Protection Protocols: Cyber-Securing Video Surveillance

Aug. 11, 2017
A look at cybersecurity procedures for devices across the threat spectrum

Since the early 1990s, there has been a silent but very real war being waged – a cyber war. Currently, China has between 50,000 and 100,000 troops in its “cyber” divisions. This is up from 15,000 in 1998. While the media has covered larger events over the past few years, such as Stuxnet, Carbanak, and the Yahoo and Sony hacks, there are a reported 60,000 new malware signatures identified each day.

As our world has evolved technologically over the last 20 years, so have the frontlines of this war, which now include consumer electronics. At the same time, over the last decade the video surveillance industry has changed drastically in its attempts to keep pace with both the consumer electronics and enterprise IT markets; as a result, as of 2015 close to 300 million IP cameras had been installed around the world.

To date, little or no consideration has been given to the fact that well over 95 percent of the video systems sold and deployed today consist of IP edge devices running an operating system (typically a flavor of Linux), servers, and some form of network-accessible storage. The small amount of legacy analog video equipment still in the field nonetheless depends on digital equipment of some kind, and in most cases its software runs on older, more vulnerable 32-bit operating systems. The upshot is that the primary, if not all, components of a modern video surveillance system are exposed to the same cyber and data security threats as any other device attached to a network.

Because a surveillance system has so many parts and pieces, the easiest way to assess its strengths and vulnerabilities is to look at it by “threat vector.” Given today’s environment, it is imperative to protect every facet (threat vector) of a security system: streaming video, recorded video, edge devices, servers and recording devices. This is the key to achieving the highest standard of end-to-end data security for video systems and to protecting a customer’s network.

Remembering that data can exist in three distinct states, at rest, in motion and in use, let’s begin at the edge and work our way back, evaluating each technology and the ways to secure it:

Streaming Video (Data in Motion-Threat Low)

While the likelihood of a live stream being intercepted and misused is low, the mere fact that the traffic from a specific IP address is video can be used against you. From a network-enumeration standpoint, an attacker now knows he has non-PC, embedded target(s) that he can try to leverage.

Protection Protocol:

  • Video devices should support HTTPS with device certificates, so that both the control channel and the video payload are encrypted in transit. Note that the end-to-end guarantee depends on the client (VMS or browser) actually validating the certificate; a client configured to ignore certificate errors gets encryption but no assurance of which device it is talking to.
  • Video devices should be equipped with a Trusted Platform Module (TPM) to generate and protect the private keys behind the certificates used in secure network scenarios such as 802.1X and Public Key Infrastructure (PKI), so that a key cannot be copied off the device.
  • Video devices should provide the ability to disable unneeded protocols and services such as ICMP, Telnet and FTP.
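The certificate caveat above is easy to demonstrate in code. The following is an added example, not code from the article or from Bosch: an in-process HTTPS server (Go’s httptest, with its own self-signed certificate) stands in for a factory-fresh camera, and three client configurations are tried against it: the operating system’s trust store, explicit trust in the device certificate, and verification switched off. The stub server, URLs and the stream payload are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCameraStub starts an in-process HTTPS server that stands in for a camera.
// httptest generates its own self-signed certificate, which is exactly the
// situation with a factory-fresh device. (Constructed stand-in, not a real camera.)
func newCameraStub() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "video/mp4")
		w.Write([]byte("constructed video payload"))
	}))
}

// clientTrusting returns an HTTPS client that accepts only server certificates
// chaining to roots. A nil pool means the operating system's trust store.
func clientTrusting(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
	}
}

// clientSkippingVerify is the "just make the camera work" setting seen in many
// integrations: traffic is encrypted, but the peer is never authenticated, so an
// on-path attacker with any certificate can sit between VMS and camera.
func clientSkippingVerify() *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
	}
}

// fetchStream requests url and reports whether the TLS handshake, including
// certificate validation, succeeded and the stream was served.
func fetchStream(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// Compare runs the three client configurations against the stub camera and
// returns which of them connected.
func Compare() (systemRoots, pinnedDeviceCert, skipVerify bool) {
	cam := newCameraStub()
	defer cam.Close()
	url := cam.URL + "/stream"

	// 1. Default trust store: the device certificate is unknown, so this fails.
	systemRoots, _ = fetchStream(clientTrusting(nil), url)

	// 2. Trust the device certificate (in production, the CA that issued it)
	//    explicitly: this succeeds and actually authenticates the camera.
	pool := x509.NewCertPool()
	pool.AddCert(cam.Certificate())
	pinnedDeviceCert, _ = fetchStream(clientTrusting(pool), url)

	// 3. Verification disabled: connects to anything presenting a certificate.
	skipVerify, _ = fetchStream(clientSkippingVerify(), url)
	return
}

func main() {
	sys, pinned, skip := Compare()
	fmt.Printf("system roots: %v  pinned device cert: %v  InsecureSkipVerify: %v\n", sys, pinned, skip)
}
```

The first and third cases both “work” from the operator’s point of view only in the sense that traffic is encrypted; only the second one ties the connection to a particular device, which is what makes the certificate bullet above meaningful. In practice the pool would hold the CA that issues the camera certificates rather than each device’s own certificate.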

Recorded Video (Data at Rest-Threat Medium)
The two primary purposes of any video system are to act as a deterrent and, if needed, to serve as admissible evidence in a court of law. Digital video falls under the Federal Rules of Evidence (FRE) as they apply to digital evidence, and authenticity affects admissibility.

Most NVR systems write video in a standard file format such as .AVI, .G64 or .MKV. If the video drives are reachable over a network share, those files can be tampered with.

Protection Protocol:

  • Video written in a readable format should be encrypted at rest to limit who can read it and to make tampering harder.
  • Video devices should use some form of hashing to establish authenticity. A hash provides the “data fixity” of a file and supports its admissibility. Note that a plain hash stored next to the file on the same share can simply be recomputed by whoever altered the file, so the hash list itself must be keyed or signed and kept where the recorder, not the share, controls it. Older authenticity techniques such as watermarking alter the frames and can themselves be considered video tampering.
  • The VMS should also provide a way to protect original incident video for an indefinite time beyond the system’s normal retention period, in case of prolonged court cases.
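To make the fixity point concrete, here is an added example (not the article’s or any vendor’s code) of a hash manifest for recorded segments, sealed with an HMAC whose key stays on the recorder. It runs three scenarios: intact recordings, one clip edited on the share, and one clip edited with the manifest recomputed by the attacker. The clip names, contents and the key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Segment is one recorded clip as the NVR wrote it (name plus file bytes).
type Segment struct {
	Name string
	Data []byte
}

// Manifest maps each segment name to the hex SHA-256 of its contents: the
// fixity record produced when the recording is closed.
type Manifest map[string]string

// BuildManifest hashes every segment.
func BuildManifest(segs []Segment) Manifest {
	m := Manifest{}
	for _, s := range segs {
		sum := sha256.Sum256(s.Data)
		m[s.Name] = hex.EncodeToString(sum[:])
	}
	return m
}

// canonical renders the manifest deterministically so the seal is stable.
func canonical(m Manifest) string {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		b.WriteString(n + "  " + m[n] + "\n")
	}
	return b.String()
}

// Seal computes HMAC-SHA256 over the canonical manifest with a key held by the
// recorder (ideally in its TPM), never stored beside the video on the share.
func Seal(m Manifest, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(canonical(m)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify re-hashes the segments and checks both the per-file digests and the
// seal. It returns the names of segments that no longer match, and whether the
// seal over the manifest held.
func Verify(segs []Segment, m Manifest, seal string, key []byte) (bad []string, sealOK bool) {
	expected, _ := hex.DecodeString(Seal(m, key))
	got, _ := hex.DecodeString(seal)
	sealOK = hmac.Equal(expected, got) // constant-time comparison
	for _, s := range segs {
		sum := sha256.Sum256(s.Data)
		if m[s.Name] != hex.EncodeToString(sum[:]) {
			bad = append(bad, s.Name)
		}
	}
	return bad, sealOK
}

// Scenario returns (tamperedSegments, sealHeld) for the named case. The clips
// and key are constructed sample data, not real recordings.
func Scenario(which string) ([]string, bool) {
	key := []byte("nvr-fixity-key-kept-off-the-share") // assumption: provisioned secret
	clips := []Segment{
		{"cam01_20170811_0900.g64", []byte("frame data 0900 ...")},
		{"cam01_20170811_0915.g64", []byte("frame data 0915 ...")},
	}
	manifest := BuildManifest(clips)
	seal := Seal(manifest, key)

	switch which {
	case "edited":
		clips[1].Data = []byte("frame data 0915 ... with 3 seconds cut")
	case "edited+rehashed":
		clips[1].Data = []byte("frame data 0915 ... with 3 seconds cut")
		manifest = BuildManifest(clips) // attacker recomputes the plain hashes
	}
	return Verify(clips, manifest, seal, key)
}

func main() {
	for _, c := range []string{"intact", "edited", "edited+rehashed"} {
		bad, ok := Scenario(c)
		fmt.Printf("%-16s mismatched=%v sealOK=%v\n", c, bad, ok)
	}
}
```

The second scenario is caught by the per-file hashes; the third is only caught because the manifest is sealed, which is the practical difference between “we hash our video” and a fixity record a court can rely on. A digital signature with a key held in the recorder’s TPM serves the same role as the HMAC and lets a third party verify without sharing the secret.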

Playback and Export (Data in Use-Threat Medium)

The biggest current threat to recorded video is internal employees posting incident footage to social media or leaking it to the press. Keeping recorded video secure is paramount for many reasons: unrestricted access to it can cause several kinds of problems, legal and HR incidents among them.

Protection Protocol:

  • Be sure your VMS provides granular privileges for the export, deletion and protection of recorded video, along with an audit trail of who exercised them and when.

Weaponizing IP Cameras (Threat High)

Most IP cameras today ship with an open operating system, or a basic kernel, built with no real consideration for data or cybersecurity. For years, people have asked about the security of the video their system produces; now they are asking whether their IP camera system can be used against them.

Think of an IT administrator who has worked diligently to secure a network, its servers and its mobile devices, and who then finds out that the 200 recently installed IP cameras at the edge of that network are vulnerable to rootkits, can be weaponized as attack platforms against the network itself, and cannot be monitored.

This may seem far-fetched, but in Sept. 2016 some 1.5 million IP cameras, DVRs and layer-3 network devices were hijacked by the Mirai botnet into the largest DDoS attack seen to that date. So what are the fundamental considerations an organization needs to weigh before placing an IP camera on its network?

Protection Protocol:

  • The operating system (OS) on a video device should be a closed, purpose-built OS that runs in a limited memory space, not a general-purpose distribution.
  • Nothing should be writable to the device itself except digitally signed firmware, and the device should refuse any image whose signature does not verify against the vendor key it was built with. If the device can run arbitrary third-party apps, it can be weaponized.
  • Unused ports and services should be disabled by default. From a vulnerability and pen-testing perspective, the more ports that are open, the more opportunity there is to leverage the device or the services on it.
  • Video devices should send HTTP Strict Transport Security (HSTS) if you are implementing end-to-end security. HSTS tells a browser to reach the device only over HTTPS, which protects against protocol downgrade attacks and cookie hijacking. Note that HSTS is enforced by browsers; a VMS client must require TLS on its own rather than rely on the header.
  • Consider devices with a built-in “firewall” that restricts which source addresses may connect and throttles or locks out repeated failed logins, to blunt dictionary attacks from botnets.
  • Monitor user accounts and access to the video devices. Most IP cameras are installed with the default username and password, and if placed on a reachable network they can be logged into from anywhere in the world. Devices should force a password change on first use and enforce a password policy covering length and complexity.
  • Scrutinize a device’s chain of custody. The vendor should maintain a secure chain of custody from manufacturing through final sale; if devices are not manufactured and distributed in a controlled environment, they can be tampered with at any point before reaching the customer.
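The signed-firmware requirement in the second bullet is the one that most directly stops a camera from being turned into an attack platform, so here is an added example of what “only signed firmware is accepted” looks like in code. This is not the article’s or any vendor’s code: the image layout (magic, length, payload, Ed25519 signature over a SHA-256 digest) and the keys are constructed for the example; a real product would use its own format and bake the vendor public key into the bootloader.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not a vendor format):
//   magic "FWIMG1" | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers SHA-256(magic || length || payload).
var magic = []byte("FWIMG1")

// PackImage is the vendor-side step: sign the payload with the release key.
func PackImage(payload []byte, priv ed25519.PrivateKey) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	digest := sha256.Sum256(buf.Bytes())
	buf.Write(ed25519.Sign(priv, digest[:]))
	return buf.Bytes()
}

// VerifyImage is the device-side step run before anything is written to flash.
// Only the vendor's public key is present on the device; the private key never
// leaves the signing environment. It returns the payload only if every check
// passes, so there is no code path that flashes an unverified image.
func VerifyImage(img []byte, pub ed25519.PublicKey) ([]byte, error) {
	hdr := len(magic) + 4
	if len(img) < hdr+ed25519.SignatureSize || !bytes.HasPrefix(img, magic) {
		return nil, errors.New("not a firmware image")
	}
	n := int(binary.BigEndian.Uint32(img[len(magic):hdr]))
	if n != len(img)-hdr-ed25519.SignatureSize {
		return nil, errors.New("length field does not match image size")
	}
	signed, sig := img[:hdr+n], img[hdr+n:]
	digest := sha256.Sum256(signed)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return img[hdr : hdr+n], nil
}

// Outcome reports whether a genuine image, a bit-flipped image and an image
// signed with somebody else's key pass verification. Keys are generated
// in-process and the payload is constructed; neither is a real vendor artifact.
func Outcome() (genuine, tampered, foreignKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed camera rootfs + kernel bytes")
	img := PackImage(payload, priv)

	_, err := VerifyImage(img, pub)
	genuine = err == nil

	bad := append([]byte{}, img...)
	bad[len(magic)+4+5] ^= 0x01 // flip one bit inside the payload
	_, err = VerifyImage(bad, pub)
	tampered = err == nil

	_, priv2, _ := ed25519.GenerateKey(rand.Reader) // an attacker's own key
	_, err = VerifyImage(PackImage(payload, priv2), pub)
	foreignKey = err == nil
	return
}

func main() {
	g, t, f := Outcome()
	fmt.Printf("genuine accepted: %v  tampered accepted: %v  foreign key accepted: %v\n", g, t, f)
}
```

The detail worth carrying over to a real device is that the length field is checked before the signature is used, so a malformed header cannot steer the verifier into reading past the buffer, and that the update path has only one successful return, after the signature has verified.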

Attacking Servers and NVRs (Threat High)

Most VMS servers and NVRs run on either a Windows operating system or some flavor of Linux. Most of us hold a comfortable illusion about OS security; one look at an OS vulnerability chart quickly dispels it.

At the time of writing, a base unpatched Windows Server 2012 OS carries 36 published vulnerabilities; a standard Linux distribution, 119. Most of the vulnerabilities a machine is exposed to come from “add-ons” such as Internet Explorer (242) and Chrome (124). While Windows Server is a more secure platform, it is also a bigger target because of its market share and utilization.

Protection Protocol:

  • As with any machine on a network, it is imperative that the most current updates and patches are applied to video system devices.
  • Ensure the VMS can work within your network policies and environment with a network firewall and anti-virus software operational, rather than requiring that they be disabled or broadly excluded to make it run.
  • Use hardened password policies with lockout on repeated failures, restrict physical and network access, and disable unused USB ports.
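The password-policy and lockout controls called for here and in the camera section above are the same mechanism on a server or on a device. The following added example (not the article’s or any vendor’s code) enforces a length-and-complexity policy and a per-source sliding-window lockout, then simulates a dictionary attack from one address while an operator logs in from another. Thresholds, addresses and the clock are constructed for the example; the clock is injected so the run does not need to sleep.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// Policy is what the device or server enforces when a password is set.
type Policy struct {
	MinLength  int
	MinClasses int // distinct classes among lower, upper, digit, symbol
}

// Check returns an error describing the first rule the password violates.
func (p Policy) Check(pw string) error {
	if len(pw) < p.MinLength {
		return fmt.Errorf("shorter than %d characters", p.MinLength)
	}
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	classes := 0
	for _, b := range []bool{lower, upper, digit, symbol} {
		if b {
			classes++
		}
	}
	if classes < p.MinClasses {
		return fmt.Errorf("uses %d character classes, need %d", classes, p.MinClasses)
	}
	return nil
}

// Guard is a per-source failed-login limiter: MaxFail failures inside Window
// lock that source out for Lockout. Now is injected so tests need not sleep.
type Guard struct {
	MaxFail         int
	Window, Lockout time.Duration
	Now             func() time.Time
	fails           map[string][]time.Time
	locked          map[string]time.Time
}

func NewGuard(maxFail int, window, lockout time.Duration, now func() time.Time) *Guard {
	return &Guard{maxFail, window, lockout, now, map[string][]time.Time{}, map[string]time.Time{}}
}

// Allow reports whether src may attempt a login right now; an expired lockout
// is cleared on the way through.
func (g *Guard) Allow(src string) bool {
	if until, ok := g.locked[src]; ok {
		if g.Now().Before(until) {
			return false
		}
		delete(g.locked, src)
		delete(g.fails, src)
	}
	return true
}

// RecordFailure notes a bad password from src, drops failures older than the
// window, and applies the lockout once the threshold is reached.
func (g *Guard) RecordFailure(src string) {
	now := g.Now()
	recent := g.fails[src][:0]
	for _, t := range g.fails[src] {
		if now.Sub(t) < g.Window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	g.fails[src] = recent
	if len(recent) >= g.MaxFail {
		g.locked[src] = now.Add(g.Lockout)
	}
}

// Simulate runs a dictionary attack from 203.0.113.7 (constructed address) and
// returns: attacker locked out after 5 tries, operator at 192.0.2.10 still
// allowed, attacker allowed again once the 15-minute lockout has expired.
func Simulate() (attackerBlocked, operatorAllowed, unlockedLater bool) {
	clock := time.Date(2017, 8, 11, 9, 0, 0, 0, time.UTC)
	g := NewGuard(5, time.Minute, 15*time.Minute, func() time.Time { return clock })
	for i := 0; i < 5 && g.Allow("203.0.113.7"); i++ {
		g.RecordFailure("203.0.113.7") // admin/admin, admin/123456, ...
		clock = clock.Add(2 * time.Second)
	}
	attackerBlocked = !g.Allow("203.0.113.7")
	operatorAllowed = g.Allow("192.0.2.10")
	clock = clock.Add(15 * time.Minute)
	unlockedLater = g.Allow("203.0.113.7")
	return
}

func main() {
	fmt.Println(Simulate())
	fmt.Println(Policy{12, 3}.Check("admin"), Policy{12, 3}.Check("Cam-Rack3!view2017"))
}
```

Keying the lockout by source address is what keeps a botnet from locking the operator out along with itself; keying it by account alone would turn the guard into a denial-of-service tool against the administrator.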

David Brent ([email protected]) is the Network Video and Cyber Training Engineer at Bosch Security Systems. He has extensive knowledge of video surveillance systems. He holds a Bachelor’s Degree in Computer Forensics and Digital Investigations (CFDI), an Associate’s Degree in Networking, and several IT and networking certifications. Request more info about Bosch at www.securityinfowatch.com/10213805.