Secure your security surveillance

Secure your security surveillance

Surveillance systems offer home and business owners peace of mind, knowing that their property and valuables are protected from criminals. But during Surveillance installation owners / responsible person couldn’t change default password of product, like: DVR. NVR, IP Camera, IP Intrusion Panel, Router, Access Point etc. Many users sometimes call me and ask “my DVR data is formatted, but I couldn’t share DVR password”, “I lost my NVR password, how to retrieve the same” etc. etc.

I have seen 80% of users will not change the default username and password for their IP cameras. Electronic Security Surveillance footage is useful in conducting investigations.  IP video surveillance is not immune to cyber risks, but taking basic steps toward protecting and strengthening networks and networked appliances will make them less susceptible to attacks. Below are some tips.

1.     Change default passwords and used strong word:

You can find the default username and password from either user-manual or the product sticker on the product. Sometime your installer share password. Default passwords makes your system easier to hack. It’s like leaving the door already half open for smart hackers. The most used default account for IP camera is admin/admin.  You may need to reset your device before. After reset, user settings and account information will return to their factory settings. Below are the top 10 passwords 

            a.     12345

            b.     Password

3. 12345678
4. qwerty
5. abc123
6. 987654321
7. 111111
8. 1234567
9. iloveyou
10. adobe123

Almost all cameras sold today have a web-based graphical user interface (GUI), and come with a default username and password which is published on the internet. Using a strong password is the vital step to protect your IP camera from unauthorized accessing or hacking. The strong password must contain more than eight characters and at least include four types of characters - uppercase letter, lowercase, numbers and special characters. 

2.     Change Passwords Regularly:

Regularly change the credentials to your devices to help ensure that only authorized users are able to access the system. Most cameras offer at least some form of basic authentication. It may not be super robust, but at least it is better than nothing at all. Protect your camera feeds with a username and a strong password and change it periodically. Set high quality passwords and do password enforcement and account deletion when staff changes.

3.     Rename the Default Admin Account and set a new Admin Password

Your camera's default admin name and password, set by the manufacturer, is usually available by visiting their website and going to the support section for your camera model. If you haven't changed the admin name and password then even the most novice hacker can quickly look up the default password and view your feeds and/or take control of your camera.

4.     Limitation of Guest Accounts

If your system is set up for multiple users, ensure that each user only has rights to features and functions they need to use to perform their job.

5.      Change ONVIF Password

On older IP Camera firmware (applicable for limited product), the ONVIF password does not change when you change the system’s credentials. You will need to either update the camera’s firmware to the latest revision or manually change the ONVIF password.

6.      Manage your camera settings

Including a camera in a home security system is a must these days. It can allow you to view online what’s happening at home even if you’re on the other side of the world. However, with the same feature, you can also be exposing yourself to potential hackers.

A security camera is set for remote online monitoring by default during your purchase. This feature makes it possible for you to keep an eye on your home in real time through a specific app or website. It also makes it a possibility for hackers to use your own camera to spy on your home. Scary, right?

If you can go by without remote online monitoring, turn this feature off. However, if you feel that it’s a necessity to keep the feature, then guard your home and your system by a strong password. It can also help if you strictly position the cameras to face only the areas they’re supposed to monitor. Avoid including your living room or your bedroom entirely.

7.     If Your Camera is Wireless, Turn on WPA2 Encryption

If your camera is wireless capable, you should only join it to a WPA2-encrypted wireless network so that wireless eavesdroppers can't connect to it and access your video feeds.

8.     Enable HTTPS/SSL:

Set up an SSL Certificate to enable HTTPS. This will encrypt all communication between your devices and Storage.

Many cloud vendors provide connection encryption, but it is variable. Confirm with your cloud vendor how their system handles this.

9.      Protect your router.

Like your security system, you can also make your home more secure by protecting your router with an effective password. You can use the same ideas as above. However, make sure you don’t use the same access codes for your system and router.

You can also try hiding your router by manipulating its configuration to make it invisible. However, you have to keep in mind that doing so doesn’t completely make your router invisible. Instead, it only makes your network not easily seen on basic and automatic searches. If a hacker is too advanced, he can simply look for a tool and use it to find your network.

