Securing IP Surveillance Cameras in the IoT Ecosystem
by Jeffrey Cheng (Trend Micro IoT Security)
The security for devices connected to the internet of things (IoT) has been a hot topic, and Internet Protocol (IP) surveillance cameras, in particular, have been the subject of growing scrutiny.
IP cameras have become a top target for hackers because of their relatively high computing power and good internet traffic throughput. A case in point was the incident toward the end of 2016 where a Linux-based botnet called Mirai was used to facilitate the largest distributed denial-of-service (DDoS) attack in history. As a result, packet flow experienced outbursts of up to 50 times higher than its normal volume, with internet traffic estimated at a record high of 1.2 Tbps. The traffic was triggered by remote commands, and the hijacked devices were primarily IP surveillance cameras.
Multiple variants of Mirai-like malware have since surfaced to further take advantage of vulnerable IP surveillance cameras. Rightfully, cybersecurity is now becoming a major consideration for IP surveillance devices, with some governments, for instance, already at work on regulations to elevate cybersecurity implementation. It is becoming a new decisive factor in the market of IP surveillance cameras.
Motivations for targeting IP surveillance cameras
One of the major motivations for hacking IoT devices is financial gain. And when it comes to monetization, IP surveillance cameras are distinct targets for the following reasons:
- Constant connectivity. Like many other devices, IP cameras need to be internet-connected to function properly. However, exposure to the internet also makes it easy for hackers to find the cameras and potentially exploit the devices. Once hacked, the devices will be able to serve the hackers’ needs.
- Low hacking investment. Unlike with hacking a PC, once hackers see a way to break the security of an IoT device such as an IP camera, the same approach can usually be applied to other devices of similar models, resulting in a very low per-device hacking cost.
- Lack of supervision. Unlike PCs, especially those used in offices, IP cameras have low user interaction and are not well-managed in terms of security. Installation of an aftermarket anti-malware application is not available either.
- High performance. The idle computing power of an IP surveillance camera is usually good enough to perform hacking-related tasks such as cryptocurrency mining, and without being noticed by end users at that.
- High internet-facing bandwidth. The always-connected, fast, and huge bandwidth designed for video communications makes for a suitable target for hackers to initiate DDoS attacks.
Typical attack chain
The typical attack chain around IP surveillance cameras consists of the following steps.
2. Command and control. After gaining control of the device, the attacker downloads and executes malicious scripts or samples that report to the command-and-control (C&C) server. That server issues commands instructing the affected IP camera to perform malicious activities such as cryptocurrency mining or DDoS attacks on other devices via User Datagram Protocol floods.
3. Propagation. Depending on its kind, the malware used can scan the network and employ the same infection methods to propagate itself to other vulnerable devices. The attacker can trigger this action automatically (as in the case of wormlike botnets), or manually by receiving instructions from the C&C server.
Risks to public and closed networks
Most home IP cameras offered in the traditional, do-it-yourself (DIY) consumer market are connected directly to the internet. This means that home IP cameras are exposed to the internet at a very similar level as personal computers in homes, but lacking the user capability to install security software. Although home IP cameras amount to only a small portion of all installed devices, they make up a fast-growing market because of their increasing affordability and accessibility to the general public.
On the other hand, many people claim that IP cameras are not exposed to that level of risk because most products are usually designed for enterprises, which basically deploy IP cameras in local area networks and make them unsearchable on the internet. This claim may hold true, but it may overlook several real-world factors:
- The system integrators may not install the IP cameras as expected. In many cases, people just choose whichever approach is more convenient for them to install everything and get the devices working. Ease of maintenance is another incentive for them to do so. This explains why the IP addresses of many IP cameras that are supposed to stay in a local area network can still be found.
- The business model around IP cameras is changing. Service providers are using IP cameras to run customized services (such as elderly care), and making the cameras available on the internet is the easiest way for both users and remote operators to access the cameras as needed at the same time.
- Modern value-adding functions such as video analysis features are often deployed in the cloud to reduce the overall hardware and software costs, with the flexibility to switch specific features on or off, or to add a new feature regardless of the hardware performance of the cameras.
Hooking up IP cameras to the internet at large is a clear trend. Given the considerable number of IP cameras deployed globally, a small portion of IP cameras that expose themselves on the public domain can serve as a great incentive for hackers.
Another thing to consider is how network isolation is one of the frequently mentioned approaches for cybersecurity. Being in a local area network, though, does not guarantee the protection of IP cameras against hacking. For one thing, well-designed malware can easily spread across the local area network, and any portable device brought into the same local area network can easily turn into an infection vector. Take the infamous Mirai botnet as an example: A Windows-based trojan plays an important role to distribute it, even though the targets are IP cameras that run on Linux.
A layered defense for IP cameras
A complete functionality offered by an IP camera often consists of the camera itself, the network capability, and the cloud services. To offer a secure product, manufacturers need to implement security strategies in an overarching approach — from the device to the cloud:
1. IP camera hardware. Since finding a system vulnerability is one of the most critical factors for hackers to penetrate into an IP camera, leading manufacturers in the industry pay close attention to monitoring the firmware and patching the vulnerable system components of products. However, to raise the bar on security, further enhancements can be applied, such as:
- Enforcing the changing of default credentials.
- Applying secure boot to prevent compromised devices from functioning.
- Implementing firmware over-the-air (FOTA) updates to patch issues if necessary.
- Employing the principle of least functionality by minimizing open ports on the device if not necessary.
