by Jeffrey Cheng (Trend Micro IoT Security)
The security for devices connected to the internet of things (IoT) has been a hot topic, and Internet Protocol (IP) surveillance cameras, in particular, have been the subject of growing scrutiny.
IP cameras have become a top target for hackers because of their relatively high computing power and good internet traffic throughput. A case in point was the incident toward the end of 2016 where a Linux-based botnet called Mirai was used to facilitate the largest distributed denial-of-service (DDoS) attack in history. As a result, packet flow experienced outbursts of up to 50 times higher than its normal volume, with internet traffic estimated at a record high of 1.2 Tbps. The traffic was triggered by remote commands, and the hijacked devices were primarily IP surveillance cameras.
Multiple variants of Mirai-like malware have since surfaced to further take advantage of vulnerable IP surveillance cameras. Rightfully, cybersecurity is now becoming a major consideration for IP surveillance devices, with some governments, for instance, already at work on regulations to elevate cybersecurity implementation. It is becoming a new decisive factor in the market of IP surveillance cameras.
One of the major motivations for hacking IoT devices is financial gain. And when it comes to monetization, IP surveillance cameras are distinct targets for the following reasons:
The typical attack chain around IP surveillance cameras consists of the following steps.1. Initial infection. After locating a device with open ports — such as Telnet, Secure Shell, and Universal Plug and Play (UPnP) — the attacker uses the device’s default credentials (as with Mirai) or exploits unpatched system vulnerabilities (as with Persirai and Reaper) to gain access control.
Most home IP cameras offered in the traditional, do-it-yourself (DIY) consumer market are connected directly to the internet. This means that home IP cameras are exposed to the internet at a very similar level as personal computers in homes, but lacking the user capability to install security software. Although home IP cameras amount to only a small portion of all installed devices, they make up a fast-growing market because of their increasing affordability and accessibility to the general public.
On the other hand, many people claim that IP cameras are not exposed to that level of risk because most products are usually designed for enterprises, which basically deploy IP cameras in local area networks and make them unsearchable on the internet. This claim may hold true, but it may overlook several real-world factors:
Hooking up IP cameras to the internet at large is a clear trend. Given the considerable number of IP cameras deployed globally, a small portion of IP cameras that expose themselves on the public domain can serve as a great incentive for hackers.
Another thing to consider is how network isolation is one of the frequently mentioned approaches for cybersecurity. Being in a local area network, though, does not guarantee the protection of IP cameras against hacking. For one thing, well-designed malware can easily spread across the local area network, and any portable device brought into the same local area network can easily turn into an infection vector. Take the infamous Mirai botnet as an example: A Windows-based trojan plays an important role to distribute it, even though the targets are IP cameras that run on Linux.
A complete functionality offered by an IP camera often consists of the camera itself, the network capability, and the cloud services. To offer a secure product, manufacturers need to implement security strategies in an overarching approach — from the device to the cloud:
1. IP camera hardware. Since finding a system vulnerability is one of the most critical factors for hackers to penetrate into an IP camera, leading manufacturers in the industry pay close attention to monitoring the firmware and patching the vulnerable system components of products. However, to raise the bar on security, further enhancements can be applied, such as:
2. Networking. Deploying IP cameras within a closed network is already a highly adopted mechanism to ensure a better level of security. Virtual private networks (VPNs) can be used to enable remote access with a secure connection. Other network-related security implementations include:
As with other IoT devices, there are a lot of moving parts in a complete IP camera-based application. Accordingly, no one could and should be held solely responsible in the event of a security incident. From a cybersecurity standpoint, we believe everyone plays a role in making security fully realized.
The traditional business model for an IP surveillance system is a one-time payment. In a DIY market, the end users simply purchase the IP cameras and install them in the existing network environment. More complicated cases will introduce system integrators, who basically handle everything for the users, including selecting the right hardware, fixing them at desired locations, wiring them to outgoing routers, and setting up the network. It’s also a one-time payment if the maintenance contract is not figured in.
As more parties are trying to monetize on the basis of IP surveillance services, many different business models crop up to fulfill different needs. Surveillance service providers now charge users monthly fees instead of a one-time payment, and so do internet service providers (ISPs). New players in this business not only provide video surveillance systems for users, but also offer value-added services such as cloud recording and all sorts of smart features. To this point, the lines between the involved parties in this industry are getting blurred. For example, Nest is not only the manufacturer of the Nest Cam™ security camera, but it’s also the service provider that facilitates the associated cloud recording service.
Regardless of all the working components in the industry, there are groups of people and entities that play critical roles in the cybersecurity of surveillance systems:
Identifying the roles and responsibilities for security is not a matter of knowing who one is but rather a matter of knowing what one does. In a DIY market, the home user also plays the role of a system integrator. In the same manner, the IP camera vendor not only plays the device manufacturer role but also the service provider role since all the apps and cloud services are also developed and maintained by the vendor itself. In all scenarios that we can think of, we find it easy to communicate security accountability and responsibility by mapping an involved entity into any of the four aforementioned roles.
Security is a common issue for manufacturers of internet-connected devices — and IP camera hardware manufacturers are no exception. To be sure, the more cybersecurity implementations are added, the more obvious the increase in cost will be from the bill of material (BOM) list. On the other hand, since cybersecurity is now a topic with high awareness in the industry and even among end users, IP camera manufacturers can also take this opportunity to create unique value in the market instead of pursuing an endless price war. Cybersecurity implementations can also be used to put forth decisive factors for requests for quotations (RFQs), especially those from public domains, now that cybersecurity has attracted further government scrutiny. For service providers or system integrators, this cost issue may become less critical because security implementations can be an optional item and can be transferred to the monthly bill of the end users who really care about such matters.
Complexity is another form of cost for better cybersecurity. The easiest way to get everything set up is always the cheapest and the most unsecure one. Trading ease of use for cybersecurity is common sense among IT experts but not for general users. For example, if a surveillance system is to allow remote access over the internet, the adoption of VPNs is often on the list of top suggestions for security. However, accessing a device with a VPN is not a common practice among general users, especially smartphone users.
The never-ending debate between the costs and the benefits of cybersecurity can only be expected to keep on, with companies, no matter the size, continuing to weigh all the contributing factors to their IoT implementations while striving to maintain functionality and security.
Although classified as IoT products, IP cameras had already been in the market even before the term internet of things or IoT was coined. But in spite of the market maturity of IP cameras, the cybersecurity concerns surrounding them are still a big challenge for the entire industry. As with other IoT devices and services, the information flow for IP cameras is a long chain and malicious attacks can surface anywhere. Companies that monetize on IoT-related businesses have developed awareness of cloud security for quite some time as well as the cybersecurity matters on the network connection.
The lack of sufficient cybersecurity implementations in devices is the next thing to tackle, not only for the IP surveillance industry but for all IoT-based businesses. A world where everything is connected may look great, but only with adequate cybersecurity would this connected world be as secure as it is smart.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.