Cracking down on camera hacks
Editor / Provider: William Pao, a&s International | Updated: 9/17/2014 | Article type: Tech Corner
Recent reports on baby cam hacks raised new concerns over malicious intrusion into networked security devices. The threat is even more imminent for home and small business users who are not as well protected as their enterprise counterparts. Luckily for them, most of today's network camera manufacturers work hard to keep flaws to a minimum and equip their products with various security features.
Two recent incidents where baby cams were attacked by hackers caught the attention of vendors and users alike. One happened in Ohio just in April, when a couple was awoken late at night by strange sounds coming from the baby cam in their toddler's room, only to find that the camera had been taken over by a hacker. A similar incident happened last year, when a Houston couple heard a man swearing through the baby cam in their infant's room and found out the Wi-Fi-connected device had been hacked. In both cases, it was found that the cameras, made by the same vendor, contained security flaws that could easily be exploited.
In fact, hacking can happen not just to cameras but to practically any device on the Internet. Last year, the NAS device of a particular vendor was found to have a vulnerability potentially allowing attackers to execute arbitrary commands on the system. The vendor has since released a patch to solve this problem.
The above incidents illustrate the danger facing users of network cameras and other security devices, which may be targets for malicious intruders. That danger is even more imminent for home and SMB users who, unlike their enterprise counterparts, are not protected by firewalls or advanced perimeter defense software. What they can do to protect themselves has therefore become an urgent issue. Luckily for them, today's network camera makers work hard to minimize flaws and equip their products with various security features, which users should take advantage of to reduce the risk of these devices being hacked. “In general it is not possible to guarantee that computers and network devices do not contain flaws that may be exploited for malicious attack. However, there are measures that can be taken in order to reduce the risk considerably and eliminate the obvious flaws,” said Fred Juhlin, Senior Consultant for Solution Management at Axis Communications, whose Companion series targets home and SMB users.
Unauthorized access to a system can be prevented by a simple yet effective method called password protection. Most network cameras today allow users to create their own usernames and passwords, which can be secured through various means. Zinwell, which makes power line-based home security cameras, has patented a technology that keeps passwords from being sent out to the Internet. “In that case, hackers won't be able to get passwords from the Web,” said Ben Huang, Senior Marketing Supervisor at Zinwell.
Encryption of passwords is another protection method. “The user has the option to let the system remember passwords, and if so the client protects the password with encryption,” said Juhlin.
Once a user accesses the camera, it's a good idea for the device to have multilevel access control based on the user's privilege. For example, a regular user may only view streaming video, while an administrator may access the camera's storage or control the device. In fact, most network cameras today offer this functionality. “This means users can control exactly who can see what in their system, and that their video is safe from any form of third-party manipulation,” Juhlin said.
Many IP cams also allow encryption. Video can be encrypted before it is sent over the network to make sure that unauthorized persons cannot view or tamper with the data. Different encryption technologies are used. One of the most commonly used is SSL/TLS, which encrypts content so that it can be deciphered only with pairs of public and private keys, the latter of which are kept hidden on the computers of the communicating parties. Because private keys can be obtained in a security breach, Bosch, whose Advantage line also targets home and SMB users, takes steps to make sure that this will never happen.
“The SSL private key of the device is stored securely on the smart card chip that is directly involved in the SSL connection setup. The private key never leaves the chip and cannot be read out even if the user has complete access to the device,” said Konrad Simon, Product Manager for IP Video at Bosch Security Systems. “This way no access is possible to the private key, even in a hostile approach someone would have achieved to read sensitive data from internal memory.”
The Advanced Encryption Standard (AES) encrypts content with 128-bit, 192-bit, or 256-bit keys, making encoded messages harder for untrusted parties to decipher. Among camera makers that use AES is Amaryllo, another home security camera maker. It uses 256-bit encryption while keeping video latency below 0.5 seconds.
Keeping Flaws to a Minimum
Vendors who are security-minded keep exploitable flaws to a minimum. One way to achieve this is to check third-party software regularly to make sure problematic software isn't incorporated into their products. As an example, to implement SSL encryption, many camera makers use OpenSSL, which drew huge attention in the security world in April when it was found to contain a bug called Heartbleed. If left ignored, Heartbleed could lead to the leak of sensitive data, such as usernames and passwords. One camera maker that managed to avert this disaster was Bosch. “We do not use OpenSSL as SSL implementation on our IP cameras, encoders, and decoders. The SSL implementation in our devices is not OpenSSL, nor is it related, so Heartbleed did not affect us at all,” Simon said.
Crowdsourcing, where users in a community share their collective wisdom, is another way to identify flaws and get them fixed. “We monitor discussions in the network community to quickly identify possible vulnerabilities which may impact our products. If a vulnerability is discovered, we will provide patches, firmware, risk analysis, or recommendation to our customers,” Axis's Juhlin said.
While camera vendors may have included a range of security features in their devices, users should also do their part by taking advantage of these features. For example, it's often the case that users simply use the camera maker's default username and password settings, which are easily obtainable. It is also important to check for notices on firmware updates or security patches, which are normally sent via e-mail. Moreover, users may consider isolating their cameras from a local network, since hackers may attack other devices in the network through the camera.
A Two-Way Street
Keeping hackers at bay requires a commitment by both vendors and users. Vendors should build their products with the concept of “security” in mind, while users should familiarize themselves with the security features included in cameras and use them whenever possible. It's only through this two-way street that security camera users can achieve their primary objective — keeping safe — without being harmed in the process.