Cyber Security For Video Surveillance Study 2016

By IPVM Team, Published on Apr 27, 2016

This study provides the foundations for video surveillance professionals to understand the importance of cybersecurity, what is being done to enhance cybersecurity, and which providers are viewed as the best and worst at cybersecurity.

100 integrators answered the following 5 open-ended questions on cyber security:

  • How important is cyber security in your customers' decision making process?
  • What type of customers are most concerned about cyber security? Why?
  • What steps do you take to ensure cyber security for your customers' video surveillance systems?
  • Which security manufacturers do you feel are strongest in terms of cyber security? What do they do that makes you feel this way?
  • Which security manufacturers do you feel are weakest in terms of cyber security? What do they do that makes you feel this way?

They provided detailed color commentary on each point, so you can understand their mindset and approach.

Summary

The key trends revealed in the study:

  • Overall, cyber security is not very important in customers' decision making process.
  • The 4 segments showing the highest cybersecurity concern were government, banking, education and healthcare.
  • Steps taken to secure systems were generally basic. While various techniques were mentioned, changing the default password was the most common.
  • Western video surveillance manufacturers were viewed as the strongest in cyber security.
  • Chinese manufacturers, and specifically Hikvision, were selected as the weakest in cyber security.

Full details, integrator explanations and our analysis are shared inside.

Low Importance

Most customers rank cyber security of low importance in their decision making process. Nearly half of all responses indicated this.

Customer indifference was often noted as the reason for low priority:

  • "It is not important at all"
  • "My customers rarely express a concern over cybersecurity in their decision making process."
  • "Low but because most don't know the risks"
  • "A majority of the customers that we have interacted with don't really care about cyber security related to the surveillance systems."
  • "Customers are pleasantly ignorant of the issue, and when they are not the spectre of cost drives them back into the cave where the shadows show them what they prefer to see."

Several integrators indicated they actively try to make customers more aware of cyber security risks:

  • "We have yet to find clients worried about this yet, but we try our best to make a case for why it is crucial."
  • "Not sure most are thinking about this when they should be."
  • "It is often overlooked until brought to their attention."
  • "I'd say mostly unimportant. The only time they perceive a threat is when I point out vulnerabilities."
  • "At this time, most clients do not seem too worried still, but we are definitely bringing it up to their attention."

Government, Banking, Education, Healthcare - Most Cyber Security Aware

Large customers and those with regulatory requirements were most likely to have higher concerns around cyber security.

  • "Critical for mid to large size customers. IT resources view remote access to VMS solutions as points for potential breach. Some insist on AV and other lockdowns via Group Policy."
  • "Larger corporate, municipal or institutional clients are much more concerned"
  • "Clients who have been breached, clients with big business backgrounds & clients with something really important to lose whether that be valuable data or confidential data."
  • "Our big customers, they know the Topic and they look at it and is very important."

Banks, government entities, schools and healthcare organizations commonly have an IT department that is responsible for network security. These organizations have high awareness of risk, as comments indicated.

  • "Education and IT companies as they see the risks more often"
  • "Medium to large businesses due to either contracted or on site IT management staff with an understanding of and instruction to keep networks safer."
  • "Government - most likely due to previous scandals"
  • "Banking, because they need maximum security"
  • "Financial sector, Law firms, Government. They are worried about hackers taking over their systems and spying on them using the video surveillance system, or using the video surveillance system as a backdoor to their network."
  • "Government and Banks are most concerned since they have valuable data in case the physical security network and data network were connected."
  • "Financial, medical, education. They have been breached and are getting FBI bulletins etc"
  • "The bulk of our client base is financial, so the concern is obvious and governed by law and documented policy. It is easier in those cases. Some of our manufacturing clients are just as concerned, but they have dedicated staff to work with us."

From the responses, smaller customers do not rank cyber security as a primary consideration the way larger organizations do. Smaller organizations are less likely to be direct targets, and a data breach is less likely to become headline news.

Methods For Securing Equipment Vary

Changing default passwords was the most common step taken to enhance cyber security.

About 10% of responses indicated VPNs were used to enhance security.

Dedicated or segregated networks were frequently listed:

  • "Segregated camera / device networks if at all possible (virtually or physically)"
  • "Separate network segments"
  • "We setup a separate physical network for the video system or use VLANs."
  • "We physically separate the video surveillance network from other networks (internet, corporate LAN etc.)"
  • "Keeping the video system on a separate network or secure VLAN if possible"

Encryption in various forms is also used, though not as consistently as might be expected:

  • "Use of Encryption (for remote connections, for wireless connectivity)."
  • "In high end systems, we use 256 bit SSL encryption between cameras and server."
  • "Typically through a VPN. Small business and residential customers who also have a DMP alarm system use the virtual keypad app from DMP; it uses a 2048RSA certificate and 256AES encryption for the VPN, this is, in my opinion, the most secure solution we offer."
  • "Proper encryption and passwords in place."
  • "enable encryption (HTTPS, SSL) to communicate with cameras, encryption of video on hard drives, using certificates to confirm authenticity of devices, etc."
  • "Use strongest available encryption when using wireless gear."

Keeping software and firmware updated, and deploying anti-virus software were listed, but not as frequently as the above steps.

Penetration tests, or regular outside testing/verification, were not commonly mentioned.

