Axis Cybersecurity Hardening Guide Examined

Author: Ethan Ace, Published on Nov 19, 2015

In most IT areas, 'hardening' guides are commonplace, providing best practices for improving the cybersecurity of network products (e.g., see this Cisco hardening guide).

However, cybersecurity is generally an after thought in the physical security industry, despite an increasing number of hacking incidents.

In a rare proactive move, Axis has released a cybersecurity hardening guide, walking users through recommendations on how to close common security holes and better secure their networks.

In this note, we review this guide, provide a video showing where these settings may be found in the camera, and give our analysis of their practical impact.

** **** ** *****, '*********' ****** *** ***********, ********* **** ********* for ********* *** ************* ** ******* ******** (*.*., *** ********* ********* *****).

*******, ************* ** ********* ** ***** ******* ** *** ******** security ********, ******* ************ *************** *********.

** * **** ********* ****, ******* ******** * ************* ********* *****, ******* ***** ******* *************** ** *** ** ***** ****** security ***** *** ****** ****** ***** ********.

** **** ****, ** ****** **** *****, ******* * ***** showing ***** ***** ******** *** ** ***** ** *** ******, and **** *** ******** ** ***** ********* ******.

[***************]

Protection ******

*** **** ********* ***** ******* **** ****** ** ********** ******** at ******* ******** *** ********** ** ******** (*** **********).

***** ****** *** ***** ** *************** **** ******* ****************** *** ******** ********, ***** ********* ******** ******** ********. **** *** *********** ****** **** ***** ****** ********* **** steps ***** ***** ** ** ***** ********. 

Video ***********

*** * ****** ***** ***** ***** ******* *** ****** *** key ******** *** ****** ** ****** *** **** *******:

Default, ***** *

**** ******* ***** * ** "**** *********** *** **** ******** and **** *********":

**** ***** ** ******* ** ** ******, ***** ******* ****** settings. **** ***** *** ****** ************ ***** *** ******* ****/**** ***********, allows ********* ******* *** *** *******, *** ****** *** ** address ** ** ******* *** *** **** *** *******, *** insecure *********. ** ** **** ******* *** **********, *** ** these *** *** ********* *** *** **** ****** ****** ****** in ***** ********.

*** *** ***** ** ******* *********** ****** ********* - ****, *****, *******, *** ******* ******** *** ** ***** ************ *** **** ***********.

Standard, ***** *

***** * ** ******* ** "******* *********** ***** ** **********. This ***** ** ******** *** ***** ******** ** ****** ************* where, *********, *** ******** ** **** *** *************."

**** ******** ******* ****** ***** ******** *********:

  • *********:**** ***** **** **** ** ******** ****** *********, *** ********** "** ***** * **********, ********** ***** * password *********."
  • ******* ********* ******: **** ********* ****** *******, ****** **** *** *** ******* ** *** camera *** ****** **** ***** *** *** ********. ** ******* *********, anonymous ****** ** ******** ** *******. ***** ****** ****** ***** settings **** *** ******* ************* ** ************ (***** **** ********).
  • *** ****/****:*** ***** ********** ******** ******** ** ******** ******* *** **** and ****. **** ** *** ******** *** ***** *******, ******* proper ****/**** *** *** ****, *** ***** ****** **** ******, and ************ ** ********** ****** **** ** *****.

**** ***** ******* ** ***** ** *** *** ******** ** Level *, ****** ******** ** ** * ************** ** **** detail *****, ** ***** *.

Enterprise, ***** *

***** * ** "*********** ******** *** ************ **** **** * dedicated ****** *************."

***** * ********** **** ******** ********, *** **** ** ***** involve turning ** ***** *** *** *** *********/***** ****, ** **** as ********* ****** ***** *** ********* (***, *******, ****, ***.). 

*****

*** *** ************** **** ***** **** ***** **** *** ** unfamiliar **** ** ******** ********** (*****). ** *******, ********* *** passwords *** **** ** *** ****** ** ***** **** ***** may ** ****** *********** *** ********* ** ***** ****** ********. ******** **** option ******** ********* ******* ****** *** ****** ** **** *** not ** ****** ********. 

