Cybersecurity has constantly been ranked as a top trend in IP surveillance. This note discusses some of the top threats, what manufacturers are doing about them and what end users should do to protect their equipment.
Cyber threats against video surveillance equipment are an ongoing issue facing end users. In fact, cybersecurity has constantly been ranked as a top trend in IP surveillance. This note discusses some of the top threats, what manufacturers are doing about them and what end users should do to protect their equipment.
Needless to say,
cyber threats against IP cameras are real and ongoing. In 2016, IP cameras and NVRs were used as bots to launch denial of service attacks against an Internet management company, resulting in shutdowns of various major websites. Since then, reports of IP cams infected with viruses and baby cams being hacked have been in no shortage.
While cybersecurity issues are a source of headache for video surveillance users, they are really nothing new in this age of IoT. “Any network connected device is potentially vulnerable to a cyberattack: a laptop, a mobile phone, a smart speaker, a car or a network video surveillance camera. The goal is to make exploiting the device so difficult and time-consuming that the threat actor looks elsewhere for easier targets,” said Shawn Keating, Senior Consultant for Cybersecurity at Axis Communications.
“Basically, IP cameras of today do not really differ from other network participants and are thus equally exposed to all possible attack scenarios. We see it as our responsibility to ensure that our products and thus also our customers are protected against attacks of this kind in the best possible way,” said Hartmut Sprave, CTO of MOBOTIX.
A list of some common attacks vectors
That said, what are some of the more common cyberattacks against IP cameras? These are discussed as follows.
Malware
Malware is software intentionally designed to cause disruption to an IoT device and the network it resides on. “Installing malware requires network access to the camera, so not allowing direct exposure to the Internet is a great way to reduce the number of possible threat actors. Then, by following basic hardening procedures like setting strong passwords and turning off unused services, it becomes extremely difficult to gain access to the camera with the root level privileges required to install malware on the camera,” Keating said.
Ransomware
Ransomware is a form of malware aiming to lock devices until a ransom is paid. “The leverage here is denied access to sensitive data on IoT devices and the failure of a potentially critical IoT device. In the case of IP cameras, the impact therefore depends on the intended use and on whether integrated storage is available and, if so, which data is stored there in a decentralized manner,” Sprave said.
Denial-of-service attacks
A denial-of-service attack is accomplished by inundating the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible. IP cameras can be used as threat vectors to launch DoS attacks, as in the 2016 incidents.
Brute force attacks
A brute force attack uses repeated attempts to guess login info or other relevant information. Hackers try all possible combinations in the hope of guessing the information correctly. IP devices including cameras that use default passwords can be easily compromised via such attacks.
Man-in-the-middle attack
A man-in-the-middle attack is a cyberattack where the attacker secretly positions himself between two parties who believe that they are directly communicating with each other. The attacker may also alter the communications between the two parties.
What are companies doing about it
Given the rampancy of cyberattacks, IP cameras vendors are
putting in efforts to harden their devices, making them more secure.
“Axis devices themselves include several cybersecurity-related features, including signed firmware and secure boot to prevent tampering and ensure the integrity of the firmware; the use of a trusted platform module (TPM) in certain devices to securely store encryption keys on the camera; and enabling HTTPS by default to facilitate setting first-time passwords over an encrypted channel,” Keating said, adding: “Axis cameras support a Prevent DoS attack functionality that doubles as a brute force password protection. The functionality allows the user to set a limit for page and site requests and the time interval in which that limit is reached. If the limit is reached, connection requests from that page or site are refused for a period of time which is extended if the requests continue.”
“Many of the attacks mentioned benefit from unrestricted access, inadequate password protection, poorly protected interfaces and unencrypted network communication. The MOBOTIX camera provides active support by requiring that the default password is replaced by strong, customized passwords during the initial setup. In addition, digest authentication, IP address access control and intrusion detection for repeated unsuccessful login attempts further limit the scope for attacks on the camera,” Sprave said. “To ensure that we do not provide any opportunity for malware to be uploaded, we subject our upload and communication interfaces to regular penetration tests conducted by objective external experts. For secure data transport, our systems offer a wide range of secure protocols that enable exclusively encrypted communication without losing compatibility with third-party systems.”
What end users should also do
Yet keeping IP cameras secure is a two-way street. Other than vendors, the users should also
engage in certain best practices to ensure their equipment are well-protected. According to Keating, these best practices include the following:
- Upgrade to latest firmware when new vulnerabilities are discovered;
- Set device password;
- Create a video client account to reduce the risk of compromising the device administrator password;
- Configure network settings;
- Set time and date so that, for example, the system logs are time-stamped with the right information;
- Use edge storage encryption if the camera has support for SD cards and video is recorded to this storage device.
Coming up with an IT security guide can also help. “We often find that far too little attention is paid to the topic of IT security, in part also due to smaller budgets, and thus no response measures are available to counter the well-known attack scenarios already mentioned. We support the development of such measures with an IT security guide, which presents the secure integration of our camera and software products as simply as possible and thus minimizes the risks and efforts as much as possible,” Sprave said.