Even if cameras are cyber-secure, protection against threats and cyberattacks is a multidisciplinary effort across different stakeholders.
IP camera cybersecurity remains a tough issue. Today, the security of cameras in the market varies. And even if cameras are cyber-secure, protection against threats and cyberattacks
is a multidisciplinary effort across different stakeholders.
Are today’s cameras really secure?
Amid reports of hacks and security breaches against IP cameras
today, the issue of securing the security device has gained more awareness. Against this backdrop, many IP camera vendors claim they have added various security features to their products to make them secure. But is that really so? According to consultants and SIs, things indeed have improved over the last couple of years, yet in many cases camera security is still an issue that needs to be tackled.
“Many IP cameras still have significant areas of vulnerability out of the box, which can be exploited by attackers. These vulnerabilities include default passwords, unnecessary protocols, services and ports enabled, and vulnerabilities resident in the firmware itself,” said Brian Lipscomb, PSP Manager for Cybersecurity Services at Convergint.
A lot of times cybersecurity issues in cameras have to do with the vendor’s time-to-market and competitive pressure, combined with lack of awareness by users. “According to my observation, most of the IP cameras are not fully secured against cyberattacks,” said Sanjay Kumar, Chairman of Railway Recruitment Board at Indian Railways. “If you look at the vendors in IoT, they have two things that are very problematic. First, they have pressure to decrease their time to market. They need to beat their competitors, or to be at least at the same time when they go out with a solution. Secondly, they also have cost constraints. While consumers tend to get upset upon reading about a compromised security camera, the buying public rarely considers security as a buying factor, they normally look at the price and sometimes performances and product reviews.” Read more about India CCTV market here.
It should be also noted that the security of cameras varies from brand to brand. “If people take their personal privacy and web security seriously, then yes, most IP cameras on the market today are generally secure. This does not mean, however, that all cameras are created equal,” said Luke Bencie, Managing Director of Security Management International, and Zachary Smith, Junior Associate at Security Management International. “Brands that offer two-factor authentication especially, but also WPA2-AES encryptions and SSL encryptions are generally more secure than brands that do not offer these features. The most secure camera would offer encryptions as well as 2FA.”
It’s not just the camera alone
It’s critical to note that it’s not the camera alone that affects an end user site’s security. Even the most secure camera can lead to security breaches if it’s not installed, run and maintained properly.
“While most camera manufacturers now request users to set up a new password and admin credentials at installation, businesses, cities and government organizations with older equipment never updated their passwords, potentially compromising the other critical data and systems that reside on their network,” said Vinayak Sane, COO of Elmark Engineers. “Unfortunately, our research shows that the ‘set it and forget it’ mentality remains prevalent putting an entire organization’s security and people’s privacy at risk. All it takes is one camera with obsolete firmware or a default password to create a foothold for an attacker to compromise the whole network.”
Keeping the end user site’s video surveillance system secure, then, is a multi-pronged effort by all stakeholders. “A strong cyber security program needs to take into account all things which affect an IP camera, from software to network infrastructure, from installation to proper ventilation and from keeping the camera software up-to-date to performing regular hardware maintenance,” Kumar said.
“In my opinion, every device is not cyber safe out of the box. You become the caretaker of the device and must create a protocol of ‘things to do’ in order to keep your devices cyber-secure. What I mean is that every device is vulnerable out of the box and as long as the camera has access to the Internet, you must treat it like every other part of your network,” said Joseph Saracino, President and CEO of Cino.
“Some manufacturers are building in secure features to their devices, but it is still important for the integrator to help their end-users take that basic security up to a higher standard. Legacy cameras are often overlooked by IT departments and are operating on outdated firmware versions with unpatched vulnerabilities,” Lipscomb said.
