FOCUS: cyber security & IP video surveillance Michael Simovits, IT security expert: “Many manufacturers skip the encryption” Security cameras are easy to hack because encryption is not a priority, software updates are lagging behind and the cameras are connected to general IT networks, argues IT security expert Michael Simovits. ”Some cameras are completely unprotected”, he says. By Henrik Söderlund Mikael Simovits is the founder of the Stockholm based Simovits Consulting, specialising in information and IT security services. He has taught cryptography at Chalmers University of Technology and has been named one of the best security experts in Sweden. Since 2004–2005, he has worked with high-end security solutions where cameras have been included. “The camera processors are not always so powerful and encryption takes a lot of energy from image processing. If you are using high resolution and want to encrypt, the product will become more expensive to manufacture. Therefore, many manufacturers skip the encryption”, he says. initiate which communication. A surveillance system can consist of hundreds of cameras and if one camera fails in security, you may lose the whole surveillance solution. A camera should not initiate contact with a server and transfer video; instead the server should initiate communication with the camera and download video. However, when we scrutinise high-end security solutions, they cannot always keep up with all the security requirements because it simply prevents the function of the cameras. If you have 300 cameras, it is not always easy to constantly update and be on watch, it requires a lot of resources.” “If someone steals your camera, you have to keep in mind that the thief might carry out an attack later.” How important is data security for security cameras? “It depends what they are used for. If it is just about monitoring a construction site in order to show how fast things are being built, it is not the most important feature, even though it would be embarrassing if anyone in the world could go online and look at the hacked cameras. However, if you add intelligence, for example by allowing the cameras to react to motion and connecting them to an alarm system, then the entire infrastructure should be secured; it is not enough only securing the cameras because threats are directed towards the whole surveillance system.” How do you secure the whole infrastructure? “You must implement a concept that covers everything from cameras to the network equipment, servers and firewalls and have a clear policy on which device should How often do security cameras get hacked? “It is very common and there are a number of websites that have links to hacked cameras. Usually it is not cameras in high-end security applications, but for example cameras on highways, in cities or cameras in people’s private homes.” How secure are security cameras? “This might sound a bit harsh, but the cameras have the same kind of security issues as IoT devices. They have a small, usually Linuxbased operating system which is customised and – just as IoT devices – tend to fail in the way that there is no good solution for patching and updating the cameras in a simple and efficient way. So, I equate security cameras with IoT devices.” … which you can buy off the shelf in retail? “Again, it might sound a bit harsh, but in general, yes.” How can the update problem be solved? “You must be online in order to get the patches quickly into the cameras but if you do so, another security issue that must be handled arises. Some of our customers have solved this by sending out security watchmen as soon as a camera has been stolen, if the image goes black or becomes blurry or if there are any other indications of tampering. If someone steals your camera, you have to keep in mind that the thief might carry out an attack later. Often, all cameras in a setup are configured to have the same encryption key and very conveniently, the same password. So if it happens, you directly have to change all the encryption keys.” What can happen if someone hacks into the system? “The attacker could disable the entire system, freeze the image, or turn off alarms. If you get in, you can do anything and it is not certain that anyone will even notice that there has been an attack.” What responsibilities should be put upon the camera manufacturers? “They may have to change their threat scenarios when designing their cameras, because security systems were previously isolated islands and were not connected to anything else. Today, I see more examples of security networks being connected to the general IT network, and even if there is a firewall between them, that changes the whole foundation of security. The isolation of networks has also led to software updates lagging behind.” Why has this issue not been discussed earlier? “Customers see, for example, the benefits of being able to watch video footage directly on a smart phone when there is an alarm, and Mikael Simovits is the founder of the Stockholm based Simovits Consulting. therefore they have to be connected to the internet. This means that security networks are sewn together with the general networks and the internet, and that, consequently, forces security companies to market themselves in a completely new way when it comes to IT security.” If an end customer wants to be able to view live video on a smart phone, what is your solution? “Do not use the existing network in order to send the video without first building a separate network with an internet connection of its own. In this way, the vulnerability area will decrease: if the mail server is hacked, the video surveillance system will not be affected. Ideally, video should only be able to be seen from a dedicated device and therefore, encryption keys have to be installed in that device and a VPN tunnel must be built between the customer’s network and the device so username and password will not be enough in order to get connected.” Has the end customer’s awareness of IT security increased? “Well, I think they do not have a choice but to follow and secure. IP cameras are here to stay, and the camera’s level of security must be adapted so they can withstand the environment they are in.” Are they not today? “No, not really.” Security News Every Day – www. securityworldhotel.com 14 • d etektor internati onal