IP cameras are all the rage, but users should be aware of the potential security risks. This article covers the major threats and shows what installers and users must consider, especially when installing network-based video surveillance.
Modern network cameras are all the rage. They fit easily into the TCP/IP network that any modern business already has, the installations are easily expandable, and they require no external connections, because the cameras' low power consumption allows them to be powered via the LAN. Banks, embassies, airports, railway stations, ports, gas stations, hotels and underground car parks are just some of the application areas. But experts point out the possible risks. After all, each camera is an interactive node in a network. Its connection can carry not only images but all kinds of data, in both directions. In this respect, a TCP/IP camera is fundamentally different from classic BNC technology.
Starting from the individual threats, the user should pay attention to the risks of the new technology. Without precautions, a network camera can do more harm than good, especially if it is mounted outdoors. The network connection is an electronic point of access to the sensitive inner area of the company. Although IP cameras are usually operated on a separate network segment, an intrusion is conceivable. After all, dozens of manipulation and attack tools for TCP/IP networks are freely available on the Internet. A relatively large group of people also has, through professional work in networking, the in-depth knowledge needed to apply them purposefully.
No major damage involving wired network cameras has been made public so far. This does not mean that none has occurred. The situation is quite different with wireless cameras. Again and again, hackers have pointed out how trivially easy it is to tap wireless cameras, and have even demonstrated this in television programs, which is likely to encourage no small number of imitators. Without encryption enabled, such cameras are easily attacked using a commercially available wireless router; the necessary knowledge is widespread thanks to the countless WLANs in private households. They should never be operated without protective mechanisms such as strong WPA2 encryption and, according to experts, have a place in a commercial environment only in exceptional cases.
Searches like “google hacking camera” also quickly lead to lists of wired IP cameras that are visible on the Internet. Whether the operators of these cameras really want virtually anyone to be able to watch what is currently happening on their premises or in their hallway is doubtful, at least in some cases. Here too, the users have usually simply forgotten to activate the protective mechanisms when setting up the system. Unlike an analog camera, an IP camera does not consist only of a lens and video electronics. It contains a complete web server, which sends the video frames as IP packets at the request of the control software.
As with any web server, any network participant who knows the camera’s IP address can ask it to send information. Conversely, another server can take over the role of the camera and appear on the network under its IP and MAC address. In such an attack, the camera would simply be disconnected from the network and replaced by a laptop that resends IP packets, previously copied from the network traffic, containing innocuous video images.
Network security and IP cameras
IP networks have the task of involving all participants in a bidirectional data stream. This differentiates them fundamentally from analog CCTV systems. Analog systems can of course also be manipulated and “tapped”. But this only works through conspicuous mechanical intervention and always requires special knowledge, which severely limits the circle of potential perpetrators. With the spread of home networks, by contrast, the use of analysis tools for detecting network nodes and of tools for recording IP packets is known to a wide circle.
Experts warn repeatedly that security cameras can become a security risk in this way, because they make sensitive information available to everyone practically without control. Therefore, all authorized participants should form a PKI (public key infrastructure). In addition, a firewall and/or a watchdog program is useful, which blocks any unwanted traffic and reports unauthorized network users immediately. For very high security requirements, special solutions are offered that allow network traffic from outside to inside but prevent the reverse direction by physical means. Configuring, maintaining and monitoring a firewall requires no small degree of knowledge.
In general, a private LAN should be set up for IP cameras. Where this is not possible or not wanted, the firewall is of course of special importance. Another potential risk lies in the unprotected network connection itself. Where necessary, connectors should be mechanically secured against being unplugged and swapped.
Even when creating user accounts, those responsible can make fatal errors. Not everyone who is supposed to see video images should be able to influence the configuration of the system. Otherwise, they could switch off the encryption, or delete or copy recordings. It must therefore be regulated exactly who holds which rights and who gets the administrator password.
To at least make such attacks more difficult, network communication must be protected with the methods known from online banking. This includes secure authentication of network devices and encrypted communication. Timestamps should also ensure that the camera images are current.
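The authentication and timestamp requirements above, as an added sketch (not part of the original article and not any camera vendor's protocol): each frame carries a sequence number, a timestamp and an HMAC-SHA256 tag, so the receiver can reject manipulated, resent or outdated frames. The packet layout, shared key, camera name and two-second freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">16sQd")   # assumed layout: camera id, sequence no., timestamp
TAG_LEN = 32                       # HMAC-SHA256 output size

def seal_frame(key, camera_id, seq, ts, image):
    """Camera side: prepend header and MAC to one encoded frame."""
    header = HEADER.pack(camera_id.encode(), seq, ts)
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + tag + image

class FrameVerifier:
    """Receiver side: accept only authentic, new and current frames."""
    def __init__(self, key, camera_id, max_age=2.0):
        self.key, self.camera_id, self.max_age = key, camera_id.encode(), max_age
        self.last_seq = -1

    def check(self, packet, now):
        if len(packet) < HEADER.size + TAG_LEN:
            return "malformed"
        header = packet[:HEADER.size]
        tag = packet[HEADER.size:HEADER.size + TAG_LEN]
        image = packet[HEADER.size + TAG_LEN:]
        expected = hmac.new(self.key, header + image, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"            # manipulated, or sent without the key
        cam, seq, ts = HEADER.unpack(header)
        if cam.rstrip(b"\0") != self.camera_id:
            return "wrong-camera"
        if seq <= self.last_seq:
            return "replay"             # a frame the receiver has already seen
        if abs(now - ts) > self.max_age:
            return "stale"              # authentic but not current
        self.last_seq = seq
        return "ok"

def demo():
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    frames = [seal_frame(key, "cam-lobby", n, 1000.0 + n * 0.04, b"JPEG%d" % n)
              for n in range(3)]                # constructed sample frames
    live = FrameVerifier(key, "cam-lobby")
    results = [live.check(f, 1000.0 + n * 0.04) for n, f in enumerate(frames)]
    tampered = frames[2][:-1] + b"X"            # image byte changed in transit
    results.append(live.check(tampered, 1000.1))
    results.append(live.check(frames[1], 1600.0))        # resent to the same receiver
    restarted = FrameVerifier(key, "cam-lobby")          # receiver lost its counter
    results.append(restarted.check(frames[1], 1600.0))   # timestamp still exposes it
    return results

if __name__ == "__main__":
    print(demo())
```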
The most important component of a secure infrastructure is the SSL protocol. It is used for encryption and authentication of communication between Web servers and browsers.
As with all encryption systems, https does not offer foolproof protection either, especially not against well-equipped private detectives or government services that have special equipment at their disposal. According to experts, the hurdles are high enough for many cases if a cipher with sufficient key length is used. The most important requirement is of course that https is actually available and used.
When installing IP cameras, networking skills and IT security expertise play an increasingly important role. Users as well as installers must be able to steer clear of configuration pitfalls.
Manufacturers sometimes careless
Manufacturers do not always help. The Gelsenkirchen security expert Prof. Norbert Pohlmann and his colleague Marco Smiatek made a shocking discovery in 2008. The manuals of the IP cameras did not explain even the existing security features in detail, and some manufacturers had dispensed with https entirely. The systems were also generally delivered with encryption disabled, and the user manuals gave insufficient information about the risks.
With simple tools, attackers can follow the unencrypted communication between camera and user and thereby learn passwords and usernames. The experts' advice: first activate https in the configuration menu, and then replace the default passwords, which are often printed in the manual and therefore generally known, with your own, making sure here too that they are sufficiently long.
Some manufacturers have now responded to the criticism from advisory boards. For example, the new Mobotix user interface, expected in mid-2010, makes it easier to set up a secure network. A cryptographic check triggers an alarm when images have been manipulated.
One of the reasons why not all manufacturers offer https is likely to be the considerable computing power that the encryption algorithms require. Network cameras usually have only a single chip for video compression and the web server, which for cost reasons offers little reserve for additional services. The strong frame-by-frame encryption demanded by some security experts would require an additional, powerful microprocessor.
Critical external cameras
But attackers could do more than feed in fake, old video images while thieves go to work on facades and windows in Rififi style. The bidirectional nature of the data line allows attacks on the IT infrastructure itself. Even with normal security requirements, the unprotected operation of outdoor IP cameras over the existing internal data network is gross negligence, explains Stefan Strobel, owner of the security consulting firm cirosec GmbH. Separate network cabling is usually installed for surveillance cameras, but this is far from the case everywhere.
In any case, basic security standards should be adhered to within any corporate network. The user should always close unused communication ports. “In the most difficult situations, for example in the video monitoring of internal high-security areas, customers are recommended products that guarantee access in one direction only,” said Stefan Strobel, “because they exploit physical effects which cannot be manipulated by software.” Such devices seal off two network segments completely from each other; they thus act as a kind of “information diode”. All signals pass from the potentially unsafe outside to the inside via a laser light-emitting diode shining onto a photodiode. A proprietary network protocol is used to connect to the common IP infrastructure. Thus, there is no way to request information from the outside and evaluate it there.
Configuration and operation of IP cameras
Network cameras are practically stripped-down PCs with a lens, and are therefore exposed to the risks of the PC world. They are also part of TCP/IP networks and thus exposed to any threats that arise from the weaknesses of this protocol.
IP cameras normally send their pictures using the so-called Real Time Streaming Protocol (RTSP). The data sent this way can be read by anyone who has access to a node of the network. With cameras in sensitive areas, this can cause serious security problems. It is far more unpleasant when the camera is removed from the network and fake pictures are shown. Under certain circumstances, an attacker does not even have to tamper with the actual camera, but can bring the embedded web server to its knees with an overload of requests so that only his own, manipulated data packets arrive at the control center. Insiders can carry out the attack from their desks. As long as no encrypted streaming protocol can be established, SSL is the easiest way to protect against this threat.
Since the cameras are usually delivered with the lowest security settings, it is up to the employee in charge of the installation, or the service provider appointed for it, to enable this protection.
“The video configuration is decisive,” explains Peter Loibl, CEO of the mill’s by the management consultancy, “it prescribes what the client needs to see and what not. Based on this plan, the locations are determined and the cameras and lenses selected.”
The customer should make the relevant decisions himself after consultation and not leave them to contractors, who may decide by irrelevant criteria and leave the installation to outside fitters who are overwhelmed by the secure configuration.
Within the network, a firewall and/or a watchdog should ensure that recorded video footage cannot be deleted or manipulated via network commands. For this purpose, the customer must of course first determine which facilities and which user groups it classifies as “safe”.