Security-related events and commentary from around the web, with emphasis on issues that affect physical, electronic, and data security management.
This post will be updated periodically with statistics, links, and other information related to shoplifting, theft/fraud, and the security industry in general.
Shoplifting & Loss Prevention Studies & Stats
12-07-2012: Centre for Retail Research “Shoplifting for Christmas 2012” study (US)
12-04-2012: NRF article quoting estimates that return fraud will cost U.S. retailers $2.9B this holiday season. The estimates were derived from survey responses – the details of which are available here.
Security Industry Stats
12-07-2012: Freedonia Security Industry Growth Report. “US demand for private contracted security services is projected to increase 5.2 percent annually to $63.8 billion in 2016. The market will be supported by a high perceived risk of crime (from conventional violent and property crimes to white collar crimes and terrorism) and a concern that public safety officials are overburdened. The outsourcing of security activities to contracted firms, instead of relying on in-house security, will support demand. The privatization of some public safety operations, such as guarding government facilities and correctional facilities management, will also boost gains.
Security services that capitalize on continuing technological developments hold especially good prospects. For instance, both security consulting and systems integration revenues will see above-average growth. Security consultants and systems integrators are able to manage a wide variety of services when creating, upgrading or implementing security plans and when installing or upgrading complex electronic security devices. In addition, the trend toward more sophisticated and automated security electronics that are increasingly integrated with other building operations will boost growth for these services.”
General Crime and Other Stats
As most know, the adoption of Radio Frequency Identification (RFID) technology by U.S. retailers has been very slow – even among companies that operate exclusively out of manufacturing centers and warehouses, where RFID is easier to deploy (compared to brick and mortar retail). When examining a recent Shutterfly order, it appears that the online provider of photo prints and gifts decided to take the plunge and use disposable tags as part of their order fulfillment process. I took a few pictures (below) for those interested. The chip and antenna were secured on a clear substrate stuck to the shrink-wrap that surrounded my order. It was difficult to spot, and I almost threw it away.
This is the first time I’ve found tags on made to order products like these…
Here is a visual summary of the Bring-Your-Own-Device trend, and the impact on IT and data security. I did not personally review the sources for the statistics – and some of them are probably debatable – but it is interesting nonetheless… You can click the image to read the original post and view a larger version.
As reported by Parity News and others, certain Samsung printers (as well as some Dell printers manufactured by Samsung) have been found to contain a hardcoded SNMP “community string” with administrative privileges that remains active even when SNMP is turned off. This could allow a remote attacker to take control of the device, and potentially use it to launch attacks or otherwise compromise the integrity of the printer and network. This type of vulnerability has been seen in copy machines and printers before, but it is a reminder that unused or undocumented capabilities in network devices can be a very weak link.
Consider the multitude of IP cameras, some of which have already been shown to contain similar weaknesses, then add the growing range of network-enabled alarm panels, access control devices, DVR/NVRs, and EAS pedestals. Even large manufacturers who have deep expertise in network security are not immune, as the Samsung story illustrates, so as an industry we will need to partner closely with IT to add layers of protection where they make sense. Some of the precautions insisted upon by experienced CIO/CSOs, like network isolation and port/IP filtering, will need to make their way down into smaller deployments to reduce the chances of a flaw being exploited. Integrators are wise to take these potential threats seriously when designing a system.
Here is the US-CERT Vulnerability Report
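Because a hardcoded community string keeps working even when SNMP is switched off on the device, the control that matters is the network filter, not the device setting. The following is an added example (not from the original post or any vendor) that checks which devices remain reachable on SNMP from outside a management subnet; the addresses, device names, rule format and first-match semantics are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: management subnet, probe sources, inventory, ACL.
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")
SOURCES = {
    "corp-workstation": "10.0.10.50",
    "guest-wifi": "10.0.50.7",
    "mgmt-host": "10.0.99.10",
}
DEVICES = [
    {"name": "printer-2f", "ip": "10.0.20.15", "snmp_disabled_in_ui": True},
    {"name": "cam-lobby", "ip": "10.0.30.21", "snmp_disabled_in_ui": False},
    {"name": "nvr-01", "ip": "10.0.30.5", "snmp_disabled_in_ui": True},
]
# Hypothetical ACL format: first matching rule wins, unmatched traffic is denied.
ACL = [
    {"action": "permit", "src": "10.0.99.0/24", "dst": "10.0.30.0/24", "proto": "udp", "port": 161},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.0.30.0/24", "proto": "udp", "port": 161},
    {"action": "permit", "src": "10.0.0.0/8", "dst": "10.0.20.0/24", "proto": "any", "port": None},
]

def first_match(acl, src, dst, proto, port, default="deny"):
    """Return the action of the first rule matching this flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and rule["proto"] in ("any", proto)
                and rule["port"] in (None, port)):
            return rule["action"]
    return default

def snmp_exposure(devices, acl, sources, mgmt_net):
    """List (device, source, snmp_disabled_in_ui) where UDP/161 is permitted
    from a source outside the management subnet. The device's own SNMP
    setting is reported but deliberately not trusted as a control."""
    findings = []
    for dev in devices:
        for label, src in sources.items():
            if ipaddress.ip_address(src) in mgmt_net:
                continue  # management hosts are expected to reach SNMP
            if first_match(acl, src, dev["ip"], "udp", 161) == "permit":
                findings.append((dev["name"], label, dev["snmp_disabled_in_ui"]))
    return findings

if __name__ == "__main__":
    for name, source, disabled in snmp_exposure(DEVICES, ACL, SOURCES, MGMT_NET):
        note = "SNMP shown as disabled on device" if disabled else "SNMP enabled"
        print(f"{name}: UDP/161 reachable from {source} ({note})")
```

In the sample data the printer is flagged even though its interface reports SNMP as disabled, because a broad permit rule for its subnet lets UDP/161 through.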
When most people think about tracking people or things, RFID and GPS probably come to mind first. That’s not to say there aren’t plenty of other technologies just waiting to be put to good use. The Wallet TrackR is a project that uses Bluetooth Low-Energy to maintain contact between a small device and a smartphone or tablet. From their website:
“The Wallet TrackR fits easily into any wallet – just like a credit card. When combined with the free Wallet TrackR iPhone app, it becomes a powerful new tool to keep you from losing your wallet. When the Wallet TrackR gets separated from your iPhone or iPad, the Wallet TrackR app gently alerts you that you may be leaving your wallet behind. The app also takes a GPS snapshot of where your wallet was at the moment of separation in case you didn’t hear the alert. Tap a button within the app to make your wallet “ring” in case you’re looking for it around the house or in the dark. The technology works both ways, which means your wallet can beep to alert you that you’re leaving your phone behind. Works with your iPhone 4S, iPhone 5, new iPad, iPad mini and the new iPod Touch.”
Just like low-power mesh RF networks (802.15.4 / Zigbee) have shown promise as a tool for tracking objects and collecting data, Bluetooth Low Energy may enable interesting security and product protection solutions. The range, of course, will be much shorter – but the popularity of Bluetooth in existing handheld platforms makes it an intriguing option to explore.
The Wallet TrackR is still seeking backers for its first production run. I signed up for one, and will update this post when it arrives…
This post will be updated periodically with information related to 4G / LTE vulnerabilities and strengths.
A post on ExtremeTech analyzed a claim published by MIT Technology Review that LTE networks can be shut down using a “simple jamming trick” utilizing a cheap software-defined radio. Their assessment was that it would be far more difficult than implied by the authors – both in terms of practicality (large transmit power requirements) and scope (attacks would affect close range devices only – not a whole geographic area).
Nevertheless – and unsurprisingly – it appears that LTE devices may be vulnerable to specific methods of jamming, just like other common wireless systems. As always, where wireless is used for security communication, multiple paths are a necessity.
A recent article in Security Systems News summarized the efforts of Pine Bluff, Arkansas to create an ordinance requiring surveillance cameras at convenience stores and restaurants.
Despite support in the wake of a tragic event – the shooting death of a store clerk during an attempted robbery – this effort is destined to fail. As an integrator for most of my career, I should laud the initiative… after all, nothing sells a system (and service agreement) faster than a government mandate. The reality, however, is that this requirement would do little to improve the safety of store employees – the sponsoring Alderman’s stated goal – while creating a significant burden for those charged with its execution and enforcement.
Without delving into the challenges around ensuring system functionality (i.e. auditing and health monitoring), one needs only to consider the most basic problem of defining what equipment should be required. Cameras at the points of entry? What about each point-of-sale terminal? The safe? What about non-public areas like receiving docks and the manager’s office? What resolution and camera features should be specified? If the cameras are not capable of producing an image that would allow identification of a suspect, but are otherwise functional, is the business in compliance? If the picture is washed out at certain times of day due to strong back-lighting, is the business in compliance? How much video storage will be required? How long is too long to complete a repair? The list goes on and on…
Clearly, there is a problem here. Make the requirements vague and you create a false sense of security while unintentionally defining a “minimum standard” that will not deliver results. The other extreme is worse: Specifically defining an acceptable system is a complex task, and may result in unintended consequences such as increased litigation, conflicts with industry standards, and high compliance/administration costs. Settling somewhere in the middle would likely be so subjective as to be useless.
I give credit to the Pine Bluff Police Department and George Stepps, the Alderman, for wanting to deter crime in a more proactive way, and I agree that cameras can help, but ordinances like this are the wrong strategy. Just look at the debate surrounding the NFPA 730/731 standards. Even working groups within the security industry don’t agree on system design best practices. How much time and money would be spent building a city program that would exist under constant scrutiny and revision?
The best way to get video systems installed – long term – is to promote their use, publish guides and statistics, and get buy-in from the business owners. Special tax incentives and licensing discounts are two ways that government involvement could promote this technology from a distance.
The ROI and deterrent value of video surveillance has always been difficult to quantify – especially for businesses without Loss Prevention departments – but when the benefits are understood, the decision is easy. Business owners need to be educated about these systems, including the many advanced features available today. I expect that our legal system will continue to help the cause, by shielding those who take appropriate preventative measures, and punishing those who ignore known risks.
This is a call to action for integrators and business owners alike. When something as fundamental as basic video surveillance has to be mandated, we’re not doing our jobs.
12-07-2012: Security Director News article with additional commentary
12-19-2012: The City Council passed a revised version of the ordinance. See this post for more…
One of my more unusual “hobbies” is closely watching the mix of low-cost video surveillance products available from manufacturers, resellers, and wholesalers, which has expanded and improved over the past several years. From the exhibitors at the Asia Pavilion at ISC West, to the myriad options on eBay and Alibaba, there are literally hundreds of sources of inexpensive video equipment. Are there bargains to be found, or do the risks outweigh the rewards?
I occasionally purchase products through these channels – mostly out of curiosity – and thought I would share some recent experiences. First of all, a spoiler: I wouldn’t consider purchasing any of these cameras or DVRs in bulk without a substantial undertaking to ensure regulatory compliance (e.g. FCC), quality assurance, component validation, and the impact of shipping, taxes and duties on the final price. That said, when a 700TVL Sony CCD camera with OSD controls, IR LEDs, and a waterproof housing can be had for under $50USD delivered, my curiosity gets the better of me.
With the analog camera market shrinking, and consumer expectations around image quality rising, it makes sense that quality components would begin to creep into the lower-end of the product spectrum. It is a nice change. Over the past six or eight years, I have purchased about a dozen low-cost cameras from a variety of sources – including a few from U.S.-based distributors like SuperCircuits. Most had poor (or abysmal) video quality, mediocre construction, and a short lifespan, but if you expect too much from any of these off-brand units, you’re going to be disappointed. That said, the difference today – at least in specifications – is significant versus just a couple of years ago. There is a wide range of high-resolution (500-700TVL) color cameras for under $100, and if you can live with lower resolution, prices can drop below $20. Even cameras with more expensive features like varifocal lenses, wide-dynamic range, mechanical IR-cut filters, and dual 12VDC/24VAC compatibility are commonly found for less than half of what you would expect to pay – even at wholesale – from a reputable supplier.
I decided that it was time to upgrade my aging home surveillance system, and in the process, evaluate a couple of bargain cameras and a DVR (see separate post for a summary of the recorder). After combing through a field of options, I settled on two cameras that each had a difficult-to-believe combination of features and price. These were my selections, both from AliExpress:
My existing DVR was a GE StoreSafe Pro, a commercial-grade product that was popular with retail stores for its reliability and ease of use, but is now obsolete. The two cameras I replaced were of moderate quality – both were purchased from U.S. distributors and fit into the middle of the pack (among bullet and ball-dome IR equipped cameras) as far as cost and specs were concerned. Over the years, their LEDs began to dim and picture quality slowly degraded to the point that I had these views:
I swapped out the front door camera with the white “generic” 700TVL camera first. Here is the image on the GE recorder:
And here – as a preview – is the image captured by my new (very inexpensive) D1/H.264 recorder:
The image is already much better, despite some harsh lighting in the scene, but the overall quality of the image is still below what I prefer for such a close shot.
I will update this post with images from the Sony-chip camera as soon as I run some cable… I decided to keep the existing driveway camera and add backyard and front yard shots. More soon…
UPDATE 12-19-2012: Still haven’t had time to run my new cable, but here are images from the unboxing of the Sony chipset 700TVL camera:
There have been a number of articles and proof-of-concept hacks in recent years illustrating vulnerabilities in IP camera software, access control systems, and the like. Some have raised awareness about fundamental flaws in technology – like the relative insecurity of common proximity card readers, unprotected programming access to a locking system, and simple methods to access a camera’s video feed. Most of the attention following these announcements is focused on the ability of a device to be bypassed or viewed (in the case of a camera), which misses a critical point.
While it is concerning that a replay attack can spoof an access card, and that an IP camera may not provide adequate security against unauthorized viewing, the real danger lies in the potential of these systems to be hacked and modified to serve some other purpose. Here are a few examples – and a prediction: We will see one or more of these in the wild within 24 months.
Scenario One: The IP Camera Worm
Many IP cameras are designed using FPGAs, not microprocessors, so their ability to run arbitrary code is limited. This trend is changing, however, and as cameras adopt a more standards-based architecture, they will become powerful edge devices running operating systems that can be attacked like any other. Some higher-end models can already run cron scripts, handle video analytics, and manage local storage of data. They are, without exaggeration, computers with a lens and network connection. They are also commonly thought of as “appliances,” with a plug-and-play approach applied to many projects. It is feasible that a worm or other malware could infect these devices as early as the point of manufacturing, or when they are plugged into the installer’s laptop for programming. The software might lie dormant or attempt to infect other cameras or computers on the same network. Affected devices could even be used to launch a Denial of Service (DoS) attack against the recording server or some other target. The common practice – at least in larger systems – of segmenting cameras onto their own LAN might help to reduce this potential, but since the recording server is usually connected to other network(s) for remote viewing and administration, malware capable of infecting the server is a logical progression of this threat.
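On a segmented camera LAN the expected traffic is narrow: cameras talk to the recorder and little else, so camera-to-camera connections or traffic leaving the segment stand out. The following is an added detection example (not from the original post) run over constructed flow records; the subnet, the allowed peers (a recorder and a time server), the CSV layout and the fan-out threshold are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("10.0.30.0/24")   # constructed camera LAN
ALLOWED_PEERS = {"10.0.30.5", "10.0.99.2"}          # constructed: NVR, NTP
FANOUT_LIMIT = 3   # distinct unexpected destinations tolerated per camera

# Constructed flow records (timestamp, source, destination, destination port).
FLOWS = """\
ts,src,dst,dport
2012-12-19T10:00:01,10.0.30.21,10.0.30.5,554
2012-12-19T10:00:02,10.0.30.22,10.0.30.5,554
2012-12-19T10:00:05,10.0.30.22,10.0.30.21,23
2012-12-19T10:00:06,10.0.30.22,10.0.30.23,23
2012-12-19T10:00:07,10.0.30.22,10.0.30.24,23
2012-12-19T10:00:08,10.0.30.22,10.0.30.25,23
2012-12-19T10:00:09,10.0.30.21,10.0.99.2,123
2012-12-19T10:00:10,10.0.30.23,203.0.113.9,80
"""

def detect(flow_csv, camera_net=CAMERA_NET, allowed=ALLOWED_PEERS,
           limit=FANOUT_LIMIT):
    """Flag camera-originated flows to anything other than the allowed peers.

    lateral: camera to another host on the camera LAN
    egress:  camera to a host outside the camera LAN
    fanout:  cameras contacting more than `limit` distinct unexpected hosts
    """
    alerts = {"lateral": [], "egress": [], "fanout": []}
    peers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        if ipaddress.ip_address(src) not in camera_net or src in allowed:
            continue  # only traffic originated by cameras is judged
        if dst in allowed:
            continue  # expected: video to the recorder, time sync
        kind = "lateral" if ipaddress.ip_address(dst) in camera_net else "egress"
        alerts[kind].append((src, dst, int(row["dport"])))
        peers[src].add(dst)
    alerts["fanout"] = sorted(s for s, d in peers.items() if len(d) > limit)
    return alerts

if __name__ == "__main__":
    for kind, items in detect(FLOWS).items():
        print(kind, items)
```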
Scenario Two: The surveillance DVR/NVR (Network Video Recorder) as a point of entry into corporate networks
Executives like video surveillance systems – and for good reason. As networks and video quality have improved, these systems have saved organizations tremendous amounts of money. Investigations can be performed more efficiently, guards can be reduced, travel costs can be cut, and the list goes on. This means, of course, that the video systems need to be accessible to various departments via the corporate network. Most implement some type of basic security, like requiring a remote user to connect over a VPN, but few have taken steps to totally isolate the video traffic from other network systems. Since many DVRs and NVRs are full-fledged PCs running Windows or Linux, they are vulnerable to the same kinds of attacks as any other server or workstation, but they are easily overlooked and could become a “zero-day” vulnerability or convenient back door into the network.
Scenario Three: Unintended “Integration”
Every year, security hardware and software moves closer to delivering on the promise of interoperability. It has been a long road, and there are still miles to go, but today’s systems come equipped with protocols for a variety of devices, in order to enable integration. This means that building a “security network” within an enterprise often makes sense. To gain the full benefit from your systems, they need to be able to interact, and since capabilities are sure to be added later – anything that might need to share data ends up on the same segment. When industrial controllers, manufacturing equipment, or other critical systems make this list, the scene is set for security devices to be used as a launchpad for espionage or manipulation. It can seem logical to group these systems together – after all, the “security network” should be a safe place for any important devices, right?
So, why is a hack inevitable?
Fundamental to the problem is that these systems and devices are routinely installed without sufficient thought given to security, and without a plan for ongoing monitoring and maintenance. Furthermore, some of the latest features of alarm panels, home automation controllers, IP cameras and DVRs require Internet access or remote server connections just to function properly, opening a vector of attack that, again, is not well understood or monitored. This means that segmenting a network or “sandboxing” the application may not be an option unless the owner is willing to sacrifice functionality.
I realize that it is not much of a stretch to predict that a hackable device connected to a network might be used in a new and nefarious way… but let’s hope I’m just plain wrong.
DVRs are being targeted by hackers, says security expert – Article discussing vulnerabilities in consumer DVRs
Bypassing IP Camera Authentication (example)
OpenIPCam site, dedicated to hacking various cameras and the development of custom firmware