Axis Cybersecurity Hardening Guide Examined

Author: Ethan Ace, Published on Nov 19, 2015

In most IT areas, 'hardening' guides are commonplace, providing best practices for improving the cybersecurity of network products (e.g., see this Cisco hardening guide).

However, cybersecurity is generally an after thought in the physical security industry, despite an increasing number of hacking incidents.

In a rare proactive move, Axis has released a cybersecurity hardening guide, walking users through recommendations on how to close common security holes and better secure their networks.

In this note, we review this guide, provide a video showing where these settings may be found in the camera, and give our analysis of their practical impact.

** **** ** *****, '*********' ****** *** ***********, ********* **** ********* for ********* *** ************* ** ******* ******** (*.*., *** ********* ********* *****).

*******, ************* ** ********* ** ***** ******* ** *** ******** security ********, ******* ************ *************** *********.

** * **** ********* ****, ******* ******** * ************* ********* *****, ******* ***** ******* *************** ** *** ** ***** ****** security ***** *** ****** ****** ***** ********.

** **** ****, ** ****** **** *****, ******* * ***** showing ***** ***** ******** *** ** ***** ** *** ******, and **** *** ******** ** ***** ********* ******.

[***************]

Protection ******

*** **** ********* ***** ******* **** ****** ** ********** ******** at ******* ******** *** ********** ** ******** (*** **********).

***** ****** *** ***** ** *************** **** ******* ****************** *** ******** ********, ***** ********* ******** ******** ********. **** *** *********** ****** **** ***** ****** ********* **** steps ***** ***** ** ** ***** ********. 

Video ***********

*** * ****** ***** ***** ***** ******* *** ****** *** key ******** *** ****** ** ****** *** **** *******:

Default, ***** *

**** ******* ***** * ** "**** *********** *** **** ******** and **** *********":

**** ***** ** ******* ** ** ******, ***** ******* ****** settings. **** ***** *** ****** ************ ***** *** ******* ****/**** ***********, allows ********* ******* *** *** *******, *** ****** *** ** address ** ** ******* *** *** **** *** *******, *** insecure *********. ** ** **** ******* *** **********, *** ** these *** *** ********* *** *** **** ****** ****** ****** in ***** ********.

*** *** ***** ** ******* *********** ****** ********* - ****, *****, *******, *** ******* ******** *** ** ***** ************ *** **** ***********.

Standard, ***** *

***** * ** ******* ** "******* *********** ***** ** **********. This ***** ** ******** *** ***** ******** ** ****** ************* where, *********, *** ******** ** **** *** *************."

**** ******** ******* ****** ***** ******** *********:

  • *********:**** ***** **** **** ** ******** ****** *********, *** ********** "** ***** * **********, ********** ***** * password *********."
  • ******* ********* ******: **** ********* ****** *******, ****** **** *** *** ******* ** *** camera *** ****** **** ***** *** *** ********. ** ******* *********, anonymous ****** ** ******** ** *******. ***** ****** ****** ***** settings **** *** ******* ************* ** ************ (***** **** ********).
  • *** ****/****:*** ***** ********** ******** ******** ** ******** ******* *** **** and ****. **** ** *** ******** *** ***** *******, ******* proper ****/**** *** *** ****, *** ***** ****** **** ******, and ************ ** ********** ****** **** ** *****.

**** ***** ******* ** ***** ** *** *** ******** ** Level *, ****** ******** ** ** * ************** ** **** detail *****, ** ***** *.

Enterprise, ***** *

***** * ** "*********** ******** *** ************ **** **** * dedicated ****** *************."

***** * ********** **** ******** ********, *** **** ** ***** involve turning ** ***** *** *** *** *********/***** ****, ** **** as ********* ****** ***** *** ********* (***, *******, ****, ***.). 

*****

*** *** ************** **** ***** **** ***** **** *** ** unfamiliar **** ** ******** ********** (*****). ** *******, ********* *** passwords *** **** ** *** ****** ** ***** **** ***** may ** ****** *********** *** ********* ** ***** ****** ********. ******** **** option ******** ********* ******* ****** *** ****** ** **** *** not ** ****** ********. 

