Secure your
security surveillance
Surveillance systems offer home and business owners
peace of mind, knowing that their property and valuables are protected from
criminals. But during Surveillance installation owners / responsible
person couldn’t change default password of product, like: DVR. NVR, IP Camera,
IP Intrusion Panel, Router, Access Point etc. Many users sometimes call me and ask “my DVR
data is formatted, but I couldn’t share DVR password”, “I lost my NVR password,
how to retrieve the same” etc. etc.
I have seen 80% of users will not change
the default username and password for their IP cameras. Electronic
Security Surveillance footage is useful in
conducting investigations. IP
video surveillance is not immune to cyber risks, but taking basic steps toward
protecting and strengthening networks and networked appliances will make them
less susceptible to attacks. Below are some tips.
1. Change
default passwords and used strong word:
You can find the default username and password from either
user-manual or the product sticker on the product. Sometime your installer
share password. Default passwords makes your system easier to hack. It’s like
leaving the door already half open for smart hackers. The most used default
account for IP camera is admin/admin. You may need to reset your
device before. After reset, user settings and account information will return
to their factory settings. Below are the top 10 passwords
a.
12345
b.
Password
- 12345678
- qwerty
- abc123
- 987654321
- 111111
- 1234567
- iloveyou
- adobe123
Almost all cameras sold today have a web-based graphical
user interface (GUI), and come with a default username and password which is
published on the internet. Using a strong password is the vital step to protect
your IP camera from unauthorized accessing or hacking. The strong password must
contain more than eight characters and at least include four types of
characters - uppercase letter, lowercase, numbers and special characters.
2. Change
Passwords Regularly:
Regularly change the credentials to your devices to help
ensure that only authorized users are able to access the system. Most cameras
offer at least some form of basic authentication. It may not be super robust,
but at least it is better than nothing at all. Protect your camera feeds with a
username and a strong password and change it periodically. Set high
quality passwords and do password enforcement and account deletion when staff
changes.
3. Rename
the Default Admin Account and set a new Admin Password
Your camera's default admin name and password, set by the
manufacturer, is usually available by visiting their website and going to the
support section for your camera model. If you haven't changed the admin name
and password then even the most novice hacker can quickly look up the default
password and view your feeds and/or take control of your camera.
4. Limitation
of Guest Accounts
If your system is set up for multiple users, ensure that
each user only has rights to features and functions they need to use to perform
their job.
5.
Change ONVIF Password
On older IP Camera firmware (applicable for limited
product), the ONVIF password does not change when you change the system’s
credentials. You will need to either update the camera’s firmware to the latest
revision or manually change the ONVIF password.
6. Manage
your camera settings
Including a camera in a home security system is a must
these days. It can allow you to view online what’s happening at home even if
you’re on the other side of the world. However, with the same feature, you can
also be exposing yourself to potential hackers.
A security camera is set for remote online monitoring by
default during your purchase. This feature makes it possible for you to keep an
eye on your home in real time through a specific app or website. It also makes
it a possibility for hackers to use your own camera to spy on your home. Scary,
right?
If you can go by without remote online monitoring, turn
this feature off. However, if you feel that it’s a necessity to keep the
feature, then guard your home and your system by a strong password. It can also
help if you strictly position the cameras to face only the areas they’re
supposed to monitor. Avoid including your living room or your bedroom entirely.
7. If
Your Camera is Wireless, Turn on WPA2 Encryption
If your camera is wireless capable, you should only join it
to a WPA2-encrypted wireless network so that wireless eavesdroppers can't
connect to it and access your video feeds.
8. Enable
HTTPS/SSL:
Set up an SSL Certificate to enable HTTPS. This will encrypt
all communication between your devices and Storage.
Many cloud vendors provide connection encryption, but
it is variable. Confirm with your cloud vendor how their system handles this.
9. Protect
your router.
Like your security system, you can also make your home more
secure by protecting your router with an effective password. You can use the
same ideas as above. However, make sure you don’t use the same access codes for
your system and router.
You can also try hiding your router by manipulating its configuration
to make it invisible. However, you have to keep in mind that doing so doesn’t
completely make your router invisible. Instead, it only makes your network not
easily seen on basic and automatic searches. If a hacker is too advanced, he
can simply look for a tool and use it to find your network.
10. Avoid
using public wi-fi.
As much as possible, try not to access your automation
devices at home using public wi-fi connections. This makes you more prone to
hackers getting access to your personal informations. You can try using your
mobile data service or find a more secured connection before you click connect.
11.
Enable IP Filter:
Enabling your IP filter will prevent everyone, except those
with specified IP addresses, from accessing the system.