10.   Avoid using public wi-fi.

As much as possible, try not to access your automation devices at home using public wi-fi connections. This makes you more prone to hackers getting access to your personal informations. You can try using your mobile data service or find a more secured connection before you click connect.

11.   Enable IP Filter:

Enabling your IP filter will prevent everyone, except those with specified IP addresses, from accessing the system.

12.   Check the Log

Most of the time, the easiest way to know if someone has been messing around with your system is by checking your camera logs. There are several security cameras that can show you the IP addresses that accessed your cameras. If you find a suspicious one on your log, immediately change your access codes and notify proper authorities.

13.   Disable UPNP:

UPNP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.

If you manually forwarded the HTTP and TCP ports in your router/modem this feature should be turned off regardless.

14.   Disable SNMP:

Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.

15.   Disable P2P:

P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.

16.   Disable Multicast:

Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.

17.   Put up a firewall.

Make sure you have a firewall in your network to prevent unauthorized access to your devices. If you don’t have one, you can browse the internet to know your best options on firewall downloads.

For a cloud-based solution without port forwarding, an on-site firewall configuration is not needed. Speak with your integrator or system manufacturer to confirm this.

18.   Change Default HTTP and TCP Ports:

Change default HTTP and TCP ports for Dahua systems. These are the two ports used to communicate and to view video feeds remotely.

These ports can be changed to any set of numbers between 1025-65535. Avoiding the default ports reduces the risk of outsiders being able to guess which ports you are using.

19.   Forward Only Ports You Need:

Ideally, do NOT connect your unprotected server to the internet. If you do expose your system to the internet, then “port forward” as few ports as possible and utilize a next generation firewall which analyzes the protocol and blocks incorrect protocols sent over the wrong port. In an ideal situation, also deploy an IDS/IPS for further protection. Its applicable for IP Camera/ DVR/ NVR/ VMS.

The more secure cloud-based systems do not have port forwarding, so no vulnerability exists, and no incremental protection action is required. Ask your integrator or provider to verify this for any system you own or are considering acquiring.

20.   Build a separate network

Mixing the cameras on a standard network without separation is a recipe for disaster. If your security camera system is connected to your main network, you are creating a doorway for hackers to enter your main network via your surveillance system, or to enter your physical security system through your main network. Some DVRs can even be shipped with a virus.

Ideally, place the security camera system on a physically separate network from the rest of your network. If you are integrating with a sophisticated IT environment, it is not always possible to separate the two systems physically.

In this event, you should use a VLAN.

21.   Connect IP Cameras to the PoE Ports on the Back of an NVR:

Cameras connected to the PoE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.

22.   Secure your smart phone

Most of today’s home security systems are controlled through smart mobile applications  and this is what makes your smartphone very important for your home’s security. Keep it in mind to always have it protected.

For one, you should avoid logging in to your system while in public places. Someone near you could be waiting for your password. Also, make sure that no one else can access your phone by securing it with a password lock. You can also install a track app just in case you misplace or lost your phone.

If such event happens, make sure to immediately remove your phone’s access from your security system and report the incident right away.

23.   Upgrade your apps and firmwares.

The reason why companies keep updating their firmwares is to fix bugs and glitches as well as to add security patches. By complying with the updates, you are arming yourself with better protection against hackers.

24.   Disable Auto-Login on apps:

If you are using apps to view your system and you are on a computer that is used by multiple people, make sure auto-login is disabled. This adds a layer of security to prevent users without the appropriate credentials from accessing the system.

25.   Use a Different Username and Password for apps:

In the event that your social media, bank, email, etc. account is compromised, you would not want someone collecting those passwords and trying them out on your security surveillance system. Using a different username and password for your security system will make it more difficult for someone to guess their way into your system. Set high quality passwords and do password enforcement and account deletion when staff changes.

Surveillance System Assessment, Deployment & Maintenance

Data breaches continue to accelerate throughout the world. With increasing Internet connectivity, physical security systems are very vulnerable to cyber-attacks, both as direct attacks and as an entrance to the rest of the network. Liabilities for these attacks are still being defined.

It is prudent to protect your company and your customers through preventative measures.

To maximize your cyber security, it is critical to define best practices for your own company, as part of your security camera system assessment, as well as its deployment and maintenance.

Security audit is another way to know system performance of your security Surveillance systems. You need to see what camera saw, Auditing of CCTV Video Easier and Efficient. Auditing helps in gaining better Situational Awareness and Actionable Intelligence.

