Common vulnerabilities in security devices and ways to avoid them

The DDoS attack launched from various network cameras and NVRs last year again exposed the vulnerabilities of security devices as they migrate towards IP. Some of the experts we spoke to listed common vulnerabilities in security equipment and made suggestions on what vendors should do to avoid them.
 
Their comments came after the DDoS attack against a U.S.-based Internet performance and management company, resulting in a shutdown of service across such sites as Amazon and Netflix. It was later found out several IP cameras and NVRs were used to launch the attack after being affected with the Mirai malware. “Once the malware has identified and accessed the devices, it turns them into bots that can be commanded as part of an army of devices to flood websites with requests, effectively crippling the server and eventually forcing it to go offline,” said Jeff Hurmuses, VP of APAC at Malwarebytes. “It was estimated that Mirai had been spread to least 500,000 devices with vulnerabilities.”
 
According to experts, one vulnerability is the use of default username and password. “Exploiting this vulnerability, Mirai was able to gain control of these devices. What the malware did was scan the internet for devices that were still ‘factory’ set, which meant they were still using default username and password combinations,” Hurmuses said.
 
Besides the default username and password, the default configuration of the device can also create problems. “Default configuration typically uses insecure protocols and leaves open services. This can cause information to be sent in the clear and also enable access to a command line via services such as telnet,” said Salvatore D’Agostino, CEO of IDmachines.
 
Another vulnerability is the execution of proprietary encryption, as opposed to the more well-established encryption methods, as more powerful tools are now available to crack encryption algorithms.
 
Then comes firmware, where vulnerabilities and flaws can be exploited and help hackers intruder further into a device. “Most security devices are full blown computers with modern operating system, for example embedded version of Windows or Linux,” D’Agostino said. “Updating firmware for these devices is as crucial as the updates to your desktops and the related applications.”
 
Having said that, vendors should make their best efforts to secure their security devices. And a good point to start is requiring the user to change the username and password. “The newly revised NIST publication ‘Digital Identity Guidelines’ as well as the NISTIR 8040 on passwords for mobile devices are some examples of publically available guidance to follow,” D’Agostino said.
 
Encryption, meanwhile, is also important. “Enable encryption within the network-based physical security devices whenever available,” said Hurmuses. Among the documents that can be followed, the so-called NSA Suite B algorithms represent the list of acceptable cryptographic algorithms.
 
In addition, vendors should regularly update firmware, in a manner that is easy and friendly to users. “Much has been discussed with regards to user interface design in recent days. The end goal is to ensure users do not find running updates to be a hassle. Thus, an efficient interface to ensure great user experience is essential,” Hurmuses said. “Another alternative is automatic patching, a path we are seeing Microsoft experimenting with, with the launch of Windows 10. This removes the need for user involvement in the update process.”
 
Hurmuses also made other recommendations. “Vendors can even consider implementing two-factor authentication, be it from tokens, apps or RFID cards to verify user’s identity instead of simply entering a username and password to log in. Finally, they could also look at collaborating with cybersecurity companies for vulnerability testing and assessment, the potential of these devices from being hacked can be identified earlier and thus can be further improved to minimize the chance of being attacked,” he said.