** ***** ** ****** *****, ***** *** ****** * ****-****** certificate, ***** ** *** ******** ** *** *********** ******* ********* and ********* *** ******** ** ***** ******, ** ****** * request ** **** ** * *********** ********* ** ****** * signed ***********.

*********** ***** ****** ********* ** *** ******, ********, *** ********** ********/******** included, though ********* ***** * *** ******* *** ***********. **** ******* offer ********* ***** *** ******* ******* ******* *** ****, ***** may ** **** ** ***** ***** *********** ******* ** ****** per ******.

**** **** **** ** ***** ** ***** *** **** ***/**** video *** *** ********* ** *******, *** ***** ******** ***** only ** **** ******* ******* *** *** ******.***** ********* ****** ** ******* **** *** ***, ***** ** *** *********. ***** and ******** ** *** ******* ***** *** *****, *** *******, while ********* *** ******* **.

***** ***************

**** *********** **** *** ***** ********* *** ***** *********** ** ** video ********:

  • ****** ***** *******:**** ********** ******** * ****** ***** ******* **** * ********* password **** *** ******* *******, ** ***** *** ***** *** in ****** ****** ******* ****** ***********. **** ** ****** ** ** systems, *** ****** **** ** ******** ********. **** ***** **** use *** ******* ***** ******* ** *******.
  • ******/*** *******:************, **** ********* ******** * **** ** *** ****** *** the ***/*** *****, ******** **** *** ***** *******(*). **** ******* the ******** ** *** ***** *******. *******, **** ***** *** require ************** ********** *** ****** ********* (****** * ******** ***** account *** *** ********** ** ***** **** ********).
  • ** ******* *********:*******, **** ********** ******** **** *** ******* *** ***** ******* to ****** ******* ********, *** ** ******* *********. **** ** a ******, *** ***** ********** ***** ** ******** ****** ** cameras, ***** *** ******* **** **** ** **** **** *** authorized ********. **** ***** **** * ********** *** *** **** these *********** ******** ** ****** ********, ***** **** *** **** annoying.

Managed **********, ***** *

*******, ***** * ** ********* ** "***** ******* ************** **** ** IT/IS **********. *** ************ ***** ******* *** **** ** ** integrated **** ** ********** ******* **************."

***.**

** **** *****, **** ********** ***** ***.**, ***** ******** ******* ** be ************* ** * ****** ****** ***** ******* ** ******* to *** *******. ******* ******* *********** ****** ** *** ****. ***.** ** typically ********** ** *** ******* ******.

***.** ** ********* *********** ** ***** ********** ********, ** ** adds *********** ********** *** ************** ** *** *******. ** ** very ******, *** ****** *** ************ ** **** *****, *** likely ******** *** **** ************ *************.

**** **********

**** ********** ***** **** ********** ** *** *******. ******* **** ******* offer ******* ******** ******** *****, ********* "************** ******" ************, ** notify ************** ** ****** ******, ** **** ** ******* ****** tampering ******.

** **** ***.**, **** ** ********* **** ** **** **** sophisticated ** *************, ** ** ******** **** ******* ***** *** knowledge. *******, **** **** ** *** **** ******* ********** ********* becoming **** ******, ***** ********** *** ** ********* ** **** small ******** ** ******* **** ********** ******* *** ********* ** the ****** ** **** *** ***.

*** *** ******* ********** / **** *** ***** ************ ***** *** **** *********** *** *********, ********* *********** ** ****' ******** SNMP **************.

****** ****** ***

****** ******* ******* * ******* ******** *** ******** ******* ** dump *** ***** **. ******* ** **** **********, *** ********* by **** ** *** **** ******* ********** *****, ****** ***** log ****** ** **** **** ** *** ******, ***** **** checks ****** *** *** ****** ************** ** ******. **** ** these ****** *** ** ********* ** **** ** ******* ** use, ****** ****** **** ******, ********** ** ************.

Overall ****** ***************

*** **** ********* *****, ** ******** ** **** ******** ***********, provides ******* ********* *************** *** ********* ******** ** ** ***** networks. ***** **** *****, ***** ******** ********** ************* **** *** cost *** *** ****** *** ***********, *** *************** ** ****** 1 *** * ****** **** **** * *** ******* ** implement, **** ** *********** ******* ** ****. 

