Security in a modern information technology environment is of paramount importance. Network appliances are growing in number and diversity, making them attractive vectors for black-hat hackers to attack. Among these appliances are IP Surveillance Cameras. These devices are being sold to physical security directors as the next generation of CCTV, and they may well be, but they are also potentially the next generation of security breach waiting-to-happen.
When WIFI routers first hit the market they were sold in every big box store, right off the shelf with no qualification or training. The result was tens of thousands of plug-and-play installations with WIFI that "Just Worked". Unfortunately, nearly every single one of them was entirely unsecured. Around the time routers began shipping with WEP encryption enabled by default that form of security became trivial to bypass, and shortly after vendors began shipping WPS-enabled routers that form of security became easily exploitable as well.
Right now, home automation technology is just beginning to reach maturity. For just tens of dollars, consumers can purchase WIFI connected plugs, sensors, and other devices that can allow just about any old electrical device to be scheduled, remote-controlled from work, or automated in some clever way. Some of the more prominent home automation brands have already issued firmware updates to patch security holes that could give hackers a foothold on their customers' networks.
Network appliance security is and has always been a nightmare. This is not to disparage IP camera manufacturers, some of whom have gone to great lengths to secure their products, but ultimately anything attached to a network is potentially at risk from anyone who has access to that network. This is a basic truth that can be mitigated by never fundamentally changed.
At first glance to a physical security professional, IP cameras seem like a variation on the familiar. An I.T. professional looking at the same camera would also find it familiar, but for very different reasons. To an I.T. professional an IP camera is similar to a print server, NAS, or a router. It is a network attached device running an embedded operating system.
Looking at IP cameras through that lens, the potential for security problems comes into focus very quickly. There are some 'Best Practices' that can and should be followed, but because most IP cameras are made by camera manufacturers (not network appliance manufacturers) it's unfortunately very common for products to follow few or none of the guidelines that might otherwise significantly reduce their risk profile.
One basic practice that is too-often overlooked is SSL/TLS. This is the encryption method also known as HTTPS that triggers a "Lock" icon in web browsers to notify that connection to a website is secure. Some IP cameras do not implement this at all, which at a minimum means passwords are being sent across the network in plain-text that anyone with access to the line could simply read.
Even when implemented, most SSL/TLS protections can be defeated with a 'Man in the Middle' attack. Normally, before accepting a security certificate a web browser confirms its identity through a trusted certificate authority. In the case of IP cameras, most will have a self-signed certificate by default. This is not inherently insecure, but it does mean no certificate authority can verify the authenticity of the certificate, so the web browser will pop up a dialog box manually asking the user if they want to trust the certificate.
In such a scenario a well-positioned attacker can place themselves between the user and the IP camera such that the user is securely connected to the attacker (not to the camera). Because the certificate is unverifiable, the user will correctly believe the connection is secure, but incorrectly assume they are connected to the camera. Then the attacker simply allows information to pass back and forth as normal, while retaining the ability to monitor and even modify every packet of data the user is sending and receiving.
Some camera manufacturers build in the ability for organizations to purchase signed certificates from the certificate authority of their choice and upload them to the cameras. This goes a long way towards eliminating the possibility of a 'Man in the Middle' attack, but many organizations are unaware of this option and do not take advantage of it.
Another practice many IP cameras fail to implement is an account lockout protocol. This is a simple rule that temporarily locks any valid user account that has experienced a number of failed login attempts. e.g. If an incorrect password is submitted three (or five, or ten) times the account is locked for ten minutes (or one hour, or until an administrator unlocks it).
This is a simple and effective method to mitigate automated password hacks. Normally an attacker might find success after several hours with hundreds of guesses per second. Account lockout protocols can spread those seconds out over weeks or months, making this attack vector completely infeasible. Unfortunately, most camera manufacturers have yet to include this feature in their products.
Other user management features may not be as immediately beneficial, but would provide additional security were they implemented. One such feature is a password strength meter to encourage users to use stronger passwords. Another is the ability to restrict specific device permissions by user or group, so not all users have complete unfettered access to view or modify all camera settings. These and other practices that have become standard in adjacent fields help to reduce the possibility of account compromise or mitigate the potential mischief a compromised account might accomplish.
Network devices do not look like computers but most are running some form of operating system, usually a variant of Linux. While the web interface is the window through which most people view the device, there is much more to it. By default, Linux-based operating systems offer remote command-line access through Telnet or SSH, and have a master user account known as 'root'. The 'root' password is almost always set by the manufacturer, and the manufacturer rarely communicates this to the end-user or provides a straightforward way to change the password.
On the surface this means that anyone with proprietary knowledge (e.g. a former employee of the manufacturer) might potentially gain unauthorized access, but it's actually much worse. Telnet dictionary and brute force software has been commoditized and simply knowing most manufacturers use short passwords that are easy for employees to remember is enough to reliably obtain the correct passwords within hours or even minutes, just by guessing.
If that vector of attack is closed off, others still remain. Video Management Software typically does not connect through the web interface, it connects over other ports using other methods. These unknowns (and the underlying implementations) are the sort of potential weakness an intruder would probe when searching for a way in. The proprietary nature of these devices means some vulnerabilities will not become public knowledge until long after they've been actively exploited at customer sites.
IP cameras are also vulnerable to denial of service attacks. If an intruder can gain access to the network they might initiate a broadcast storm that overloads the network switches and routers. This could bring network traffic to a standstill and completely prevent cameras from being viewed or recorded. This is a type of attack IP camera manufacturers are completely powerless against because it is not an attack on their products but rather the network infrastructure itself. That is why security concerns with network appliances don't stop at the appliance, but must encompass a full examination of the network the appliance lives on.
Ultimately, all network appliances (including IP cameras) represent a complex security challenge that can be likened to leaving an unattended vehicle parked next to a chop shop. No matter how well-designed the security system, the risk never approaches zero. Physical security professionals will be familiar with the tactic of delay. This is just as true for I.T. security. The gates, doors, and walls are virtual, but the purpose is identical.
Every bit of added security helps and while many IP cameras are inherently insecure, even the most secure IP camera may be vulnerable given an attacker with the ability to connect to it and enough time. Optimally, an attacker should never be able to achieve a direct connection to secure devices on a network. Access can be restricted using firewalls, VLANs, and even physical network isolation. Learn more about these and other network security concepts in 'IT Security 101'.