Some of these technologies are new and have been developed specifically to combat cyber-attacks whilst others, which were originally intended simply to make chipsets more efficient, are also able to contribute to camera security. Almost all, when mentioned in video surveillance-related documents, datasheets or on the Internet, are stated as acronyms or have names which do not make it obvious what they are intended to do. Here, therefore, is an explanation of some of those you are most likely to come across.

• Anti-Hardware Clone: Anti-hardware clone functionality prevents a chipset from being cloned. In addition to protecting intellectual property, this ensures that a chipset with a manufacturer’s label is a genuine copy and removes the risk of a cloned device which may contain malicious software being used to steal sensitive data such as passwords.
• Crypto Acceleration: When applied to video surveillance solutions, crypto acceleration is normally referred to within the context of a camera chipset performing complex mathematical functions for encryption and decryption This is a very intensive operation requiring the chipset to use a large proportion of its resources. Equipping chipsets with a dedicated ‘engine’ for this purpose ensures that encryption/decryption is efficiently carried out, without affecting other camera functionality.
• Image Scrambling: Between the location of a camera and where the images it captures are remotely viewed, recorded and stored, there is always the possibility that a cyber criminal could hack into the network and gain access to what may be confidential video and data. Image scrambling is the encryption of video prior to transmission over the network. It does so by randomly rearranging the pixels of each image so that it cannot be viewed by anyone maliciously hacking into the network.
• Secure JTAG: JTAG ports are hardware interfaces which are used to programme, test and debug devices. However, they can be compromised by cyber criminals to gain low level control of a device and perhaps replace firmware with a malicious version. This can be prevented by securing the JTAG port via a key-based authentication mechanism to which only authorised personnel working for the manufacturer have access.
• Secure UART: UART ports are serial interfaces typically used for debugging cameras. They allow administrator access to a camera and are therefore a target for hackers attempting to access sensitive information such as password keys. Hackers could also potentially access a camera’s firmware in order to reverse engineer it, as well as examine it for vulnerabilities in the device’s communications protocols. Enforcing restricted and secure access to the UART port, will allow the debugging process to be safely completed, without opening the door to cyber criminals.
• OTP ROM: This is an acronym for One Time Programmable Read Only Memory which allows sensitive data, such as encryption keys, to be written only once onto a chipset and then prevents the data from being modified. This protects the integrity of encryption keys which are used to validate the stages in a secure boot up sequence and allows access to the JTAG Port.
• Secure Boot Verification: Secure Boot provides an extra layer of security by sandboxing different elements of a camera’s operating system, which means they are in a protected space. The system will complete a full boot before communicating with any other part of the system and this prevents an interruption to the boot process which could be exploited by a hacker.
• Random Number Generator: Computers are designed to create very predictable data and are therefore not very good at generating random numbers which are required for good encryption. A dedicated random number generator overcomes this problem by having a dedicated mechanism for the task.
• Secure OS: Using a separate operating system (OS) for encryption and decryption, as well as for verifying apps have not been modified or are forgeries, reduces the workload of a camera’s main OS. A separate Linux based API is needed to access a Secure OS and without this, there is no way to make any changes from the outside of a camera. A Secure OS should always, therefore, be used to process important stored information.

In a highly competitive market, there is no shortage of camera manufacturers to choose from. Consultants, system designers and systems integrators therefore have the freedom to narrow down their shortlist of preferred supplies to those who have fully embraced and incorporated best practise into their manufacturing process. A clear demonstration of this would be if they have equipped their cameras with most, if not all, of the above functionality and technology.

Biography:

Arindam Bhadra is an eSecurity professional 11yr + in this industry. He is a good freelance blogger. His blog is now No 1. Blog in India. 2.9L page viewer globally. Mr. Bhadra is an Electronics & telecommunication Engineer from IETE, New Delhi. He is a member of FSAI from 2011 & Go Beyond security from 2008. His blog arindamcctvaccesscontrol.blogspot.com focuses on security. Apart from his job, he loved to spend all his time with eSecurity & Safety technology understanding and loves to help people. He is a Tech enthusiast and has written articles over the period in this Magazine & blog. You can follow him on Facebook, Twitter, LinkedIn & Google+ etc.