**** ******* *** ***** **** *** ********** ** *****, ***** we ****** **** ***** **** *** *********, ***** ***** *************** do **** ** ******* ****** ****** ****** ** ******** ********.

Other ************* *** *********

** *** *** ***** ** *** ***** ** ****** ************* with ********* ******. ***** *********'* ***** ******, ** ********** ******* with **** **** **** * **** *** *** **** *** received * ******** *** ******* **** ** *** **** ***.

Comments (12)

** ******* *********, ********* ****** ** ******** ** *******.

*'* *** **** **** **** ****** ** ********* ******, *** I ** *** ** * *** **** ***** ****** **** full ****** *** ******* ** ******* **** ** **** **** or ******** ******, *** **** **** ****.

** **** ******* ******* ** ** ******** ********?

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

********* ****** ****** ** *******/*** ******* *** *** *** ********* without *****.

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

***** *** **** ***** **, ** ***** * ***.

****, ****'* ****, *** **'* ********.

***** ***, **** ***** ******* ****** **** ******* *** ******* are ********** ** ****. *************** ** ****** ******** ***** ** **** ******* ** ******* alternatives *** ***** ** **** **** *** *** *** ***** driver, ***** ******** ******** *** ********.

******, ** *** ***** ***** *** *** *********, *** ****** will *** ** **** ** ********* ******* ******. ***** ****** like ******** ***** ******** *** *** ** *******, *** **** and **** *** ****** *** *** ***, **** ********/******, *********, etc., ***. ** **** ** ******** ******** ***** ****** **** to *** **** ***, **** *********, **** ************, *** ****. You ***'* ****** ******** ******* ******* *** ********, ******, ***** it's **** *** *** *** ** **** ****** ********** ******.

*** **** ******** ** ****** ******** ***** ** **** ******* of ******* ************ *** ***** ** **** **** *** *** the ***** ******, ***** ******** ******** *** ********.

*** *** **** **** ****** * ********* **** ****** */**** driver ******** ******** * *** **** ********?

**** ******* **** *** *** ** *** **** *** *** before *** **** ******* **? **** ** **** ****?

***** ** *** ******* *****, *** **** * ****** ** it * *** ****** *** ** ****** ** ***** **** the ***** ****:

*** ***** **** * **** ****** *** ****** ***** *** web ********* * ******** *** *** ******* **** ** ** illustrated...

**** *** **** **** *** * ******** *** ****** **** accepts ****** ********* ** *** ****** ***********...

*******, ** *** ****** ** ***** ******** ***** *** ***** API (*.*. *** *** ***)there ** ** **** *********** **** *** ****** ** ***** ***** **** ****** ***********. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. -**** ************** *****

* ***** ** ******* **** *****, *** ***, ******. ******** 5.80.1.2

****'* ******* **** * ** ******* *****, ***** ** **** video.

  • *:** - **** **** - ******** ***
  • *:** - ****** ******** ***** - *.*.*
  • *:** - ***** *** ********** ** ******* *******
  • *:** - **:** ******* - (** ********** *** ****** ********)
  • *:** - ***** ******* **** **** *********
  • *:** - **** **** ********* - ******** ******** ** **** password
  • *:** - ******* *******
  • *:** - *** **** ******* ****** ****://****:****@***.***.***.**:***/****-*****/*****.***
  • *:**Stream ****** **** ******* ****:**** **********

***** *.*.* ** ***?

* ***** **** **** ***** ** **** *** ** **** failed **** * ****** ******* ***** *****.

***, ** *** ***** ****, ***** ********* ** **** **** root:pass (*** **** ****:****).

********, ***** ****'* * ***** *******, **** ****** ***** ** no ***** (**** *****), ** **** ** *** *** ****** and **** **** ** *** ****** ****** **** *** ********** and *** ***** ****. ********* ***** ** ******* ** **** VAPIX ******** *** ********* ** ******.

** ********* ******* ** *******, ** *****.

*** **** **** ***** ***** ***** **, *** ** *****'* seem ****** **** **** ** ****' ******** ********, ***** *** agree?

***'* ***** ****** **** ******* ** ***** *** ********** *** camera ** * ***?

**** ********, *** ***. ** *** *** *****'* ******* ***** via *****, ** **** **** ** *******. * **** ****** an **** * ****** ** ***** *** ***** *** ***** fails ** *******.

