In a networked physical security environment, each embedded device is a unique computer complete with IP address, passwords, security configuration settings and vulnerabilities. Poorly configured devices can provide a hacker with the opportunity to gain entry into the network where they can alter or collect data, change settings, take control of the system or, ultimately, defeat a physical security system and render the facility unprotected.
Of the many devices vulnerable to attack, IP cameras offer a particularly easy portal into the system. To attackers, a camera is simply another networked device, and therefore another potential attack point — one with which they have had some success recently. IP cameras can become vulnerable due to human factors (misconfiguration, user error, etc.) or the technology (design flaws, firmware).
Another weakness of IP cameras is the “set-and-forget” mindset commonly practiced by the installing dealer as well as the end user. To help overcome the practice, at a minimum the following three areas should be mandatory to address.
1. Default Passwords and Settings: Video surveillance cameras come out of the box with a factory-installed default username and password. Neglecting to change these can leave devices exposed to attackers who are well aware of the tendency to leave settings unchanged. The all-access username is generally admin and the default password is often just 123456. There are also Web sites where default passwords for most IP cameras — both consumer and commercial grade — are publicly listed.
Other security settings, like encryption or remote access, are often set to a less secure state by default to ease “plug-and-play” installation. But even for professional installations, security levels for virus scans or firewalls are set at a lower level so as not to affect the setup and force a reset to the less secure standard level.
Changing passwords cannot usually be done during setup when it would be most convenient, but rather must be done after the fact. For a more secure system, change passwords as soon as possible.
2. Firmware Updates: Many cameras will be vulnerable because of outdated firmware. Attackers have been successful at finding and exploiting bugs in camera software that allow them to bypass authentication and access the device. In many cases, the manufacturer had already identified and provided a patch, but the firmware hadn’t been updated.
Hackers know that a lot of people do not change the default passwords on their network devices.
End users often don’t know how to update their devices, don’t think to do it or lack the time to update their firmware.
In some instances, the end user (or installing integrator) can register the cameras with the manufacturer to receive firmware updates. Also, check the manufacturer’s Web site for firmware updates.
3. Network Segmentation: IP video cameras should not be open to the Internet or any other external networks, but they often are, making it easy for an attacker to find them. Networks should have internal perimeters that align with their functional areas, and reflect the data sensitivity and access requirements for those areas. Many breaches originate in one segment of the network, where attackers find entry easiest, and then propagate to other unrelated segments of the network as the attack progresses.
Security is not the only issue that benefits from proper network segmentation. The ability to contain network problems, improve performance and reduce congestion are all key resulting products.
Network segmentation should be continually managed. Hackers constantly attempt to find new openings as old flaws are fixed, so manufacturers and others are always working on making more secure products and quickly developing patches.
Still, it’s critical to recognize that given the ever-evolving methods and technologies used, no one can guarantee that all potential breaches will be avoided. It is paramount that cameras and the surveillance system network are shielded and separate from systems and networks where sensitive data is kept. This will help prevent IP cameras from becoming an “open door” for hackers to access those systems.
If you would like to learn more, contact our Security Solutions Division today.