Axis Cybersecurity Hardening Guide Examined

Author: Ethan Ace, Published on Nov 19, 2015

In most IT areas, 'hardening' guides are commonplace, providing best practices for improving the cybersecurity of network products (e.g., see this Cisco hardening guide).

However, cybersecurity is generally an afterthought in the physical security industry, despite an increasing number of hacking incidents.

In a rare proactive move, Axis has released a cybersecurity hardening guide, walking users through recommendations on how to close common security holes and better secure their networks.

In this note, we review this guide, provide a video showing where these settings may be found in the camera, and give our analysis of their practical impact.

[***************]

Protection ******

*** **** ********* ***** ******* **** ****** ** ********** ******** at ******* ******** *** ********** ** ******** (*** **********).

***** ****** *** ***** ** *************** **** ******* ****************** *** ******** ********, ***** ********* ******** ******** ********. **** *** *********** ****** **** ***** ****** ********* **** steps ***** ***** ** ** ***** ********.

Video ***********

*** * ****** ***** ***** ***** ******* *** ****** *** key ******** *** ****** ** ****** *** **** *******:

Default, ***** *

**** ******* ***** * ** "**** *********** *** **** ******** and **** *********":

**** ***** ** ******* ** ** ******, ***** ******* ****** settings. **** ***** *** ****** ************ ***** *** ******* ****/**** credentials, ****** ********* ******* *** *** *******, *** ****** *** IP ******* ** ** ******* *** *** **** *** *******, all ******** *********. ** ** **** ******* *** **********, *** of ***** *** *** ********* *** *** **** ****** ****** points ** ***** ********.

*** *** ***** ********* *********,** ****** ********* - ****, *****, *******, ********** ******** *** ** ***** *************** **** ***********.

Standard, ***** *

***** * ** ******* ** "******* *********** ***** ** **********. This ***** ** ******** *** ***** ******** ** ****** ************* where, *********, *** ******** ** **** *** *************."

**** ******** ******* ****** ***** ******** *********:

  • *********:**** ***** **** **** ** ******** ****** *********, *** ********** "** ***** * **********, ********** ***** * password *********."
  • ******* ********* ******:**** ********* ****** *******, ****** **** *** *** ******* ** the ****** *** ****** **** ***** *** *** ********. ** current *********, ********* ****** ** ******** ** *******. ***** ****** ensure ***** ******** **** *** ******* ************* ** ************ (***** User ********).
  • *** ****/****:*** ***** ********** ******** ******** ** ******** ******* *** **** and ****. **** ** *** ******** *** ***** *******, ******* proper ****/**** *** *** ****, *** ***** ****** **** ******, and ************ ** ********** ****** **** ** *****.

**** ***** ******* ** ***** ** *** *** ******** ** Level *, ****** ******** ** ** * ************** ** **** detail *****, ** ***** *.

Enterprise, ***** *

***** * ** "*********** ******** *** ************ **** **** * dedicated ****** *************."

***** * ********** **** ******** ********, *** **** ** ***** involve ******* ** ***** *** *** *** *********/***** ****, ** well ** ********* ****** ***** *** ********* (***, *******, ****, etc.).

*****

*** *** ************** **** ***** **** ***** **** *** ** unfamiliar **** ** ******** ********** (*****). ** *******, ********* *** passwords *** **** ** *** ****** ** ***** **** ***** may ** ****** *********** *** ********* ** ***** ****** ********. Enabling **** ****** ******** ********* ******* ****** *** ****** ** they *** *** ** ****** ********.

** ***** ** ****** *****, ***** *** ****** * ****-****** certificate, ***** ** *** ******** ** *** *********** ******* ********* and ********* *** ******** ** ***** ******, ** ****** * request ** **** ** * *********** ********* ** ****** * signed ***********.

*********** ***** ****** ********* ** *** ******, ********, *** ********** features/services ********, ****** ********* ***** * *** ******* *** ***********. Many ******* ***** ********* ***** *** ******* ******* ******* *** year, ***** *** ** **** ** ***** ***** *********** ******* of ****** *** ******.