** ***** ** ****** *****, ***** *** ****** * ****-****** certificate, ***** ** *** ******** ** *** *********** ******* ********* and ********* *** ******** ** ***** ******, ** ****** * request ** **** ** * *********** ********* ** ****** * signed ***********.

*********** ***** ****** ********* ** *** ******, ********, *** ********** ********/******** included, though ********* ***** * *** ******* *** ***********. **** ******* offer ********* ***** *** ******* ******* ******* *** ****, ***** may ** **** ** ***** ***** *********** ******* ** ****** per ******.

**** **** **** ** ***** ** ***** *** **** ***/**** video *** *** ********* ** *******, *** ***** ******** ***** only ** **** ******* ******* *** *** ******.***** ********* ****** ** ******* **** *** ***, ***** ** *** *********. ***** and ******** ** *** ******* ***** *** *****, *** *******, while ********* *** ******* **.

***** ***************

**** *********** **** *** ***** ********* *** ***** *********** ** ** video ********:

  • ****** ***** *******:**** ********** ******** * ****** ***** ******* **** * ********* password **** *** ******* *******, ** ***** *** ***** *** in ****** ****** ******* ****** ***********. **** ** ****** ** ** systems, *** ****** **** ** ******** ********. **** ***** **** use *** ******* ***** ******* ** *******.
  • ******/*** *******:************, **** ********* ******** * **** ** *** ****** *** the ***/*** *****, ******** **** *** ***** *******(*). **** ******* the ******** ** *** ***** *******. *******, **** ***** *** require ************** ********** *** ****** ********* (****** * ******** ***** account *** *** ********** ** ***** **** ********).
  • ** ******* *********:*******, **** ********** ******** **** *** ******* *** ***** ******* to ****** ******* ********, *** ** ******* *********. **** ** a ******, *** ***** ********** ***** ** ******** ****** ** cameras, ***** *** ******* **** **** ** **** **** *** authorized ********. **** ***** **** * ********** *** *** **** these *********** ******** ** ****** ********, ***** **** *** **** annoying.

Managed **********, ***** *

*******, ***** * ** ********* ** "***** ******* ************** **** ** IT/IS **********. *** ************ ***** ******* *** **** ** ** integrated **** ** ********** ******* **************."

***.**

** **** *****, **** ********** ***** ***.**, ***** ******** ******* ** be ************* ** * ****** ****** ***** ******* ** ******* to *** *******. ******* ******* *********** ****** ** *** ****. ***.** ** typically ********** ** *** ******* ******.

***.** ** ********* *********** ** ***** ********** ********, ** ** adds *********** ********** *** ************** ** *** *******. ** ** very ******, *** ****** *** ************ ** **** *****, *** likely ******** *** **** ************ *************.

**** **********

**** ********** ***** **** ********** ** *** *******. ******* **** ******* offer ******* ******** ******** *****, ********* "************** ******" ************, ** notify ************** ** ****** ******, ** **** ** ******* ****** tampering ******.

** **** ***.**, **** ** ********* **** ** **** **** sophisticated ** *************, ** ** ******** **** ******* ***** *** knowledge. *******, **** **** ** *** **** ******* ********** ********* becoming **** ******, ***** ********** *** ** ********* ** **** small ******** ** ******* **** ********** ******* *** ********* ** the ****** ** **** *** ***.

*** *** ******* ********** / **** *** ***** ************ ***** *** **** *********** *** *********, ********* *********** ** ****' ******** SNMP **************.

****** ****** ***

****** ******* ******* * ******* ******** *** ******** ******* ** dump *** ***** **. ******* ** **** **********, *** ********* by **** ** *** **** ******* ********** *****, ****** ***** log ****** ** **** **** ** *** ******, ***** **** checks ****** *** *** ****** ************** ** ******. **** ** these ****** *** ** ********* ** **** ** ******* ** use, ****** ****** **** ******, ********** ** ************.

Overall ****** ***************

*** **** ********* *****, ** ******** ** **** ******** ***********, provides ******* ********* *************** *** ********* ******** ** ** ***** networks. ***** **** *****, ***** ******** ********** ************* **** *** cost *** *** ****** *** ***********, *** *************** ** ****** 1 *** * ****** **** **** * *** ******* ** implement, **** ** *********** ******* ** ****. 

