Reduce The Possibility Of Network Sniffing For Passwords To Cameras

Hi Vasiles,

The reason vendors don't like to support HTTPS or other encrypted communication is because it adds overhead to the channel both in terms of bandwidth and in terms of the CPU power required at both ends to encrypt/decrypt the stream. It also adds some comlexity to secure certificates. Systems using these protocols are not guaranteed secure, they're just harder to hack. And that fact begs the question "is it worth it?"

It's certainly doable and if you'd like to make it a requirement of the camera/VMS vendors you should make that clear to them.

The general question of how to keep my IP (video) secure comes up from time to time. Just a few days ago there began quite a bit of discussion on the worries of ip video security.

Thanks for the reply. I have added my bit to the other post. I saw an option in Lenel LNVR that allows to select an option which allows one of

RTP over RTSP

RTP over RTSP over HTTP

RTP over UDP

I presume this is all about getting past network blocks and firewalls. So would RTP direct or RTP over RTSP provide an added level of cyber security through obscurity, since its dead easy to get to stuff over HTTP.

I think it's possible to ensure a password isn't sent in the clear (but instead in digest format) over RTSP. But I imagine that can still get botched depending on the implmementation. You might need to experiment using wireshark. This assumes authentication is actually going to happen with RTP/RTSP.

Also note that outside the streaming interaction between VMS and camera there's often a camera API which may also require authentication. These are often over HTTP/HTTPS.

I gather from this question that you're not so concerned with encrypting all communication between the VMS/Camera but rather to ensure passwords are not sent in the clear. This is a little easier task. But may require you do your own snooping to confirm.

Thanks Steve, appreciate your responses. In fact passwords are our biggest concerns.

We go to great lenghts to protect our network but the weakest area is in the security surveillance systems. We can segment them out but then we run into different levels of network infrastructure which we want to eliminate. I think the easiest is just to put the cameras behind the NVR so that the only access is thru the NVR. That way we have more control on the NVR rather than pushing camera manufacturers to provide built in security in their cameras.

Unless of cause, this forum can provide some influence to the camera manufacturers to do more to protect their systems.

- built in standard encryption

- secure FTP and SMTP protocols

- tighter contol on embedded driver code

Todays cyber criminals are using these systems as jump hosts for back door entry to other infrastructure systems.

I don't expect a response on the above, just to raise the issues that IT departments see as risks on their networks.

I beleive we need to evolve from the traditional thinking "security thru obscurity" todays cyber criminals have tools that don't care if a system is hidden or not, they will find them and they wont even be working hard to do it.