I'm obviously biased as an integrator, but I think it takes all three (customer, manufacturer and integrator) making an effort to secure these devices. For one of them to instantly say "NOT IT!" is just poor form and does not bode well for future interactions when these issues occur.
They may as well have just said that once it is off their loading dock it is someone else's issue. Way to commoditize your product, Axis. You're better than this.
In Axis's defense, they appear to be quoting "cyber security experts", and that group of experts is probably looking at a macro view of all IT security and not the narrower view of IoT-style hardware.
From a general IT perspective, I'm sure most attacks are indeed a result of misconfigured networks and software. But your ability to secure IoT devices is limited. You often don't have root access, and users/installers are not expected to SSH in and lock down the equipment. Rather than commenting on how vendors can help customers secure their devices, it would have been wise for Axis to make some relatively minor firmware updates available that apply industry-standard authentication practices (HTTPS by default, strong password support, brute-force protection, etc.).
I think the integrator is the person responsible for securing the system. If the integrator does a basic password and opens it up to the network, then shame on them at that point. I don't expect my bank to be responsible because I choose "cashmoney" as my online password. The first problem is the required education of integrators. My state has no required network security education, just a yearly "education fair" for credits where vendors come in and showcase their latest tech.
Now if it is an obvious security vulnerability that an integrator has no access to fix, then the manufacturer is at fault. Or if the customer decides to open their network to the internet then it is their fault.
While manufacturers cannot ensure that best practice is followed in each install, all of us must at least take on the responsibility of fixing obvious vulnerabilities.
Manufacturers should make it mandatory that usernames and passwords are changed directly after the first login. Even when using cloud-based applications, the user's email is known by the provider. They could, e.g., issue a warning that, when the credentials are not changed, the user will be removed from that platform.
This is only addressing the username and password. Same old story over and over again. A shame that this happens.
For the other part, and by that I mean the firmware and software, I still think that a certification like ISO 27001 should be introduced. Especially since all these devices become more IP oriented and are connected to the Internet (IoT).
Part of this certification should be fines when not compliant or when a data leak is discovered. This would make manufacturers more and more conscious, and especially cautious, when bringing out new products and firmware updates.
Another part is to keep making the effort to create awareness among the users (read: installers, integrators and especially end-users).
IPVMU Certified | 12/15/16 03:44pm
It is the responsibility of the purchaser to fully understand the product they are buying and installing and to know and understand the known risks at the time of purchase.
It is the responsibility of the manufacturer to engineer, design, fabricate and distribute their product with the minimum defects and communicate clear specifications and information that will assist the purchaser to decide 'suitability for use' in their implementation. It is also their responsibility to respond to defects in a timely manner once the issues become known.
Yes these are broad statements but there is no such thing as 'zero defect' manufacturing.
I am an end-user and project designer / implementer.
Smartvue at Johnson Controls | 12/15/16 03:50pm
Axis is wrong. As a manufacturer and software services supplier in this industry for 20 years, my humble opinion is that it is our responsibility to provide systems that protect the customer and the integrator. Solutions should automatically force password changes on cameras to prevent using default passwords along with rolling password changes and forcing of complex user passwords as just a few examples.
I've recently evaluated a series of IP cameras for security, including a number of Axis cameras.
Once you have followed Axis's own hardening guide, they are among the most secure IP cameras. But they still give you more than enough rope to hang yourself with: not HTTPS by default, weak password policy, no brute-force protection.
Certainly not secure enough to be exposed to the Internet.
Apply some of these same thought processes to automobile manufacturers:
How come they all make vehicles that can drive at speeds above 100 mph, when doing so would be quite dangerous, both to the 'user' and to those around them?
I think the onus is on the user to use the camera in a safe manner - and if they hire a professional to install/configure their cameras, then this responsibility falls squarely on these 'experts'.
So, since cameras ship with HTTP authentication, how many cameras out there use DIGEST authentication to prevent cleartext passwords from flying through the network?
I know some brands have an option (with HTTPS disabled) of a) Basic, b) Digest, c) Digest or Basic. The problem with option C, which was their default, was that the client could simply reply that it didn't support Digest and be given Basic authentication, negating the benefit of preventing an attacker from seeing cleartext passwords. They should have only had options A and B. Make B the default, and if needed for 3rd-party integration, back it down to A...
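The downgrade described in the post above, as an added example that is not from the original thread or from any camera vendor's firmware: a small model of the three policies (A: Basic, B: Digest, C: Digest or Basic), a client that "doesn't support Digest" and answers every challenge with Basic, and what a passive on-path observer recovers from the Authorization header in each case. The realm `camera`, the account `root`/`pass`, the URI `/stream` and the class and function names are all constructed for the example; the Digest computation is the RFC 2617 form without `qop` to keep the block short.

```python
import base64
import hashlib
import re
import secrets

# Constructed example account and realm; a real device would store only HA1,
# never the plaintext password.
REALM = "camera"
USERS = {"root": "pass"}
POLICIES = ("basic", "digest", "digest_or_basic")  # options A, B, C from the post


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _params(header_tail: str) -> dict:
    """Parse key="value" pairs from a Digest challenge or credential string."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header_tail))


def digest_response(user, password, realm, nonce, method, uri) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1 : nonce : HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class CameraAuth:
    """Model of one camera's HTTP auth policy (hypothetical class, not vendor code)."""

    def __init__(self, policy: str, users: dict):
        assert policy in POLICIES
        self.policy, self.users, self.nonces = policy, users, set()

    def challenge(self) -> list:
        """WWW-Authenticate header values the camera sends with its 401."""
        hdrs = []
        if self.policy != "basic":
            nonce = secrets.token_hex(16)
            self.nonces.add(nonce)
            hdrs.append(f'Digest realm="{REALM}", nonce="{nonce}"')
        if self.policy != "digest":  # option C also advertises Basic
            hdrs.append(f'Basic realm="{REALM}"')
        return hdrs

    def authenticate(self, method, uri, authorization) -> bool:
        scheme, _, tail = authorization.partition(" ")
        scheme = scheme.lower()
        if scheme == "basic" and self.policy != "digest":
            user, _, pw = base64.b64decode(tail).decode().partition(":")
            return secrets.compare_digest(self.users.get(user, "").encode(), pw.encode())
        if scheme == "digest" and self.policy != "basic":
            p = _params(tail)
            if p.get("nonce") not in self.nonces:
                return False
            self.nonces.discard(p["nonce"])  # single-use nonce: a captured header cannot be replayed
            pw = self.users.get(p.get("username"))
            if pw is None:
                return False
            expected = digest_response(p["username"], pw, REALM, p["nonce"], method, p.get("uri", ""))
            return secrets.compare_digest(expected.encode(), p.get("response", "").encode())
        return False  # scheme not permitted by policy, e.g. Basic against a Digest-only camera


def basic_credentials(user, password) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_credentials(user, password, challenge, method, uri) -> str:
    p = _params(challenge)
    resp = digest_response(user, password, p["realm"], p["nonce"], method, uri)
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{resp}"')


def sniffed_password(authorization):
    """What a passive observer on the wire recovers from the Authorization header."""
    scheme, _, tail = authorization.partition(" ")
    if scheme.lower() == "basic":
        return base64.b64decode(tail).decode().partition(":")[2]  # plaintext password
    return None  # Digest: only MD5(HA1:nonce:HA2) is visible, it must be cracked offline


def lazy_client_session(policy, method="GET", uri="/stream"):
    """A client that claims not to support Digest answers any challenge with Basic.
    Returns (accepted_by_camera, password_seen_on_the_wire)."""
    cam = CameraAuth(policy, USERS)
    cam.challenge()
    hdr = basic_credentials("root", USERS["root"])
    return cam.authenticate(method, uri, hdr), sniffed_password(hdr)


def digest_client_session(policy, method="GET", uri="/stream"):
    """A well-behaved client uses the Digest challenge whenever one is offered."""
    cam = CameraAuth(policy, USERS)
    digest_ch = [c for c in cam.challenge() if c.startswith("Digest")]
    if not digest_ch:
        return False, None  # camera offered no Digest challenge at all
    hdr = digest_credentials("root", USERS["root"], digest_ch[0], method, uri)
    return cam.authenticate(method, uri, hdr), sniffed_password(hdr)
```

Under option C the lazy client is accepted and the sniffer gets `pass` in the clear; under option B the same attempt is refused, so a client or integration that only speaks Basic fails loudly at install time instead of silently leaking credentials on every request. Digest still only hides the password from a passive observer: an active attacker can tamper with the stream, and the MD5 response can be brute-forced offline against a weak password, which is why HTTPS by default remains the real fix.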
It is obvious.
I think Axis should first offer the choice to use strong security functions; then whether to use them or not should be chosen only by the user.
Responding to Axis's new tweet on responsibility:
10 percent of hacks ARE the manufacturer's fault!! That is totally unacceptable.