Axis Cybersecurity Hardening Guide Examined

Author: Ethan Ace, Published on Nov 19, 2015

In most IT areas, 'hardening' guides are commonplace, providing best practices for improving the cybersecurity of network products (e.g., see this Cisco hardening guide).

However, cybersecurity is generally an afterthought in the physical security industry, despite an increasing number of hacking incidents.

In a rare proactive move, Axis has released a cybersecurity hardening guide, walking users through recommendations on how to close common security holes and better secure their networks.

In this note, we review this guide, provide a video showing where these settings may be found in the camera, and give our analysis of their practical impact.


Protection ******

*** **** ********* ***** ******* **** ****** ** ********** ******** at ******* ******** *** ********** ** ******** (*** **********).

***** ****** *** ***** ** *************** **** ******* ****************** *** ******** ********, ***** ********* ******** ******** ********. **** *** *********** ****** **** ***** ****** ********* **** steps ***** ***** ** ** ***** ********. 

Video ***********

*** * ****** ***** ***** ***** ******* *** ****** *** key ******** *** ****** ** ****** *** **** *******:

Default, ***** *

**** ******* ***** * ** "**** *********** *** **** ******** and **** *********":

**** ***** ** ******* ** ** ******, ***** ******* ****** settings. **** ***** *** ****** ************ ***** *** ******* ****/**** ***********, allows ********* ******* *** *** *******, *** ****** *** ** address ** ** ******* *** *** **** *** *******, *** insecure *********. ** ** **** ******* *** **********, *** ** these *** *** ********* *** *** **** ****** ****** ****** in ***** ********.

*** *** ***** ** ******* *********** ****** ********* - ****, *****, *******, *** ******* ******** *** ** ***** ************ *** **** ***********.

Standard, ***** *

***** * ** ******* ** "******* *********** ***** ** **********. This ***** ** ******** *** ***** ******** ** ****** ************* where, *********, *** ******** ** **** *** *************."

**** ******** ******* ****** ***** ******** *********:

  • *********:**** ***** **** **** ** ******** ****** *********, *** ********** "** ***** * **********, ********** ***** * password *********."
  • ******* ********* ******: **** ********* ****** *******, ****** **** *** *** ******* ** *** camera *** ****** **** ***** *** *** ********. ** ******* *********, anonymous ****** ** ******** ** *******. ***** ****** ****** ***** settings **** *** ******* ************* ** ************ (***** **** ********).
  • *** ****/****:*** ***** ********** ******** ******** ** ******** ******* *** **** and ****. **** ** *** ******** *** ***** *******, ******* proper ****/**** *** *** ****, *** ***** ****** **** ******, and ************ ** ********** ****** **** ** *****.

**** ***** ******* ** ***** ** *** *** ******** ** Level *, ****** ******** ** ** * ************** ** **** detail *****, ** ***** *.

Enterprise, ***** *

***** * ** "*********** ******** *** ************ **** **** * dedicated ****** *************."

***** * ********** **** ******** ********, *** **** ** ***** involve turning ** ***** *** *** *** *********/***** ****, ** **** as ********* ****** ***** *** ********* (***, *******, ****, ***.). 

*****

*** *** ************** **** ***** **** ***** **** *** ** unfamiliar **** ** ******** ********** (*****). ** *******, ********* *** passwords *** **** ** *** ****** ** ***** **** ***** may ** ****** *********** *** ********* ** ***** ****** ********. ******** **** option ******** ********* ******* ****** *** ****** ** **** *** not ** ****** ********. 

** ***** ** ****** *****, ***** *** ****** * ****-****** certificate, ***** ** *** ******** ** *** *********** ******* ********* and ********* *** ******** ** ***** ******, ** ****** * request ** **** ** * *********** ********* ** ****** * signed ***********.

*********** ***** ****** ********* ** *** ******, ********, *** ********** ********/******** included, though ********* ***** * *** ******* *** ***********. **** ******* offer ********* ***** *** ******* ******* ******* *** ****, ***** may ** **** ** ***** ***** *********** ******* ** ****** per ******.

**** **** **** ** ***** ** ***** *** **** ***/**** video *** *** ********* ** *******, *** ***** ******** ***** only ** **** ******* ******* *** *** ******.***** ********* ****** ** ******* **** *** ***, ***** ** *** *********. ***** and ******** ** *** ******* ***** *** *****, *** *******, while ********* *** ******* **.

***** ***************

**** *********** **** *** ***** ********* *** ***** *********** ** ** video ********:

  • ****** ***** *******:**** ********** ******** * ****** ***** ******* **** * ********* password **** *** ******* *******, ** ***** *** ***** *** in ****** ****** ******* ****** ***********. **** ** ****** ** ** systems, *** ****** **** ** ******** ********. **** ***** **** use *** ******* ***** ******* ** *******.
  • ******/*** *******:************, **** ********* ******** * **** ** *** ****** *** the ***/*** *****, ******** **** *** ***** *******(*). **** ******* the ******** ** *** ***** *******. *******, **** ***** *** require ************** ********** *** ****** ********* (****** * ******** ***** account *** *** ********** ** ***** **** ********).
  • ** ******* *********:*******, **** ********** ******** **** *** ******* *** ***** ******* to ****** ******* ********, *** ** ******* *********. **** ** a ******, *** ***** ********** ***** ** ******** ****** ** cameras, ***** *** ******* **** **** ** **** **** *** authorized ********. **** ***** **** * ********** *** *** **** these *********** ******** ** ****** ********, ***** **** *** **** annoying.

Managed **********, ***** *

*******, ***** * ** ********* ** "***** ******* ************** **** ** IT/IS **********. *** ************ ***** ******* *** **** ** ** integrated **** ** ********** ******* **************."

***.**

** **** *****, **** ********** ***** ***.**, ***** ******** ******* ** be ************* ** * ****** ****** ***** ******* ** ******* to *** *******. ******* ******* *********** ****** ** *** ****. ***.** ** typically ********** ** *** ******* ******.

***.** ** ********* *********** ** ***** ********** ********, ** ** adds *********** ********** *** ************** ** *** *******. ** ** very ******, *** ****** *** ************ ** **** *****, *** likely ******** *** **** ************ *************.

**** **********

**** ********** ***** **** ********** ** *** *******. ******* **** ******* offer ******* ******** ******** *****, ********* "************** ******" ************, ** notify ************** ** ****** ******, ** **** ** ******* ****** tampering ******.

** **** ***.**, **** ** ********* **** ** **** **** sophisticated ** *************, ** ** ******** **** ******* ***** *** knowledge. *******, **** **** ** *** **** ******* ********** ********* becoming **** ******, ***** ********** *** ** ********* ** **** small ******** ** ******* **** ********** ******* *** ********* ** the ****** ** **** *** ***.

*** *** ******* ********** / **** *** ***** ************ ***** *** **** *********** *** *********, ********* *********** ** ****' ******** SNMP **************.

****** ****** ***

****** ******* ******* * ******* ******** *** ******** ******* ** dump *** ***** **. ******* ** **** **********, *** ********* by **** ** *** **** ******* ********** *****, ****** ***** log ****** ** **** **** ** *** ******, ***** **** checks ****** *** *** ****** ************** ** ******. **** ** these ****** *** ** ********* ** **** ** ******* ** use, ****** ****** **** ******, ********** ** ************.

Overall ****** ***************

*** **** ********* *****, ** ******** ** **** ******** ***********, provides ******* ********* *************** *** ********* ******** ** ** ***** networks. ***** **** *****, ***** ******** ********** ************* **** *** cost *** *** ****** *** ***********, *** *************** ** ****** 1 *** * ****** **** **** * *** ******* ** implement, **** ** *********** ******* ** ****. 

**** ******* *** ***** **** *** ********** ** *****, ***** we ****** **** ***** **** *** *********, ***** ***** *************** do **** ** ******* ****** ****** ****** ** ******** ********.

Other ************* *** *********

** *** *** ***** ** *** ***** ** ****** ************* with ********* ******. ***** *********'* ***** ******, ** ********** ******* with **** **** **** * **** *** *** **** *** received * ******** *** ******* **** ** *** **** ***.

Comments (12)

** ******* *********, ********* ****** ** ******** ** *******.

*'* *** **** **** **** ****** ** ********* ******, *** I ** *** ** * *** **** ***** ****** **** full ****** *** ******* ** ******* **** ** **** **** or ******** ******, *** **** **** ****.

** **** ******* ******* ** ** ******** ********?

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

********* ****** ****** ** *******/*** ******* *** *** *** ********* without *****.

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

***** *** **** ***** **, ** ***** * ***.

****, ****'* ****, *** **'* ********.

***** ***, **** ***** ******* ****** **** ******* *** ******* are ********** ** ****. *************** ** ****** ******** ***** ** **** ******* ** ******* alternatives *** ***** ** **** **** *** *** *** ***** driver, ***** ******** ******** *** ********.

******, ** *** ***** ***** *** *** *********, *** ****** will *** ** **** ** ********* ******* ******. ***** ****** like ******** ***** ******** *** *** ** *******, *** **** and **** *** ****** *** *** ***, **** ********/******, *********, etc., ***. ** **** ** ******** ******** ***** ****** **** to *** **** ***, **** *********, **** ************, *** ****. You ***'* ****** ******** ******* ******* *** ********, ******, ***** it's **** *** *** *** ** **** ****** ********** ******.

*** **** ******** ** ****** ******** ***** ** **** ******* of ******* ************ *** ***** ** **** **** *** *** the ***** ******, ***** ******** ******** *** ********.

*** *** **** **** ****** * ********* **** ****** */**** driver ******** ******** * *** **** ********?

**** ******* **** *** *** ** *** **** *** *** before *** **** ******* **? **** ** **** ****?

***** ** *** ******* *****, *** **** * ****** ** it * *** ****** *** ** ****** ** ***** **** the ***** ****:

*** ***** **** * **** ****** *** ****** ***** *** web ********* * ******** *** *** ******* **** ** ** illustrated...

**** *** **** **** *** * ******** *** ****** **** accepts ****** ********* ** *** ****** ***********...

*******, ** *** ****** ** ***** ******** ***** *** ***** API (*.*. *** *** ***)there ** ** **** *********** **** *** ****** ** ***** ***** **** ****** ***********. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. -**** ************** *****

* ***** ** ******* **** *****, *** ***, ******. ******** 5.80.1.2

****'* ******* **** * ** ******* *****, ***** ** **** video.

  • *:** - **** **** - ******** ***
  • *:** - ****** ******** ***** - *.*.*
  • *:** - ***** *** ********** ** ******* *******
  • *:** - **:** ******* - (** ********** *** ****** ********)
  • *:** - ***** ******* **** **** *********
  • *:** - **** **** ********* - ******** ******** ** **** password
  • *:** - ******* *******
  • *:** - *** **** ******* ****** ****://****:****@***.***.***.**:***/****-*****/*****.***
  • *:**Stream ****** **** ******* ****:**** **********

***** *.*.* ** ***?

* ***** **** **** ***** ** **** *** ** **** failed **** * ****** ******* ***** *****.

***, ** *** ***** ****, ***** ********* ** **** **** root:pass (*** **** ****:****).

********, ***** ****'* * ***** *******, **** ****** ***** ** no ***** (**** *****), ** **** ** *** *** ****** and **** **** ** *** ****** ****** **** *** ********** and *** ***** ****. ********* ***** ** ******* ** **** VAPIX ******** *** ********* ** ******.

** ********* ******* ** *******, ** *****.

*** **** **** ***** ***** ***** **, *** ** *****'* seem ****** **** **** ** ****' ******** ********, ***** *** agree?

***'* ***** ****** **** ******* ** ***** *** ********** *** camera ** * ***?

**** ********, *** ***. ** *** *** *****'* ******* ***** via *****, ** **** **** ** *******. * **** ****** an **** * ****** ** ***** *** ***** *** ***** fails ** *******.

********* *******. ** ********* *** **** ******* ** *** *********** so **** ** **** ****** ***********.

******: ***** *** *** *'**** ********' / ********* ********.
