If you have any access to the news at all today, you will probably have already heard about the killer zombie botnet that took down one of the larger web service providers, DYN. This botnet (a collection of hacked devices) flooded DYN servers with billions of bogus requests, causing delays and even crashes for many of the services that it hosted or provided for some pretty major websites. Security cameras were in part to blame for this major and foreboding attack. The first step towards ensuring your cameras are secure is hiring the right company to help you design your system properly and select the right components.
Now, security cameras in and of themselves are not the cause of the attack by any means, but inadequate knowledge of the technology during installation or application is largely to blame. To see how this happens, let's first take a look at the security camera technology that is on the market, how it got the way it is, and why this was inevitable.
Since the propagation of smart phones throughout the world, users have wanted faster and easier access to everything. This included the ability to see what was happening at their home or business while they were on the go. While some companies, like ours, had been pioneering this level of access for years before the smart phone arrived, many companies began a mad scramble to deliver access to their customers.
In order to make access easy for their customers, many camera manufacturers have built direct access to the camera, on any network, into their products. This type of access is called P2P (Peer to Peer) access. It does not involve any setup on the network at all. As soon as the camera is connected to the network, it contacts an off-site server to let it know the camera is live, and continues contacting that server at intervals to check for any inbound connections. Users simply download an app that connects to that off-site server to look for their camera, usually identified by a serial number and password. This is dangerous, and even a little bit creepy!
Technically, this means that your camera is always using your internet connection to connect to an outside server somewhere in the world that was set up by the camera manufacturers, which now contains all of the information that is needed for any 3rd party to connect into the camera directly. The only level of security, and a weak one, is the password that is set on the camera. The main problem: most people never even change that password. This means that by installing a security camera with P2P access, you have invited anyone with a grade-school level of hacking skills into your living room, bedroom or other location to watch everything you are doing...that is creepy.
Unfortunately, as recent events have shown, this is not even where the danger ends. These cameras, when left with internet access, are essentially small, unprotected computers that are sitting open on the internet, actively asking a server to connect into them. The P2P technology was designed for ease of access by the end user, allowing the cameras to effectively bypass any firewall or router that is in place...devices that are there to help protect your network and computers.
Once a hacker is able to connect into the camera, they have demonstrated that they can get into the base software built into these cameras to reprogram them to do their bidding as a part of a zombie botnet. This was bound to happen just based on the fact that this technology was DESIGNED to bypass security in the first place. Ease of access often trumps security for the general public.
This is why hiring the right company to assist you with your security camera system design matters, and why we have been helping people set up camera systems the right way, knowing full well that eventually a problem would arise with these fly-by-night companies and bargain basement cameras that are sold in big box stores. We have gotten the question for years: "Why are the cameras at (fill in the blank) so cheap? - Couldn't I just install those?" Yes, you can install those, but there have always been CRITICAL differences in the technology and setup. Now, with security breaches and all-out attacks on the internet, those problems are becoming very evident. I am almost glad (almost) that these attacks occurred, because it shows exactly what I have been telling people for 10 years to be true.
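The check-in behaviour described above, where a camera contacts an off-site server at intervals, shows up in firewall or flow logs as evenly spaced outbound connections. The following Python detection is an added example, not part of the original article; the log format, camera subnet, addresses and thresholds are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: cameras sit on this subnet (hypothetical addressing plan).
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
# RFC 1918 ranges count as on-site; every other destination is off-site.
ON_SITE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_LOG = """\
1000 192.168.50.11 203.0.113.7 8000
1000 192.168.50.12 192.168.50.2 554
1010 192.168.50.13 198.51.100.9 443
1060 192.168.50.11 203.0.113.7 8000
1121 192.168.50.11 203.0.113.7 8000
1180 192.168.50.11 203.0.113.7 8000
1400 192.168.50.13 198.51.100.9 443
1450 192.168.50.13 198.51.100.9 443
1900 192.168.50.13 198.51.100.9 443
not a flow record
"""

def parse(log):
    """Yield (ts, src, dst, port); skip malformed lines."""
    for line in log.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield (float(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(port))
        except ValueError:
            continue

def find_beacons(log, min_events=4, max_jitter=0.1):
    """Map (camera, off-site dst, port) -> mean interval for periodic check-ins."""
    seen = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if src in CAMERA_NET and not any(dst in n for n in ON_SITE):
            seen[(str(src), str(dst), port)].append(ts)
    beacons = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Low relative jitter (stdev / mean) means a timer, not a person.
        if (len(stamps) >= max(min_events, 2) and mean(gaps) > 0
                and pstdev(gaps) / mean(gaps) <= max_jitter):
            beacons[key] = round(mean(gaps), 1)
    return beacons
```

On a camera network that is physically isolated from the internet, `find_beacons` should return nothing; any entry means a camera is able to reach an outside server.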
Three Steps to Secure:
1. The Technology
While the majority of cameras on the market have P2P capabilities, we have NEVER advocated using it, and even though our cameras have that capability as well, we have disabled it by default because we do not want people to use it at all. In the past 5 years, since this connection type started becoming available, there have been fewer than a handful of customers whom we have helped enable the P2P settings in their cameras, and we warned them against it heavily first.
IP cameras are not the only devices in danger of being hacked. Standalone NVRs and DVRs were also hacked for the botnets, as they run the same insecure software as many of the budget IP cameras. This is one of the big differences between those pre-packaged sets of cameras and a properly designed system. The recorders that we recommend are full PCs running Windows, which receive the benefits and security of a PC that is updated regularly. They are not used for browsing the internet or picking up emails, to prevent intrusion through other methods (viruses and malware you inadvertently download).
2. The Setup
Please don't just stop at disabling the P2P in our cameras; also isolate cameras when installing them. The HD IP cameras that we install, or installations we consult on throughout the country, include a completely physically isolated network for the IP cameras. This means that even if the camera's P2P settings were enabled, the camera itself would not be able to access the internet even if it tried. This is done for the security of the camera, but also for the traffic on your network. See our article about Setting up IP camera circuits for more details on this. By keeping all of the IP camera traffic isolated on the network, you also lower the interference and traffic on your main network, to help ensure that no matter how many security cameras you are running, you will not end up with a network that slows down due to the bandwidth.
This ideal setup cannot be used with any of the budget pre-packaged systems on the market. These camera systems are designed to have the cameras and NVR plug into your main internet connection, causing your network to slow down, but more importantly reducing or eliminating the security benefits of a truly isolated camera network. With these systems, your cameras are exposed, and generally running the dangerous P2P network configuration.
3. Setting up secure remote access
As I have said on many occasions, we were some of the first that allowed our customers to access their security cameras over the internet from their phones, even back to the days of the flip phones...but there is a secure and responsible way to do this. For the best security, an encrypted VPN should be used. The NVR (Network Video Recorder) would be connected to the IP camera network to allow recording of the video, and then connected to your secure VPN network with another network card in the server. This allows you to connect in from any secured VPN device or phone to view the cameras from anywhere in the world. While VPNs can be hacked as well, doing so is much, much, much more difficult, due to the level of encryption that is provided. For those that do not have business grade VPN hardware, no problem, you can still achieve the access while isolating the cameras. In these cases, the NVR's second network card is connected to your Internet router, then ports are opened on the router to allow access from the internet to that camera.
This might be a step down from VPN security, but it is light years ahead of IP camera P2P access. This is because computers, unlike most IP cameras, get security updates regularly. Now I would not recommend this type of access with embedded type NVRs, because they do not have the security updates that even a 5 year old PC natively has in place, but for a well updated PC, limited exposure to the internet through a different network card is still a secure method of allowing connection from the outside world. In this configuration, more work is required than would be with P2P remote access, but it lends greater security to your cameras and their video feeds. When you connect in from your phone, you need to know the address, port, username and password. When your phone or computer connects into the camera system, it securely authenticates with the NVR PC, to ensure you have access. We also encourage, and often force, our clients to change their username and password right during installation.
4. Bonus Security Features
Systems like our AVM systems allow you an even greater level of security through alerting. The system can be configured to send you alerts if anyone even attempts to log into your camera system. This means that even the first time someone uses the wrong login or password, you can instantly know about it, alerting you to an attempted attack. This is crucial in keeping you informed about your security.
The moral of the story: cheap equipment = no security. Not only will your cameras be subject to possible intrusion, but you might be responsible in part for services on the internet shutting down with the next botnet attack.
But just paying more for equipment does not ensure security. Unfortunately, there are many security camera companies out there that do not understand the technology whatsoever and are often installing the same junk that is found in the big box stores. Make sure your security camera company understands network security, IP security and the technology that they are installing prior to letting them install it. Not certain? Ask them if they will need to configure anything on your router for remote access...if not, RUN LIKE THE WIND because that is P2P tech.
PLEASE Stop leaving your cameras on default user/pass configuration!!!
You don't leave your car unlocked and running do you? This is WORSE!
At Platinum CCTV, we have been helping our customers secure their businesses and homes with quality technology for over 14 years. We understand both the challenges of businesses and the challenges of IT security, to help ensure that you stay safe and secure. Contact us for a free consultation regarding your security today at (866) 537-5438.