Phoenix, Arizona resident Andy Gregg was in his backyard when he heard a voice he didn’t recognize talking inside the house.
The source of the voice was his Nest Cam IQ security camera.
The man speaking through the camera told him he was a white hat hacker with the group Anonymous. He then informed Gregg his private information had been compromised.
The hacker said he couldn’t see images through the camera and didn’t know where Gregg lived, but he added that the information wouldn’t be hard to find. He then recited a password Gregg used for multiple websites.
The hacker informed Gregg he had accessed his camera to alert him to its security vulnerabilities. He warned other hackers might access the system to do harm.
Gregg changed his passwords and unplugged the camera that day.
His story made national news. But it is not an isolated situation.
The case of a possessed baby monitor shouting obscenities at a Texas tot also provides a terrifying view into the security considerations of connected devices. Here, a hacker bypassed a firewalled and password-protected wireless network to control the monitor’s camera and voice mechanisms to terrorize the end user.
These examples highlight that employing Internet-connected products without a cyber-security plan is a lot like playing the trust fall game without a person to catch you. The one thing that has been a constant since the first computer went online is that almost any technology, including remotely accessed security camera systems, can be hacked.
However, businesses can avoid these situations by having their CCTV remote viewing systems professionally installed and by instituting good security practices as part of their remote access video security system.
How Hackers Get In
Remote access puts users in constant control of their security cameras. All they need is a smartphone, laptop or tablet computer to keep a close watch over their property, personnel, and their profits.
Remote access security systems also allow users to remotely control alerts. They can set up email or text notifications then view captured video footage when the system notifies them of a potential intruder. They can disable the alarm if it is false and call the police if it is not.
The advantages add up, but there is a disadvantage: when improperly installed and managed, these remotely accessed systems can be a doorway to unauthorized access. Companies must implement necessary controls to secure access to their security systems.
Companies can secure their video surveillance systems with remote access and a DVR with smartphone access by putting some simple protections in place.
1. Password Protection
Every remote access security system requires a hardened password system. Unfortunately, that is often not the case.
Insecam.com links to 73,000 unsecured IP cameras in 256 countries. Over 11,000 camera links are in the United States, where each link has up to 16 cameras.
This site lets people see video footage from security cameras across the globe. And it adds new members daily because of poor manufacturing practices and improper installation and operation.
Better passwords can make a difference, but SplashData finds that one in five users relies on vulnerable passwords. The organization reports the Top 10 passwords of 2018 were:
Security camera systems with remote access need a secure password. Surveillance cameras typically have a web-based graphical user interface (GUI). They also come with a default username and password, which is published on the Internet. If users do not change these passwords during installation, their security systems are vulnerable.
Good installers work with users to set unique and long passwords using numbers, letters and characters to minimize vulnerability. They also set a password for each camera, as opposed to using the same password for all cameras on a network.
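As an added example (not from the original article or any installer's tooling), the Python sketch below audits a camera inventory for the problems described above: factory default logins, short or simple passwords, and one password shared across cameras. The inventory, the default list and the 12-character minimum are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: placeholder factory defaults and a made-up inventory.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "12345"), ("root", "pass")}
MIN_LENGTH = 12  # assumed policy threshold; the article only says "long"

INVENTORY = [
    {"camera": "lobby-01", "username": "admin", "password": "admin"},
    {"camera": "dock-02", "username": "ops", "password": "Blue!Heron7"},
    {"camera": "dock-03", "username": "ops", "password": "Blue!Heron7"},
    {"camera": "vault-04", "username": "svc-vault", "password": "t9#Lq2v!Rw8zKp4m"},
]


def character_classes(password):
    """Count how many of letters, digits and other characters are present."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return sum((has_letter, has_digit, has_symbol))


def audit(inventory):
    """Return {camera: [findings]} for every camera that fails a check."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # password digest -> cameras using it
    for entry in inventory:
        name, user, pw = entry["camera"], entry["username"], entry["password"]
        if (user, pw) in FACTORY_DEFAULTS:
            findings[name].append("factory default credentials")
        if len(pw) < MIN_LENGTH:
            findings[name].append("shorter than %d characters" % MIN_LENGTH)
        if character_classes(pw) < 3:
            findings[name].append("missing letters, numbers or characters")
        # Compare digests so the reuse check never prints a password.
        seen[hashlib.sha256(pw.encode()).hexdigest()].append(name)
    for cameras in seen.values():
        if len(cameras) > 1:
            for name in cameras:
                others = [c for c in cameras if c != name]
                findings[name].append("password shared with " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for camera, problems in audit(INVENTORY).items():
        print(camera, "->", "; ".join(problems))
```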
2. Focus on Firewalls
Business owners and operators who access their security system from their mobile phones introduce vulnerability to the overall security system, because remote access exposes the cameras, DVR, NVR or VMS to the internet.
Do not connect an unprotected server to the internet. If you do connect one, use a firewall to block hackers from getting in. All on-premise DVR, NVR and VMS should have firewall protection when they are exposed to remote access. Cloud-based systems have this protection built in.
A professional video system installer can verify and configure a firewall that keeps hackers out. They can also monitor the system regularly to ensure optimal operation.
3. Consider the Network
When a security system connects to a company’s main network and is accessed remotely, it creates a doorway for hackers to walk through. They can then access proprietary data and account information from the main server.
Instead, connect the security camera system to a separate network, one that is not connected to your company’s main server. Use a VLAN if the two systems cannot be separated.
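The firewall and network-separation advice in sections 2 and 3 can be checked against an address plan. This added Python example, which is not from the original article, flags cameras sitting on the main network and port forwards left open to any source; all subnets, device names and rules are constructed.

```python
import ipaddress

# Constructed sample data: address plan, device list and router port forwards.
MAIN_NETWORK = ipaddress.ip_network("10.0.0.0/24")     # company's main network
CAMERA_NETWORK = ipaddress.ip_network("10.0.50.0/24")  # separate network or VLAN

DEVICES = [
    {"name": "nvr-01", "ip": "10.0.50.10"},
    {"name": "cam-lobby", "ip": "10.0.50.21"},
    {"name": "cam-dock", "ip": "10.0.0.77"},  # plugged into the office switch
]

# Each forward maps an internet-facing port to an internal host. allowed_sources
# is the firewall's source allowlist; "any" means no restriction at all.
PORT_FORWARDS = [
    {"wan_port": 8443, "target": "10.0.50.10", "allowed_sources": ["203.0.113.0/28"]},
    {"wan_port": 554, "target": "10.0.50.21", "allowed_sources": ["any"]},
]


def audit_network(devices, forwards):
    """Return (device, finding) pairs for placement and exposure problems."""
    findings = []
    by_ip = {}
    for device in devices:
        addr = ipaddress.ip_address(device["ip"])
        by_ip[addr] = device["name"]
        if addr in MAIN_NETWORK:
            findings.append((device["name"], "on main network"))
        elif addr not in CAMERA_NETWORK:
            findings.append((device["name"], "outside camera network"))
    for rule in forwards:
        name = by_ip.get(ipaddress.ip_address(rule["target"]))
        if name is None:
            continue  # forward points at something that is not a video device
        if "any" in rule["allowed_sources"]:
            findings.append(
                (name, "port %d open to entire internet" % rule["wan_port"])
            )
    return findings


if __name__ == "__main__":
    for name, problem in audit_network(DEVICES, PORT_FORWARDS):
        print(name, "->", problem)
```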
4. Update Operating Systems Regularly
All security systems rely on operating systems. They can be Windows- or Linux-based. Both come with inherent security vulnerabilities.
The best way to avoid problems is to track known system vulnerabilities and install all security updates to your operating systems.
This must be done for every component in a security system, from the DVR, NVR and VMS to the cameras themselves. Your security system provider can help you update your operating systems regularly.
5. Practice Good Encryption
There are three ways to encrypt network video streams, according to “Encrypting network streams: An overview of why and how to encrypt network video” by Axis Communications.
- HTTPS is the standard means of protection used to encrypt traffic between clients and servers.
- TLS (Transport Layer Security) is used to create a secure channel where the HTTPS traffic is tunneled.
- If the server has a Certificate Authority (CA)-signed certificate, companies can validate that they are accessing a legitimate server and not a malicious computer impersonating the camera.
The Axis document further notes that video is transmitted using RTP (Real-time Transport Protocol). For encrypted video, the client needs to request that RTP stream over HTTPS.
HTTPS (TLS) may use different types of ciphers. The cipher that is most commonly used is AES (Advanced Encryption Standard), which provides key lengths of either 128 or 256 bits. Axis cameras come preloaded with a self-signed certificate and are HTTPS-enabled. This is enough for a client to safely access the camera remotely.
SRTP is an extension of the Real-time Transport Protocol (RTP). It is used for point-to-point and multi-point data transmissions. SRTP encrypts each RTP packet. SRTP can only be used to encrypt streaming media. If you need to perform administrative tasks, such as changing a camera configuration, HTTPS must be used.
VPN provides a secure tunnel and can be used to securely link two remote networks. VPN can be implemented in different ways and using different protocols, such as Point-to-Point Tunneling Protocol, Internet Protocol security or OpenVPN.
VPN is typically used to secure connections to remote cameras in a network video system. While HTTPS could be used for the same purpose, HTTPS exposes the camera’s public IP address to different types of attacks. A VPN solution provides a local IP address for the camera to reduce public exposure while encrypting the traffic.
Most cloud vendors encrypt connections, but it’s important to double check this with your installer. A professional installer also can make sense of this alphabet soup of acronyms to put the right security protocols in place for your application.
Protect Your System and Your Data
Some hackers may break into your security system with mobile phone access to have a little fun or just to prove they could. But others may do so for nefarious reasons.
As more and more devices connect to the internet, your physical security systems are put at risk. Your system may experience a direct attack or it may enable hackers to gain access to the rest of your network.
Here, a good offense is the best defense. Protect your company’s surveillance system by reaching out to a qualified security installer who can design and implement a system that prevents cyber-attacks instead of reacting to them.