Surveillance & Biometric Systems
Cameras and biometrics are often treated as premium controls even when they are poorly placed, weakly monitored, or operationally disconnected from access control. A modern physical assessment should validate what these systems actually see, how quickly anyone responds, and whether checkpoint design makes spoofing or bypass easier than the owner thinks.
Assessment Goal
Camera Architecture Review
What To Validate
- • Approach coverage to badge doors, elevators, and stairwell exits
- • PTZ timing and whether operators can realistically track movement
- • Lighting, backlight, and angle quality for identification
- • Whether cameras cover only the perimeter or also the post-entry objective path
Common Weaknesses
- • Wide-angle presence cameras with poor facial detail
- • Visible cameras that do not cover the route people actually use
- • PTZ cameras aimed at the wrong default scene
- • Recording without review, alerting, or retention practices that support investigations
Biometric Checkpoint Questions
| Control | Assessment Question | Failure Pattern |
|---|---|---|
| Face recognition | Is liveness checked, and can staff override low-confidence matches casually? | Convenience overrides confidence thresholds |
| Fingerprint / palm | What happens when the reader fails or the user is in a rush? | Fallback badge or manual override becomes the real control |
| Voice / intercom | Is there trusted callback or only conversational persuasion? | Social engineering defeats the checkpoint faster than technical spoofing |
ONVIF, RTSP, and Camera Network Exposure
If the engagement includes authorized camera-network validation, document whether management interfaces, ONVIF discovery, or RTSP streams are exposed on trusted segments without segmentation or strong credentials. Many “physical” camera issues become technical compromise opportunities once you reach the right switch port.
# Example authorized checks from an internal assessment segment
nmap -sV -p 80,443,554,8080,8899 10.10.20.0/24
# Look for RTSP and ONVIF exposure
nmap --script rtsp-url-brute -p 554 10.10.20.0/24
# Common review points
# - Default credentials or shared service accounts
# - ONVIF discovery responses leaking make / model metadata
# - Unencrypted RTSP streams on internal shared segments
# - Camera VLAN reachable from non-security workstations# Example authorized checks from an internal assessment segment
nmap -sV -p 80,443,554,8080,8899 10.10.20.0/24
# Look for RTSP and ONVIF exposure
nmap --script rtsp-url-brute -p 554 10.10.20.0/24
# Common review points
# - Default credentials or shared service accounts
# - ONVIF discovery responses leaking make / model metadata
# - Unencrypted RTSP streams on internal shared segments
# - Camera VLAN reachable from non-security workstationsResponse Workflow Matters More Than Sensor Count
A camera seeing you is not the same thing as a camera stopping you. During assessments, record:
- • Whether alarms or access denials generate an actionable response
- • How long it takes for local staff or guards to investigate suspicious movement
- • Whether operators can correlate visitor records, badge events, and camera views quickly
- • Whether surveillance is positioned to support prosecution, deterrence, or neither