Ways to Secure Your Security Camera System on the Internet
Security Cameras: A Dangerous Door for Cyber-Attacks
Internet-connected devices can create a door for cyber-attacks. Connecting the cameras to the internet for remote viewing makes the system vulnerable to potential cyber-attacks. If the security camera system is not properly secured, cyber criminals can compromise it and potentially access sensitive information or data. The danger is particularly pronounced as the trend towards connected security camera systems continues to grow. It is important for security camera owners and operators to take appropriate steps to secure their systems against cyber threats.
Major Attack Vectors for Security Camera Systems
Five major cyber-attack vectors for surveillance camera systems are:
- Windows OS
- Linux OS
- DVRs, NVRs, VMS
- Endpoints (Cameras)
- Firewall ports
Best practices for securing surveillance camera systems can differ based on the type
Cloud-based surveillance systems may have different security requirements compared to traditional DVR/VMS/NVR systems connected to the internet, or traditional systems connected to a local network which is connected to the internet.
For cloud-based systems, security measures may include using encryption for data in transit and at rest, implementing multi-factor authentication, and regularly monitoring the system for unusual activity.
For traditional systems connected to the internet, security measures may include securing the network with firewalls and virtual private networks (VPNs), regularly updating software, and changing default passwords.
For traditional systems connected to a local network which is connected to the internet, security measures may include limiting access to the local network, regularly updating network equipment, and implementing network segmentation.
It is important to understand the specific security requirements of the surveillance camera system being used and to implement best practices accordingly to keep the system secure.
Camera Passwords
Security risks exist with the web-based graphical user interface (GUI) of cameras that are commonly sold today. The issue is compounded by the fact that many cameras come with a default username and password that is readily available on the internet, and some installers fail to change the password, leaving the same default password on all cameras. It is also estimated that a significant portion (one in five) of web users still use easy-to-hack passwords, which increases the security vulnerability.
The top 10 most common passwords list:
- 123456
- Password
- 12345678
- qwerty
- abc123
- 123456789
- 111111
- 1234567
- iloveyou
- adobe123
Very few cameras have a way to disable the GUI, so the security vulnerability is that someone can attempt to hack into the camera via the web GUI to guess a password.
The hacker must have network access to do this, but the cameras are often on a shared network, not a physically separate network or a VLAN.
Best Practice
The ideal best practice is to assign a unique, long, non-obvious password to each camera. Such a meticulous process takes time to set up, is more difficult to administer, and is very hard to track. Therefore, many installers, unfortunately, use a single password for all of the cameras in an account.
To allow for this challenge, an acceptable best practice is:
- Public Network: Different strong password for each camera
- VLAN or Physical Private Network: Same strong password for all cameras
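The policy above can be checked mechanically against a camera inventory. The following is an added example, not part of the original article; the inventory format, the camera names and the 14-character minimum are assumptions.

```python
import hashlib
from collections import defaultdict

# The ten most common passwords listed above, lower-cased for comparison.
COMMON = {"123456", "password", "12345678", "qwerty", "abc123",
          "123456789", "111111", "1234567", "iloveyou", "adobe123"}
MIN_LENGTH = 14  # assumed threshold for "long"; adjust to company policy


def audit(cameras):
    """Return sorted (camera, finding) pairs for an inventory of dicts with
    keys name, network ('public', 'vlan' or 'private') and password."""
    findings = []
    users = defaultdict(list)  # password fingerprint -> cameras using it
    for cam in cameras:
        pw = cam["password"]
        if pw.lower() in COMMON:
            findings.append((cam["name"], "common password"))
        elif len(pw) < MIN_LENGTH:
            findings.append((cam["name"], "password too short"))
        # Track reuse by hash so the report never carries the password itself.
        users[hashlib.sha256(pw.encode()).hexdigest()].append(cam)
    for group in users.values():
        if len(group) > 1:
            # Sharing is acceptable only on a VLAN or physically private network.
            for cam in group:
                if cam["network"] == "public":
                    findings.append((cam["name"], "shared password on public network"))
    return sorted(findings)


# Constructed sample inventory (not real devices or credentials).
SAMPLE = [
    {"name": "lobby", "network": "public", "password": "Password"},
    {"name": "dock-1", "network": "public", "password": "gravel-Otter-94-lantern"},
    {"name": "dock-2", "network": "public", "password": "gravel-Otter-94-lantern"},
    {"name": "vault-1", "network": "vlan", "password": "maple-Quartz-17-harbor"},
    {"name": "vault-2", "network": "vlan", "password": "maple-Quartz-17-harbor"},
    {"name": "gate", "network": "private", "password": "cam12345"},
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

The two VLAN cameras share a strong password and pass, while the same reuse on the public network is reported.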
Port Forwarding
The increasing demand for video access from remote mobile devices has created a security vulnerability by exposing the DVR, NVR, or VMS to the internet through an HTTP server. This exposure is dangerous because it opens the system up to numerous malicious exploits that can be used to gain access, and internet-connected machines are scanned over 10,000 times a day. One example is the Heartbleed OpenSSL exploit in 2014, which forced many manufacturers to ask users to reset their passwords.
Best Practice
Connecting an unprotected server to the internet is not recommended, as it poses a security risk. If it is necessary to expose the server to the internet, we suggest limiting the number of ports that are “port forwarded” and using a next-generation firewall to block incorrect protocols. We also recommend deploying an IDS/IPS for additional protection. Cloud-based systems are typically more secure, as they do not have port forwarding and therefore do not have the vulnerabilities it creates. We advise checking with an integrator or provider to verify the security measures in place for any system in use or being considered.
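A review of existing port-forward rules along these lines, as an added example that is not part of the original article: the rule format, the addresses and the limit of one forwarded port per host are assumptions.

```python
import ipaddress

# Well-known ports of protocols that send credentials or video in cleartext.
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP", 554: "RTSP"}
MAX_FORWARDS = 1  # assumed site limit on forwarded ports per internal host


def review(rules):
    """Review port-forward rules given as dicts with keys src (CIDR),
    ext_port, dest (internal IP) and dest_port. Returns a list of findings."""
    findings = []
    ports_by_dest = {}
    for r in rules:
        where = f"{r['dest']} ext {r['ext_port']}"
        ports_by_dest.setdefault(r["dest"], set()).add(r["ext_port"])
        if r["dest_port"] in CLEARTEXT:
            findings.append(f"{where}: cleartext {CLEARTEXT[r['dest_port']]} exposed")
        # A /0 source means every address on the internet can reach the port.
        if ipaddress.ip_network(r["src"]).prefixlen == 0:
            findings.append(f"{where}: open to any source address")
    for dest, ports in ports_by_dest.items():
        if len(ports) > MAX_FORWARDS:
            findings.append(f"{dest}: {len(ports)} ports forwarded, limit is {MAX_FORWARDS}")
    return findings


# Constructed sample rules (private and documentation address ranges).
SAMPLE_RULES = [
    {"src": "0.0.0.0/0", "ext_port": 8080, "dest": "192.168.50.10", "dest_port": 80},
    {"src": "0.0.0.0/0", "ext_port": 554, "dest": "192.168.50.10", "dest_port": 554},
    {"src": "203.0.113.0/24", "ext_port": 8443, "dest": "192.168.50.11", "dest_port": 443},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

Only the rule that is restricted to a known source range and forwards to an encrypted port passes without findings.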
Firewalls
Best Practice
To ensure the best possible protection, it is important to assign a professional network security expert to configure a modern firewall. We emphasize the importance of having clear documentation on the firewall configuration and regularly monitoring and making any necessary changes to maintain security.
For a cloud-based solution without port forwarding, an on-site firewall configuration is not necessary. We advise speaking with an integrator or system manufacturer to confirm this, as the security measures in place may vary among different cloud-based solutions.
Network Topology
Mixing the cameras on a standard network without separation is a recipe for disaster.
If your security camera system is connected to your main network, you are creating a doorway for hackers to enter your main network via your surveillance system, or to enter your physical security system through your main network.
Some DVRs can even be shipped with a virus.
Best Practice
Ideally, place the security camera system on a physically separate network from the rest of your network.
Acceptable Best Practice:
If you are integrating with a sophisticated IT environment, it is not always possible to separate the two systems physically.
In this event, you should use a VLAN.
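Whether the separation actually holds can be verified from firewall or switch flow logs. The following is an added example, not part of the original article; the log format, the camera VLAN range and the single allowlisted viewing-station flow are assumptions.

```python
import ipaddress

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed camera VLAN
# Assumed policy: one viewing station may reach the NVR over HTTPS.
ALLOWED = {("10.10.0.5", "10.20.0.2", 443)}


def crossing_flows(log_lines):
    """Return accepted flows that cross the camera VLAN boundary in either
    direction and are not on the allowlist."""
    flagged = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, dport = line.split()
        if action != "ACCEPT":
            continue  # dropped traffic never crossed the boundary
        src_in = ipaddress.ip_address(src) in CAMERA_NET
        dst_in = ipaddress.ip_address(dst) in CAMERA_NET
        # Exactly one endpoint inside the VLAN means the flow crossed it.
        if src_in != dst_in and (src, dst, int(dport)) not in ALLOWED:
            direction = "camera->outside" if src_in else "outside->camera"
            flagged.append((direction, src, dst, int(dport)))
    return flagged


# Constructed sample log: action, source, destination, destination port.
SAMPLE_LOG = """\
# constructed flow records
ACCEPT 10.20.0.11 10.20.0.2 554
ACCEPT 10.10.0.5 10.20.0.2 443
ACCEPT 10.10.0.77 10.20.0.11 80
ACCEPT 10.20.0.2 10.10.0.30 445
DROP 10.10.0.77 10.20.0.12 23
""".splitlines()

if __name__ == "__main__":
    for flow in crossing_flows(SAMPLE_LOG):
        print(flow)
```

Both directions matter: a flow from the main network to a camera and a flow from the recorder into the main network are each reported.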
Operating Systems
As with camera passwords, a weak system password can create an opportunity for cyber-attacks on the surveillance system and the network.
Unfortunately, in many OS environments the root password or the administrator password is shared among all the admins, spreading the security risk. Employee turnover, either through attrition or a change of roles, can create unexpected security holes.
Best Practice
Set long, high-quality passwords for the operating system.
Additionally, establish policies and procedures for changing passwords. For example, the root admin password should be changed every time an employee with password access leaves the company or changes roles.
True cloud systems do not have separate passwords for OS access. They only have system passwords for individual accounts (see below), which are explicitly deleted when employees leave or their roles change.
System Passwords
Unauthorized access to your security camera system leaves both the surveillance system and the network connected to it vulnerable.
Best Practice
Change your surveillance system passwords on a schedule. Enforce security quality with the same stringency as your company standard. Long, strong passwords are the best.
Connection Equipment
A surprising number of DVRs, NVRs and VMSs use connections which are not encrypted with SSL or equivalent.
This risk is identical to logging into a bank or shopping online without HTTPS. It exposes passwords and creates the potential for privacy and eavesdropping breaches.
Best Practice
It is imperative that the connection be encrypted with SSL or equivalent.
Ask your vendor how they handle this. Only choose vendors who encrypt their connections.
Many cloud vendors provide connection encryption, but it is variable. Confirm with your cloud vendor how their system handles this.
Video Encryption
In addition to insecure connections due to lack of encryption, the same privacy risks apply when the video is not encrypted when stored on the disk or in transit.
Best Practice
For a truly secure system, the video should be encrypted, both when it is stored on disk and when it is in transit.
Mobile Access
Password, account deletion and encryption vulnerabilities apply doubly to mobile.
Best Practice
Just as when you run the application on your personal computer, ensure that you have an encrypted connection for the mobile application on the iPhone or Android to the VMS or NVR/DVR. Set high-quality passwords and do password enforcement and account deletion when staff changes.
Physical Access to Equipment and Storage
The financial rewards for stealing company data are high enough that intruders will also seek to access your network by directly hacking into your onsite physical equipment.
Best Practice
Keep secure: your cabinets; the cables; and the room where the DVR/NVR/VMS, switches and video storage servers are located. Provide secure access control to the room, including video security to monitor it. This practice not only protects your network, but prevents ‘smash and dash’ thefts at your facilities, where the recording DVR/NVR is stolen along with any other items.
Although the same principle clearly applies to a cloud-based system, there is much less on-premises equipment to protect. The immediate cloud recording also protects against smash and dash theft of the on-site recording.
It is important to inquire of your integrator or vendor what general security measures they take for their cloud servers.
Video Recording Software
Video Management Software uses a lot of components beyond the operating system, such as Microsoft database applications. As with the operating system itself, these components must be kept upgraded and secure.
Many VMSs, for example, use Microsoft Access or libraries, as well as the software that they have written. New system vulnerabilities can be introduced if the supporting software is not kept up-to-date, including security patches.
If you are passive here, you are highly dependent on the provider sending patches for you to update the system for such vulnerabilities.
Best Practice
Ask your VMS vendor about their policy for keeping the components they use up-to-date and secure. Check for and install regular updates. Be proactive in monitoring the known security vulnerabilities in the industry and contact your integrator or vendor when you learn of new breaches.
It is important to make sure the VMS vendor has a team focused on this and is sending you updates regularly.
True cloud managed systems do not have software on site, so no vulnerability exists here.
However, it is very important to confirm if the system is truly ‘cloud-managed’ vs. internet-connected before making this assumption, or you risk exposure to a potential vulnerability.
Special Tips to Secure Your Security Camera System
Securing IP cameras over the internet is important to protect your privacy and the security of the camera’s footage. Here are some ways to secure an IP camera:
- Change the default login credentials: Many IP cameras come with default usernames and passwords that are easily accessible to hackers. Changing these credentials to strong and unique combinations will prevent unauthorized access to the camera.
- Use WPA2 encryption: When setting up the wireless network for the camera, make sure to use WPA2 encryption. This will secure the connection between the camera and the router, and prevent unauthorized access to the footage.
- Disable remote access: If you don’t need to access the camera from a remote location, it’s best to disable this feature. This will reduce the attack surface and prevent potential hacking attempts.
- Use a strong and unique password: When setting up a password for the camera, use a strong and unique combination of letters, numbers, and symbols. Avoid using easily guessable passwords like “123456” or “password”.
- Keep the firmware up to date: Regularly check for firmware updates for the camera and install them as soon as possible. Firmware updates often include security fixes for known vulnerabilities.
- Use a VPN: A virtual private network (VPN) encrypts all internet traffic and provides an extra layer of security for the camera’s connection. This will prevent hackers from intercepting and accessing the footage.
- Limit access to the camera’s network: Only allow trusted devices to connect to the network where the camera is connected. This will reduce the risk of unauthorized access to the camera.