As more and more cameras move towards IP, their security has also become critical in an increasingly networked world. To make sure end users are protected as much as possible, camera vendors are putting efforts into hardening their devices against cyberattacks.
Since the first IP camera came out in the late 1990s, video surveillance has been moving steadily towards IP due to its various benefits: higher quality, better integration and the enablement of smart features, just to name a few. Due to these benefits, demand for IP cameras has been increasing steadily.
With IP cameras sitting on the network, they are just like other networked devices and can be equally vulnerable to threats and cyberattacks that end users are faced with every day. “Thanks to the rapid adoption of Internet of Things devices, there are more systems connected to the network than ever before. Hackers are leveraging weak passwords in IoT devices, including security cameras, to access the network,” said Sara Chaput, Vertical Marketing Manager for Critical Infrastructure at FLIR Systems.
The attacks that IP cameras are subject to include brute force attacks, denial-of-service attacks and man-in-the-middle attacks, among others. It’s important to note that the attacks are evolving and becoming more sophisticated by the day. “The variety of cyberattacks is rapidly growing and is massively strengthened above all by the use of artificial intelligence which causes malware to reliably scan the network for vulnerabilities,” said Thomas Lausten, CEO of MOBOTIX. “Due to the exponential growth of networked devices and the resulting data, some of which is very sensitive, the appeal of hacking these systems is becoming even greater and, above all, more profitable.”
Further, the ongoing COVID-19 pandemic may provide even more incentives for hackers to attack IP cameras at end user entities, now that some offices are empty and IT people are harder to reach. “Cyberattacks have increased as hackers seek to take advantage of COVID-19 and remote working. With so many people working remotely, hackers hope these attacks will go unnoticed,” said Aaron Saks, Product and Technical Manager at Hanwha Techwin America.
What vendors do to make products secure
With cyberattacks becoming more rampant and sophisticated, the concept of “securing the security device” has also gained more awareness. “Many leading Western and European manufacturers are heavily investing in cybersecurity R&D, implementing new cyber hardening measures,” Chaput said. “Physical security companies are running penetration tests, eliminating backdoor accounts, removing default passwords, introducing network monitoring software and enforcing end-to-end encryption through secured TLS connections.”
Meanwhile, more and more vendors have adopted the “secure by design” principle by putting in defense measures at the device level. The overarching objective is to make the camera as difficult to get into as possible. “Overall, the goal is to make a camera frustrating enough that a hacker decides to move on and find something easier to attack,” Saks said.
That said, the following are some of the measures that camera vendors put into their devices to make them secure against attacks.
Encryption and trusted platform module
The camera should encrypt data at rest (the data residing in the camera) as well as data in motion (video, username and password data that are transmitted). To do that, a pair of public and private keys is needed; the private key is used to decrypt encrypted messages and should stay safely on the device. To this end, more and more IP cameras have a so-called trusted platform module that stores the private key. This ensures that the private key remains in a safe environment no matter how hard the intruder tries to get it.
“We ensure that data is encrypted at the edge (when captured by the camera) and that it stays encrypted during transit and in rest; cryptographic keys for encryption are stored in the trusted platform module,” said Roel Smolenaers, Marketing Communication Expert at Bosch Building Technologies.
Secure boot
Hackers and intruders are known to implant malicious software in the camera. Secure boot, then, is the mechanism whereby the camera only boots with safe or authorized firmware, including vendor-signed firmware updates or patches. Increasingly, cameras have the secure boot function to prevent the camera from becoming corrupted.
“Hackers don’t care about the camera, they just want access to the network, so by ensuring the system completely boots up securely before communicating with any other part of the system, it’s possible to prevent interruptions to the boot process which can be exploited,” Saks said. “We have a secure boot routine that protects against someone maliciously trying to load their own software. If the camera detects that, it won’t boot up because it recognizes that something has been tampered with. This is a major benefit of having our own SoC and being ‘secure by design.’”
Alerts and reporting
In the event of a security breach or suspicious activities, the camera along with relevant tools should have the capability to alert the user of the incident immediately and let them see a report of what happened. “We have instant cybersecurity alarm management, with which the camera could send out the event when it’s under attack and also alarm the end-user when your device is compromised,” said Neo Chang, Frontend Product Manager at VIVOTEK. “With our user-friendly software VAST2 connected with cameras, you could see the cybersecurity event report through an interactive real-time cyberattack dashboard. The management software helps users easily identify common types of cyberattacks and take a further step to filter attack logs through different criteria, making it quicker to find abnormal events in a large number of records.”
Compulsory change to default passwords
Finally, most of the camera hacks occur due to the use of default passwords that are easily found on the Internet. Forcing the user to change the default password, then, becomes a key feature for IP cameras. “Forcing an installer to pick a complex password before the camera is configured is a great method to protect a device against the use of default passwords,” Saks said. “There are no default passwords in Hanwha cameras. They must be given a unique password before they can be configured.”
Further, there are those trying to get hold of the camera using brute-force attacks, or repeatedly submitting passwords with the hope that one of them will be correct. The camera, then, should have a mechanism protecting against that as well. “Locking out access after a certain number of bad attempts can easily prevent dictionary attacks. Beyond that, sending notifications when wrong passwords are entered is a simple way to know when a device might be under attack. IP filtering is also useful to limit who can access the camera,” Saks said.
“It is hard to stop hackers’ attacks if we only take traditional measures such as changing passwords or upgrading firmware. Now, we enable our IP surveillance system to proactively withstand cyberattacks and intrusion anytime. With built-in Trend Micro anti-intrusion software, VIVOTEK’s cameras and NVRs can detect brute force attacks automatically,” Chang said. “Multi-layer protection with Trend Micro IoT Security for camera and video recorder, including brute force attack detection, intrusion detection and prevention, helps to build a robust shield for their surveillance system.”
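The lockout, wrong-password notification and IP filtering that Saks describes can be combined in one login check. The following Python is an added example, not code from the article or from any vendor's firmware; the `LoginGuard` class, its thresholds and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class LoginGuard:
    """Hypothetical admin-login guard: IP allowlist, lockout, alert log."""

    def __init__(self, allowed_nets, max_failures=5, window_s=300, lockout_s=900):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.failures = defaultdict(deque)  # source IP -> times of recent failures
        self.locked_until = {}              # source IP -> time the lockout ends
        self.alerts = []                    # (time, source IP, message)

    def check(self, ts, src_ip, password_ok):
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowed):
            self.alerts.append((ts, src_ip, "source not in allowlist"))
            return "filtered"
        if self.locked_until.get(src_ip, 0) > ts:
            return "locked"  # refused even if the password is correct
        if password_ok:
            self.failures.pop(src_ip, None)
            return "ok"
        recent = self.failures[src_ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window_s:  # drop failures outside the window
            recent.popleft()
        self.alerts.append((ts, src_ip, f"wrong password {len(recent)}/{self.max_failures}"))
        if len(recent) >= self.max_failures:
            self.locked_until[src_ip] = ts + self.lockout_s
            recent.clear()
            self.alerts.append((ts, src_ip, "locked out"))
        return "denied"

# Constructed sample events: (unix time, source IP, password correct?)
EVENTS = [
    (1000, "203.0.113.9", False),   # outside the allowlist
    (1010, "192.168.1.50", False),
    (1020, "192.168.1.50", False),
    (1030, "192.168.1.50", False),  # third failure within 60 s: lockout until 1330
    (1040, "192.168.1.50", True),   # correct password, still locked
    (1100, "192.168.1.20", True),   # another allowed host is unaffected
    (1400, "192.168.1.50", True),   # lockout has expired
]

def replay(events):
    guard = LoginGuard(["192.168.1.0/24"], max_failures=3, window_s=60, lockout_s=300)
    return [guard.check(*e) for e in events], guard.alerts
```

The counter here is keyed by source address, so failed logins from one host do not lock the administrator out from another; a deployment that also needs to limit guesses spread across many sources would add a per-account counter.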
Importance of process
It’s important to note that technology in the camera alone isn’t enough. The vendor must help the SI and end user develop a process in which the IP camera can be set up, configured, operated and maintained correctly. “Securing an IP surveillance system is the responsibility of not only manufacturers but also the end-users. The market and users still need more education to understand how important cybersecurity is and how to react when your device is hacked. Educating end-users to reset passwords frequently, giving them the guideline to correctly set up the system and asking users to update to the latest firmware are the three main steps in the process of securing surveillance cameras,” Chang said.
“Implementing a process offers the greatest guarantee of success. The best integrators we partner with ensure their engineering teams have studied manufacturers’ hardening guides, white papers and other guidelines to develop their own corporate process standards,” Saks said. “Having an implementation plan prevents things from going unnoticed. It’s important to have checklists and guides and to have processes clearly documented so everyone is working in unison.”
SI/end users’ role
For the end user’s part, they should always make sure they’ve done the basics. “The customer/user should always ensure to run the latest firmware on the devices. They should generally make sure that they are not an easy target by using any kind of unencrypted network communication. They should restrict access to the cameras as much as possible. For this purpose, it is recommended to use Digest Authentication with a strong password and the IP access control of the cameras,” Lausten said.
“The most important thing is a mindset change. Although counterintuitive, the most secure device is a connected device. We as an industry need to embrace the fact that cameras need to be connected in order to enable automatic firmware updates over the air. This is the best protection against cybercrime, since the latest firmware patches also include the latest defence mechanisms against cyberattacks,” Smolenaers said. “If an online connection isn’t possible, at least SIs need to ensure that the cameras have the latest firmware files and are regularly updated. Of course, but that’s a no-brainer, during setup a password needs to be set. This is something that is anyway done by default when installing Bosch cameras, so that this cannot be forgotten.”