IP CCTV – is it good idea?
Video monitoring devices can easily be classified within the wider range of products that form the Internet of Things (IoT). Many devices used in everyday life, such as TV sets, refrigerators or washing machines with embedded electronics and network interfaces, can process and transfer data over network connections. Virtually every DVR and every IP camera has a connector that allows it to be connected to the Internet. Thanks to the Internet connection, users can:
- remotely configure the equipment,
- remotely preview live images and play back recordings,
- record the video coverage on a remote server or in a cloud service.
The rear panel of an HD-TVI DVR. The "LAN" connector, after appropriate configuration, is the gate to the global network.
The remote access functions are a departure from the traditional vision of creating isolated, secure CCTV systems (Closed-Circuit TeleVision), in which the preview from cameras and viewing archival materials is only possible at the monitoring center.
Today, the idea of total system separation is disappearing: connecting video surveillance devices to the Internet is normal practice. However, it must be understood that every system accessible from the Internet is exposed to the risk of a cyber attack. This applies to sites of strategic importance as well as to an ordinary store. To connect such devices to the Internet, the installer and the user(s) must have the knowledge to secure them against attacks. By following the appropriate security procedures, the chance of a successful attack is very small. These procedures are similar for every IoT device. Although the ability to build secure installations is required above all from contractors, the users of such systems must also follow the relevant rules and, ideally, have some knowledge of cyber security issues.
What is the danger?
Hackers attempt to attack any device reachable from the Internet. They use vulnerabilities to view the video stream or even take control of the hardware. Compromised devices can keep working normally, so the users do not even know that their system has been broken into.
If the attackers take control over a large number of devices, they can create a so-called "botnet". Such a botnet carries out attacks on other devices operating on the Internet, destabilizing them and opening the way to further break-ins. Such massive actions pose a serious threat to the stability and integrity of the Internet. An example is the 2016 attack carried out with IoT devices, including many DVRs and IP cameras. It caused the temporary unavailability of major websites such as Amazon, Twitter and Reddit.
Cybercriminals also often use the computing power of the hijacked devices to make money, for example by using them as cryptocurrency miners.
How to minimize the risks?
Ten commandments of cybersecurity
1. Change default passwords into strong, secure passwords.
The first time you start the device, set your own password. It must be resistant to dictionary attacks: it should have a minimum of 8 characters and be a combination of upper- and lower-case letters, numbers and special characters. If other users log in to the system, they should have accounts with limited privileges.
Attacks on devices still secured with factory passwords are widespread. There are even search services on the Internet that index such equipment. Looking at them, we can notice with amazement that the poorly secured systems include not only home installations, but also those in stores, restaurants, warehouses and various types of companies.
The problem of factory passwords affects not only users of monitoring systems, but IoT devices in general and other network devices such as routers. It is good practice for manufacturers to enforce the setting of a new password at the first start-up and to lock the device after repeated incorrect login attempts.
2. Periodically update the software
Device developers usually provide updated versions of the firmware/software. Most often these contain improvements to the operation of the device, new features and, most importantly, security patches. Today's devices increasingly have a function that automatically finds and downloads updates. If the device lacks it, the updated firmware/software should be available on the servers of the manufacturer or distributor.
3. Change the default communication ports and ensure a secure configuration of the access device
Devices usually connect to the Internet through a router whose firewall blocks incoming connections by default. It is important to configure the router properly by creating appropriate connection rules, e.g. port forwarding. More information on port forwarding can be found in the How to forward router ports to view online video from a DVR? article.
We do not recommend using the automatic port forwarding function, i.e. DMZ, because it exposes the device's communication ports for all available protocols. With unconfigured and less secure protocols reachable from outside, the risk of an attack increases.
4. Enable IP filtering in CCTV devices
IP and MAC address filtering allows you to restrict access to a given device: only a device with a specific IP address or hardware (MAC) address can connect to it. Depending on the manufacturer, the function may be available in the device itself or it must be configured in the router.
5. Switch off unused protocols and network services
If you do not use some of the device's network functions, you should turn them off. An unconfigured function can be a security hole that allows the device to be hacked. We recommend disabling the following functions: UPnP, SNMP, multicast, SSH, telnet.
6. Use an encrypted connection
The HTTPS protocol is an extension of standard HTTP. It provides greater security thanks to the SSL/TLS mechanism. If you use HTTPS, the data transferred through the browser (e.g. user name, password) is protected against eavesdropping and "man-in-the-middle" attacks.
Example of HTTPS configuration in a Hikvision device. The corresponding options are available in the advanced network settings menu. You can create a certificate signed manually or by an accredited certification authority.
The default communication port for HTTPS is 443. In the example above, a self-signed certificate can be generated on the device, or a certificate signed by a certification authority (CA) can be installed. If we use a free self-signed certificate, browsers will warn that the connection is to an untrusted site. Certificates signed by certification authorities are paid.
7. Periodically check the device logs for remote login attempts
System logs give administrators a lot of diagnostic information about the device. The logs of a CCTV device are stored in the device's mass storage, i.e. on the hard disk of a DVR/NVR or on the memory card of an IP camera. Each entry contains the date and time of the event, the channel number and, in the case of remote access, the login user name and source IP address. If a system setting has been changed, this is also recorded in the logs. Reviewing the log is the first diagnostic step in the case of any problems.
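As an added example (not from the original article or any manufacturer's software), the following script reviews an exported recorder log for the two things rules 4 and 7 ask you to watch: remote logins from addresses outside the IP allowlist and repeated failed logins from one source. The log layout, the sample entries and the allowlist are constructed for this example; real DVR/NVR exports differ by vendor, so adapt `parse_line()` to the actual format.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log in a generic "date time | event | user | source IP | result" layout.
# Real DVR/NVR exports differ by vendor; adapt parse_line() to the actual format.
SAMPLE_LOG = """\
2023-05-02 08:01:12 | Remote login | admin | 192.168.10.20 | OK
2023-05-02 08:05:44 | Remote login | admin | 203.0.113.77 | FAILED
2023-05-02 08:05:46 | Remote login | admin | 203.0.113.77 | FAILED
2023-05-02 08:05:49 | Remote login | root | 203.0.113.77 | FAILED
2023-05-02 08:05:51 | Remote login | admin | 203.0.113.77 | FAILED
2023-05-02 08:05:53 | Remote login | admin | 203.0.113.77 | FAILED
2023-05-02 09:12:03 | Remote login | viewer | 198.51.100.9 | OK
2023-05-02 09:30:00 | Config change | admin | 192.168.10.20 | OK
"""

# Rule 4 allowlist (assumed value): only these networks should reach the recorder remotely.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]
FAILED_THRESHOLD = 3  # failures from one source before we treat it as password guessing

LINE_RE = re.compile(r"^(\S+ \S+) \| ([^|]+?) \| (\S+) \| (\S+) \| (\S+)$")

def parse_line(line):
    """Return (timestamp, event, user, ip, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def analyze_log(text, allowed=ALLOWED_NETWORKS, threshold=FAILED_THRESHOLD):
    """Flag successful logins from outside the allowlist and sources with repeated failures."""
    outside = []              # successful remote logins from unexpected addresses
    failures = Counter()      # failed attempts per source IP
    users_tried = defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[1] != "Remote login":
            continue
        ts, _, user, ip_str, result = rec
        ip = ipaddress.ip_address(ip_str)
        if result == "OK" and not any(ip in net for net in allowed):
            outside.append((ts, user, ip_str))
        elif result == "FAILED":
            failures[ip_str] += 1
            users_tried[ip_str].add(user)
    brute_force = {ip: {"count": n, "users": sorted(users_tried[ip])}
                   for ip, n in failures.items() if n >= threshold}
    return {"logins_outside_allowlist": outside, "repeated_failures": brute_force}
```

On the sample log, the report lists the successful "viewer" login from 198.51.100.9 (outside the allowlist) and five failed attempts from 203.0.113.77 against the "admin" and "root" accounts.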
8. Configure the network so that it can be accessed only by the required devices
The network used by a CCTV monitoring system should be separated. The separation can be physical or logical: physical separation means building a dedicated network used only for CCTV monitoring, while logical separation means creating a separate subnet and configuring routing appropriately.
It is good practice to create logically separated VLANs: within one physical network, several virtual networks are created. Devices in different virtual networks do not see each other and cannot communicate with each other. Thanks to this, CCTV devices are protected against intentional or accidental activity of users of the same physical network; for example, employees of a company protected by the CCTV system will not be able to disrupt it by connecting random devices to the network or installing malicious software. To add a new device to the network, you must first add it to the virtual network (e.g. by configuring a switch port). This significantly improves security and also limits broadcast traffic.
9. Use cloud services
Some manufacturers of CCTV equipment provide access via the cloud. The cloud, i.e. the manufacturer's server network, provides encrypted access to the registered devices. Such a connection is possible only through dedicated applications (on a PC and a smartphone).
The security of the connection is guaranteed by the manufacturer, which is why it is worth choosing renowned companies and asking for certificates. For example, the Hik-Connect service provided by Hikvision (the largest CCTV equipment manufacturer in the world) has ISO/IEC 27001:2013 certification. This means that it meets the requirements of the widely known and internationally recognized standard for information security management.
Remote access to CCTV devices via Hik-Connect cloud service
10. Protect devices against physical access
This is an additional requirement for building a secure video monitoring system. All monitoring devices, servers, routers and switches should be protected against access by unauthorized people. All the devices should be placed in a locked rack cabinet or a special enclosure in a separate, secure room.
View of a Signal rack cabinet with equipment installed