Securing Video Streams!

Topic: “Securing Video Streams”

Many camera manufacturers mention in their technical sheets “Encrypted file transfer using Hyper Text Transfer Protocol Secure (HTTPS)”, and this even for the video streams.

During PEN testing the findings show that the video streams, which are in RTP or RTSP, are not secured with SSL or TLS HTTPS. Thus only the communication to the camera resides under the HTTPS (port 443) and not the video streams.

In our setup all other security measures are enforced, such as 802.1X with NAC certificate (Radius server) and strong passwords. Even then the video streams can still be viewed and even replaced. For security reasons this is not acceptable.

Also mentioning that at this time we are not using VPN tunnels for every camera which are in Unicast streaming to a VMS system, although this could be an answer. At this time we were counting on the built-in security of the mentioned “encryption techniques offered by the camera setup”. We are using the strength of the company network in a separate VLAN, thus not separating the video segment for physical access.

Are these findings correct?

Is HTTPS the answer to security?

If not, why couldn’t the camera manufacturers straighten this out, as they are contradictory to their claims in the Spec Chart?
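
An added example (not part of the original post and not any vendor's code): a Python check that reads a camera's stream URL and the SDP body returned to an RTSP DESCRIBE, and reports whether the signalling and the media are protected in transit, independently of whether the management interface is on HTTPS. The addresses, URLs, SDP bodies and the `interleaved` parameter are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# SDP media profiles that mean SRTP (RFC 3711 / RFC 5124); RTP/AVP is cleartext RTP.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

# Constructed samples of an SDP body returned to an RTSP DESCRIBE (not from a real camera).
SDP_PLAIN = (
    "v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=Constructed sample\r\nt=0 0\r\n"
    "m=video 0 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\n"
    "m=audio 0 RTP/AVP 0\r\n"
)
SDP_SRTP = (
    "v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=Constructed sample\r\nt=0 0\r\n"
    "m=video 0 RTP/SAVP 96\r\na=rtpmap:96 H264/90000\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL\r\n"
)


def control_uses_tls(url):
    """True only for rtsps:// (RTSP over TLS); rtsp:// is cleartext signalling."""
    return urlsplit(url).scheme.lower() == "rtsps"


def media_sections(sdp):
    """Return (media, profile) for every m= line, e.g. ('video', 'RTP/AVP')."""
    out = []
    for line in sdp.splitlines():
        fields = line.strip().split()
        if line.startswith("m=") and len(fields) >= 3:
            out.append((fields[0][2:], fields[2].upper()))
    return out


def audit_stream(url, sdp, interleaved=False):
    """Report whether signalling and each media section are protected in transit.

    interleaved=True means RTP is carried inside the RTSP TCP connection,
    so it inherits TLS when the URL is rtsps://.
    """
    tls = control_uses_tls(url)
    media = [
        {"media": m, "profile": p, "protected": p in SRTP_PROFILES or (tls and interleaved)}
        for m, p in media_sections(sdp)
    ]
    return {
        "control_tls": tls,
        "media": media,
        "all_media_protected": bool(media) and all(x["protected"] for x in media),
    }
```

A result with `control_tls` false and `RTP/AVP` profiles matches the finding in the post: the stream is cleartext even if the camera's web interface is served over HTTPS.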

