How to Hack CCTV Cameras in a Secured Network by Jamming WPA2/3 Exchange packets

Frankline Misango
6 min read · Sep 18, 2024

Cover image: source (Wikimedia Commons/anon)

Disclaimer: This article is for educational purposes and seeks to promote ethical hacking and superior cybersecurity practices in organizations and private entities. It does not advocate for any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set vulnerable. I, therefore, absolve myself from any future unauthorized scripting from parties reading this article that may compromise the integrity of respective access to unauthorized wireless networks.

Hey! Your hacker is back again. Today, I want to show you how to hack CCTV cameras in a network system. Hacking a CCTV is a game of patience and rerunning the scripts (expect to curse a lot!). Today, we will be cracking my CCTV camera, which I just picked up at Fortress Hill in Hong Kong for a couple of bucks.

Look at me below:

Victim's camera: Me knowing I am about to hack myself lol

Theory of Literature:

Simple depiction of IPcorder NVR with cameras, source (Wikimedia Commons: Petr Novák, Wikipedia)

Too much academics! I advise you to watch this video below to understand the network architecture of a CCTV camera: how it connects to the router and receives information, enabling real-time video rendering to the user's monitoring dash cam.

Requirements

  • Kali Linux — install Kismet, Aireplay-ng (pre-installed), Airmon-ng (pre-installed)
  • External USB adapter (optional: you can use the inbuilt NIC)
  • A Wi-Fi router — already connected if possible (if not, you can read my article here on how to hack a network password and sign onto it)
  • CCTV camera(s) — wirelessly connected

Laboratory procedures

  • Set the attacker's wireless USB Wi-Fi dongle/NIC to monitor mode using root privileges (su), i.e.
  1. Run sudo airmon-ng start wlan0 → run ifconfig and check whether it has been renamed to wlan0mon. This sets our adapter to observe the networks and not connect to the internet at that time. Take note of the interface: wlan0mon
  2. Run sudo kismet and start the configuration as shown below:

Open the following link in the browser: http://localhost:2501

Once it is open, click on the far left three bars to open the side bar

On the side bar, select Data sources

Enable source wlan0mon and click close: the window will start populating with the devices in our vicinity. In normal circumstances, most CCTV cameras have a MAC address that starts with numbers : n

Now, we need to know the MAC address of our CCTV for the purpose of this tutorial. As you can see, I already have mine as below (checked it from my router and managing app as shown below).

Confirmed from my TP-Link app
Re-confirmed from my router admin page.

Now that I have the MAC address, I need to search for it in the list of devices that populated the Kismet page. Simply go to search and type the MAC address in the search box (I initially typed the number 20:23….) and the device came up. Click on it to get more information, as showcased below.

Kismet device search: This device is my CCTV apparently

Now, we need to take note (write down or be ready to copy-paste) of 3 things:

  1. MAC address of the CCTV again → 20:23:51:47:74:7E
  2. MAC address of the main router → we can see from above that it is the client of the router with MAC address → 50:D4:F4:10:B4:88
  3. Channel, labeled ch on the image above, which is ch 4

Now, before hacking, we need to observe the number of packets being exchanged between the CCTV and the router, i.e.:

Router back end showing us the devices connected to it… our CCTV is number 6

We note that our CCTV was doing around 739 received and 486 sent packets, which means the signal is strong and there is communication. Also, if you look at your router, it should still have the green LED color on the blip (not very clear from my picture) → Tutorial on c100 connectivity explaining the color modes.

My CCTV lol

Now, it's time to attack the CCTV!

We do this by carrying out the deauth attack using aireplay-ng to start network jamming:

First, we re-run airmon-ng with the channel in mind:

sudo airmon-ng start wlan0mon 4 (specify 4 since it is the channel)

sudo aireplay-ng -0 0 -a <MAC address of the router (BSSID of the AP)> -c <MAC address of the client device> wlan0mon

as shown below

Sending Deauth packets

To explain what the aforementioned instructions are doing: the -0 option selects the deauthentication attack, so deauth packets will be sent to the device with the access point posing as the source. The number that follows is how many to send: you can select a fixed quantity here, or you can send a continuous stream of deauth packets, as indicated by the 0 that follows.

-a : sets the MAC address of the Wi-Fi access point the device is linked to.

-c : The device we want to disconnect from the network will have

Great! We are now sending the deauth packets. If you go back to the Kismet messages, we can see the deauth packets being sent:

Messages from the kismet with updates from the Deauth

Bingo! I can now start seeing the CCTV beep red, indicating an unstable network:

CCTV — red blips

Now, I need to observe the router connections in the back end and see how many packets are being exchanged between the CCTV and the router. As expected, there is a drop to only 2 packets on average, down from 700–900, indicating the connection is seriously being jammed!

I could also observe the lag on my CCTV monitoring dashboard, like low latency to reactions and warnings of an unstable network. With this lag, recording is hampered and real-time quick intended actions can be taken: it's up to you.

Defending your CCTV from deauth attacks:

  1. Never share the password of the Wi-Fi network it is connected to
  2. Always use wired connections for critical infrastructure like CCTV
  3. Avoid cheap CCTV cameras!
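
The burst of deauth packets seen in the Kismet messages earlier is also something a defender can alert on. The following is an added example, not part of the original article: a Python detector that parses bare 802.11 headers, picks out deauthentication frames and flags any access point/station pair hit by a burst of them. The MAC addresses, the threshold of 10 frames per second and the sample capture are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

def mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for an 802.11 deauth frame, else None.
    Expects the bare 802.11 header (radiotap already stripped)."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(records, window_ms=1000, threshold=10):
    """records: time-ordered iterable of (timestamp_ms, raw_frame). Returns
    [(bssid, station, alert_time_ms)] for each AP/station pair that sees
    `threshold` or more deauth frames inside one sliding window."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in records:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, src, bssid, _reason = parsed
        station = dst if src == bssid else src  # count both directions under one pair
        seen = recent[(bssid, station)]
        seen.append(ts)
        while ts - seen[0] > window_ms:
            seen.popleft()
        if len(seen) >= threshold:
            alerts.setdefault((bssid, station), ts)  # keep the first alert time only
    return [(b, s, t) for (b, s), t in alerts.items()]

# --- constructed sample capture (made-up MACs, not taken from the article) ---
AP, CAMERA, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def sample_frame(fc0, dst, src, bssid, reason=7):
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([fc0, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

SAMPLE = [(0, sample_frame(0xC0, LAPTOP, AP, AP, reason=3))]  # one ordinary deauth
SAMPLE += [(t, sample_frame(0x80, "FF:FF:FF:FF:FF:FF", AP, AP)) for t in range(100, 5000, 100)]  # beacons
SAMPLE += [(5000 + 10 * i, sample_frame(0xC0, CAMERA, AP, AP)) for i in range(64)]  # burst at the camera

if __name__ == "__main__":
    for bssid, station, ts in detect_floods(SAMPLE):
        print(f"deauth flood: AP {bssid} <-> station {station} at t={ts} ms")
```

A single deauth frame is normal when a client leaves a network, so the detector alerts on rate per AP/station pair rather than on presence; tune the window and threshold to the traffic of the monitored network.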

Follow-up notes:

I will be updating the script to experiment with whether we can take over the CCTV output, i.e. plastering a hacked JPG or blurring it out, or remotely controlling it, in the next tutorial.