**** **** **** ** ***** ** ***** *** **** ***/**** video *** *** ********* ** *******, *** ***** ******** ***** only ** **** ******* ******* *** *** ******.***** *************** ** ******* **** *** ***, ***** ** *** *********. Exacq *** ******** ** *** ******* ***** *** *****, *** example, ***** ********* *** ******* **.

***** ***************

**** *********** **** *** ***** ********* *** ***** *********** ** IP ***** ********:

  • ****** ***** *******:**** ********** ******** * ****** ***** ******* **** * ********* password **** *** ******* *******, ** ***** *** ***** *** in ****** ****** ******* ****** ***********. **** ** ****** ** IT *******, *** ****** **** ** ******** ********. **** ***** even *** *** ******* ***** ******* ** *******.
  • ******/*** *******:************, **** ********* ******** * **** ** *** ****** *** the ***/*** *****, ******** **** *** ***** *******(*). **** ******* the ******** ** *** ***** *******. *******, **** ***** *** require ************** ********** *** ****** ********* (****** * ******** ***** account *** *** ********** ** ***** **** ********).
  • ** ******* *********:*******, **** ********** ******** **** *** ******* *** ***** ******* to ****** ******* ********, *** ** ******* *********. **** ** a ******, *** ***** ********** ***** ** ******** ****** ** cameras, ***** *** ******* **** **** ** **** **** *** authorized ********. **** ***** **** * ********** *** *** **** these *********** ******** ** ****** ********, ***** **** *** **** annoying.

Managed **********, ***** *

*******, ***** * ** ********* ** "***** ******* ************** **** an **/** **********. *** ************ ***** ******* *** **** ** be ********** **** ** ********** ******* **************."

***.**

** **** *****, **** ********** ***** ***.**, ***** ******** ******* to ** ************* ** * ****** ****** ***** ******* ** connect ** *** *******. ******* ******* *********** ****** ** *** work. ***.** ** ********* ********** ** *** ******* ******.

***.** ** ********* *********** ** ***** ********** ********, ** ** adds *********** ********** *** ************** ** *** *******. ** ** very ******, *** ****** *** ************ ** **** *****, *** likely ******** *** **** ************ *************.

**** **********

**** ********** ***** **** ********** ** *** *******. ******* **** devices ***** ******* ******** ******** *****, ********* "************** ******" ************, to ****** ************** ** ****** ******, ** **** ** ******* camera ********* ******.

** **** ***.**, **** ** ********* **** ** **** **** sophisticated ** *************, ** ** ******** **** ******* ***** *** knowledge. *******, **** **** ** *** **** ******* ********** ********* becoming **** ******, ***** ********** *** ** ********* ** **** small ******** ** ******* **** ********** ******* *** ********* ** the ****** ** **** *** ***.

*** ********** ********** / **** *** ***** ************ ******** **** *********** *** *********, ********* *********** ** ****' ******** SNMP **************.

****** ****** ***

****** ******* ******* * ******* ******** *** ******** ******* ** dump *** ***** **. ******* ** **** **********, *** ********* by **** ** *** **** ******* ********** *****, ****** ***** log ****** ** **** **** ** *** ******, ***** **** checks ****** *** *** ****** ************** ** ******. **** ** these ****** *** ** ********* ** **** ** ******* ** use, ****** ****** **** ******, ********** ** ************.

Overall ****** ***************

*** **** ********* *****, ** ******** ** **** ******** ***********, provides ******* ********* *************** *** ********* ******** ** ** ***** networks. ***** **** *****, ***** ******** ********** ************* **** *** cost *** *** ****** *** ***********, *** *************** ** ****** 1 *** * ****** **** **** * *** ******* ** implement, **** ** *********** ******* ** ****.

**** ******* *** ***** **** *** ********** ** *****, ***** we ****** **** ***** **** *** *********, ***** ***** *************** do **** ** ******* ****** ****** ****** ** ******** ********.

Other ************* *** *********

** *** *** ***** ** *** ***** ** ****** ************* with ********* ******. ***** *********'* ***** ******, ** ********** ******* with **** **** **** * **** *** *** **** *** received * ******** *** ******* **** ** *** **** ***.

