FOCUS: cyber security & IP video surveillance Bosch is one of a few IP camera manufacturers that place emphasis on data security when selling cameras. The reason is that cameras are easy targets for hackers. ”Manufacturers do not want to talk about this before they have a good solution, but I would be very surprised if several manufacturers are not highlighting data security at the upcoming security exhibition ISC west in Las Vegas”, says Anders Karlsson, Bosch Security Systems. By Henrik Söderlund Anders Karlsson, Bosch Security Systems: Anders Karlsson, Bosch’s Product Marketing Manager in Northern Europe. “Manufacturers do not want to talk about this before they have a good solution” After several notable distributed denial-of-service (DDos) attacks with security cameras, the lack of security in cameras has become an increasingly hot topic of conversation. ”The biggest and most common problem today is that the passwords and user management systems are weak, or if the firmware is old and has not been updated and so the products might have open ports. It does not matter how safe your products are if you do not handle these fundamental things correctly”, says Anders Karlsson, Bosch’s Product Marketing Manager in Northern Europe. He believes that the security of Now, there are many indications that more importance will be placed on how the cameras can be protected from hacker attacks. “Those responsible for IT security will not allow manufacturers to bring their security products with their own security solution, and add them to their secured networks without question”, says Anders Karlsson. Many large surveillance systems are and have been sealed and not connected to the internet, but when the software needs to be updated, they are exposed to risks, for example if the update is put on a USB stick or it is downloaded online. it can be both about blackmailing and pressures of various kinds”, says Anders Karlsson. Another risk is that someone installs software or infects cameras with malware in order to shut down the system or manipulate it. A major problem is that cameras are not being updated. According to Anders Karlsson, most manufacturers have ways to inform the camera, the storage solution or the software that it needs to be updated but often the technician is not used to programming it. “It is a matter of education. Some technicians become upset because we make their job more difficult: they must educate themselves and keep track of passwords, but on the other hand, those who make demands on system security will become more satisfied. However, for IT technicians, this is not a disadvantage because they will be working more with tools, protocols and services that they are already familiar with.” IP cameras normally have had many open ports to configure products and universal plug-andplay functionality. ”A year ago, we had lots of open ports, but today they are considered as risks rather than opportunities and they are being closed down. Instead, one refers to secure ports with certificate management and encryption in order to communicate with the product”, says Anders Karlsson. Another reason for why safety has not been a priority for IP cameras is that the system’s performance will decrease if, for example, a virus scan is conducted at the same time as video is being recorded. Anders Karlsson believes that stories about IP cameras being hacked, and the rumour that the Chinese government has access to video footage from for example Hikvision cameras, have had a major impact on the market – no matter whether it is true or not – and not least for the manufacturers. He says: “We, who claim that our cameras are safer, want to quickly develop the security and those whose cameras are not safe become very eager to change them. More resources are devoted to camera security than before, perhaps this may even result in other performance enhancing features being less prioritised.“ Firewalls and VPN tunnels In 2016, Bosch began to put emphasis on data security and the company has added security both to software and hardware, and equipped its cameras with a Trusted Platform Module to safely store certificates needed for authentication and encryption. Anders Karlsson says there is also a type of firewall in the system, which studies behaviour: where is the login taking place, is it a known user/ unit that has logged in before or is it a new one? Depending on this, the logins are sorted into different categories. Some manufacturers use a VPN tunnel to protect themselves against DDos attacks, while some do not protect the data at all. “A year ago, we had lots of open ports, but today they are considered as risks rather than opportunities and they are being closed down.” an average IP video surveillance system is mainly based on the username and their chosen password. ”In this industry, we do not have very strict requirements on how to set the username and password. There are still not many systems that require the user to change the original password.” Instead, many end customers rely on suppliers of infrastructure and IT equipment to handle safety. Improvement is needed Since IP cameras broke through into the market, most of the debate has been focused on improved image resolution, ease of use, light sensitivity and intelligent features. “The security industry has made a journey to a connected world, and the new type of users and installers which originate from the world of IT will set demands. The implementation of penetration tests is becoming much more common”, says Anders Karlsson. More aware of risks There are several risks associated with IP cameras. For example, someone might want to hack into a surveillance system in order to watch recorded video or live footage. “The purpose may be to access critical business information, or to violate an individuals’ privacy, Security News Every Day – www. securityworldhotel.com dete kto r in te r n at i on al • 1 5