Security: Lock down the IoT.
Sean D Conway’s real-world experience of securing IoT device data in use and in transport can help you secure and protect CCTV video on a network.
Sean Conway doesn’t want anyone to sneak a peek at what he’s doing at work, so he’s ensuring those CCTV streams are safe.
The boss came out of his office the other day, looking rather stressed. “Drop everything, worker bee, I need you to prepare some talking points for a presentation on securing video cameras at company buildings. The meeting with the executives is in 15 minutes!”
Rush-order requests, without the Dilbert cartoon tone, are not uncommon working in an information technology security department. They usually occur when there is an immediate need. If you’re the only player in the bull pen and the coach (your boss) calls for relief, you take the ball and head to the mound, even if you’re not a pitcher.
So, what is data security? CIA is a fundamental concept for security professionals. It’s not the US government-funded organisation—the letters correspond to confidentiality of information, integrity of information and availability of information. We tend to interchange the words information and data—information is data in a specific context. In this case, the information is video (context) data. CIA doesn’t only apply to the data; it can also be applied to the camera itself. Compromising a large number of cameras and turning them into a bot army for denial of service attacks is certainly a loss of availability. Confidentiality of information protects the information from disclosure to unauthorised parties. Companies, organisations and people have information they wish to keep secret. Encryption, like a secret message you sent to a friend during school, is one method of protecting information confidentiality. Only those individuals who have the keys to decrypt the message can have access to the data.
Integrity of information is protecting information from being changed by unauthorised parties. The modification of information could prove costly. Just think of the impact of moving the decimal point to the left in a column of accounting numbers. Hashing the data is a cryptography method used to ensure its integrity. A hash or message digest is a number generated by processing a string of text through an algorithm. The hash value is smaller than the text itself and is unique to that text. The algorithms used to generate a hash are constantly under scrutiny to ensure they don’t generate collisions (ie hashing two different text strings and generating the same hash value).
To ensure integrity, a hash value is generated and sent along with the text message. The hash value the recipient generates matches the hash value sent if the data is unchanged. And no, it is not possible to regenerate the text by just reversing the hash.
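The exchange described above, as an added example that is not part of the original article: the sender ships a SHA-256 digest alongside the message and the recipient recomputes it, so moving the decimal point in an accounting line is detected. It goes one step beyond the text: a plain digest can be recomputed by anyone who alters the message in transit, so a keyed digest (HMAC with a shared secret) is shown as the variant that also resists deliberate tampering. The ledger line and the key are constructed sample values.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Fixed-length SHA-256 digest of a message of any size, as a hex string."""
    return hashlib.sha256(message).hexdigest()


def verify(message: bytes, received_digest: str) -> bool:
    """Recipient side: recompute the digest and compare it with the one that was sent."""
    return hmac.compare_digest(digest(message), received_digest)


def keyed_digest(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(message: bytes, key: bytes, received_tag: str) -> bool:
    """Recipient side of the keyed variant."""
    return hmac.compare_digest(keyed_digest(message, key), received_tag)


def send_and_check(original: bytes, arriving: bytes) -> bool:
    """Simulate the exchange: the sender ships (message, digest); the recipient checks what arrives."""
    shipped_digest = digest(original)  # travels alongside the message
    return verify(arriving, shipped_digest)


if __name__ == "__main__":
    # Constructed sample: an accounting line, then the same line with the decimal point moved.
    ledger = b"invoice=4471;amount=10000.00"
    tampered = b"invoice=4471;amount=1000.00"
    print("digest:", digest(ledger))
    print("unchanged message accepted:", send_and_check(ledger, ledger))
    print("tampered message accepted:", send_and_check(ledger, tampered))
    # Whoever rewrites the message in transit can recompute a plain digest too;
    # a keyed digest cannot be forged without the shared key (constructed value here).
    key = b"constructed-shared-secret"
    tag = keyed_digest(ledger, key)
    print("tampered message passes keyed check:", verify_keyed(tampered, key, tag))
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken to reject a wrong digest does not depend on how many leading characters happened to match.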
Availability of information is ensuring the information can be accessed by authorised parties when needed. Having offsite backups of information establishes availability. In this case, data can be restored after a hard drive failure. Redundancy, as in a main and a backup server, ensures the availability of the service when one server fails.
To secure the camera information (there we go again, switching the words information and data), we need to determine the data points. In any system, there may be data in transport, data at rest and/or data in use. Data in transport would be any data entering or leaving the system. Data at rest would be the data that is resident in the system or in storage on the system. Data in use would be the data called from the system, say from a web browser, to meet a business need. Identifying all the data points in a system is the first step in the process of securing the data.
The data of concern from a camera is the video. Images of sites that are being monitored are collected (input), processed (data at rest), streamed (data in use) and stored (output) on a network via the Wi-Fi connection. Knowing the data points, we can now look at possible controls that could be established to secure the data. Compensating controls, as they are called, compensate for weaknesses that prevent the data from being secured.
The anatomy of a camera
Let’s look at a model of a camera (below-right). The diagram shows three rings. The inner-most ring is hardware. These are the physical components that make up the camera. The next ring moving outward is the operating system (OS). The OS may be proprietary code developed by the vendor or a customised build of a full-blown OS, such as Linux, tailored to meet a need. The outer ring is the user interface(s). Think of this as services such as the web, GUI interfaces and/or management apps running on the camera for the user.
All three rings of the camera may have vulnerabilities (security weaknesses) that expose the data to threat vectors, a term for points of attack. If the vulnerabilities are exploited (ie nefarious people have found a way to attack them), the camera data you want to keep secure may become exposed to the public. When data is made available to those it was not intended for, it is said to be compromised.
Considering a network-ready camera is just an IoT device, using the same approach of identifying data points and their vulnerabilities, you have a methodology for securing any IoT device. With this knowledge, you could analyse the IoT device to determine what compensating controls are required in order for it to be secure.
To expand our security awareness in a common installation, we’re going to put a camera in a typical home network. The wireless camera feeds the service provider’s (the company or ISP you purchase your internet service access from) modem and router/residential gateway via Wi-Fi. The network device provides access to the internet, as well as providing local area network (LAN) support for home PCs. As Linux Format has an international distribution, the drawing (over the page) is an example of the author’s residential service installation in Manitoba, Canada; your internet access configuration may be different.
If the final destination of the camera’s data is a monitoring point outside the network, the rings of security that examine the vulnerabilities need to extend out from the camera to the other components along the path. To secure the camera data so it is only available to authorised users – the monitoring point – a series of compensating controls from source to destination is necessary to keep the data safe from prying eyes.
A fast and easy method used to make the data available to the internet is to establish port forwarding on the network device. Port forwarding takes the port(s) from a private IP addressed device on the LAN side and makes it available on the internet via the network device’s assigned public IP address. Depending on how the camera or IoT device is designed, one or more ports may need to be forwarded in order to accommodate the task.
Remember that inside the rings of the camera there are vulnerabilities – port forwarding may expose those vulnerabilities to the internet.
Here is a quick exercise to gain some knowledge that could be used by the bad guys. Go to www.shodan.io and conduct a search for a camera brand. The result should return known vulnerabilities for that brand. To prevent any negative responses from vendors, we are deliberately omitting any reference to a specific camera in this article, but the camera brand used for this test returned five hits between Europe and North America that showed exposed vulnerabilities waiting to be exploited.
Now that we have some theory regarding securing a device and its data, let’s look at some things that can be done to make the bad guys’ job much harder.
Prior to putting a device into service, it’s good practice to check with the vendor for any upgrades. The upgrade may include the operating system or applications supported by the device. Making sure the latest software is being used may correct some issues.
The camera vendor may already be aware of some vulnerabilities. It is important for the user to know that some known vulnerabilities will never be fixed. Upgrades supplied by a vendor are by no means free – there is a cost to the company. The device manufacturer may choose to ignore the risk to customers in favour of higher profit margins.
Rarely will a vendor welcome the opportunity to provide users access to its source code. One of the benefits of having a camera connected to an OS that you have full control over is the ability to make it secure. Think of a camera on a Raspberry Pi – you can tailor the OS how you choose and not have the vendor decide for you. Pause for a minute and place your hand on your heart and thank our digital forefathers for open source.
Now that the camera is upgraded, how about the default configuration for the device? Default usernames and passwords for devices are well known. If the default superuser password hasn’t been changed and the device is made available on a network, you have provided a door into the camera, with the keys to that door under the mat. Trust us, the bad guys will look. The chances of the camera being compromised are pretty high if the defaults are not changed before being deployed.
When the camera data is on the network, it is in transport. If the http protocol is employed to move the data, not only is the camera data available publicly, but the credentials used to access the camera are also publicly available. The data in the http protocol is sent in clear text. And that includes the username and password used to log in to the camera that you remembered to change from the defaults. If, instead, https is the protocol deployed to move the camera data, then the data in transport is encrypted, and therefore secured.
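To make the clear-text point concrete, here is an added example (not code from the article) that plays the role of a defender reviewing a packet capture: it parses a constructed plain-http request carrying HTTP Basic authentication and shows that the username and password fall straight out of the bytes on the wire, while a constructed TLS record standing in for the https case yields nothing readable. The camera hostname, path and `admin:admin` credentials are constructed sample values.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed capture: what a login to a camera over plain http looks like on the wire.
PLAIN_HTTP_REQUEST = (
    b"GET /video/stream HTTP/1.1\r\n"
    b"Host: camera.lan\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    b"\r\n"
)

# Constructed stand-in for the same request over https: a TLS record whose payload is ciphertext.
TLS_RECORD = b"\x16\x03\x03\x00\x10" + bytes(range(0x80, 0x90))


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (request_line, headers); ciphertext yields no headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode(errors="replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return request_line, headers


def extract_basic_credentials(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (username, password) if a readable Basic Authorization header is present."""
    _, headers = parse_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode(errors="replace")
    except (binascii.Error, ValueError):
        return None  # malformed token: nothing readable, do not guess
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_capture(frames):
    """frames: list of (dst_port, payload). Report every payload from which a username is readable."""
    findings = []
    for dst_port, payload in frames:
        creds = extract_basic_credentials(payload)
        if creds is not None:
            request_line, _ = parse_request(payload)
            # The password is deliberately left out of the report; knowing it was exposed is enough.
            findings.append({"port": dst_port, "user": creds[0], "request": request_line})
    return findings


if __name__ == "__main__":
    for finding in audit_capture([(80, PLAIN_HTTP_REQUEST), (443, TLS_RECORD)]):
        print("clear-text credentials on port", finding["port"], "for user", finding["user"],
              "while requesting", finding["request"])
```

Note that the https frame is not skipped because of its port number: the parser is run over it like any other payload and simply finds no headers, which is exactly what an eavesdropper on the wire experiences.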
Did you take note of what encryption method was enabled when configuring the Wi-Fi connection? Don’t use WEP. Try doing an internet search of WEP vulnerabilities and you will discover techniques that take less than a minute to compromise WEP-enabled devices and allow an intruder access. If the camera is wireless, turn on WPA2 encryption. If you want to secure any device on a Wi-Fi network, you should opt for WPA2 encryption.
Firewall software is common on networking devices provided by service providers. Firewalls are devices that separate one network from another using controls. The controls can be IP addresses or ports. Configuring the firewall with an access control list that is tailored to the data requirements limits exposing the camera, as well as other LAN devices. The firewall can be configured to only permit specific IP addresses, and the IP addresses could be for those devices that will monitor the cameras connected to the network.
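The access control list idea above, as an added example that is not from the article: a small model of first-match, default-deny firewall rules that can be evaluated offline before anything is typed into a real device. It contrasts the blanket port-forward (accept from any source) with an ACL that only admits the monitoring hosts, and includes a lint check for the any-source accept pattern. The camera port, the monitoring addresses (taken from documentation ranges) and the rule syntax are assumptions of this model, not the article’s or any vendor’s configuration format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # source network the rule matches
    dst_port: Optional[int]     # destination port; None means any port
    action: str                 # "accept" or "drop"


def compile_rules(spec: List[Tuple[str, Optional[int], str]]) -> List[Rule]:
    """Turn (source CIDR, port, action) tuples into rules; order is the match order."""
    return [Rule(ipaddress.ip_network(src, strict=False), port, action) for src, port, action in spec]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, default: str = "drop") -> str:
    """First matching rule wins; traffic matching no rule gets the default policy."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.src and (rule.dst_port is None or rule.dst_port == dst_port):
            return rule.action
    return default


def lint_rules(rules: List[Rule]) -> List[str]:
    """Flag accept rules that admit the whole internet, which is what a bare port-forward does."""
    warnings = []
    for rule in rules:
        if rule.action == "accept" and rule.src.prefixlen == 0:
            port = "any port" if rule.dst_port is None else f"port {rule.dst_port}"
            warnings.append(f"accept from any source to {port}")
    return warnings


CAMERA_PORT = 443  # assumed: the camera serves https on 443

# Blanket port-forward: whoever finds the public IP can reach the camera's service.
PORT_FORWARD_ONLY = compile_rules([("0.0.0.0/0", CAMERA_PORT, "accept")])

# Tailored ACL: only the monitoring hosts (constructed addresses) reach the camera; everything else drops.
MONITORING_ACL = compile_rules([
    ("203.0.113.10/32", CAMERA_PORT, "accept"),
    ("198.51.100.0/24", CAMERA_PORT, "accept"),
    ("0.0.0.0/0", None, "drop"),
])


if __name__ == "__main__":
    for label, rules in (("port-forward only", PORT_FORWARD_ONLY), ("monitoring ACL", MONITORING_ACL)):
        print(label, "warnings:", lint_rules(rules) or "none")
        for src in ("203.0.113.10", "192.0.2.77"):
            print(f"  {src} -> port {CAMERA_PORT}: {evaluate(rules, src, CAMERA_PORT)}")
```

The explicit final drop rule is redundant with the default policy, but writing it out makes the intent visible to the next person who reads the rule set, which is how the same list would be written on a real firewall.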
Secure the perimeter
Building a DMZ using multiple firewalls creates a layered defence architecture for a network. The bad guys have more layers of security to overcome in order to get to the prize.
The DMZ is responsible for isolating the untrusted network (internet) from the trusted network (LAN). The perimeter firewall is configured to control access to the DMZ, and the other DMZ firewall is configured to control access into the local area network. Establishing a firewall rule that permits a public internet IP address through both firewalls into the internal network should be avoided. Such a configuration would raise the ire of any seasoned network administrator, because it creates a weak link in the chain of network security.
Within the DMZ, a reverse proxy server can be deployed to provide a bridge between outside and inside networks. The reverse proxy takes requests from the untrusted network and then forwards them to devices on the trusted network. The response from the destination device is returned via the proxy. The separation provided by the reverse proxy prevents the untrusted network from gaining any knowledge of the trusted network. When any device on the trusted network has a vulnerability that is exploited and causes a compromise, it exposes all devices in the trusted network. If the cameras on the network cause the greatest risk, isolating the cameras to their own network, using firewalls, provides greater protection through separation. If the cameras become compromised on the isolated network, the firewall prevents the bad guys from having access to the rest of the network. You’re creating layers upon layers of security.
Depending on the model, firewall devices provide numerous options. Commercial-grade firewalls have the ability to throttle throughput on a network. You can think of firewall throttling as a valve on a water hose: the valve controls the flow of water, just as a firewall can control the flow of data. The owner of a network must understand their network and its daily traffic patterns. If large ftp file transfer data dumps are not the norm, or if sending content from the camera to an unknown IP address is not part of the configuration, the owner should recognise such traffic as abnormal. Tailoring the rules on the firewall is one of the compensating controls to ensure the network and devices are safe.
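Knowing the daily traffic pattern, as the paragraph above asks, can be turned into a check. The following is an added example, not code from the article: it reviews constructed flow records of the kind a router or firewall exports and flags camera traffic that goes to a destination other than the monitoring host, uses ftp, or moves far more data than a normal stream segment. The camera address, the monitoring host, the byte ceiling and the flow records are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Flow:
    ts: str         # timestamp of the flow record
    src: str        # source address
    dst: str        # destination address
    dst_port: int   # destination port
    bytes_out: int  # bytes sent by src in this flow


CAMERA_IP = "192.168.1.50"            # constructed LAN address of the camera
MONITORING_HOSTS = {"203.0.113.10"}   # constructed: where the video is expected to go
MAX_BYTES_PER_FLOW = 50_000_000       # assumed ceiling for one normal stream segment

# Constructed flow records, in the shape a firewall or router might export them.
SAMPLE_FLOWS = [
    Flow("2000-01-01T09:00:00Z", CAMERA_IP, "203.0.113.10", 443, 12_000_000),
    Flow("2000-01-01T09:05:00Z", CAMERA_IP, "203.0.113.10", 443, 11_500_000),
    Flow("2000-01-01T09:07:00Z", CAMERA_IP, "192.0.2.99", 21, 900_000_000),   # ftp dump to a stranger
    Flow("2000-01-01T09:09:00Z", CAMERA_IP, "198.51.100.5", 443, 4_000),      # small, but unknown destination
    Flow("2000-01-01T09:10:00Z", "192.168.1.20", "203.0.113.10", 443, 2_000), # another LAN host, not the camera
]


def review_flows(flows: List[Flow], camera_ip: str = CAMERA_IP, allowed: Set[str] = MONITORING_HOSTS,
                 max_bytes: int = MAX_BYTES_PER_FLOW) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) pairs for camera traffic that does not fit the expected pattern."""
    flagged = []
    for flow in flows:
        if flow.src != camera_ip:
            continue  # only the camera's own outbound traffic is being profiled here
        reasons = []
        if flow.dst not in allowed:
            reasons.append(f"destination {flow.dst} is not a monitoring host")
        if flow.dst_port == 21:
            reasons.append("ftp is not part of the camera's configuration")
        if flow.bytes_out > max_bytes:
            reasons.append(f"{flow.bytes_out} bytes exceeds the {max_bytes} byte ceiling")
        if reasons:
            flagged.append((flow, reasons))
    return flagged


def bytes_by_destination(flows: List[Flow], camera_ip: str = CAMERA_IP) -> Dict[str, int]:
    """Daily-pattern view: total bytes the camera sent to each destination."""
    totals: Dict[str, int] = {}
    for flow in flows:
        if flow.src == camera_ip:
            totals[flow.dst] = totals.get(flow.dst, 0) + flow.bytes_out
    return totals


if __name__ == "__main__":
    print("bytes per destination:", bytes_by_destination(SAMPLE_FLOWS))
    for flow, reasons in review_flows(SAMPLE_FLOWS):
        print(flow.ts, f"{flow.src} -> {flow.dst}:{flow.dst_port}", "|", "; ".join(reasons))
```

The per-destination totals are what you would compare day to day to learn what "the norm" is for this network; the flagging thresholds only make sense once that baseline is known.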
So, there you have it, folks: a list of talking points for the boss on how to secure a camera. We hope it didn’t take you longer than 15 minutes or so to read, or he will be upset when he gets to his meeting. The list may appear long, but if you know the data you want to secure, and know the threat vectors you want to defend, you just have to implement compensating controls to prevent the vulnerabilities from becoming exposed. Not only can you now set up secure cameras, but your new knowledge also enables you to secure any IoT device.