Securing Networked CCTV Cameras
After the recent DDoS botnet attack, integrators and end users are right to be thinking seriously about securing IP cameras and the networks they run on. Fortunately, there are many practical measures that can be taken to harden devices exposed to local networks and the Internet.
When you’re thinking about securing IP cameras, the first thing to do is work on the password that gives access to the camera’s web interface. Default user names and passwords like admin and admin, root and pass, admin and no password, admin and 123456 are a sure way to leave cameras open to hacking. Passwords are more difficult than they sound. They need to be complex enough to defy easy breaching and they need to be manageable. There’s nothing worse than losing a password and having to reset every device on a network, in effect recommissioning the system to regain communication. Passwords need to be managed and securely stored.
Cameras with weak or predictable passwords are more vulnerable when they reside on a shared data network and not a secure CCTV subnet – this happens most often in SME businesses. Typically, larger organisations will need a subnet for cameras to ensure there are no dramas with traffic congestion. If a subnet is not possible then a VLAN is required – using a VLAN is always a good idea. Depending on the security level of the network, a strong system password can be used for multiple cameras. Any cameras that are not on secure networks should have unique identifiers.
Supporting camera passwords are system passwords – the idea is that there are layers of security would-be hackers must get through. System passwords need to be complex and they should be regularly changed. IP addresses that make multiple attempts to breach a password should be locked out. Behind system passwords are operating system passwords. The more passwords there are, the more secure the system is, and the harder it is to manage.
Most quality cameras have SSL encryption that can be activated if they are connected directly to the internet – make sure that this functionality is employed. This is particularly important if you’re hooking up to a cloud-based service. It’s not hugely complex – if a device has a direct connection to the Internet and is not protected by general system firewalls and encrypted passwords, then it needs to be protected to the level of the network frontline. A possible weakness of internet-connected DVRs and NVRs is that connections are not encrypted to an acceptable standard. A DVR without the capability for SSL is vulnerable to loss of passwords. Make sure SSL is activated for DVRs that are exposed to the internet.
Installing network devices directly on a data network creates weaknesses in both directions. The device may become an entry point for an attacker to get to the network, and the shared network may become an entry point for the attacker to get to the device. It’s this fundamental that drives the need for secure subnets with the bare minimum of access points, open to authorised users only. In defence applications, this may go so far as ensuring no part of the security network is connected to any Internet-connected network, only to a handful of local workstations. If access is required by a remote site in an emergency, it will be temporary and highly secure.
An increasingly common access point to IP cameras is through mobile devices and these devices are often unsecured themselves. They should be biometrically secured, with complex password support. Security settings should be activated and multiple attempts to enter a password, particularly if the phone uses a biometric, should result in lockout and possible blanking of the device, depending on the security level of the system the device can access.
Mobile device connection usually means some measure of port forwarding and the key thing here is to limit exposed ports and to protect them with tools that will detect attempts to breach unauthorised ports. The Internet is a jungle and network ports may be scanned thousands of times every day by would-be intruders seeking an access point. You want the exposed port to be defended by a firewall with an intrusion detection system that reports events and rejects malicious traffic.
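Two of the controls above, locking out an address that repeatedly fails a password and flagging a source that probes exposed ports, can share one sliding-window counter. The following is an added example, not code from the article or from any camera or firewall vendor; the log formats, thresholds and log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical formats, not from any real camera or firewall).
AUTH_LOG = """\
2016-10-03 08:00:01 auth fail user=admin src=203.0.113.9
2016-10-03 08:00:03 auth fail user=admin src=203.0.113.9
2016-10-03 08:00:04 auth fail user=root src=203.0.113.9
2016-10-03 08:00:06 auth fail user=admin src=203.0.113.9
2016-10-03 08:00:09 auth ok user=operator src=192.0.2.20
2016-10-03 08:05:00 auth fail user=operator src=192.0.2.20
"""
FW_LOG = """\
2016-10-03 09:00:00 DROP src=198.51.100.7 dpt=23
2016-10-03 09:00:00 DROP src=198.51.100.7 dpt=80
2016-10-03 09:00:01 DROP src=198.51.100.7 dpt=554
2016-10-03 09:00:01 DROP src=198.51.100.7 dpt=8000
2016-10-03 09:00:02 DROP src=198.51.100.7 dpt=37777
2016-10-03 09:30:00 DROP src=192.0.2.55 dpt=443
"""
AUTH_RE = re.compile(r"^(\S+ \S+) auth (fail|ok) user=\S+ src=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) DROP src=(\S+) dpt=(\d+)$")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def offenders(events, threshold, window):
    """events: (timestamp, source, key) tuples.  Flag every source that
    produces >= threshold distinct keys inside any sliding `window`."""
    recent = defaultdict(deque)          # source -> (ts, key) in time order
    flagged = set()
    for when, src, key in sorted(events):
        q = recent[src]
        q.append((when, key))
        while when - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        if len({k for _, k in q}) >= threshold:
            flagged.add(src)
    return flagged

def lockout_candidates(log, threshold=4, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logins per window: lock these out."""
    fails = [(ts(m.group(1)), m.group(3), i)      # line index keeps each failure distinct
             for i, m in enumerate(map(AUTH_RE.match, log.splitlines()))
             if m and m.group(2) == "fail"]
    return offenders(fails, threshold, window)

def scan_sources(log, threshold=5, window=timedelta(seconds=10)):
    """Sources rejected on >= threshold distinct ports per window: a port scan."""
    drops = [(ts(m.group(1)), m.group(2), m.group(3))
             for m in map(FW_RE.match, log.splitlines()) if m]
    return offenders(drops, threshold, window)
```

The lockout list is what a camera or NVR would feed into its block list; the scan list is what a monitored firewall would raise as an event.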
Firewalls are a science of their own. If you’re using something like a Synology server with an integrated firewall in a store or small business, you might activate this yourself after some careful thought, but rules-based firewalls are complicated and if you are serious about network security, then you’ll need help. Firewalls need careful configuration, they need to be kept up to date with the latest threats and they need to be monitored in the same way a perimeter intrusion detection solution is monitored.
A vulnerability that might not be considered is physical access to network rooms, which should be protected using the organisation’s access control and intrusion detection system. Something we’ve seen is DVRs or NVRs with no passwords just sitting out in common areas – not just in small retail stores but in hotels, shopping centres and sports grounds. Node zero should be defended and all access to CCTV equipment should be logged.
Securing video surveillance solutions is something integrators and end users need to get serious about. The capability to undertake such target hardening has existed for a long time – we need to start deploying it, not only on new systems but on hundreds of thousands of brownfield sites as well.