Standard cyber protection
Computer networks are constantly under attack. However, only a small number of these attacks are successful. The majority of cyber-attacks are opportunistic, not targeting a specific victim, but just poking and prodding by scanning for open networks/ports; trying easy-to-guess passwords; identifying unpatched network services or sending phishing emails. The attackers don’t want to spend any time or effort on a failed attack, so they will just move along to the next potential victim.
If you think of it as the equivalent of a car thief wandering down a road trying door handles until he finds a car that has been left unlocked, then similarly it is easy to protect yourself from opportunistic attacks by following some standard cyber hardening recommendations – i.e. don’t leave your car door unlocked! Having a router with a firewall built-in, using hard-to-guess passwords on your computer and keeping your OS and software up to date are simple things you can do at home. Other things that hopefully have been drummed into us in the last 10-20 years include: don’t open attachments from unknown senders; install anti-malware; don’t install software from untrusted sites and don’t insert that USB-stick you just happen to find on the street (didn’t your mother ever tell you that don’t know where it’s been?)
But this is the Axis blog, so what about IP-enabled cameras and what are the risks, if any, when you install them? Thankfully, cameras are not subject to the same threats as a PC. A camera doesn’t have users that log in, install software, visit web-pages or open email attachments. However, a camera DOES have services that an attacker may want to use as a platform for other attacks. The explosion of the ‘Internet of Things’ has led to many insufficiently hardened and Internet-exposed devices, including cameras, that are easy targets for hacker groups to ‘enslave’ into botnets.
So, here are a few simple recommendations that will mitigate the risks from opportunistic attackers:
Reduce network exposure
Basically, don’t attach something to the internet unless it really needs to be. And if you do, then understand that making that step requires it to be sufficiently hardened before you hook it up.
The challenge with network cameras is that many people want to be able to remotely access the video. IP-enabled cameras have a web server and video can often be accessed just by using a web browser. It may seem like a good idea to poke a hole in the router/firewall (known as port-forwarding) and use a web browser as the primary video client, but this adds unnecessary risks, so we don’t recommend it.
In the interests of openness, we should note that Axis cameras have historically supported UPnP NAT traversal, a service that simplifies the router port-forwarding configuration process.
However, it isn’t enabled by default and we don’t recommended you enable it. It is a legacy feature that will be removed in future products. There are better and more secure ways to get remote video access. For individuals and small organizations that do not have a VMS (Video Management System), Axis recommends using AXIS Companion client free of charge, which enables secure remote video access without exposing the camera (as a device) to the Internet. For systems that use a VMS we recommended you follow your VMS vendors’ recommendations for remote video access. If your video is streamed to the public, e.g. a web attraction, then we suggest you use a media proxy with a properly configured Internet web server. And if you have multiple remote sites, then you would be best to use a VPN (Virtual Private Network).
As with almost every other internet-enabled device, a password is the camera’s primary protection to prevent unauthorized access to its data and services. There is much debate about definition of what a strong password is. One common recommendation is to use least 8 characters long with a mix of upper/lower letters, numbers and special characters. A brute-force-login-attack is not practical on strong passwords as it would take thousands of years. In a VMS environment, authentication is primarily machine-machine, since users don’t access the cameras directly. Adding login-failure-delay in a VMS environment may increase the risk of locking yourself out. In smaller organizations, clients often connect directly to the camera (human-machine-authentication), so we recommend using hard-to-guess but easy-to-remember passwords. Use long passphrases as passwords such as “this is my camera passphrase”. Yes, space is allowed. But, whatever you do, don’t just use the factory default password.
Firmware and Software patching
Software is made by human beings and human beings are still fallible (for now!). So, new vulnerabilities are regularly discovered, and will continue to do so, even while we do our best to catch them before the software goes live. Most aren’t critical but some may be, so always keep your firmware and software updated and check for new versions at regular intervals. When a critical vulnerability is discovered there is a good chance that someone will exploit it, assuming it is economically viable to do so. If an attacker has access to an unpatched network service it is very likely they will succeed, which is one reason why it is important to reduce those opportunities.
Enterprise and critical infrastructure organizations are subject to not just opportunistic but also targeted attacks. These will use the same low-cost vectors as before, however a targeted attacker has more time, resources and determination as there is more value at stake. In order to determine what security controls should be used to reduce your risks, it is important undertake threat modeling and risk analysis. This is a big topic that I will go into in more detail in a future blog post.
We are continuously working hard to reduce our customers’ risks, including improving our development process and product life-cycle, better security controls, more secure default configurations, enhanced user interfaces and additional guidance such as this blog post. If you want to find out more about how best to harden your IP-enabled cameras, please read this guide to get more recommendations.