Security camera systems are increasingly internet connected, driven in great part by customer demand for remote video access. The systems range from cloud-managed surveillance systems, traditional DVR/VMS/NVRs connected to the internet, and traditional systems connected to a local network which in turn is connected to the internet.
With cyber-attacks accelerating, physical security integrator and internal support staff must keep up-to-date on cyber security attack vectors which can impact the camera video management systems they sell and/or support. These systems require the same level of protection from cyber security vulnerabilities given to traditional IT systems.
The best practices for internet-connected security camera systems.
-
Physical Security: A Dangerous Door for Cyber Attacks:
Security Camera Systems are increasingly internet connected, driven by the desire for remote access and control, integration, and drastically reduced cloud storage costs.
In addition to the growing number of cloud-managed surveillance systems, most traditional security camera systems are now connected to the internet for remote access, support, and maintenance, or they are connected to the local network which in turn is connected to the internet.
In parallel, cyber-attacks continue to escalate. Reading about millions of breaches in the news headlines are becoming commonplace. Liabilities for damages are a great risk to companies.
Thus it is critical that security camera systems get the same level of attention to, and protection from, cyber security vulnerabilities that are given to traditional IT systems.
Physical security integrator and internal support staff must keep up-to-date on cyber security attack vectors which can impact the camera video management systems they sell.
-
Major Attack Vectors for Security Camera Systems:
The five major cyber-attack vectors for surveillance camera systems are:
Windows OS
Linux OS
DVRs, NVRS, VMS
Endpoints (Cameras)
Firewall ports
We will discuss these attack vectors in context of applicable best practices which can be deployed to protecting your surveillance system against them.
-
Best Practices Differ Based on Surveillance System Type:
The term ‘cloud video surveillance’ and cloud system’ is used inconsistently. Thus it is important to check with your provider to see exactly how they achieve internet access, as it will impact which steps you must take to ensure your system is secure.
A traditional system, either DVR, NVR or VMS, with an internet connection, typically for the purpose of remote video access.
A cloud-managed system, also called VSAAS. With a cloud-managed system, though there may be an onsite device, the video is recording and managed from the cloud.
There are differences within each of these categories that impact features and functions, however, this top-level distinction will offer clarity in how you can apply cyber security best practices, as well as what questions to ask your provider.
-
Best Practices for Cyber-Safe Security Camera Systems:
Vulnerability
At first glance, camera passwords may seem like too obvious a security measure to discuss. However, a Network World article in November 2014, cited that 73,011 locations with IP Cameras from 256 countries were exposed on one website. The United States topped the list with 11,046 links, where each link could have up to 8 or 16 cameras.
Further,, it is estimated that 1 in 5 Web users still use easy-to-hack passwords.
The Top 10 passwords of 2013, according to Splash Data.
- 123456
- Password
- 12345678
- qwerty
- abc123
- 123456789
- 111111
- 1234567
Almost all cameras sold today have a web-based graphical user interface (GUI) and come with a default username and password which is published on the internet.
Some installers don’t change the password at all and leave the same default password for all cameras.
Very few cameras have a way to disable the GUI, so the security vulnerability is that someone can attempt to hack into the camera via the web GUI to guess a password.
The hacker must have network access to do this, but the cameras are often on a shared network, not a physically separate network or a VLAN.
Port Forwarding:
Most end users now demand and expect video access from remote mobile devices.
This feature is normally delivered by exposing the DVR, NVR, or VMS to the internet in some way.
This typical exposure to the internet of an HTTP server is extremely dangerous, as there are a large number of malicious exploits that can be used to obtain access. Machines open to the Internet are typically scanned more than 10,000 times a day.
One example of this vulnerability was the Heart-bleed OpenSSL exploit in 2014; many manufacturers had to ask users to reset their passwords.
Firewalls:
As stated above, any on-premise DVR/NVR/VMS should have a firewall for protection, especially if you are going to expose it to the internet for any type of remote access.
Firewalls can be very complex, with thousands of rules. The next generation firewalls are even more complex because they analyse the protocols going over the ports and verify that proper protocols are being used.
Network Topology:
Mixing the cameras on a standard network without separation is a recipe for disaster.
If your security camera system is connected to your main network, you are creating a doorway for hackers to enter your main network via your surveillance system, or to enter your physical security system through your main network.
Operating Systems:
Your on-premise VMS, DVR, NVR or recording system will all have an operating system. The cameras all have an operating system.
All operating systems have vulnerabilities, both Windows-based and Linux-based.
Window OS vulnerabilities are so well-accepted that IT teams monitor them regularly. Recently it has become more and more apparent that Linux has many vulnerabilities also, such as Shell-shock (2014) and Ghost (2015), which made millions of systems vulnerable.
In theory, your system manufacturer would have a high-quality security team that is responsive in providing you with security updates. The reality is that many vendors don’t do this on a predictable basis.
Cloud-Managed System
Best practice here is to inquire with your integrator or cloud vendor if the cloud vendor has a dedicated, experienced security team which monitors vulnerabilities.
It also confirm whether the cloud vendor will automatically send security patches/updates through the cloud to any on-premise appliance. If so, no action is required from the end user to do operating system security monitoring, patching or upgrading.
Data breaches continue to accelerate throughout the world. With increasing Internet connectivity, physical security systems are very vulnerable to cyber-attacks, both as direct attacks and as an entrance to the rest of the network. Liabilities for these attacks are still being defined.
It is prudent to protect your company and your customers through preventative measures.
To maximize your cyber security, it is critical to define best practices for your own company, as part of your security camera system assessment, as well as its deployment and maintenance.