12.
Check the Log
Most of the time, the easiest way to know if someone has
been messing around with your system is by checking your camera logs. There are
several security cameras that can show you the IP addresses that accessed your
cameras. If you find a suspicious one on your log, immediately change your
access codes and notify proper authorities.
13.
Disable UPNP:
UPNP will automatically try to forward ports in your router
or modem. Normally this would be a good thing. However, if your system
automatically forwards the ports, and you leave the credentials defaulted, you
may end up with unwanted visitors.
If you manually forwarded the HTTP and TCP ports in your
router/modem this feature should be turned off regardless.
14.
Disable SNMP:
Disable SNMP if you are not using it. If you are using
SNMP, you should do so temporarily, for tracing and testing purposes only.
15.
Disable P2P:
P2P is used to remotely access a system via a serial
number. The possibility of someone hacking into your system using P2P is highly
unlikely because the system’s user name, password, and serial number are also
required.
16.
Disable Multicast:
Multicast is used to share video streams between two
recorders. Currently there are no known issues involving Multicast, but if you
are not using this feature, you should disable it.
17. Put up
a firewall.
Make sure you have a firewall in your network to prevent
unauthorized access to your devices. If you don’t have one, you can browse the
internet to know your best options on firewall downloads.
For a cloud-based solution without port forwarding, an
on-site firewall configuration is not needed. Speak with your integrator or
system manufacturer to confirm this.
18.
Change Default HTTP and TCP
Ports:
Change default HTTP and TCP ports for Dahua systems. These
are the two ports used to communicate and to view video feeds remotely.
These ports can be changed to any set of numbers between
1025-65535. Avoiding the default ports reduces the risk of outsiders being able
to guess which ports you are using.
19.
Forward Only Ports You Need:
Ideally, do NOT connect your unprotected server to the
internet. If you do expose your system to the internet, then “port forward” as
few ports as possible and utilize a next generation firewall
which analyzes the protocol and blocks incorrect protocols sent over the
wrong port. In an ideal situation, also deploy an IDS/IPS for further
protection. Its applicable for IP Camera/ DVR/ NVR/ VMS.
The more secure cloud-based systems do not have port
forwarding, so no vulnerability exists, and no incremental protection action is
required. Ask your integrator or provider to verify this for any system you own
or are considering acquiring.
20.
Build a separate network
Mixing the cameras on a standard network without separation
is a recipe for disaster. If your security camera system is connected to your
main network, you are creating a doorway for hackers to enter your main network
via your surveillance system, or to enter your physical security system through
your main network. Some DVRs can even be shipped with a virus.
Ideally, place the security camera system on a physically
separate network from the rest of your network. If you are integrating with a
sophisticated IT environment, it is not always possible to separate the two
systems physically.
In this event, you should use a VLAN.
21.
Connect IP Cameras to the PoE
Ports on the Back of an NVR:
Cameras connected to the PoE ports on the back of an NVR
are isolated from the outside world and cannot be accessed directly.
22. Secure
your smart phone
Most of today’s home security systems are controlled
through smart mobile applications and this is what makes your smartphone
very important for your home’s security. Keep it in mind to always have it
protected.
For one, you should avoid logging in to your system while
in public places. Someone near you could be waiting for your password. Also,
make sure that no one else can access your phone by securing it with a password
lock. You can also install a track app just in case you misplace or lost your
phone.
If such event happens, make sure to immediately remove your
phone’s access from your security system and report the incident right away.
23. Upgrade
your apps and firmwares.
The reason why companies keep updating their firmwares is
to fix bugs and glitches as well as to add security patches. By complying with
the updates, you are arming yourself with better protection against hackers.
24.
Disable Auto-Login on apps:
If you are using apps to view your system and you are on a
computer that is used by multiple people, make sure auto-login is disabled.
This adds a layer of security to prevent users without the appropriate
credentials from accessing the system.
25.
Use a Different Username and
Password for apps:
In the event that your social media, bank, email, etc.
account is compromised, you would not want someone collecting those passwords
and trying them out on your security surveillance system. Using a different
username and password for your security system will make it more difficult for
someone to guess their way into your system. Set high quality passwords and do
password enforcement and account deletion when staff changes.
Surveillance System Assessment, Deployment & Maintenance
Data breaches continue to accelerate throughout the world.
With increasing Internet connectivity, physical security systems are very
vulnerable to cyber-attacks, both as direct attacks and as an entrance to the
rest of the network. Liabilities for these attacks are still being defined.
It is prudent to protect your company and your customers
through preventative measures.