********* *******. ** ********* *** **** ******* ** *** *********** so **** ** **** ****** ***********.

******: ***** *** *** *'**** ********' / ********* ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Hacked Hikvision IP Camera Map USA And Europe on Jan 22, 2018
The interactive map below shows a sample of hacked and vulnerable Hikvision IP cameras across the USA and Europe. Hover over a marker to see an...
Hanwha Wave VMS Tested on Jan 22, 2018
Hanwha has released their first open platform VMS, Wisenet Wave, an Network Optix OEM (see test results) enhanced with integrations and...
PoE Powered Access Control Tutorial on Jan 19, 2018
Powering access control with Power over Ethernet is becoming increasingly common.  However, access requires more power than cameras, and the...
Chinese Government Hikvision Surveillance System On US Government Network on Jan 18, 2018
Hikvision, the Chinese government-owned manufacturer, has publicly claimed that their products are running on a US government network. Moreover,...
VSaaS Usage Statistics 2018 on Jan 18, 2018
VSaaS has been a 'next big thing' for more than a decade. The prospect of managing, storing and streaming video from the cloud rather than...
The 2018 Surveillance Industry Guide on Jan 16, 2018
The 300 page, 2018 Video Surveillance Industry Guide, covering the key events and the future of the video surveillance market, is now available,...
"First Of Its Kind" Stove Knob Alarm Sensor (2GIG) on Jan 15, 2018
At CES 2018, 2Gig/Nortek announced the Stove & Grill Guard, a "first of its kind" sensor in the security industry, allowing users to be...
Amazon Deep Learning Partnership With AgentVi on Jan 15, 2018
Amazon is aiming to grow its Kinesis Video Streams offering that "enables you to quickly build computer vision and ML applications" in the cloud....
Hikvision Removed From US Army Base, Congressional Hearing Called on Jan 12, 2018
Hikvision has been removed from a US Army Base and a US congressional committee is planning a hearing on cybersecurity risks and specifically,...
Hikvision Declares 'Never Click On Links In Emails' on Jan 09, 2018
Hikvision is stepping up its cybersecurity efforts with a clear recommendation - to never click on links in emails: It is a surprising change...

Most Recent Industry Reports

Hacked Hikvision IP Camera Map USA And Europe on Jan 22, 2018
The interactive map below shows a sample of hacked and vulnerable Hikvision IP cameras across the USA and Europe. Hover over a marker to see an...
Hanwha Wave VMS Tested on Jan 22, 2018
Hanwha has released their first open platform VMS, Wisenet Wave, an Network Optix OEM (see test results) enhanced with integrations and...
Resolution Usage Statistics 2018 - Moving Up From 1080p on Jan 22, 2018
In 2016, IPVM statistics showed the most common camera resolution used was 1080p, rising from 2014's 720p. Now, new IPVM statistics of 200+...
PoE Powered Access Control Tutorial on Jan 19, 2018
Powering access control with Power over Ethernet is becoming increasingly common.  However, access requires more power than cameras, and the...
If You Have 4 Cameras, You Can Throw Them Away, If You Have 400, They Throw You Away on Jan 19, 2018
Do users care about anything but price? Do user care about cybersecurity? Do users care about trusting their supplier? These have become...
Chinese Government Hikvision Surveillance System On US Government Network on Jan 18, 2018
Hikvision, the Chinese government-owned manufacturer, has publicly claimed that their products are running on a US government network. Moreover,...
Winter 2018 Camera Course on Jan 18, 2018
Learn video surveillance and get certified. Register now. Save $50 on the course, ending this Thursday the 18th, plus get access to 2 class times...
VSaaS Usage Statistics 2018 on Jan 18, 2018
VSaaS has been a 'next big thing' for more than a decade. The prospect of managing, storing and streaming video from the cloud rather than...
Vivint Streety Video Strengthens Door Knocking on Jan 17, 2018
Vivint is famous (or infamous depending on your perspective) for mastering large scale door to door selling. The company has skyrocketed from a...
Axis: "It’s A Question Of Trust And Who You Want To Be Associated With" on Jan 17, 2018
Who do you trust? Who do you want to be associated with? Axis is raising hard questions to start 2018. In this note, we examine these questions,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact