Axis Cybersecurity Hardening Guide Examined

Author: Ethan Ace, Published on Nov 19, 2015

In most IT areas, 'hardening' guides are commonplace, providing best practices for improving the cybersecurity of network products (e.g., see this Cisco hardening guide).

However, cybersecurity is generally an after thought in the physical security industry, despite an increasing number of hacking incidents.

In a rare proactive move, Axis has released a cybersecurity hardening guide, walking users through recommendations on how to close common security holes and better secure their networks.

In this note, we review this guide, provide a video showing where these settings may be found in the camera, and give our analysis of their practical impact.

** **** ** *****, '*********' ****** *** ***********, ********* **** ********* for ********* *** ************* ** ******* ******** (*.*., *** ********* ********* *****).

*******, ************* ** ********* ** ***** ******* ** *** ******** security ********, ******* ************ *************** *********.

** * **** ********* ****, ******* ******** * ************* ********* *****, ******* ***** ******* *************** ** *** ** ***** ****** security ***** *** ****** ****** ***** ********.

** **** ****, ** ****** **** *****, ******* * ***** showing ***** ***** ******** *** ** ***** ** *** ******, and **** *** ******** ** ***** ********* ******.

[***************]

Protection ******

*** **** ********* ***** ******* **** ****** ** ********** ******** at ******* ******** *** ********** ** ******** (*** **********).

***** ****** *** ***** ** *************** **** ******* ****************** *** ******** ********, ***** ********* ******** ******** ********. **** *** *********** ****** **** ***** ****** ********* **** steps ***** ***** ** ** ***** ********. 

Video ***********

*** * ****** ***** ***** ***** ******* *** ****** *** key ******** *** ****** ** ****** *** **** *******:

Default, ***** *

**** ******* ***** * ** "**** *********** *** **** ******** and **** *********":

**** ***** ** ******* ** ** ******, ***** ******* ****** settings. **** ***** *** ****** ************ ***** *** ******* ****/**** ***********, allows ********* ******* *** *** *******, *** ****** *** ** address ** ** ******* *** *** **** *** *******, *** insecure *********. ** ** **** ******* *** **********, *** ** these *** *** ********* *** *** **** ****** ****** ****** in ***** ********.

*** *** ***** ** ******* *********** ****** ********* - ****, *****, *******, *** ******* ******** *** ** ***** ************ *** **** ***********.

Standard, ***** *

***** * ** ******* ** "******* *********** ***** ** **********. This ***** ** ******** *** ***** ******** ** ****** ************* where, *********, *** ******** ** **** *** *************."

**** ******** ******* ****** ***** ******** *********:

  • *********:**** ***** **** **** ** ******** ****** *********, *** ********** "** ***** * **********, ********** ***** * password *********."
  • ******* ********* ******: **** ********* ****** *******, ****** **** *** *** ******* ** *** camera *** ****** **** ***** *** *** ********. ** ******* *********, anonymous ****** ** ******** ** *******. ***** ****** ****** ***** settings **** *** ******* ************* ** ************ (***** **** ********).
  • *** ****/****:*** ***** ********** ******** ******** ** ******** ******* *** **** and ****. **** ** *** ******** *** ***** *******, ******* proper ****/**** *** *** ****, *** ***** ****** **** ******, and ************ ** ********** ****** **** ** *****.

**** ***** ******* ** ***** ** *** *** ******** ** Level *, ****** ******** ** ** * ************** ** **** detail *****, ** ***** *.

Enterprise, ***** *

***** * ** "*********** ******** *** ************ **** **** * dedicated ****** *************."

***** * ********** **** ******** ********, *** **** ** ***** involve turning ** ***** *** *** *** *********/***** ****, ** **** as ********* ****** ***** *** ********* (***, *******, ****, ***.). 

*****

*** *** ************** **** ***** **** ***** **** *** ** unfamiliar **** ** ******** ********** (*****). ** *******, ********* *** passwords *** **** ** *** ****** ** ***** **** ***** may ** ****** *********** *** ********* ** ***** ****** ********. ******** **** option ******** ********* ******* ****** *** ****** ** **** *** not ** ****** ********. 

** ***** ** ****** *****, ***** *** ****** * ****-****** certificate, ***** ** *** ******** ** *** *********** ******* ********* and ********* *** ******** ** ***** ******, ** ****** * request ** **** ** * *********** ********* ** ****** * signed ***********.

*********** ***** ****** ********* ** *** ******, ********, *** ********** ********/******** included, though ********* ***** * *** ******* *** ***********. **** ******* offer ********* ***** *** ******* ******* ******* *** ****, ***** may ** **** ** ***** ***** *********** ******* ** ****** per ******.

**** **** **** ** ***** ** ***** *** **** ***/**** video *** *** ********* ** *******, *** ***** ******** ***** only ** **** ******* ******* *** *** ******.***** ********* ****** ** ******* **** *** ***, ***** ** *** *********. ***** and ******** ** *** ******* ***** *** *****, *** *******, while ********* *** ******* **.

***** ***************

**** *********** **** *** ***** ********* *** ***** *********** ** ** video ********:

  • ****** ***** *******:**** ********** ******** * ****** ***** ******* **** * ********* password **** *** ******* *******, ** ***** *** ***** *** in ****** ****** ******* ****** ***********. **** ** ****** ** ** systems, *** ****** **** ** ******** ********. **** ***** **** use *** ******* ***** ******* ** *******.
  • ******/*** *******:************, **** ********* ******** * **** ** *** ****** *** the ***/*** *****, ******** **** *** ***** *******(*). **** ******* the ******** ** *** ***** *******. *******, **** ***** *** require ************** ********** *** ****** ********* (****** * ******** ***** account *** *** ********** ** ***** **** ********).
  • ** ******* *********:*******, **** ********** ******** **** *** ******* *** ***** ******* to ****** ******* ********, *** ** ******* *********. **** ** a ******, *** ***** ********** ***** ** ******** ****** ** cameras, ***** *** ******* **** **** ** **** **** *** authorized ********. **** ***** **** * ********** *** *** **** these *********** ******** ** ****** ********, ***** **** *** **** annoying.

Managed **********, ***** *

*******, ***** * ** ********* ** "***** ******* ************** **** ** IT/IS **********. *** ************ ***** ******* *** **** ** ** integrated **** ** ********** ******* **************."

***.**

** **** *****, **** ********** ***** ***.**, ***** ******** ******* ** be ************* ** * ****** ****** ***** ******* ** ******* to *** *******. ******* ******* *********** ****** ** *** ****. ***.** ** typically ********** ** *** ******* ******.

***.** ** ********* *********** ** ***** ********** ********, ** ** adds *********** ********** *** ************** ** *** *******. ** ** very ******, *** ****** *** ************ ** **** *****, *** likely ******** *** **** ************ *************.

**** **********

**** ********** ***** **** ********** ** *** *******. ******* **** ******* offer ******* ******** ******** *****, ********* "************** ******" ************, ** notify ************** ** ****** ******, ** **** ** ******* ****** tampering ******.

** **** ***.**, **** ** ********* **** ** **** **** sophisticated ** *************, ** ** ******** **** ******* ***** *** knowledge. *******, **** **** ** *** **** ******* ********** ********* becoming **** ******, ***** ********** *** ** ********* ** **** small ******** ** ******* **** ********** ******* *** ********* ** the ****** ** **** *** ***.

*** *** ******* ********** / **** *** ***** ************ ***** *** **** *********** *** *********, ********* *********** ** ****' ******** SNMP **************.

****** ****** ***

****** ******* ******* * ******* ******** *** ******** ******* ** dump *** ***** **. ******* ** **** **********, *** ********* by **** ** *** **** ******* ********** *****, ****** ***** log ****** ** **** **** ** *** ******, ***** **** checks ****** *** *** ****** ************** ** ******. **** ** these ****** *** ** ********* ** **** ** ******* ** use, ****** ****** **** ******, ********** ** ************.

Overall ****** ***************

*** **** ********* *****, ** ******** ** **** ******** ***********, provides ******* ********* *************** *** ********* ******** ** ** ***** networks. ***** **** *****, ***** ******** ********** ************* **** *** cost *** *** ****** *** ***********, *** *************** ** ****** 1 *** * ****** **** **** * *** ******* ** implement, **** ** *********** ******* ** ****. 

**** ******* *** ***** **** *** ********** ** *****, ***** we ****** **** ***** **** *** *********, ***** ***** *************** do **** ** ******* ****** ****** ****** ** ******** ********.

Other ************* *** *********

** *** *** ***** ** *** ***** ** ****** ************* with ********* ******. ***** *********'* ***** ******, ** ********** ******* with **** **** **** * **** *** *** **** *** received * ******** *** ******* **** ** *** **** ***.

Comments (12)

** ******* *********, ********* ****** ** ******** ** *******.

*'* *** **** **** **** ****** ** ********* ******, *** I ** *** ** * *** **** ***** ****** **** full ****** *** ******* ** ******* **** ** **** **** or ******** ******, *** **** **** ****.

** **** ******* ******* ** ** ******** ********?

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

********* ****** ****** ** *******/*** ******* *** *** *** ********* without *****.

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

***** *** **** ***** **, ** ***** * ***.

****, ****'* ****, *** **'* ********.

***** ***, **** ***** ******* ****** **** ******* *** ******* are ********** ** ****. *************** ** ****** ******** ***** ** **** ******* ** ******* alternatives *** ***** ** **** **** *** *** *** ***** driver, ***** ******** ******** *** ********.

******, ** *** ***** ***** *** *** *********, *** ****** will *** ** **** ** ********* ******* ******. ***** ****** like ******** ***** ******** *** *** ** *******, *** **** and **** *** ****** *** *** ***, **** ********/******, *********, etc., ***. ** **** ** ******** ******** ***** ****** **** to *** **** ***, **** *********, **** ************, *** ****. You ***'* ****** ******** ******* ******* *** ********, ******, ***** it's **** *** *** *** ** **** ****** ********** ******.

*** **** ******** ** ****** ******** ***** ** **** ******* of ******* ************ *** ***** ** **** **** *** *** the ***** ******, ***** ******** ******** *** ********.

*** *** **** **** ****** * ********* **** ****** */**** driver ******** ******** * *** **** ********?

**** ******* **** *** *** ** *** **** *** *** before *** **** ******* **? **** ** **** ****?

***** ** *** ******* *****, *** **** * ****** ** it * *** ****** *** ** ****** ** ***** **** the ***** ****:

*** ***** **** * **** ****** *** ****** ***** *** web ********* * ******** *** *** ******* **** ** ** illustrated...

**** *** **** **** *** * ******** *** ****** **** accepts ****** ********* ** *** ****** ***********...

*******, ** *** ****** ** ***** ******** ***** *** ***** API (*.*. *** *** ***)there ** ** **** *********** **** *** ****** ** ***** ***** **** ****** ***********. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. -**** ************** *****

* ***** ** ******* **** *****, *** ***, ******. ******** 5.80.1.2

****'* ******* **** * ** ******* *****, ***** ** **** video.

  • *:** - **** **** - ******** ***
  • *:** - ****** ******** ***** - *.*.*
  • *:** - ***** *** ********** ** ******* *******
  • *:** - **:** ******* - (** ********** *** ****** ********)
  • *:** - ***** ******* **** **** *********
  • *:** - **** **** ********* - ******** ******** ** **** password
  • *:** - ******* *******
  • *:** - *** **** ******* ****** ****://****:****@***.***.***.**:***/****-*****/*****.***
  • *:**Stream ****** **** ******* ****:**** **********

***** *.*.* ** ***?

* ***** **** **** ***** ** **** *** ** **** failed **** * ****** ******* ***** *****.

***, ** *** ***** ****, ***** ********* ** **** **** root:pass (*** **** ****:****).

********, ***** ****'* * ***** *******, **** ****** ***** ** no ***** (**** *****), ** **** ** *** *** ****** and **** **** ** *** ****** ****** **** *** ********** and *** ***** ****. ********* ***** ** ******* ** **** VAPIX ******** *** ********* ** ******.

** ********* ******* ** *******, ** *****.

*** **** **** ***** ***** ***** **, *** ** *****'* seem ****** **** **** ** ****' ******** ********, ***** *** agree?

***'* ***** ****** **** ******* ** ***** *** ********** *** camera ** * ***?

**** ********, *** ***. ** *** *** *****'* ******* ***** via *****, ** **** **** ** *******. * **** ****** an **** * ****** ** ***** *** ***** *** ***** fails ** *******.

