine learning, and you’ve got a game-changer. These systems can analyze footage in real-time, flagging suspicious behavior and alerting someone instantly. This makes the cameras proactive rather than reactive.
We also need to upgrade camera tech. High-definition cameras that can handle low light conditions make a world of difference. Proper placement is key too—cover all those sneaky blind spots and ensure comprehensive coverage of vulnerable areas.
All the tech in the world isn’t going to ensure those responsible are doing their due diligence. We attack facilities at 1 a.m. for that very reason—we want to see if the manager or whoever is monitoring the CCTV, alarm, etc., will even wake up. What is the policy? Is there a procedure if you’re on vacation and your alert goes off? Does the alert go to multiple people? Do you review your camera logs, alert or no alert, every day? Why or why not?
The No-Alert Issue
Here’s the unfortunate reality: if an intruder manages a covert entry, without an alert, no one’s going to check the footage. Why would they? There’s no obvious reason to suspect anything is amiss. It’s like expecting a smoke alarm to go off silently and still prevent a fire. Without real-time alerts or proper policy and procedure, CCTV is just another way to watch your stuff disappear in grainy high definition. You should check, but almost no one does, and for those of you who say your organization does… get a Red Team to test it. You might be very disappointed and surprised.
No one is alerting anyone here
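The policy questions above (does the alert reach more than one person, does anyone respond, is footage reviewed on days with no alert) can be measured from the alert history. This is an added example, not from the original post; the record fields, the 15-minute response threshold and the sample data are constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample records; field names and values are hypothetical.
ALERTS = [
    {"id": "A1", "raised": "2024-03-02T01:07", "recipients": ["manager"],
     "acked": None, "footage_reviewed": False},
    {"id": "A2", "raised": "2024-03-04T13:30",
     "recipients": ["manager", "security-desk"],
     "acked": "2024-03-04T13:34", "footage_reviewed": True},
    {"id": "A3", "raised": "2024-03-05T01:15", "recipients": ["manager", "owner"],
     "acked": "2024-03-05T07:50", "footage_reviewed": False},
]
# Days on which someone logged a routine footage review, alert or no alert.
ROUTINE_REVIEWS = {"2024-03-04"}


def audit_alerts(alerts, max_response=timedelta(minutes=15)):
    """Map alert id -> list of procedure gaps (an empty list means handled)."""
    report = {}
    for a in alerts:
        gaps = []
        if len(set(a["recipients"])) < 2:
            gaps.append("SINGLE_RECIPIENT")   # one person on vacation = no response
        if a["acked"] is None:
            gaps.append("NO_ACK")
        else:
            delay = (datetime.fromisoformat(a["acked"])
                     - datetime.fromisoformat(a["raised"]))
            if delay > max_response:
                gaps.append("SLOW_ACK")
        if not a["footage_reviewed"]:
            gaps.append("NO_FOOTAGE_REVIEW")
        report[a["id"]] = gaps
    return report


def days_without_review(first, last, reviewed):
    """List ISO dates in [first, last] with no routine footage review logged."""
    missing, day = [], first
    while day <= last:
        if day.isoformat() not in reviewed:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


if __name__ == "__main__":
    print(audit_alerts(ALERTS))
    print(days_without_review(date(2024, 3, 2), date(2024, 3, 5), ROUTINE_REVIEWS))
```
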
Real-World Lessons
Take London’s extensive CCTV network. It’s great for post-crime analysis but hasn’t done much to prevent crimes. On the other hand, smart cities like Singapore and Dubai are integrating CCTV with other technologies, creating a more effective urban security network. These systems are linked with traffic sensors and social media feeds, providing a comprehensive and proactive approach to security.
And then there’s Bosch’s Automated Night Watch solution, a step in the right direction. This system uses AI to analyze footage and generate real-time alerts for suspicious activities. However, it’s far from perfect. The effectiveness of such a system hinges on having someone on the other end who actually responds to these alerts in real-time. Without real-time human intervention, it’s just another high-tech way to watch your stuff get stolen. It’s a good system, but it still needs to be buoyed with proper policies and procedures. (Dear Bosch, please send all spifs to Kaiju Security)
Automated Night Watch
CCTV systems have the potential to be much more than passive observers if we use them correctly. Organizations need to embrace technological advancements, focus on real-time response along with proper policies and procedures, and then TEST the humans who are supposed to implement and follow those policies and procedures. With some advancements and small adjustments, we can turn these cameras into true defenders of public safety. Let’s make our surveillance systems work smarter, not just harder, and turn those front-row seats into actual security measures.
As a “professional thief”, unless it’s something like a nuclear facility where I know someone is watching the cameras, no one is afraid of the CCTV you have right now.