2. Networking. Deploying IP cameras within a closed network is already a highly adopted mechanism to ensure a better level of security. Virtual private networks (VPNs) can be used to enable remote access with a secure connection. Other network-related security implementations include:
- Encrypting connections to deter attempts at compromise.
- Connecting with a security tunnel.
- Using a hardware component to store encryption keys.
IoT security accountability and shared responsibility
As with other IoT devices, there are a lot of moving parts in a complete IP camera-based application. Accordingly, no one could and should be held solely responsible in the event of a security incident. From a cybersecurity standpoint, we believe everyone plays a role in making security fully realized.
The traditional business model for an IP surveillance system is a one-time payment. In a DIY market, the end users simply purchase the IP cameras and install them in the existing network environment. More complicated cases will introduce system integrators, who basically handle everything for the users, including selecting the right hardware, fixing them at desired locations, wiring them to outgoing routers, and setting up the network. It’s also a one-time payment if the maintenance contract is not figured in.
As more parties are trying to monetize on the basis of IP surveillance services, many different business models crop up to fulfill different needs. Surveillance service providers now charge users monthly fees instead of a one-time payment, and so do internet service providers (ISPs). New players in this business not only provide video surveillance systems for users, but also offer value-added services such as cloud recording and all sorts of smart features. To this point, the lines between the involved parties in this industry are getting blurred. For example, Nest is not only the manufacturer of the Nest Cam™ security camera, but it’s also the service provider that facilitates the associated cloud recording service.
Regardless of all the working components in the industry, there are groups of people and entities that play critical roles in the cybersecurity of surveillance systems:
- Device Manufacturers. Responsible manufacturers should always bear the security considerations in mind for every feature designed and delivered. One may argue that users often ignore or forget to adopt basic security measures, and that may just be the root cause of widespread malware across the world today. Governments are paying attention to this now and are working to enforce a certain level of security implementation with their authority. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), operated by the U.S. government, discloses system vulnerabilities of existing IP camera products from time to time in order to create more visibility around cybersecurity issues. In addition, the government of Taiwan, where at least a quarter of IP cameras shipped around the world are produced, is drafting a series of regulations aimed at ensuring the cybersecurity of the devices. Safety science companies like UL are also working on their cybersecurity verification programs to create further visibility on cybersecurity implementations.
- Service Providers. Those who build the system and operate their services with IP cameras should be responsible for the cybersecurity on a system level. By integrating the essential features of IP cameras and other premium features, service providers basically shape the whole system — from the device to the network to the cloud. Service providers, along with integrators, not only put things together, but they also make sure the devices and systems operate as intended during the entire service life. As they should, service providers have to prioritize cybersecurity along with promised features.
- System integrators. Those who set up the hardware and the software and initiate everything to start the service of the surveillance system also play a role in employing security. The principle of least functionality is the key guideline here, and enabling just as many features as needed is the goal. Unused features, especially the network functions such as open ports, are normally the shortcut for hackers.
- End users.There is typically a security guideline or a user manual that goes with an IP camera product. Reading through it and setting up the cameras as instructed play a crucial role in cybersecurity. Mirai’s success, for instance, can be attributed mainly to failure in changing default passwords.
Identifying the roles and responsibilities for security is not a matter of knowing who one is but rather a matter of knowing what one does. In a DIY market, the home user also plays the role of a system integrator. In the same manner, the IP camera vendor not only plays the device manufacturer role but also the service provider role since all the apps and cloud services are also developed and maintained by the vendor itself. In all scenarios that we can think of, we find it easy to communicate security accountability and responsibility by mapping an involved entity into any of the four aforementioned roles.
Costs vs. benefits
Security is a common issue for manufacturers of internet-connected devices — and IP camera hardware manufacturers are no exception. To be sure, the more cybersecurity implementations are added, the more obvious the increase in cost will be from the bill of material (BOM) list. On the other hand, since cybersecurity is now a topic with high awareness in the industry and even among end users, IP camera manufacturers can also take this opportunity to create unique value in the market instead of pursuing an endless price war. Cybersecurity implementations can also be used to put forth decisive factors for requests for quotations (RFQs), especially those from public domains, now that cybersecurity has attracted further government scrutiny. For service providers or system integrators, this cost issue may become less critical because security implementations can be an optional item and can be transferred to the monthly bill of the end users who really care about such matters.
Complexity is another form of cost for better cybersecurity. The easiest way to get everything set up is always the cheapest and the most unsecure one. Trading ease of use for cybersecurity is common sense among IT experts but not for general users. For example, if a surveillance system is to allow remote access over the internet, the adoption of VPNs is often on the list of top suggestions for security. However, accessing a device with a VPN is not a common practice among general users, especially smartphone users.
The never-ending debate between the costs and the benefits of cybersecurity can only be expected to keep on, with companies, no matter the size, continuing to weigh all the contributing factors to their IoT implementations while striving to maintain functionality and security.
Keeping security in check from here on out
Although classified as IoT products, IP cameras had already been in the market even before the term internet of things or IoT was coined. But in spite of the market maturity of IP cameras, the cybersecurity concerns surrounding them are still a big challenge for the entire industry. As with other IoT devices and services, the information flow for IP cameras is a long chain and malicious attacks can surface anywhere. Companies that monetize on IoT-related businesses have developed awareness of cloud security for quite some time as well as the cybersecurity matters on the network connection.
The lack of sufficient cybersecurity implementations in devices is the next thing to tackle, not only for the IP surveillance industry but for all IoT-based businesses. A world where everything is connected may look great, but only with adequate cybersecurity would this connected world be as secure as it is smart.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.