********* *******. ** ********* *** **** ******* ** *** *********** so **** ** **** ****** ***********.

******: ***** *** *** *'**** ********' / ********* ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

IP Networking Course May 2017 on Apr 21, 2017
NOTE: Registration ends this Thursday. This is the only networking course designed specifically for video surveillance professionals plus it...
PureTech Video Analytics Examined on Apr 21, 2017
PureTech's analytics were chosen for a US border protection system (see related post), which the company claims no other analytics vendor was able...
Axis Network Horn Tested on Apr 18, 2017
We bought and tested the Axis network horn C3003-E, examining setup and calibration, event audio, VMS integration, and sound pressure levels...
The 100MP Aqueti Mantis Camera Examined on Apr 14, 2017
One of the original gigapixel camera startups, Aqueti, which we first covered in 2012, is back. This time, they have partnered with NVIDIA,...
Bosch B-Series Intrusion Tested on Apr 10, 2017
Bosch is one of the biggest names in intrusion but their B-Series panels, targeted at smaller site installs and available through distribution, are...
VMS Vs NVR Usage Statistics on Apr 07, 2017
What is used more often? VMS software or NVR appliances? 160 integrators told us what they most commonly use and why. [premium_content] Key...
Panasonic Consolidates Video Insight on Apr 04, 2017
Panasonic has consolidated VideoInsight, the VMS provider it acquired in 2015. In this note, we examine Panasonic's goals and its potential...
Milestone / Lenel Resell Partnership on Apr 03, 2017
Lenel has never found success in video management. Nearly a decade ago Lenel OEMed an OEM of Milestone. Now, in an equally uncommon move,...
Deep Science - Active Threat Cloud Monitoring Startup on Apr 03, 2017
Deep learning for $2 a day for a system that automatically detects guns and masks, alerting the police to robberies and threats? A US startup is...
Burglar Alarm Strobes Guide on Mar 31, 2017
Strobes provide visual notification of alarm incidents, as sirens are used to give audible notification. Using a strobe gives alarm users and alarm...

Most Recent Industry Reports

IP Networking Course May 2017 on Apr 21, 2017
NOTE: Registration ends this Thursday. This is the only networking course designed specifically for video surveillance professionals plus it...
PureTech Video Analytics Examined on Apr 21, 2017
PureTech's analytics were chosen for a US border protection system (see related post), which the company claims no other analytics vendor was able...
US Border RVSS / Video Analytics System Examined on Apr 21, 2017
US Customs and Border Protection has been rolling out a video analytics-based detection system along the US/Mexico border, with detection ranges...
Beware The "Hit List" Ranking on Apr 21, 2017
The hit list. Kirschenbaum's recent newsletter complained about a 'hit list', bemoaning how a company took aim at ADT. Alas, that's the Google...
Ring Floodlight Cam Tested on Apr 20, 2017
Ring has released their latest entry, the Floodlight Cam, calling it the "Evolution of Outdoor Security", touting motion activated floodlights,...
Lenel President Is Out on Apr 20, 2017
Lenel's challenges continue. Now, Lenel's President is out, suddenly. This follows increasing challenges for the company who has broadly upset...
Dell EMC Surveillance Division Profile on Apr 20, 2017
With revenue growth from traditional IT customers slowing, Dell has set a focus on the security industry as a market where the company can offer...
PatriotOne Deep Neural / Radar Weapon Detection Examined on Apr 19, 2017
The bodyscanner/weapons detection sector has seen several new products, some using advanced approaches like metamaterials (Evolv) or terahertz...
Failing at Marketing, "ALL HIKVISION PRODUCTS" On Sale on Apr 18, 2017
The ballerinas are out. The price cuts are back. Hikvision is struggling to build a premium brand (i.e., 'The Art of Video Surveillance') so...
Axis Network Horn Tested on Apr 18, 2017
We bought and tested the Axis network horn C3003-E, examining setup and calibration, event audio, VMS integration, and sound pressure levels...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact