Subscriber Discussion

Alternates To Old Cameras?

U
Undisclosed
Oct 22, 2014

I've got a client site where I'm that rude person in IT Security who runs the network scans that knock over the old cameras. Fortunately, I'm also empowered to go to the CFO and fight for funding for Physical Security to do their job. They want to re-deploy an old Axis 216 camera. I've had to write the "dude, please stop using that antique" memo already. Suggestions on how to recommend alternate cameras? Yeah, they find Axis' prices a bit steep so alternate vendor recommendations are most definitely in order. If we had a big bucket of money I'd just suggest getting whatever Q-series replaced it (Q1604?) (I'm assuming "alternate camera vendor" is an apropos question here, appologies if I failed to notice this has already been covered with IPVM material I shoulda just studied.)

Avatar
Brian Rhodes
Oct 22, 2014
IPVMU Certified

I'm fairly sure the Axis 216 was replaced by the P33 series.

Either way, what specific requirements does a camera need to meet your network security requirements? (ie: so it cannot be 'knocked over' by your network scan?)

Avatar
Ari Erenthal
Oct 22, 2014
Chesapeake & Midlantic

The P3301 is only about $500 or so. Cheaper than that?

U
Undisclosed
Oct 23, 2014

Thank you for the input.

The camera has to have a tcp/ip protocol stack that works. In the IT world this got worked out last century. You have to actually bother to engineer the network stack. Amazingly that message only barely has made it to the physical security world. The concept this is consider something special is the really really bad. It implies issues in the engineering of the device, or issues in the manufacturer's priorities.

(1)
Avatar
Brian Rhodes
Oct 23, 2014
IPVMU Certified

"The camera has to have a tcp/ip protocol stack that works. In the IT world this got worked out last century. You have to actually bother to engineer the network stack."

So are there brands that you would discount outright for offending this?

Or would you evaluate each potential model individually?

I suspect some brands are better and more organized at this level of design than others. I'd guess many premium brands like Sony, Bosch, Avigilon have 'a protocol stack that works', but I also know this is what you do every day, so your insights are appreciated.

U
Undisclosed #1
Oct 23, 2014

Its your lucky day, because the network stack is most oft part of the firmware and

the last issued firmware for the 216 was 4.47.5 on 7/05/12, 21st Century, AD that is.

Though time's a wastin', online support runs out in about a week!

U
Undisclosed #2
Oct 23, 2014

What is specific to your scan that "knocks over" the camera?

Is something about the camera going offline due to the scan considered a security risk?

UE
Undisclosed End User #3
Aug 10, 2017

I hope this pastes easily. This is a doc my InfoSec team and I use the review devices. I1, I2, I3 (I now work with my InfoSec team and ask them to scan the device to see how it performs... review test results and review how it withstood the scan... does it still work like it is supposed to?) I9 & I10 are important.

 

Category

IoT Security Consideration

I1: Insecure Web Interface

  • Ensure that any web interface in the product disallows weak passwords
  • Ensure that any web interface in the product has an account lockout mechanism
  • Ensure that any web interface in the product has been tested for XSS, SQLi and CSRF vulnerabilities
  • Ensure that any web interface has the ability to use HTTPS to protect transmitted information
  • Include web application firewalls to protect any web interfaces
  • Ensure that any web interface allows the owner to change the default username and password

I2: Insufficient Authentication/Authorization

  • Ensure that any access requiring authentication requires strong passwords
  • Ensure that user roles can be properly segregated in multi-user environments
  • Implement two-factor authentication where possible
  • Ensure password recovery mechanisms are secure
  • Ensure that users have the option to require strong passwords
  • Ensure that users have the option to force password expiration after a specific period
  • Ensure that users have the option to change the default username and password

I3: Insecure Network Services

  • Ensure all devices operate with a minimal number of network ports active
  • Ensure all devices do not make network ports and/or services available to the internet via UPnP for example
  • Review all required network services for vulnerabilities such as buffer overflows or denial of service

I4: Lack of Transport Encryption

  • Ensure all communication between system components is encrypted as well as encrypting traffic between the system or device and the internet
  • Use recommended and accepted encryption practices and avoid proprietary protocols
  • Ensure SSL/TLS implementations are up to date and properly configured
  • Consider making a firewall option available for the product

I5: Privacy Concerns

  • Ensure only the minimal amount of personal information is collected from consumers
  • Ensure all collected personal data is properly protected using encryption at rest and in transit
  • Ensure only authorized individuals have access to collected personal information
  • Ensure only less sensitive data is collected
  • Ensuring data is de-identified or anonymized
  • Ensuring a data retention policy is in place
  • Ensuring end-users are given a choice for data collected beyond what is needed for proper operation of the device

I6: Insecure Cloud Interface

  • Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
  • Ensure that any cloud-based web interface disallows weak passwords
  • Ensure that any cloud-based web interface has an account lockout mechanism
  • Implement two-factor authentication for cloud-based web interfaces
  • Ensure that all cloud interfaces use transport encryption
  • Ensure that any cloud-based web interface has been tested for XSS, SQLi and CSRF vulnerabilities
  • Ensure that users have the option to require strong passwords
  • Ensure that users have the option to force password expiration after a specific period
  • Ensure that users have the option to change the default username and password

I7: Insecure Mobile Interface

  • Ensure that any mobile application disallows weak passwords
  • Ensure that any mobile application has an account lockout mechanism
  • Implement two-factor authentication for mobile applications (e.g Apple's Touch ID)
  • Ensure that any mobile application uses transport encryption
  • Ensure that users have the option to require strong passwords
  • Ensure that users have the option to force password expiration after a specific period
  • Ensure that users have the option to change the default username and password

I8: Insufficient Security Configurability

  • Ensure password security options are made available (e.g. Enabling 20 character passwords or enabling two-factor authentication)
  • Ensure encryption options are made available (e.g. Enabling AES-256 where AES-128 is the default setting)
  • Ensure secure logging is available for security events
  • Ensure alerts and notifications are available to the user for security events

I9: Insecure Software/Firmware

  • Ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered
  • Ensure update files are encrypted and that the files are also transmitted using encryption
  • Ensure that update files are signed and then validated by the device before installing
  • Ensure update servers are secure
  • Ensure the product has the ability to implement scheduled updates

I10: Poor Physical Security

  • Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports)
  • Ensure the firmware of Operating System can not be accessed via unintended methods such as through an unnecessary USB port
  • Ensure the product is tamper resistant
  • Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions
  • Ensure the product has the ability to disable external ports such as USB

 

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions