IP camera manufacturers can both build in various security features as well as act in a systematic, transparent and timely manner to make sure end users are properly protected.
Video cameras are increasingly migrating to the Internet. As IP devices, they are vulnerable to cyberattacks and threats just as any other endpoint residing on a network. To this end, IP camera manufacturers can both build in various security features as well as act in a systematic, transparent and timely manner to make sure end users are properly protected.
Video surveillance cameras are moving towards IP due to various benefits. These include capturing scenes in high resolution, integration with other networkable devices and allowing remote access and monitoring. Due to benefits like these, demands for IP cameras have been increasing steadily, with IHS reporting 70 percent of all security cameras shipped in 2018 being network cameras.
Jessica Chang,
Regional Director,
North Asia,
Axis Communications
However, users today are contrasting these benefits against reports of intrusion and cyberattacks against IP cameras. At the end of 2019, a series of Ring camera hacks were reported in the United States, whereby the hacker was able to retrieve recycled passwords from the Internet and use them to take control of the cameras. In another 2019 case, a stranger hacked a Seattle couple's baby cam, telling the couple’s three-year-old "I love you.” Back in October 2016, a series of coordinated cyberattacks were launched against Dyn through a botnet of IoT devices, including IP cameras and network video recorders. The result was service disruptions across various famous sites including Airbnb, Amazon.com and The Boston Globe.
These examples underscore the fact IP cameras are as vulnerable to threats and attacks as other networkable devices. “The IP camera is often the most remote outpost in a network and is a common target of cyberattacks. Today, the most common type of attacks are MitM (man in the middle), DoS (denial-of-service), installation of malware, privilege escalation and ACE (arbitrary code execution),” said Jessica Chang, Regional Director for North Asia at
Axis Communications.
These known attacks and threats highlight the importance of camera cybersecurity. While cybersecurity-related camera features and vendor capabilities were once little more than a footnote, today they have gained more relevance and importance. Indeed, in an increasingly connected world in which cyberattacks have become more sophisticated, camera cybersecurity has become a critical topic for manufacturers, system integrators and end users alike.
What camera cybersecurity entails
Proper protection of network cameras takes place on the following three levels, according to Chang.
Technology
The camera itself should be built according to the “secure by design” principle and include features such as a trusted platform module (TPM), secure boot functionality as well as signed and encrypted firmware.
Devices with an integrated TPM module provide enhanced cryptographic features suitable for protecting certificates and their corresponding keys against unwanted access. Private keys are stored in the TPM and never leave it; all cryptographic operations that require the use of the private key are instead sent to the TPM to be processed. This ensures that the secret part of the certificate never leaves the secure environment within the TPM and remains safe even in the event of a security breach
Secure boot ensures that the camera only boots with authorized firmware. It also assures that the camera is clean from malware after a factory default.
A basic rule for effective cybersecurity of IT is to that in order to keep the system updated, the user needs to apply the latest security patches and updates. Without this approach the system quickly is vulnerable to the weakest link in the security chain.
Process
The majority of network security breaches are due to human error, negligence, misconfiguration and poor maintenance. That’s why alongside technology, every business is recommended to have implement simple processes and procedures to keep their networks safe.
End user support
The vendor should help system integrators and end users understand the threats that they are facing and how to counter them. This includes educating users on how to protect their systems from vulnerabilities via training and tools for hardening their systems as well as managing passwords, firmware and HTTPS certificates. It also demands vendors monitor and report against known common vulnerabilities and exposures in a timely and transparent manner.
In these regards, Axis has put in efforts to not only make their cameras secure but help customers set up, maintain and operate cameras in the most secure way possible.
What Axis does to ensure cybersecurity
“Axis delivers higher performance in both technological configuration and process implementation to defend against cyberattacks.” Chang said. In terms of technology, Axis has the technological foundation for cyber-secure products that come with advanced features. Axis-signed firmware is based on the industry-accepted RSA public-key encryption method. The private key is stored in a closely guarded location at Axis while the public key is embedded in Axis devices. Axis firmware has a signature attached, which the device with signed firmware validates before accepting to install it. The TPM used in selected Axis products is certified to meet the requirements of FIPS 140-2, which means that it also fulfils requirements for role-based operator authentication and tamper evidence, among other requirements.
Axis offers product firmware management according to either active or long-term support (LTS) tracks. Being on the active track means continuously getting access to all the latest product features. With LTS, the products can maintain cybersecurity without introducing any significant functional changes or affecting any existing integrations. This ensures a more cybersecure system with increased stability. It also saves both time and money for whomever maintain the system, that is, system integrators or end customer.
Then, Axis offers device management tools for cost- and time-efficient implementation of cybersecurity process. The Axis Device Manager tool makes it easier and more cost-efficient for the user to implement security configurations, update passwords and deploy patches. AXIS Device Manager Extend (ADMX), a new version of this tool planned to be available this summer, enables end user sites to enact policy-based device management. This tool gives organizations a way to set up, monitor, reporting against and enforce their unique set of policies and configurations for local Axis devices both locally and remotely.
Finally, Axis provides active learning and support information to end users and system integrators, helping them understand the threats they are facing and how to counter them. The company has a recently updated
hardening guide for cameras, offering various means of protection and providing users with technical advice about such aspects as checking firmware, encryption enablement, setting IP address filters, managing passwords and much more. Further, Axis monitors the CVE (common vulnerabilities and exposure) databases that publish known vulnerabilities in software for the CVE entries that relate to the open source packages used in Axis devices. The Axis
vulnerability policy outlines how committed the company is to acting in a transparent and timely manner against any known vulnerability.
In short, vulnerabilities that Axis identifies as limited risk will be remediated in future firmware releases. Vulnerabilities that Axis identifies as increased risk will be treated with priority resulting in an unscheduled firmware patch or publishing of a security advisory, informing about the risk and recommendations.
Axis monitors and announces the vulnerabilities through its Security Advisory service. The security advisories include a vulnerability description, risk assessment, recommendations and if/when a service release will be available. “Occasionally a new critical vulnerability may be discovered. In such cases, Axis guarantees speedy response, transparency and free upgrades and patches.” Chang said
With intrusions and attacks becoming the new reality in the cyber space, IP camera manufacturers must build cybersecurity features into their products and provide the necessary support to help end users counter those threats. In these, Axis leads with its technology prowess, device management tools and customer support. This helps gives users peace of mind against cyber threats.