Relying on the customer's IT department to take responsibility for cyber security was also referenced:

  • "We install equipment behind their security equipment. If they would like to add any other protection it is up to them."
  • "Our larger customers who have in-house IT personnel or contract third party IT companies set up remote access themselves."
  • "We also work closely with their IT departments to conform to their rules and configurations."
  • "Defer to their IT support"
  • "We leave it up to client's IT departments for the internal portion"
  • "We installed the system the client has implemented security measures on the system servers."
  • "Very little if any - it's my customer's corporate security and IT department responsibility"

This approach would not work for a small customer who has no IT department, but in the case of larger organizations it may be wise to allow the customer to decide how their physical security devices are going to be remotely accessed, secured, or connected to other networks.

Manufacturers Listed As Most Secure

Camera manufacturers received a lot more votes than VMS companies in terms of perceived security.

Axis was by far the most cited, with nearly one third of responses:

  • "Axis. They offer the ability to configure 802.1x and set up HTTPs through the camera configuration pages and they address cybersecurity issues in some of their whitepapers and technical guides."
  • "Axis, they are a true network solution provider."
  • "Axis Communications. They're the only manufacturer we talk to who actually talks about cybersecurity"
  • "Axis and Exacq are aware of these problems and have specific development that is sensitive to this."
  • "Axis has had a cyber security focus for years with dedicated personnel. Their cyber hardening guide is pretty solid, though if you're not careful, they can still be compromised"
  • "The larger manufacturers, like AXIS, allow the integrators to implement any changes within their products, that we see fit. Other manufacturers, don't allow us to change their default users and related passwords."
  • "AXIS with up to 5 layers of security."
  • "Axis comes to mind as they don't have default passwords on their products, making you set one upon installation."

Axis also has a hardening guide that provides recommendations for enhancing security for Axis products.

A few integrators disagreed about Axis, with one noting the risk of adding third party apps to Axis cameras and another commenting:

"Axis - because of their Windows only .NET platform for software (Axis Media Control plugin), reliance on Java for plugins (VMD3, etc), reliance on Windows only for certain functionality of cameras (anything audio related, AMC) and 100% Windows-only VMS (not that we would use their VMS). Also, they allow short passwords and allow brute force hacking attempts with unlimited password guesses."

Avigilon:

  • "Avigilon's built-in mass password update, stupid simple firmware updates, and easily-visible status of encrypted/unencrypted control comms puts them high on my list as well."
  • "Avigilon they are applying multiple level of authentication, adopting encryption (between cameras & NVR, between clients & servers)"
  • "Avigilon - They do talk to some ONVIF devices, but their own cameras seem to have a better encryption between their software."

Bosch:

  • "Bosch - additional password and video transport security"
  • "Bosch cameras, multiple certificates for accessing securely."
  • "Bosch is using COA's in all their IP cameras with the option of a 3rd party COA that's used by the DOD and other agencies within the government that really takes it to the next level in terms of true cyber security at the edge."

Bosch also has a data security guide.

Genetec:

  • "We are using Genetec and Bosch mostly, they have advanced security features, stream encryption, for example. Probably because they provide Enterprise systems solutions for enterprise customers who have bigger requirements regarding IT security."
  • "Genetec is making large strides to implement encryption and is easily configured to control access."
  • "Genetec - They are more of an IT related company"

Genetec makes a hardening guide available in their partner portal.

Milestone:

  • "Milestone is pretty good - they have some interaction required to change devices etc."
  • "Milestone - They keep up with windows updates and seem to write to the latest camera software. Avigilon - They do talk to some ONVIF devices, but their own cameras seem to have a better encryption between their software."
  • "Milestone, Axis, Brivo - They all have taken a good hard look at their own technology and products, vulnerabilities, written white papers on best practices and put their products through audits."

China / Hikvision As Least Secure

For the least secure products, Hikvision was the predominantly mentioned brand, Dahua came up repeatedly, and several others mentioned "Chinese cameras" as insecure overall.

  • "Hikvision - only because of what has been reported."
  • "Hikvision, we faced many security problems during the implementation of their VMS. easy to be hacked."
  • "Hikvision, I heard rumors about Chinese government spying on customers via Hikvision DVRs and cameras."
  • "Hikvision has a bad reputation, again and again"
  • "Hikvision and any cheap manufacturers. They either don't care or don't have the resources to ensure their systems are secure."
  • "Hikvision - Backdoor recently discovered and Chinese government involvement with the company."
  • "Hikvision. They changed their login to make you change the default usernames and passwords with their updated firmware versions but I still don't entirely trust the security of the products."
  • "Most brands we have used have some sort of flaws, but Dahua is by far the worst. Hikvision, Samsung/Hanwha/Techwin, and others have also had security issues too. Specifically, Dahua still allows ONVIF access using default creds and this cannot be disabled. Hikvision has had many known flaws, most of which have been fixed. Samsung Wisenet cameras were shipped with a bug that once logged into the web interface of the camera, that browser maintained an authenticated session that could not be logged out of. You were forced to clear all browser data in order to log out."
  • "Hikvision, it seems like they are trying to cover something up. I no longer trust them. Love their cameras but don't trust them. We're looking for a new recording solution."
  • "Hikvision. Though they made some improvements after being thoroughly pwned, they only did so in response to outside pressure. There needs to be a culture of security as a primary concern--not an afterthought."
  • "Hikvision has a division of the communist party inside their offices."
  • "Dahua. They have their back door passwords that are easy to find on the internet so no matter how well you protect the system with a good password or HTTPS, anyone that has IP access to the camera can get in."
  • "Off brand Chinese cameras are the worst... I've scanned some that have had open ports which were not even listed as a service in the firmware."

Hikvision does have a Security Center page on their website, with a link to report issues and a cyber security best practices video.
