Hacked Off
7 ways to protect security cameras from hackers
- By Tom Galvin
- Sep 01, 2017
The digital writing is on the wall for the physical security industry. We’ve recently witnessed some of the biggest distributed denial of service (DDoS) attacks in history, facilitated by devices such as network security cameras. Yet while our industry is fairly good at anticipating and reacting to new physical security threats, we’ve been very slow to react to the clear and present danger from cybersecurity attacks.
There are myriad reasons for this, including lack of knowledge about how to properly secure cameras. So far, the camera attacks have been focused on disrupting the business of those other than the camera owner. With code floating around the Internet that breaks into poorly protected cameras, how long will it be before hackers modify that code to attack the camera’s owner?
What has become obvious in the last year is that simple devices such as security cameras must be installed and administered with cybersecurity in mind. Fortunately, while the risks are real, it doesn’t take a CCNA certification to apply cybersecurity defenses. Here are seven simple measures to take to protect your cameras, your network, your revenues, and your reputations.
Change Your Passwords
Many installed cameras are still using the manufacturer’s default passwords. Many others have weak passwords that are easy to guess. Hackers can easily exploit this by writing programs that try a list of default and common weak passwords very quickly, hoping to stumble on one that works.
Isolate Your Cameras
If criminals can’t talk to your cameras, they can’t attack them either. Do not put them on the corporate network with all of the other PCs and workstations. Isolate them with a Virtual LAN (VLAN). Only the Video Management System (VMS) should be able to talk to them.
Lock Down the Network
Hackers can gain access to any camera on your network by unplugging any camera and replacing it with a laptop. Thwart this by configuring the network so that the only devices allowed to communicate over those ports are the cameras you installed. Each camera has a unique identifier called a MAC address. A network can be configured to only allow a certain MAC address on each port (a feature called MAC Binding). With this in place, all communications from other devices get thrown away, and the hacker gets a dead connection.
Use Two Logins for Each Camera
IT departments discovered a long time ago that computers should use at least two logins: a user with a minimal amount of privileges and an administration login with full privileges. This separation of users minimizes the chances of a frequently used login falling into the wrong hands. Cameras should be set up the same way: one login used by the VMS that allows for streaming video only, and an admin login that is only used on rare occasions, such as needing to update firmware.
Monitor for Unusual Events
Hacking often leaves signs. If a hacker unplugs a camera for nefarious purposes, it will, of course, go offline. That said, the hacker may try to plug the camera back in, so you should regard even a short outage with suspicion. If a new set of firmware is uploaded, the camera will reboot.
Viruses often place a load on the camera and reduce performance. You might get lucky and notice one of these during your normal use of the system, but good security takes more than luck. The best practice is to set up the system to monitor for events like these with immediate notification.
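
The monitoring described above, sketched as an added example that is not from the original article: it scans periodic camera health polls and raises an alert for any outage (however short), any reboot, and sustained high load. The Poll record, the thresholds, the camera names and the sample data are assumptions constructed for illustration; how the polls are collected is outside the example.

```python
from collections import namedtuple

# One health poll of one camera. uptime (seconds since boot) and cpu (percent)
# are None when the camera did not answer.
Poll = namedtuple("Poll", "t camera reachable uptime cpu")

CPU_LIMIT = 85   # assumed load threshold, percent
CPU_POLLS = 3    # assumed number of consecutive high polls before alerting

def detect(polls):
    """Return (time, camera, event) alerts for outages, reboots and high load."""
    alerts, state = [], {}
    for p in sorted(polls, key=lambda p: p.t):
        s = state.setdefault(p.camera, {"uptime": None, "down_at": None, "hot": 0})
        if not p.reachable:
            if s["down_at"] is None:          # alert once per outage
                s["down_at"] = p.t
                alerts.append((p.t, p.camera, "offline"))
            continue
        if s["down_at"] is not None:          # even a short outage is reported
            alerts.append((p.t, p.camera, f"online after {p.t - s['down_at']}s outage"))
            s["down_at"] = None
        # Uptime only grows while a camera runs, so a drop means it rebooted
        if s["uptime"] is not None and p.uptime < s["uptime"]:
            alerts.append((p.t, p.camera, "rebooted"))
        s["uptime"] = p.uptime
        s["hot"] = s["hot"] + 1 if p.cpu >= CPU_LIMIT else 0
        if s["hot"] == CPU_POLLS:             # alert once when the streak is reached
            alerts.append((p.t, p.camera, "sustained high load"))
    return alerts

# Constructed sample data: three cameras polled every 30 seconds
SAMPLE = [
    Poll(0, "cam-01", True, 86400, 22), Poll(30, "cam-01", False, None, None),
    Poll(60, "cam-01", True, 86460, 23),
    Poll(0, "cam-02", True, 5000, 30), Poll(30, "cam-02", True, 5030, 31),
    Poll(60, "cam-02", True, 12, 28),
    Poll(0, "cam-03", True, 700, 91), Poll(30, "cam-03", True, 730, 94),
    Poll(60, "cam-03", True, 760, 96), Poll(90, "cam-03", True, 790, 97),
]

if __name__ == "__main__":
    for t, camera, event in detect(SAMPLE):
        print(f"t={t:>3}s {camera}: {event}")
```
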
Purchase Cameras from Reputable Companies
There is much concern over the security of certain brands of cameras. Most certainly, checking the “cyber reputation” of any system component vendor should be on your checklist prior to a major purchase. Look for vendors that have a public reputation for attention to proper cyber-aware design. They should respond rapidly to any issues.
If you already have a significant investment in cameras from a less-than-trustworthy vendor, following these best-practice recommendations will significantly lower the risk.
Apply Automation
Automated cyber protection mechanisms can make the administration of these best practices scalable and automated. On the front end, automation tools can configure best practices such as enabling a protected VLAN for the security system and changing a camera’s default login credentials. Once the system is installed, automated cyber protections can also monitor network flows, detect abnormalities, and respond immediately to suspected attacks.
Don’t wait to be attacked to take proactive cybersecurity measures.
This article originally appeared in the September 2017 issue of Security Today.