Physical security solutions like access control, intrusion detection, and surveillance cameras are designed to protect people and property. Still, they can introduce significant cyber risk into an organization if not appropriately secured. Because these systems are often directly connected to an organization’s network and IT infrastructure, hostile actors can potentially compromise these devices to gain an initial foothold into an organization’s network and use them to pivot to other higher-value targets or systems.

Challenges in managing physical security systems

Traditional IT departments often overlook physical security systems and may not have the resources or expertise to patch, update or otherwise secure these devices properly. This blind spot can result in the widespread usage of devices running outdated firmware versions, some of which haven’t been updated in years. Research conducted by Genetec, a video management vendor, indicates that as many as 68.4%, or almost 7 out of 10 physical security cameras connected to corporate networks, are currently running out of date firmware. These legacy firmware versions may be riddled with security vulnerabilities that are easily exploitable by attackers.

Even in organizations where the systems and devices are managed by IT departments, visibility and inventorying of all of these devices across large enterprises can be challenging. In large, siloed environments, physical security personnel can potentially connect ’‘rogue” physical security devices and cameras that don’t meet organizational security requirements without the IT department’s knowledge.  This can lead to large gaps in the organization’s security posture which fly under the radar.

Firmware attacks are skyrocketing

Hackers, who often take the path of least resistance, have noticed the widespread proliferation of firmware vulnerabilities. According to the National Institute of Standards and Technology (NIST) and research conducted by Microsoft Corporation, firmware-based attacks across all device types have skyrocketed over the last few years. The National Vulnerability Database maintained by NIST reports more than a five-fold increase in firmware attacks during the previous four years. Similarly, in a survey of 1,000 businesses conducted by Microsoft, 83% of companies surveyed reported at least one firmware-based attack in the past two years.

Default or weak passwords are low-hanging fruit for an attacker

To make matters worse, default or weak passwords are often used on physical security devices throughout the organization, unwittingly providing hostile actors with a virtual “layup” for obtaining privileged access to the system. Internet-accessible cameras with default passwords configured on them arguably offer the most accessible avenue for an attacker to get initial access into an organization’s network. Exploiting these vulnerabilities could not only result in exposed video feeds and control of the camera system but could potentially provide the attacker with the ability to capture sensitive data traversing the network, send outgoing messages or requests, or pivot to other more sensitive internal IT systems.

How to secure physical security systems/devices

In light of these challenges, what are some concrete steps that organizations can take to improve their security posture and reduce the cyber risk their physical security devices introduce?  Implementing the following three steps can dramatically reduce the risk associated with these physical security devices by up to 70-80%.

  • Understand your universe of devices -The first step to reducing cyber risk is to create and maintain a comprehensive inventory of devices, documenting their firmware versions and security configurations. This information can be used to audit the firmware landscape and pinpoint devices that may require updating or replacement.
  • Update firmware versions -Firmware versions should be updated as they become available from the device vendors. Running the latest firmware from the manufacturer ensures that cyber vulnerabilities are reduced to the maximum extent possible.
  • Update default or weak passwords -Default and weak passwords should be updated to comply with organizational password complexity requirements. Ideally, these passwords should be rotated on a regular basis.

Convergint Technologies can assist your organization with implementing and automating these measures at scale. Contact us for a free assessment.


Michael Chung

Principal Cybersecurity Consultant, Convergint

Michael Chung is a Principal Cybersecurity Consultant with Convergint’s Cybersecurity Services Team (CST). Prior to joining Convergint, Michael was responsible for overseeing several Federal cybersecurity projects on behalf of the Department of Defense (DOD) and also oversaw the selection and implementation of various cybersecurity controls on physical security systems as the Cybersecurity Advisor to Kaiser Permanente’s National Physical Security Group.  Michael was also the Co-Lead of the Cybersecurity Incident Response Team for the DOD Joint Chiefs of Staff Office of the Chief Information Officer (JCS OCIO). Michael also held a position at the Department of Energy, Office of Intelligence and Counterintelligence as a Cyber Incident Response Advisor and was the Technical Lead for Endpoint Security on Top Secret, Secret and Unclassified networks.

Contact us

Convergint is a trusted leader providing the highest level of service for the cybersecurity sector. To learn more about Convergint’s cyber capabilities, contact a specialist today.