Cyber security and IP cameras: the threat is real
As recent events demonstrate, unprotected connected devices are being used to target corporate networks
At some point, the line between physical and cyber security became blurred.
A lot of people did not realise this until two years ago, when a cybercrime group hijacked hundreds of thousands of IP surveillance cameras, DVRs and home routers and used them to build a massive botnet, now famously known as Mirai, which launched what were at the time the largest DDoS attacks on record.
In hindsight, we should all have seen it coming: combine millions of barely protected connected devices and you have a recipe for disaster.
IP cameras are essentially IoT devices, and they are susceptible because many models were not designed with cyber security in mind, making it easy for attackers to gain illegitimate access to the networks they are connected to. Just like any connected device, IP cameras can become a vehicle for attacks on other parts of the network, notes Amin Hasbini, senior security researcher at Kaspersky Lab.
Recent research by Kaspersky Lab found that not just one but a whole range of smart cameras were vulnerable to a number of severe remote attacks, owing to an insecurely designed cloud backbone that was originally built to let the owners of these cameras access them remotely. The demand for remote video access vastly expands the potential entry points for attackers, warns Hasbini.
Because the camera is often the most remote outpost in the network, it can be easily overlooked when implementing data security measures, observes Hakan Ozyigit, regional director of security systems & building technologies, Bosch Middle East.
“Security cameras are increasingly connected to the internet and transitioning into intelligent sensors that collect significantly more data than video security images alone. However, as this level of connectivity and collection of business-sensitive data becomes more widespread, the threat from cybercrime also rises,” says Ozyigit.
IP surveillance systems reside on the local area network and have to be considered in any IT policy. Just like other network devices, clients and servers, IP cameras need to be protected, says Tertius Wolfaardt, BDM architects & engineering at Axis Communications. “Threats must be managed at a system level. An organisation’s cybersecurity is not its concern alone; responsibility to secure the network, its devices and services falls across the entire vendor supply chain, bringing together people, processes and technology,” Wolfaardt says.
The majority of network security breaches are due to human error, negligence, misconfiguration, and poor maintenance, Wolfaardt says. “IT network security policies are not always applied to surveillance networks; but it is imperative to factor in those policies,” he adds.
The rise of the IoT, supplemented by a shortage in cybersecurity skills, a lack of consideration for security throughout supply chains as well as siloed communications, have all conspired to bring about a worrying rise in data breaches and successful cyber-attacks. Data protection from the outset of a project, by design and default, must be a top consideration, says Wolfaardt. “A truly secure service or solution can only be accomplished if security has been analysed at every stage of a project – from development through to deployment. The key is to ensure ‘security by design’, where everyone involved understands the security implications of a breach and how to prevent one, as well as how to react if the worst does occur,” he adds.
Even more worrying are targeted attacks. Enterprise and critical infrastructure organisations are subject not just to opportunistic but also to targeted attacks, Wolfaardt observes. “These will use the same low-cost vectors as before; however, a targeted attacker has more time, resources and determination, as there is more value at stake. In order to determine what security controls should be used to reduce your risks, it is important to undertake threat modelling and risk analysis,” he adds.
End users often choose convenience over security. That is why connected devices should be secure by default.
For its products, Bosch follows a four-step approach to ensure the entire video surveillance infrastructure is protected, says Ozyigit.
First, users are required to set a password when the camera is set up. Second, only secure (HTTPS) connections to the cameras are allowed and all insecure ports are disabled by default. Third, the execution of third-party software is disabled and firmware updates can only be done with Bosch firmware files. Finally, all Bosch IP cameras feature a built-in Trusted Platform Module (TPM). This module safely stores all certificates and private keys needed for authentication and encryption. Even in cases of unauthorised access, the TPM ensures that the private key cannot be retrieved, Ozyigit says.
End users, on the other hand, should follow best practices to reduce the likelihood of a successful attack.
For one, they must change all default passwords on IP cameras. Many connected-device manufacturers pay only cursory attention to security. Attackers scanning for IoT devices try known default passwords, which in many cases work. “If you haven’t changed the password, these opportunistic hackers feel practically invited to take control of your device,” Hasbini warns.
And the passwords should be hard to guess, says Axis’ Wolfaardt. As with almost every other internet-enabled device, the password is the camera’s primary protection against unauthorised access to its data and services. There is much debate about what constitutes a strong password. One common recommendation is to use at least eight characters with a mix of upper- and lower-case letters, numbers and special characters. A brute-force login attack is not practical against a strong password, as exhausting the search space would take thousands of years.
“In a video management system (VMS) environment, authentication is primarily machine-to-machine, since users don’t access the cameras directly. Adding a login-failure delay in a VMS environment may increase the risk of locking yourself out. In smaller organisations, clients often connect directly to the camera (human-to-machine authentication), so we recommend using hard-to-guess but easy-to-remember passwords. Use long passphrases as passwords, such as ‘this is my camera passphrase’ (yes, spaces are allowed). But, whatever you do, don’t just use the factory default password,” says Wolfaardt.
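The password advice above (reject factory defaults, allow either a short mixed-class password or a long passphrase with spaces, and reason about brute-force effort) can be turned into a check that a commissioning script runs before a camera goes live. The following is an added example written for this article, not code from Axis, Bosch or Kaspersky Lab. The DEFAULT_CREDENTIALS set is a small constructed list for illustration (real scanners carry far longer lists), the 50-bit threshold is an assumed policy value, and the guess rates in the usage block are assumed figures, not vendor measurements.

```python
"""Camera password policy check with a brute-force effort estimate.
Added example; the credential list, thresholds and guess rates are assumptions."""
import math
import string

# Constructed illustrative factory-default pairs. Any exact match fails outright,
# regardless of length, because scanners try exactly these first.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "12345"), ("admin", "123456"), ("admin", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
}

# Character classes an attacker must assume once they are known to be in use.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",   # space counts: passphrases are allowed
}


def charset_size(password):
    """Alphabet size implied by the classes actually present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password):
    """Brute-force entropy, assuming the attacker knows length and classes.
    This is an upper bound: dictionary words or patterns lower the real figure."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** entropy_bits(password) / guesses_per_second / (365.25 * 86400)


def check_password(username, password, min_len=8, min_bits=50):
    """Return (ok, reason). Accepts both styles from the article: a short
    mixed-class password of at least min_len characters, or a long passphrase."""
    if (username, password) in DEFAULT_CREDENTIALS:
        return False, "factory default credentials"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    bits = entropy_bits(password)
    if bits < min_bits:
        return False, f"only {bits:.0f} bits of brute-force entropy"
    return True, f"{bits:.0f} bits of brute-force entropy"


if __name__ == "__main__":
    # Assumed rates: ~10 guesses/s for an online attack against a camera's web
    # server, 1e10/s for an offline attack on a leaked password hash.
    for user, pw in [("admin", "admin"), ("admin", "Admin123"),
                     ("admin", "Cam3ra!Xq"), ("admin", "this is my camera passphrase")]:
        ok, why = check_password(user, pw)
        print(f"{pw!r}: {'OK' if ok else 'REJECT'} ({why}); "
              f"online exhaust {years_to_exhaust(pw, 10):.1e} years, "
              f"offline {years_to_exhaust(pw, 1e10):.1e} years")
```

The offline column is the reason the TPM and firmware-signing steps matter alongside the password: a password that survives online guessing for millennia falls in hours once its hash can be extracted from an unprotected device, so the check is only one layer.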
Second is to put cameras on a separate network (a dedicated Wi-Fi network or VLAN). When an attacker gains control of one of your corporate IoT devices, they can in principle reach everything beyond it over the shared local network.
Third is to limit access to sensitive data. One risk of IoT is that the devices might pick up what’s considered private information. “An IoT security camera is a very risky thing to have open to the internet,” Hasbini says.
Organisations should also reduce their network exposure, Wolfaardt says. “Basically, don’t attach something to the internet unless it really needs to be. And if you do, then understand that making that step requires it to be sufficiently hardened before you hook it up,” he adds.
The challenge with network cameras is that many people want to be able to remotely access the video. IP-enabled cameras have a web server and video can often be accessed just by using a web browser. It may seem like a good idea to poke a hole in the router/firewall (known as port-forwarding) and use a web browser as the primary video client, but this adds unnecessary risks, so it’s not recommended.
There are better and more secure ways to get remote video access. For systems that use a VMS, it is recommended to follow the VMS vendor’s recommendations for remote video access, says Wolfaardt. “If your video is streamed to the public, e.g. a web attraction, then we suggest you use a media proxy with a properly configured Internet web server. And if you have multiple remote sites, then you would be best to use a VPN,” Wolfaardt says.
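The two exposure mistakes discussed above, a port-forward from the internet straight to a camera and a camera segment that can reach the rest of the LAN, are both visible in a firewall or NAT rule export, so they can be caught by a routine audit. The following is an added example written for this article, not a tool from any of the vendors quoted. It assumes a simplified rule tuple format (name, source, destination, destination port, action) that you would produce from your own firewall's export, and the CAMERA_NET, VMS_HOSTS and CORP_NET ranges and the SAMPLE_RULES list are constructed for illustration.

```python
"""Audit a simplified firewall/NAT rule export for camera exposure and
segmentation gaps. Added example; address ranges and rules are constructed."""
import ipaddress

CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")   # assumed camera VLAN
VMS_HOSTS = ipaddress.ip_network("10.10.5.0/28")    # assumed VMS / recorder hosts
CORP_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed: all internal space
INTERNET = ipaddress.ip_network("0.0.0.0/0")
CAMERA_PORTS = {80, 443, 554, 8000}   # web UI, HTTPS, RTSP, a common vendor port
ANY_PORT = 0                          # convention used here for "all ports"

# Constructed sample export. Rule 3 is the port-forward the article warns
# against; rule 4 lets the camera segment talk to the whole corporate range.
SAMPLE_RULES = [
    ("vms-to-cams", "10.10.5.0/28", "10.50.0.0/24",  443, "allow"),
    ("vms-rtsp",    "10.10.5.0/28", "10.50.0.0/24",  554, "allow"),
    ("remote-view", "0.0.0.0/0",    "10.50.0.12/32",  80, "forward"),
    ("cams-any",    "10.50.0.0/24", "10.0.0.0/8",     ANY_PORT, "allow"),
    ("cams-ntp",    "10.50.0.0/24", "10.10.5.1/32",  123, "allow"),
    ("deny-all",    "0.0.0.0/0",    "0.0.0.0/0",      ANY_PORT, "deny"),
]


def _net(text):
    """Parse a CIDR or single address into a network object."""
    return ipaddress.ip_network(text, strict=False)


def audit(rules):
    """Return a list of (rule name, finding) for rules that violate the two
    checks: no internet reachability to cameras, and cameras may only reach
    the VMS hosts. Deny rules are skipped; only permissive rules expose anything."""
    findings = []
    for name, src, dst, dport, action in rules:
        if action == "deny":
            continue
        src_n, dst_n = _net(src), _net(dst)
        # Check 1: internet-sourced traffic landing on a camera service port.
        if (src_n == INTERNET and dst_n.subnet_of(CAMERA_NET)
                and (dport in CAMERA_PORTS or dport == ANY_PORT)):
            findings.append((name, "camera reachable from the internet; "
                                   "use a VPN or media proxy instead"))
        # Check 2: camera segment allowed anywhere internal other than the VMS.
        if (src_n.subnet_of(CAMERA_NET) and not dst_n.subnet_of(VMS_HOSTS)
                and dst_n.overlaps(CORP_NET)):
            findings.append((name, "camera segment can reach non-VMS internal hosts; "
                                   "restrict to the VMS/recorder addresses"))
    return findings


if __name__ == "__main__":
    for rule, problem in audit(SAMPLE_RULES):
        print(f"{rule}: {problem}")
```

Cameras that legitimately need a vendor cloud or NTP server get a narrow rule to that address, as the cams-ntp rule shows; the audit flags only rules that open the whole internal range or accept traffic from anywhere.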
End users should also select video surveillance manufacturers whose video system does not degrade the existing network protection, says Wolfaardt. “Physical security teams should work with the IT team and solution providers to handle risk analysis, system deployment and maintenance,” Wolfaardt says.
Bringing together an ecosystem of partners and technologies is increasingly seen as the best model to tackle these risks.
Data is becoming businesses’ most valuable asset, which is why adopting an end-to-end security solution is crucial. Focusing on the edge of the video surveillance set-up alone is not enough, warns Ozyigit. Even a single weak link in a surveillance solution can jeopardise the entire system. “That is why a four-step approach that considers the entire video surveillance infrastructure, including cameras, servers, clients, storage devices, network protocols and public key infrastructure, is recommended,” he adds.
In a world where almost everything is connected, data security is now a collective concern and a community effort, says Ozyigit. For example, Bosch offers extended user management options for controlling individual user access rights and supports existing industry standards such as Microsoft Active Directory. “We also have our own PKI solutions with an in-house Certification Authority (CA), Escrypt. Our solutions also support third-party public key infrastructure (PKI) solutions from companies such as SecureXperts, Incorporated (SXI),” says Ozyigit.
Vulnerability testing, involving so-called “ethical hackers”, is becoming an increasingly important tool to help manufacturers identify potential problems before attackers discover them. “Manufacturers (of IP cameras) can adopt this best practice and have a security vendor test their products and offer recommendations. This ensures that solutions, in this case cameras, will be as secure as possible when they are deployed,” says Hasbini.
Good security must be all-inclusive, as the best cybersecurity solution will be worthless if those that use it aren’t properly trained, says Wolfaardt. Therefore, it’s imperative that data processors and controllers are aware of their responsibilities and that all staff are well educated, helping to create a culture of cybersecurity.
But companies shouldn’t just look inwards, says Wolfaardt. “Collaboration with system vendors, integrators and installers is also hugely important. Conversations need to take place across the supply chain throughout a project to ensure needs are understood and security risks managed,” he adds.
Wolfaardt says that, as a provider of IP-enabled security devices, Axis strives to help businesses navigate the ever-changing world of cybersecurity by sharing its knowledge and developing a number of tools to guide the way. “Additionally, we also offer regular training sessions and webinars aimed at our end users to keep them updated on the latest happenings,” he adds.
Getting and staying ahead of the problem is crucial for maintaining a positive relationship between IP camera vendors and end users. Whether an algorithm is cracked, a vulnerability is discovered in a camera’s operating system or hackers find a loophole, the most important thing for vendors is to be transparent, letting people know about it and taking action by releasing a firmware patch to close the gap, says Kaspersky Lab’s Hasbini. “Cyber security is a moving target, so there will always be incidents that occur, and organisations need to be prepared and ready to react,” he adds.
Surveillance cameras are of utmost importance in the modern world. As they are now part and parcel of the IT infrastructure, it is essential that they are secured like any other internet-facing device. Fortunately, unlike other complex network devices, much of the work of securing IP cameras comes down to working through a best-practice checklist and keeping firmware current.