To maximize your cyber security, it is critical to define
best practices for your own company, as part of your security camera system
assessment, as well as its deployment and maintenance.
Security audit is another way to know system performance of
your security Surveillance systems. You need to see what camera saw, Auditing
of CCTV Video Easier and Efficient. Auditing helps in gaining better
Situational Awareness and Actionable Intelligence.
Some of these technologies are new and have been developed specifically to combat cyber-attacks whilst others, which were originally intended simply to make chipsets more efficient, are also able to contribute to camera security. Almost all, when mentioned in video surveillance-related documents, datasheets or on the Internet, are stated as acronyms or have names which do not make it obvious what they are intended to do. Here, therefore, is an explanation of some of those you are most likely to come across.
- Anti-Hardware Clone: Anti-hardware clone functionality prevents a chipset from being cloned. In addition to protecting intellectual property, this ensures that a chipset with a manufacturer’s label is a genuine copy and removes the risk of a cloned device which may contain malicious software being used to steal sensitive data such as passwords.
- Crypto Acceleration: When applied to video surveillance solutions, crypto acceleration is normally referred to within the context of a camera chipset performing complex mathematical functions for encryption and decryption This is a very intensive operation requiring the chipset to use a large proportion of its resources. Equipping chipsets with a dedicated ‘engine’ for this purpose ensures that encryption/decryption is efficiently carried out, without affecting other camera functionality.
- Image Scrambling: Between the location of a camera and where the images it captures are remotely viewed, recorded and stored, there is always the possibility that a cyber criminal could hack into the network and gain access to what may be confidential video and data. Image scrambling is the encryption of video prior to transmission over the network. It does so by randomly rearranging the pixels of each image so that it cannot be viewed by anyone maliciously hacking into the network.
- Secure JTAG: JTAG ports are hardware interfaces which are used to programme, test and debug devices. However, they can be compromised by cyber criminals to gain low level control of a device and perhaps replace firmware with a malicious version. This can be prevented by securing the JTAG port via a key-based authentication mechanism to which only authorised personnel working for the manufacturer have access.
- Secure UART: UART ports are serial interfaces typically used for debugging cameras. They allow administrator access to a camera and are therefore a target for hackers attempting to access sensitive information such as password keys. Hackers could also potentially access a camera’s firmware in order to reverse engineer it, as well as examine it for vulnerabilities in the device’s communications protocols. Enforcing restricted and secure access to the UART port, will allow the debugging process to be safely completed, without opening the door to cyber criminals.
- OTP ROM: This is an acronym for One Time Programmable Read Only Memory which allows sensitive data, such as encryption keys, to be written only once onto a chipset and then prevents the data from being modified. This protects the integrity of encryption keys which are used to validate the stages in a secure boot up sequence and allows access to the JTAG Port.
- Secure Boot Verification: Secure Boot provides an extra layer of security by sandboxing different elements of a camera’s operating system, which means they are in a protected space. The system will complete a full boot before communicating with any other part of the system and this prevents an interruption to the boot process which could be exploited by a hacker.
- Random Number Generator: Computers are designed to create very predictable data and are therefore not very good at generating random numbers which are required for good encryption. A dedicated random number generator overcomes this problem by having a dedicated mechanism for the task.
- Secure OS: Using a separate operating system (OS) for encryption and decryption, as well as for verifying apps have not been modified or are forgeries, reduces the workload of a camera’s main OS. A separate Linux based API is needed to access a Secure OS and without this, there is no way to make any changes from the outside of a camera. A Secure OS should always, therefore, be used to process important stored information.
In a highly competitive market, there is no shortage of camera manufacturers to choose from. Consultants, system designers and systems integrators therefore have the freedom to narrow down their shortlist of preferred supplies to those who have fully embraced and incorporated best practise into their manufacturing process. A clear demonstration of this would be if they have equipped their cameras with most, if not all, of the above functionality and technology.
Biography:
Arindam Bhadra is an eSecurity
professional 11yr + in this industry. He is a good freelance blogger. His blog
is now No 1. Blog in India. 2.9L page viewer globally. Mr. Bhadra is an
Electronics & telecommunication Engineer from IETE, New Delhi. He is a
member of FSAI from 2011 & Go Beyond security from 2008. His blog arindamcctvaccesscontrol.blogspot.com focuses on security. Apart from his job, he
loved to spend all his time with eSecurity & Safety technology
understanding and loves to help people. He is a Tech enthusiast and has written
articles over the period in this Magazine & blog. You can follow him on
Facebook, Twitter, LinkedIn & Google+ etc.