“You will find more vendors that have locked down their operating system, closed ports, implemented role based access, use secure communication channels and certificate based authentication, check and update firmware and require changing default passwords (as quick list). Again, and with emphasis, all of these things require these configurations to be properly maintained and for the IP camera to be operating with other system components that support these feature sets. To answer the question, are most cameras cyber-secure, no, because they are not properly configured, integrated, operated, and maintained. Are there a diverse set of vendors who provide high performance IP cameras that could be cyber-secure, yes, but you need a supply chain that supports this over the device and system lifecycle,” said Salvatore D’Agostino, CEO of IDmachines.
What the end user should do
That said, what should the end user do to make sure their cameras and video surveillance system are properly secured? The following are a few tips.
Buy a good camera from a trusted source
Making sure the camera is properly secured begins with buying the right camera. “The first thing anyone should do to ensure their camera is secure is to make sure they’re buying a camera that is able to be secured effectively. Cheap, poorly made, or outdated IP cameras will not have the protection features of higher quality and regularly updated cameras,” Bencie and Smith said.
“Do your homework before buying a connected device: Before you purchase a smart device, check what measures the vendor is taking to protect the data stored on their device. How often will they update it? What out-of-the-box security measures are there?” said Stephen Mak, VP of SPARK Sales for Asia Pacific at BlackBerry.
“Encourage the procurement process to require IP camera hardening during deployment. Make sure the vendor has a ‘hardening guide’ to help secure it. Where possible (inside a large enterprise for example), ensure the IP cameras are as thoroughly validated as any other network device (ask IT to run their finest network security scanner tools in ‘bad attitude’ mode to confirm the IP camera is robust). Make sure your vendor supply chain has a sound cyber posture, ask them how to validate their devices. Check the usual IT security sources to make sure the vendor does not show symptoms of delivering compromisable products,” said Rodney Thayer, Convergence Engineer at Smithee Solutions.
Once a secure camera has been purchased, the user should attempt to connect via hardline to prevent remote hacking into the device. “Users should attempt to connect the IP camera via Ethernet instead of over Wi-Fi/5G,” Bencie and Smith said. “If this is not possible, it does not mean that the camera will be unsecured; the user simply needs to take further steps to protect themselves against intrusions.”
Change default password
While this has been repeated over and over, the end user should still be reminded to change the factory default setting. “Change default passwords to ones that are over 14 characters long and meet complexity requirements,” Lipscomb said. “Rotate passwords regularly as well.”
“Change factory-default configurations on your cameras and all Internet-connected devices, as factory default passwords can be found online. Use strong and unique passwords or passphrases along with two-factor authentication,” Saracino said.
“All users of IP cameras should immediately change the default username and password of their devices, so that sites such as insecam.org cannot just gain access based on company default, and this should be done regardless of whether the device is connected via ethernet or wifi/5G network,” Bencie and Smith said. “If the camera purchased has two-factor authorization, it should be set up as soon as possible as well.”
Update firmware on camera devices regularly
During operation, the user should disable unnecessary ports, protocols and services. Then, the user should regularly check the device settings to ensure that the most recent firmware has been downloaded and installed into the device. “Companies are regularly finding gaps in security or quality of life improvements that they patch into regular updates. It is important to keep up-to-date on these firmware updates to keep the user’s device as secure as possible,” Bencie and Smith said.
“Keep things up to date as much as possible: Even in the case of vendors that consistently release security patches, they don’t always download automatically. Keep on top of firmware updates and vulnerability hotfixes,” Mak said.
Finally, there are certain network device security guidelines and references that end users can follow. “One example is the United States National Institute of Standards and Technology (NIST) cybersecurity publications. There is a Core Baseline, whose full title is Core Cybersecurity Feature Baseline for Securable IoT Devices (Draft NISTIR 8259), which is voluntary guidance intended to help promote the best available practices for mitigating risks to IoT security. It complements the recent publication of Considerations for Managing Internet of Things Cybersecurity and Privacy Risks (NISTIR 8228), which primarily addresses large organizations that have more resources to dedicate to IoT cybersecurity,” D’Agostino said.