Don't care about your cameras being used in DDoS attacks? Think again!

Last year, a major cybersecurity incident took place in which networked devices, including IP cameras, were used to launch DDoS attacks. While some believe that this does not really affect the end user organization’s own operations, users are still advised to engage in certain best practices to better protect themselves.
 
That was the point raised by Razberi Technology in its whitepaper titled “Top 6 Measures to Reduce Video Surveillance Cybersecurity Risks.”
 
In October last year, DDoS attacks were launched against Dyn, an Internet performance and management company based in New Hampshire. The result was a shutdown of service across various famous sites including Amazon, the Financial Times and Netflix. It was later found out that poorly protected networked devices, including cameras and NVRs, were used as robotic attackers after being affected by a malware called Mirai.
 
As the cameras remained operational during the attacks and still captured video, some users’ first reaction was that this probably didn’t concern them. But contrary to this belief, Razberi said that cameras being taken over to launch attacks can still do harm to the end user.
 
“If the camera can be asked to bombard another website with traffic, it could also be asked to take down the company’s manufacturing or point of sale system. If someone can program the camera to send traffic, that person can program it to do other things for example loop the last 15 seconds of video or shut it off entirely,” the paper said. “If the cameras are participating in an attack on other websites, and your network provider detects the excess traffic heading to one site, it may shut down Internet access for your organization until the issue is investigated. This is not good if your organization or company is dependent on making a living off of the Internet.”
 
Even if the cameras were installed behind a firewall, Razberi said this still had flaws, considering the various types of internal threats possible. “Sometimes the ‘insider threats’ come from outsiders. The infamous Target data breach of 2013 occurred because an outside contractor legitimately had a login to a vendor portal used to submit invoices. The contractor had his user name and password stolen in an email hack. The hackers used it to gain access to the Target corporate network and then the point of sale system. This resulted in 70 million credit cards stolen and a US$300 million dollar loss,” it said.
 
As a result users are still urged to exercise best practices to protect their video surveillance, and Razberi has the following suggestions:
 

• Camera passwords matter: The changing of default passwords is critical. “The Mirai virus works exactly that way, using a list of 61 passwords like ‘admin’ or ‘54321.’ The fact that this technique was able to infect over 400,000 devices on the Internet speaks to how many people ignore the importance of passwords,” the whitepaper said.

• Isolate your cameras: According to Razberi, cameras should be Isolated with a virtual LAN (VLAN), and the only thing that should be able to talk to them is the video management system.

• Lock down the network: The network must be effectively shut off from intrusion. “Each camera has a unique identifier called a MAC address. A network can be configured to only allow a certain MAC address on each port (a feature called MAC Binding). With this in place, all communications from other devices gets thrown away and the hacker gets a dead connection,” Razberi said.

• Two operators: Authentication and authorization are also important. “Cameras should be set up the same way: one login used by the VMS that allows for streaming video only, and an admin login that is only used on rare occasions, such as needing to update firmware,” the paper said.

• Don’t ignore unusual events: Intruders trying to get in will leave certain marks or trails, and these can’t be neglected. “The best practice is to set up the system to monitor for events like these with immediate notification,” Razberi said.

• Purchase cameras from a company with a reputation for security: According to Razberi, the user should look for vendors that have a public reputation for attention to proper cyber aware design. They should also have a rapid response to any vulnerabilities that may be found as well as a general level of trust.