IP camera hacks, which have become more rampant, have led to calls for better product design. Yet, with security being a two-way street, the user has a role to play as well to better protect themselves.
Precautionary measures begin with purchasing the camera. Considering the security of cameras varies across brands and models, the user should do some homework before making a purchase. “Choose a quality product that you have reviewed online and discussed with a cybersecurity expert, if you can. Review security protocols with the supplier and find out if it protects itself. Understand historical alerts and determine if the information would have gotten to you,” said Dave Tyson, SVP of Cyber Security Consulting at
Apollo Information Systems.
Password
A lot of the high-profile IP camera hacks of recent had to do with the user not changing the default admin password, which can be easily searched on the Internet. According to a South China Morning Post
report, dozens of Canon IP cameras were hacked across Japan back in May, and users in Chiba and Saitama Prefectures admitted that they had failed to reset the cameras’ default passwords.
That said, changing the camera’s default password to something that’s hard to guess or crack is critical. “Many IP cameras either come with default access credentials or have their security features disabled by default. While we cannot be certain, the motivation behind this is probably for consumer ergonomics in limiting the number of steps users are required to undergo during the initial setup process. However, many users unfortunately forget to reset or enable password protection after their initial setup, and thus expose their IP cameras’ vulnerabilities to unauthorized access,” said Cheng Lai Ki, Cyber Operations Consultant at
Horangi Cyber Security. “To ensure the IP camera you acquired possesses basic user-authentication features, equip it with a strong password that is a combination of 12-24 upper/lower case letters, numbers and special characters.”
“Having a secure password is great, but a longer, more complex passphrase is better, something easy to remember but specific to you: I lovemysubaru4ittakesme2work!. This is safer and takes a half second longer to put in,” Tyson said.
Tyson also recommends an additional layer of security on top of password. “Better security would be to use two-factor authentications to access the camera – set up a system where your phone gets an alert and you have to put in a passcode to get access beyond the password,” he said.
Firmware update
The camera’s firmware may also include vulnerabilities that intruders can exploit. Given such, regularly updating the device’s firmware is needed. “A security patch is often issued as, or alongside, a firmware update when an identified vulnerability is rectified by the manufacturer. Users should regularly review their IP camera’s manufacturer website for announcements about firmware updates to ensure protection from the most updated security patches,” Ki said.
According to Bud Broomhead, CEO of
Viakoo, the user should take a compliance-based approach. “On a per camera model basis they should identify what firmware is considered ‘compliant’ given the VMS support matrix and other factors. Then using an automated verification solution the entire system can be assessed for which specific cameras are not on a compliant version of the firmware. For most physical security system operators the scale of the problem (dozens or hundreds of cameras) should lead them to use automated camera firmware update managers,” he said.
Other tips
Besides the aforementioned points, experts also offered other tips that are summarized as follows.
Change default port
The camera’s default port is another potential entry point into the device. Changing it and closing unnecessary ports can be a useful measure. “For sure you want to use https and close all other unnecessary/unused ports. If you can’t close them, you’ll need to monitor that port traffic,” said Andrew Lanning, Co-Founder of
Integrated Security Technologies.
Wireless connection
Some IP cameras possess wireless capabilities. “If so, users should only connect it to a WPA2-encrypted wireless network or WPA2-enterprise wireless network for corporate environments. Doing so prevents unauthorized wireless eavesdropping to connect, monitor and extract your sensitive video feeds,” Ki said.
Camera position
Keep the camera away from sensitive material to minimize the damage in the event of it being hacked. “As users, we can implement every security feature we can think of, in the effort to secure our IP cameras from being compromised. However, technology will always remain a tool that can be broken by dedicated and sophisticated hackers,” Ki said. “Provide yourself with an additional layer of security by carefully planning where these cameras are positioned throughout the space you are deploying them in. Avoid positioning it towards an employee’s screen or keyboard to avoid hackers being able to identify password keystrokes or capture sensitive materials displayed on their monitors.”