Comments (12)

** ******* *********, ********* ****** ** ******** ** *******.

*'* *** **** **** **** ****** ** ********* ******, *** I ** *** ** * *** **** ***** ****** **** full ****** *** ******* ** ******* **** ** **** **** or ******** ******, *** **** **** ****.

** **** ******* ******* ** ** ******** ********?

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

********* ****** ****** ** *******/*** ******* *** *** *** ********* without *****.

** ** ****** ********* ** *******, *** **'* ******** ** soon ** *** ****** * **** ********.

***** *** **** ***** **, ** ***** * ***.

****, ****'* ****, *** **'* ********.

***** ***, **** ***** ******* ****** **** ******* *** ******* are ********** ** ****. *************** ** ****** ******** ***** ** **** ******* ** ******* alternatives *** ***** ** **** **** *** *** *** ***** driver, ***** ******** ******** *** ********.

******, ** *** ***** ***** *** *** *********, *** ****** will *** ** **** ** ********* ******* ******. ***** ****** like ******** ***** ******** *** *** ** *******, *** **** and **** *** ****** *** *** ***, **** ********/******, *********, etc., ***. ** **** ** ******** ******** ***** ****** **** to *** **** ***, **** *********, **** ************, *** ****. You ***'* ****** ******** ******* ******* *** ********, ******, ***** it's **** *** *** *** ** **** ****** ********** ******.

*** **** ******** ** ****** ******** ***** ** **** ******* of ******* ************ *** ***** ** **** **** *** *** the ***** ******, ***** ******** ******** *** ********.

*** *** **** **** ****** * ********* **** ****** */**** driver ******** ******** * *** **** ********?

**** ******* **** *** *** ** *** **** *** *** before *** **** ******* **? **** ** **** ****?

***** ** *** ******* *****, *** **** * ****** ** it * *** ****** *** ** ****** ** ***** **** the ***** ****:

*** ***** **** * **** ****** *** ****** ***** *** web ********* * ******** *** *** ******* **** ** ** illustrated...

**** *** **** **** *** * ******** *** ****** **** accepts ****** ********* ** *** ****** ***********...

*******, ** *** ****** ** ***** ******** ***** *** ***** API (*.*. *** *** ***)there ** ** **** *********** **** *** ****** ** ***** ***** **** ****** ***********. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. -**** ************** *****

* ***** ** ******* **** *****, *** ***, ******. ******** 5.80.1.2

****'* ******* **** * ** ******* *****, ***** ** **** video.

  • *:** - **** **** - ******** ***
  • *:** - ****** ******** ***** - *.*.*
  • *:** - ***** *** ********** ** ******* *******
  • *:** - **:** ******* - (** ********** *** ****** ********)
  • *:** - ***** ******* **** **** *********
  • *:** - **** **** ********* - ******** ******** ** **** password
  • *:** - ******* *******
  • *:** - *** **** ******* ****** ****://****:****@***.***.***.**:***/****-*****/*****.***
  • *:**Stream ****** **** ******* ****:**** **********

***** *.*.* ** ***?

* ***** **** **** ***** ** **** *** ** **** failed **** * ****** ******* ***** *****.

***, ** *** ***** ****, ***** ********* ** **** **** root:pass (*** **** ****:****).

********, ***** ****'* * ***** *******, **** ****** ***** ** no ***** (**** *****), ** **** ** *** *** ****** and **** **** ** *** ****** ****** **** *** ********** and *** ***** ****. ********* ***** ** ******* ** **** VAPIX ******** *** ********* ** ******.

** ********* ******* ** *******, ** *****.

*** **** **** ***** ***** ***** **, *** ** *****'* seem ****** **** **** ** ****' ******** ********, ***** *** agree?

***'* ***** ****** **** ******* ** ***** *** ********** *** camera ** * ***?

**** ********, *** ***. ** *** *** *****'* ******* ***** via *****, ** **** **** ** *******. * **** ****** an **** * ****** ** ***** *** ***** *** ***** fails ** *******.

********* *******. ** ********* *** **** ******* ** *** *********** so **** ** **** ****** ***********.

******: ***** *** *** *'**** ********' / ********* ********.