**** ******* *** ***** **** *** ********** ** *****, ***** we ****** **** ***** **** *** *********, ***** ***** *************** do **** ** ******* ****** ****** ****** ** ******** ********.

Other ************* *** *********

** *** *** ***** ** *** ***** ** ****** ************* with ********* ******. ***** *********'* ***** ******, ** ********** ******* with **** **** **** * **** *** *** **** *** received * ******** *** ******* **** ** *** **** ***.

Comments (12)

** ******* *********, ********* ****** ** ******** ** *******.

*'* *** **** **** **** ****** ** ********* ******, *** I ** *** ** * *** **** ***** ****** **** full ****** *** ******* ** ******* **** ** **** **** or ******** ******, *** **** **** ****.

** **** ******* ******* ** ** ******** ********?

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

********* ****** ****** ** *******/*** ******* *** *** *** ********* without *****.

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

***** *** **** ***** **, ** ***** * ***.

****, ****'* ****, *** **'* ********.

***** ***, **** ***** ******* ****** **** ******* *** ******* are ********** ** ****. *************** ** ****** ******** ***** ** **** ******* ** ******* alternatives *** ***** ** **** **** *** *** *** ***** driver, ***** ******** ******** *** ********.

******, ** *** ***** ***** *** *** *********, *** ****** will *** ** **** ** ********* ******* ******. ***** ****** like ******** ***** ******** *** *** ** *******, *** **** and **** *** ****** *** *** ***, **** ********/******, *********, etc., ***. ** **** ** ******** ******** ***** ****** **** to *** **** ***, **** *********, **** ************, *** ****. You ***'* ****** ******** ******* ******* *** ********, ******, ***** it's **** *** *** *** ** **** ****** ********** ******.

*** **** ******** ** ****** ******** ***** ** **** ******* of ******* ************ *** ***** ** **** **** *** *** the ***** ******, ***** ******** ******** *** ********.

*** *** **** **** ****** * ********* **** ****** */**** driver ******** ******** * *** **** ********?

**** ******* **** *** *** ** *** **** *** *** before *** **** ******* **? **** ** **** ****?

***** ** *** ******* *****, *** **** * ****** ** it * *** ****** *** ** ****** ** ***** **** the ***** ****:

*** ***** **** * **** ****** *** ****** ***** *** web ********* * ******** *** *** ******* **** ** ** illustrated...

**** *** **** **** *** * ******** *** ****** **** accepts ****** ********* ** *** ****** ***********...

*******, ** *** ****** ** ***** ******** ***** *** ***** API (*.*. *** *** ***)there ** ** **** *********** **** *** ****** ** ***** ***** **** ****** ***********. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. -**** ************** *****

* ***** ** ******* **** *****, *** ***, ******. ******** 5.80.1.2

****'* ******* **** * ** ******* *****, ***** ** **** video.

  • *:** - **** **** - ******** ***
  • *:** - ****** ******** ***** - *.*.*
  • *:** - ***** *** ********** ** ******* *******
  • *:** - **:** ******* - (** ********** *** ****** ********)
  • *:** - ***** ******* **** **** *********
  • *:** - **** **** ********* - ******** ******** ** **** password
  • *:** - ******* *******
  • *:** - *** **** ******* ****** ****://****:****@***.***.***.**:***/****-*****/*****.***
  • *:**Stream ****** **** ******* ****:**** **********

***** *.*.* ** ***?

* ***** **** **** ***** ** **** *** ** **** failed **** * ****** ******* ***** *****.

***, ** *** ***** ****, ***** ********* ** **** **** root:pass (*** **** ****:****).

********, ***** ****'* * ***** *******, **** ****** ***** ** no ***** (**** *****), ** **** ** *** *** ****** and **** **** ** *** ****** ****** **** *** ********** and *** ***** ****. ********* ***** ** ******* ** **** VAPIX ******** *** ********* ** ******.

** ********* ******* ** *******, ** *****.

*** **** **** ***** ***** ***** **, *** ** *****'* seem ****** **** **** ** ****' ******** ********, ***** *** agree?

***'* ***** ****** **** ******* ** ***** *** ********** *** camera ** * ***?

**** ********, *** ***. ** *** *** *****'* ******* ***** via *****, ** **** **** ** *******. * **** ****** an **** * ****** ** ***** *** ***** *** ***** fails ** *******.

********* *******. ** ********* *** **** ******* ** *** *********** so **** ** **** ****** ***********.

******: ***** *** *** *'**** ********' / ********* ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Axis Camera Vulnerabilities From Google Researcher Analyzed on Mar 23, 2017
A Google security researcher has reported 6 vulnerabilities for Axis cameras, affecting multiple models and firmware versions. In this report, we...
OpenEye Takes Aim At Exacq on Mar 23, 2017
First Milestone targeted Exacq with a takeover offer, and now OpenEye is gunning for them with an offer to swap out Exacq for their cloud-managed...
Lock Keyways For Access Control Guide on Mar 23, 2017
Lock keyways can be the difference between a lock working or not. Understanding keyways is important for access control. Indeed, a member recently...
VMS Update Automation Compared on Mar 20, 2017
Updating VMS software can be a tedious and time consuming processing, which historically has required users to access each machine, download update...
Simplisafe Warns Customers About Alarm Fines on Mar 17, 2017
Simplisafe markets themselves as a 'better way' than traditional professional alarm companies. However, in one key way, Simplisafe hides the...
Alarm Panic Switches Tutorial on Mar 16, 2017
Panic switches allow silently triggering an alarm system when it is otherwise disarmed. In this tutorial we explain and contrast the 7 most common...
Environmental Sensors For Burglar Alarm Tutorials on Mar 15, 2017
Intrusion detection systems can be used to alert users to environmental issues. By connecting sensors that monitor the heat, humidity, and...
Burglar Alarm Screens Tutorial on Mar 14, 2017
Many residential alarm subscribers arm their alarms before going to bed at night. Wiring window screens allow these subscribers to leave their...
Uniview Weak Local / Strong Remote Password Policy Tested on Mar 14, 2017
With the continuing onslaught of cyber-security breaches (see Dahua backdoor recently discovered, Hikvision defaulted devices getting hacked)...
Genetec Comments on Washington DC MPD Hack on Mar 13, 2017
This January, the Washington DC police video surveillance system was hacked with ransomware, impacting 123 of 187 cameras. Last month, IPVM...

Most Recent Industry Reports

Everbridge Mass Notification Service Examined on Mar 24, 2017
Everbridge is expanding in the security space. In January 2017 Everbridge acquired PSIM platform IDV, and have also begun integrating with other...
Hikvision Removing Auto 'Phone Home' on Mar 24, 2017
Facing pressure over their cameras auto phoning home and their Chinese government ownership, Hikvision has begun quietly removing automatic...
Axis Camera Vulnerabilities From Google Researcher Analyzed on Mar 23, 2017
A Google security researcher has reported 6 vulnerabilities for Axis cameras, affecting multiple models and firmware versions. In this report, we...
OpenEye Takes Aim At Exacq on Mar 23, 2017
First Milestone targeted Exacq with a takeover offer, and now OpenEye is gunning for them with an offer to swap out Exacq for their cloud-managed...
Lock Keyways For Access Control Guide on Mar 23, 2017
Lock keyways can be the difference between a lock working or not. Understanding keyways is important for access control. Indeed, a member recently...
Broken Browser Support for Video Surveillance on Mar 22, 2017
Modern web browsers have left the security industry behind. Current Chrome, Firefox, and Microsoft Edge browsers do not support NPAPI plugins,...
ADI Favorability Results on Mar 22, 2017
150 North American integrators provided feedback on 6 distributors, and why they do (or do not do) business with ADI. ADI is clearly a big name in...
1 Million Dahua Devices Exposed To Backdoor on Mar 22, 2017
Statistics show that 1 million Dahua devices are publicly exposed and vulnerable to the Dahua backdoor. Despite this, Dahua has downplayed the...
Hikvision Hires Crisis Communication Writer on Mar 21, 2017
Hikvision has hired a crisis communication writer as the company ramps up its efforts to deal with the 'crisis' it feels it is facing. 'Crisis...
Glass Break Sensor Tutorial on Mar 21, 2017
Burglars often break glass windows to get into a house. Using glass break detectors in conjunction with alarm contacts is a good way to protect the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact