Lately our industry has been inundated with news and misleading information regarding network security, and the ‘FACT’ that IP cameras aren’t secure. Article after article has claimed that all of our surveillance systems are compromised with secret ‘back-doors.’
Do I deny that these ‘back-doors’ exist? Not necessarily. But any professional who has installed surveillance systems since the early ’90s can say, “I know how to secure those systems.”
Shifting gears
Did you know, for example, that the Washington DC IP camera networks were compromised on inauguration day 4 years ago? Yes; the same systems that claim to have a corner of the market with regard to network and hardware security (Axis cameras). In fact, ransomware was planted on the system recorders.
THIS is the nature of ANY IP based device. I’ve been heavily involved with BOTH industries for a very long time. I’ve witnessed – first hand – the vulnerabilities of Windows 95, 98, 00, ME (or even 3.1). I’ve studied system security architecture and ‘nerded out’ with security classes that teach how to secure software, or even, ‘The Kernel’ of an Operating System.
Each IP-based device is, quite simply, a computer. So how can I protect the integrity of my IP-based surveillance system?
The answer?
We’ll have to defer to those who have been installing surveillance systems since the 90’s for this elaborate sage-wisdom.
Disconnect the device from the Internet.
No, it’s not rocket science. I’ll elaborate (a little). The only way to ‘truly’ secure an IP-based system (regardless of the manufacturer or product type) is to install the system on a stand-alone network! That’s it; it’s that simple. Yes, you lose some of the benefits of a “network” based system (remote connectivity being the big one), but it’s secure, and access to the cameras/recordings can ONLY be gained by physical network access.
Case in point: Ring (which sits behind ‘government level’ encryption) was compromised recently because its model IS remote connectivity. In fact, the service encourages the sharing of your video to help ‘assist in crime prevention.’ It may prevent crime, but it is also vulnerable to it. I’m sure there’s a place for Ring, but this is just an example.
Disconnecting such a system from the Internet INCLUDES NOT attaching any internet-connected device to that stand-alone network. Are all the devices running reliably? Yes? If so, there’s no need to update/patch firmware. However, if you do need to update firmware, load the firmware from a USB drive or something of that nature.
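One way to check that a recorder’s network really is stand-alone, as an added example that is not from the original post: a small Python audit over `ip route` and `ip neigh` output from the recorder. The sample output, addresses and device inventory below are all constructed; the audit flags a default route, any route to a destination off the camera subnet, and any neighbor that is not on the inventory (a stray internet-connected device plugged into the camera LAN).

```python
import ipaddress

# Constructed sample of `ip route show` on a recorder. The default route on the
# second line is exactly the kind of leak this audit should catch.
SAMPLE_ROUTES = """\
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.10
default via 192.168.50.1 dev eth0
"""

# Constructed sample of `ip neigh show` on the same recorder; .77 is not a known camera.
SAMPLE_NEIGHBORS = """\
192.168.50.21 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.50.22 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.168.50.77 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
"""

# Constructed inventory: the recorder itself plus the two cameras that belong on this LAN.
INVENTORY = {"192.168.50.10", "192.168.50.21", "192.168.50.22"}


def audit_isolation(routes: str, neighbors: str, inventory: set, lan: str) -> list:
    """Return findings describing ways the camera network is not stand-alone."""
    net = ipaddress.ip_network(lan)
    findings = []
    for line in routes.splitlines():
        line = line.strip()
        if not line:
            continue
        dst = line.split()[0]
        if dst == "default":
            findings.append(f"default route present (path to the Internet): {line}")
            continue
        try:
            dst_net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            findings.append(f"unparsed route entry, review manually: {line}")
            continue
        if dst_net.version != net.version or not dst_net.subnet_of(net):
            findings.append(f"route to destination outside the camera LAN: {line}")
    for line in neighbors.splitlines():
        line = line.strip()
        if line and line.split()[0] not in inventory:
            findings.append(f"unknown device on camera LAN: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_ROUTES, SAMPLE_NEIGHBORS, INVENTORY, "192.168.50.0/24"):
        print(finding)
```

An empty result means the recorder sees only its own subnet and only inventoried devices; run it from each recorder, not just one.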
Does this make the system boring? Maybe a little. BUT, disconnected, a surveillance system will still serve its primary function swimmingly: surveillance.
How can I know that I’m buying the devices with NO vulnerabilities?
I’m CERTAIN ANY IP camera on the market has technical vulnerabilities that are – at present – undiscovered. They may even have a ‘back-door’ (at this point, even Hikvision has released its source code to DC in order to prove there was no back-door, only to be rebuffed by competing lobbyists).
The quality of imaging, the ability to rely on a system to automatically dump old footage and replace it with new footage (as opposed to swapping tapes), makes the migration to IP worth it. The optical technology is superior, and it’s simple to secure a network by ‘disconnecting it from the internet.’
In any case, our recommendation is to ALWAYS build a stand-alone network for systems like this. While we say this, we don’t necessarily mean that they shouldn’t be connected to the Internet, we simply mean that all of the devices should operate on their own dedicated hardware and software. The purpose of this post is to mention that by removing the internet connection from this network, you’re creating a self-contained virtual-SCIF.
IT guys will promise that their networks are “bullet proof.” They may be right, but it’s far easier to manage these kinds of things when you’re controlling your own network. When you can be certain your devices aren’t competing for addresses, or being polled by some service running on the network, you don’t worry as much about network up-time. There is little difference from when you home-ran coax and power from each camera to the headend equipment. If you think about it, those systems were isolated, self-contained networks.