Special Report: Securing Networked Security Devices
In the wake of attacks against hundreds of thousands of network-connected devices, including cameras and controllers, network security is finally receiving the recognition it deserves as a vital component of any networked electronic security solution.
NETWORK security is a science that exists in the backend of many electronic security solutions – a disparate realm that at first glance seems unconnected, yet is the hearthstone of most of our infrastructure. From networked access control, intrusion, automation, and video surveillance solutions, to cloud-based alarm systems and direct-connected NVRs, access controllers and even single devices, this is a deep and complex area. No electronic security solution with an exposed network port can be considered secure without the application of network security policy.
According to Brendan White of Mobotix, the greatest vulnerabilities of network devices are unauthorised access and backdooring.
“By opening a port for the network device to communicate through (over the internet) via port forwarding, most people don’t realise that you are essentially opening a 2-way door unless the individual is versed in networking and knows to only allow specific connections to and from the devices in question,” White explains. “For example, if I port forward a generic camera on the following IP Address: 123.456.789.012:8080 (with Port 8080 for transmissions over the wider internet) and anyone were to ever type this address into their web browser, they could access the camera.
“In addition, even if they don’t have your user login, just by stumbling across your camera’s login page they will be able to execute brute force attacks. These are programs scripted to sequentially test different username and password combinations against anything that is hosting a login domain, whether it be HTTP-based (web page) or software-based. If the infiltrator is also able to figure out what your camera model is, they can assume you are using the DEFAULT USERNAME and can then leave a computer running 24/7 to brute force your camera – which would only take a matter of time provided they know where to start.”
And White says that most integrators leave their cameras communicating over the wider internet using HTTP instead of HTTPS – that’s a big no-no.
“The only thing you need to know here is that the ‘s’ in HTTPS stands for SECURED,” White says. “Let’s look at an example. Say you access your camera’s login page at 123.456.789.012:8080. An experienced infiltrator (if/when they gain access to your network or router) can initiate a man-in-the-middle attack. When the camera asks you (through the web browser) for a username and password, the HTTP protocol sends this information in raw text. The man-in-the-middle attack allows the infiltrator to sniff these packets of data that you are sending. They will then automatically send the information forward to your intended destination and could do this for weeks, even months siphoning all information you may be using such as banking, dropbox login credentials, camera logins etc.
“What are the chances that someone is going to find my camera’s public IP address and guess the correct port you ask?”, says White. “But can you really say that you are allowed to take this risk on behalf of any of your customers? By adding in networking devices with port-forwarding you are opening up vulnerabilities in the customer’s network. For this reason, we always urge installers to ensure proper protocols are followed and to adhere to the advice of the site’s network administrator as they are aware of the vulnerabilities in networking in general.”
There are other risks, too.
“If you Google ‘public cctv cameras’ you will get directed to websites such as Insecam that have web crawlers running in the background,” says White. “Have you ever wondered how Google is able to index every website there is on the world-wide web? If you were to purchase a website domain, I can guarantee within a few weeks or a month, your website will be visible via Google Search. Try googling your full name and be shocked at how social media platforms such as Facebook are open to web crawlers – this is an incredible vulnerability and identity issue. You can search the name of a person who uses Facebook, and you can essentially find their Date of Birth, spouse’s full name, etc.
“In saying all this, you might think: ‘Well, why would we want to put any camera over the internet?’ It depends on the security capability of the camera. What’s vital is working with manufacturers who value network security. Cameras (and any other network-connected devices) must be able to:
* Disable web crawler browsing (by blocking common ports/addresses that signatures identify as ‘web crawlers’)
* Disable HTTP communication and only allow HTTPS connections (so data sent between any PC and your camera is always encrypted and unreadable by any 3rd parties that may be listening in between)
* IP address filtering: only enable specific network devices to have communications with the camera. For example, you could make it so that in an office environment, only the boss’ laptop and the on-site CCTV computer can initiate connections to the camera. The camera will automatically refuse any connections from foreign network cards that you have NOT allowed in its whitelist. In terms of the wider internet, it can automatically refuse connections from outside network connections without needing to know who the intruder is.
* Intrusion detection – after a specified number of invalid login attempts, you can tell the camera to block the IP address of the infiltrator as soon as (for example) 3 incorrect logins are registered, and it can consequently send the owner or network administrator an email to alert staff of the attempted intrusion.
* Certify any recordings made by a camera via X.509 Certificate Signing (a 2048-bit AES public key cryptography encryption which is part of the highest level of encryption in the networking standard) to authenticate that video footage was produced by a specific camera without any modification to the footage, allowing camera footage to be officially authenticated in court and legal proceedings, if required. Mobotix cameras offer all these network security capabilities.”
According to White, the single most important thing installers and integrators can do to ensure their customers’ networked security solutions remain secure is to change the username and password of the network device on the local network and, if the device is exposed to the internet, to deploy IP address filtering with a whitelist that only allows authorised addresses.
In White’s opinion, password management can be as important as passwords themselves.
“Password management defines who has access to these passwords as well as the way these passwords are stored,” he explains. “Password application refers to the complexity of passwords and how those passwords are transmitted to the network device (via HTTP, etc). One is just as important as the other and your network security is only as good as your weakest link.”
When it comes to setting up a VLAN, White says the configuration and complexity is dependent on the network switch (typically Layer 3).
“Generally, you would create a VLAN on your network switch then you would assign specific ports to specific VLANs,” says White. “This is generally used as a way to limit the amount of transmissions being broadcast by all devices within a network. For example, you may find that a large corporate office may have all of their SIP phones running on VLAN1 and their workstations can run on VLAN2. This way, all devices will only be able to communicate to other devices within the same VLAN, without transmitting unnecessary information to other devices and can limit hopping, which is the transmission of data through multiple devices to reach a destination. Hopping can reduce overall network bandwidth communications and prevent bottlenecking.”
According to White, the process of blocking an IP address that makes multiple attempts to breach a password is straightforward when understood.
“In general, a network device (if it offers the feature) can take note of specific IP addresses that have numerous failed login attempts,” he explains. “By default, most network devices will allow all devices to communicate with it and when a possible intrusion is detected (identified by failed login attempts), the device can add the offending IP address into a blacklist, sometimes temporary, sometimes permanent, which will outright decline any incoming communications to prevent further suspicious activity.”
Something that’s a bugbear for many installers and end users is whether or not electronic security devices can still be secure if connected directly to the internet. And there’s also a question as to whether subnets offer an inherently higher level of security.
“Installing a device on a subnet does offer some protection but only if the subnet being used is not a standard Class A (255.0.0.0), Class B (255.255.0.0) or Class C (255.255.255.0) subnet,” White explains. “Subnets do not stop network scanners from finding your network devices, so infiltrators can still identify your network devices. They may not be able to get into them right away, but if you are using a default subnet you can guarantee they’ll try the defaults and compromise your network. To prevent this, you can change the access port of the device in question (not 80) to add an additional layer of security. Otherwise, you may utilise firewalls via the router or switches (even VLANs help in this regard) to prevent unauthorised network discovery of your security devices.”
Using mobile devices to steer electronic security solutions remotely is another delicate matter and it needs to be handled with care to ensure vulnerabilities are not introduced into the system.
“Depending on budget and existing infrastructure of the customer we would set up the mobile device to communicate back to the security system on a secured VPN via HTTPS, which would then protect devices within the security solution from being exposed to the World Wide Web,” says White. “This configuration would also ensure that only a specific mobile device could access the network using the added layer of credentials that comes with accessing a VPN. This would also protect the customer’s network from infiltration via man-in-the-middle attacks, as communications transmitted through the VLAN are secured.”
Bosch’s James Layton says the greatest vulnerabilities of networked security devices are dependent on the complexity of the connected devices.
“For example, when considering a storage server or network video recorder, we are usually looking at a device which is a conventional PC at its core, and will often have some form of standardised operating system,” Layton explains.
“This facility, if compromised, could allow a hacker access to further network devices. Even in the case of relatively simple components, such as IP cameras or intrusion systems, the fact that the device communicates through an IP network means that it can be subject to denial of service (DoS) attacks, where a hacker may attempt to overload the communication socket with junk data, effectively eliminating the device’s ability to communicate.
“Network communication is not new, and myriad are the ways to try and overcome or compromise the functionality or security of IP based technologies. Security devices are, by design, intended to function beyond attempts to sabotage or overwhelm, and thus it is vitally important that technology is used to protect these devices, and the ecosystems they operate within.”
According to the pragmatic Layton, self-education is the most important step in ensuring the security of a technology platform.
“You can have the world’s finest encryption, most secure sockets, and most complex passwords, but it’s all going to be useless if you don’t understand how these systems interoperate, and you introduce vulnerabilities inadvertently,” he explains. Most failures of security systems these days – either physical or data – have a human aspect at the root cause. It’s one of the reasons that hackers these days employ social engineering techniques (such as phishing emails or phone calls), rather than trying to simply brute-force their way through data barriers.
“By being well informed about the technologies behind data security and how they interact with an existing network environment, the installer can ensure they purchase the right equipment, and install it in such a way that it doesn’t risk compromise to the system.”
Layton agrees passwords are important but says there’s a trade-off for end users and access control has a major role to play.
“Most people think that the more complex a password is, the safer a system is,” he says. “This is only partially true. The real value in creating a password that contains multiple different elements is that it decreases the likelihood that an automated system can brute-force hack through the barrier by just simply trying repeated random combinations.
“At the same time, plenty of people get frustrated when password requirements are too complex. The moment you must create a password that contains an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a dragon, there’s a high likelihood that you’re going to write it somewhere so that you don’t forget it and this is where the previously mentioned social engineering comes in.
“Despite general knowledge about the importance of network security, people still share their passwords, use their children’s names and their own birth dates. Therefore, more important than ensuring overly complex passwords, is ensuring that even once a user has gained access to the system, they are limited to the functions that they specifically need, and thus you minimise the risk of damage to other areas of the system.”
Is there a simple way to apply a VLAN? Layton argues that it depends on the knowledge level of the installer.
“When thinking about complexity of network setup, the question becomes what aspect of this is a simple process?” he says. “IT-trained professionals would see VLAN operation as a relatively simple component of networking but for the average security installer still struggling with port forwarding, the concept can feel quite daunting.
“When a security tech walks into a site with an existing IT infrastructure, very few IT managers are going to be punching the air with joy when you tell them that you are going to attach several hundred video-streaming cameras to their network. VLAN setup allows a system to maintain network segregation without having to install an entirely independent infrastructure.
“Setting up a successful VLAN for the most part depends on using the right networking hardware, and having your entire network layout planned out in advance before you start plugging devices in,” explains Layton. “System integrators that feel that they may struggle with this should really look to gain assistance from pre-sales support services offered by most distributors and manufacturers.”
When it comes to defending against IP addresses that make multiple attempts to breach a password, Layton says many products already have the ability to identify and block brute-force attacks against a password.
“For those products that don’t, the only other reliable method is human diligence – you would have to regularly review system logs for signs of these attacks and then manually black-list the IP in your firewall,” he explains. “The bigger problem is that attackers are generally smart enough to use proxy services that allow them to frequently alter their origin IP. If one address is blocked, they simply move to another address. Blocking IP ranges can help reduce the risk, but this also comes with the risk of inadvertently blocking desired network traffic.”
According to Layton, blocking individual IPs or ranges of IPs is unlikely to really solve the problem of brute-force attacks.
“For this reason, more secure systems are more likely to go into an enforced lockout period after too many failed attempts, rather than simply resorting to IP blocking,” he says. “When it comes to securing devices, network segregation of subnets (especially through VLANs) is one way of ensuring data security for network components. When 2 or more devices do not share a subnet, there is literally no way for them to communicate unless static routes are created.
“The best example of this would be to have the video security system on a different subnet to the site’s Internet connection. This would prevent external forces from accessing the security system, though it would also make these same resources not available for use through the Internet (such as on a smart phone app).”
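The interviewees describe three overlapping controls for the login path of a networked device: an IP allow-list (White), blocking a source address after a set number of failed logins and alerting an administrator (White and Layton), and an enforced per-account lockout that still holds when an attacker rotates source addresses (Layton). The following is an added example written for this article, not code from the article or from any of the vendors quoted; the 192.0.2.0/24 office network, the addresses, usernames, thresholds and timestamps are all constructed, and the alert list stands in for the e-mail or syslog notification a real device would send.

```python
import ipaddress
from collections import defaultdict


class LoginGatekeeper:
    """Decides whether a login attempt against a device may proceed.

    Controls, applied in this order:
      1. IP allow-list: sources outside the listed networks are refused outright.
      2. Per-source-IP block: after `max_failures` failures inside `window_seconds`
         the source address is refused for `ip_block_seconds` and an alert is raised.
      3. Per-account lockout: after `max_failures` failures for one username,
         whatever the source, the account is refused for `lockout_seconds`,
         even if the correct password is then supplied.
    Timestamps are plain seconds passed in by the caller, so the logic is
    deterministic and can be exercised offline.
    """

    def __init__(self, allowed_networks, max_failures=3, window_seconds=300,
                 ip_block_seconds=600, lockout_seconds=900):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.ip_block_seconds = ip_block_seconds
        self.lockout_seconds = lockout_seconds
        self.ip_failures = defaultdict(list)       # ip -> failure timestamps
        self.account_failures = defaultdict(list)  # username -> failure timestamps
        self.ip_blocked_until = {}
        self.account_locked_until = {}
        self.alerts = []                           # stand-in for e-mail/syslog alerts

    def _is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def _recent(self, stamps, now):
        # Drop failures older than the sliding window, in place, and return the list.
        stamps[:] = [t for t in stamps if now - t < self.window_seconds]
        return stamps

    def attempt(self, ip, username, password_ok, now):
        """Return a verdict string for one login attempt."""
        if not self._is_allowlisted(ip):
            return "denied-not-allowlisted"
        if self.ip_blocked_until.get(ip, 0) > now:
            return "denied-ip-blocked"
        if self.account_locked_until.get(username, 0) > now:
            return "denied-account-locked"
        if password_ok:
            self.ip_failures.pop(ip, None)
            self.account_failures.pop(username, None)
            return "allowed"

        ip_fails = self._recent(self.ip_failures[ip], now)
        ip_fails.append(now)
        if len(ip_fails) >= self.max_failures:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds
            self.alerts.append(f"{now}: blocked {ip} for {self.ip_block_seconds}s "
                               f"after {len(ip_fails)} failed logins (user {username!r})")
            del self.ip_failures[ip]

        acct_fails = self._recent(self.account_failures[username], now)
        acct_fails.append(now)
        if len(acct_fails) >= self.max_failures:
            self.account_locked_until[username] = now + self.lockout_seconds
            self.alerts.append(f"{now}: locked account {username!r} for "
                               f"{self.lockout_seconds}s after {len(acct_fails)} failures")
            del self.account_failures[username]
        return "denied-bad-credentials"


def simulate():
    """Constructed scenario: office allow-list 192.0.2.0/24, attacker rotating IPs."""
    gate = LoginGatekeeper(allowed_networks=["192.0.2.0/24"])
    verdicts = []
    # An Internet host outside the allow-list never reaches the password check.
    verdicts.append(gate.attempt("203.0.113.9", "admin", password_ok=False, now=0))
    # A host inside the allow-list guesses three passwords for 'admin'.
    for t in (10, 20, 30):
        verdicts.append(gate.attempt("192.0.2.10", "admin", password_ok=False, now=t))
    # The same host again: its address is now blocked.
    verdicts.append(gate.attempt("192.0.2.10", "admin", password_ok=False, now=40))
    # The attacker moves to a fresh allow-listed address and now has the right
    # password; per-IP blocking alone would let this through, the lockout does not.
    verdicts.append(gate.attempt("192.0.2.11", "admin", password_ok=True, now=50))
    # A different account from that address is unaffected.
    verdicts.append(gate.attempt("192.0.2.11", "operator", password_ok=True, now=60))
    # Once the lockout expires, the real administrator gets in.
    verdicts.append(gate.attempt("192.0.2.20", "admin", password_ok=True, now=930))
    return verdicts, gate.alerts


if __name__ == "__main__":
    for line in simulate()[0] + simulate()[1]:
        print(line)
```

The point of the scenario is the fifth attempt: the source address changes and the credentials are correct, yet the request is still refused because the account, not the address, is locked. Whether a real device offers this is a product question; where it only offers per-IP blocking, the log review Layton describes is what catches the rotating attacker.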
Layton says secure sockets layer (SSL) is so important for networked security devices because it protects communications.
“Encryption of data is a key measure to ensure ongoing data security within a system,” he explains. “When data is encrypted between the sender and the receiver, the advantage is that even if the data packet is somehow intercepted by a nefarious third party, they are unable to utilise the data without the appropriate decryption key.
“The most common forms of shared data encryption are transport layer security (TLS) and its predecessor secure sockets layer (SSL). Using this technology, once 2 devices begin communicating an initial handshake takes place during which both systems automatically agree to an encryption / decryption algorithm. This then ensures that any communications remain secure, even if intercepted.
“More advanced systems are now using public key infrastructure (PKI) where the encryption algorithm for a communications product is freely available, but the decryption algorithm is kept separately by the target system or a third-party validation authority,” Layton explains.
“The advantage of PKI comes when we look at third-party security system integration. You may have 2 products which interoperate, but due to one system becoming compromised, the integration support is removed. Under normal encryption certificated controls, you could only ensure security if all partners using the same encryption were changed to a new algorithm. With PKI, you can exclude a partner from your system and the fact that they still have access to the encryption algorithm does not allow them to compromise your system, as they can’t decrypt data sent by other partner systems.”
Layton says that when defending network ports from scanning and attempted breaches it’s important to understand first what a network scan is.
“Most network scans are not targeted attacks – the hacker is simply scanning a range of unknown IP addresses looking for an exploitable vulnerability,” he explains. “Such vulnerabilities will usually come from software packages that have not been updated, or malicious software (Malware) that may have previously been installed by a virus.
“Getting scanned does not constitute a security breach on its own. The situation would be analogous to having a burglar drive past your home looking for an easy target for a break-in. If the hacker does not identify a vulnerability, they will simply move on to scanning the next IP in range.
“If constant network scans are really a concern, one methodology to limit exposure would be to change the port range of your network connected device from its default. Recent successful attempts to gain unauthorised access to NVRs have come from hackers knowing what port is opened by default for a given system – they simply scan IP ranges for a device with this port open and then attempt to use the connection software for that NVR using the default password.
“We need to realise here that where this hacking attempt was successful, the root cause was still the human factor – having the port open was part of the regular operation of the NVR, but failing to change the default password was the true vulnerability.”
According to Layton, there are 2 main considerations when it comes to using mobile devices to control security eco-systems.
“First off, most mobile devices have a standardised method of user access control – whether it’s a PIN, fingerprint recognition, or lock screen pattern,” Layton says. “This automatically limits who can access the apps on the device if it is stolen or found. Many security system apps also give the option of or require using an additional password or PIN. Where possible, it will always be safest to have multiple levels of authentication – your kids may know your phone PIN to play Candy Crush, but you don’t want them accessing your office security system.
“The second consideration is that for high security applications, it is possible to get specialised apps for a mobile device that allow the device itself to authenticate to the system as a known device. Such systems will often use the Unique Device ID (UDID) number of an Apple device or the IMEI, Android ID, or MAC of an Android device. These apps prevent your mobile device from being “spoofed” by a hacker, even if they can compromise your passwords or PINs.”
At Inner Range, Russell Blake argues the greatest vulnerabilities of networked security devices include default passwords that haven’t been changed, unneeded services running in the background that present an attack vector, unpatched and out-of-date firmware/software that contain known security vulnerabilities, operator permissions that are not locked down, and weak implementation of security defences (e.g. devices that don’t allow long and complex passwords, easily allow privilege escalation attacks, etc).
“If there’s a single thing security installers can do to help ensure networked security devices remain secure it would be to truly understand, understand and understand,” Blake says. “Understand network security, understand the application they are working with, understand the customer’s requirements and understand how network attacks are continually changing and how defences need to keep up to date. With a solid foundational understanding and a willingness to always learn what’s new, everything else will flow.”
Blake says VLAN complexity is subjective.
“I would say setting up a VLAN is a relatively easy process even for someone that has no network certification or strong IT experience,” he explains. “The answers are easy to find and pleading ignorance just won’t cut it these days. VLANs are nothing to be scared about. They are simply layers that create isolation and increased security between network segments. In Cisco’s Command Line Interface, setting up a VLAN and assigning ports to VLANs can be done in as few as 2 easy commands.”
If installers are trying to secure systems against attacks on ports, Blake says different systems and vendors may approach securing against brute-force attacks differently.
“Any security system that takes itself seriously, however, should have an easy-to-configure tick-box or similar that enables a brute-force blacklist feature, if that feature isn’t already enabled by default,” he explains. “Port scanning can be difficult to defend against given the increasing stealth of reconnaissance scanning and masquerading of attacks. Saying that, basic principles can be put into place to stop the vast majority of attacks. Establishment of dedicated network security devices is key, with examples being a good quality stateful firewall (at the internet border and even between network segments if necessary) and an internal IPS/IDS (Intrusion Prevention System/Intrusion Detection System) – take Cisco Meraki’s MX appliances as a consideration.
“Other configuration options to help prevent attacks can include shutting down ports that don’t need to be used, setup of VLANs to segregate traffic and isolate an attacker, setup of access control lists to surgically control the flow of traffic (particularly for high security devices), locking network ports to pre-defined MAC addresses, setup of a centralised system log server to actively monitor and report certain activity and, of course, changing any default password to a strong and uniquely applied password and keeping security devices patched with the latest firmware/software.”
According to Blake, SSL (or TLS as SSL’s successor), is critical for secure communication with security devices as it provides both encryption and authentication.
“I’m sure everyone understands the principles surrounding and need for encryption, but authentication is also important as it validates that the device you are talking to is actually the real device and not a counterfeit device such as would be seen in man-in-the-middle attacks.”
Mark Shannon at BGWT believes 2017 will possibly be the year for the general security industry to become more aware of the potential risks that insecure devices can have on the network.
“This awareness is a great thing and there are 2 main aspects for securing network devices and these 2 combined form the biggest vulnerability,” Shannon says. “Firstly, the device itself and whether or not, at the device’s firmware level, it is secure enough. That is, has the manufacturer provided firmware with inbuilt protection measures to help protect itself against brute force attacks, injection of malicious code and the like – these are important components to help prevent breaches.
“Secondly, at the human level and whether we have done all that can be done to ensure that the measures to protect the device are implemented. Ensuring the end user/consultant specify that the job requires the right level of security for the risk and then follow it up to ensure that the installer implements it accordingly – it needs to be a closed loop process. Today, these 2 things are lacking and I am hoping that the awareness of recent events will help in the reduction of breaches.”
What does Shannon think is the single most important thing installers and integrators can do to ensure their customer’s networked security solutions remain secure?
“We can make people change default passwords, implement network security using 802.1x and install firewalls, etc, but the one thing that covers it all is to implement a security strategy and let all stakeholders know the necessary practices to follow,” he says. “Starting at the planning stage of the security system, to the installation stage and then the ‘afterwards’ stage where it becomes even more critical to ensure breaches do not happen. The ‘afterwards’ stage tends to be neglected as it is forgotten about.
“Too often people have the attitude: ‘The system is running so everything is ok’. However, there are practices that ring alarm bells. Even USB memory sticks connected to offload footage may contain a virus, spyware or the like, and unless a rigid practice is implemented and followed, the good work done at the start can be easily undone afterwards once the system is running. A security strategy is critical and it needs to be made known to all parties involved in the security system. A strategy means that when a party interacts with the system, they have a framework to work within to keep the system secure.
Passwords are important, too, argues Shannon.
“We all know the story about the chain’s weakest link and this tends to be where the breach will occur,” he explains. “The password tends to be the weakest link on many occasions. Passwords are important but they are only one aspect. Where passwords tend to fall down is because on occasions, more so than not, they are left at default or changed without a password management plan.
“Even just changing a default password doesn’t make the device more secure. It should be, ‘What do I change it to?’ This is password management and it forms part of the overall security strategy for the system. Password management has a number of aspects: 1 – that passwords are actually implemented, 2 – that passwords are difficult to crack, 3 – that passwords are well-protected and encrypted, and 4 – where possible, passwords should be changed periodically. This all forms a password management system and a strategy should be implemented at the planning stage.” ♦