FOCUSING ON minimising the cyber security threat posed to today’s IP network cameras, Uri Guterman and Elaine Moran have produced a jargon-busting explanation of video surveillance cyber security terminology, at the same time issuing a timely reminder that combating the activities of hackers needs to remain a top priority for businesses.
Concerns about the ability of hackers to access live images or retrieve recorded images captured by video surveillance cameras located in security sensitive areas have been around for a while. Many manufacturers of professional level cameras have responded to the threat by introducing device network set-up protocols which don’t allow for a default password (or one that has consecutive letters or numbers) to be used. However, hackers are likely to continue to look at other ways in which to gain access to data, including via a camera’s ‘back door’.
Regardless of whether it’s for criminal or malicious purposes, or just seen as a challenge by amateur hackers, it’s essential that surveillance system end users’ confidential data is kept secure. This applies just as much to the many thousands of small businesses that entrust video surveillance solutions to protect their assets, people and property as it does for high security and mission-critical end user applications, such as those for airports, banks, local authorities, Government, the military and the Emergency Services.
Cyber security in mind
Most responsible manufacturers of video surveillance cameras should have recruited appropriately skilled software engineers to quickly produce firmware updates as new threats emerge. Our Security Computer Engineering Response Team (S-CERT) is totally focused on addressing any potential security vulnerabilities in Wisenet products and solutions. Members of the team have been hand-picked for their expertise in being able to identify, analyse and quickly respond to any cyber security threats with effective countermeasures.
Manufacturers should also be using independent cyber security testing agencies to help them identify any vulnerabilities. However, as in all areas of life, prevention is better than the cure. This is why certain manufacturers are equipping their latest generation of cameras with chipsets which have been developed from the ground up so as to minimise the risk of unauthorised access by hackers and the infiltration of malicious firmware.
While no surveillance solutions manufacturer can offer a 100% guarantee that its products will never be hacked, the next generation chipsets on the horizon is likely to incorporate a long list of technologies which will significantly improve the cyber security credentials of the cameras into which they’re built.
Some of these technologies are new and have been developed specifically to combat cyber attacks while others, which were originally intended simply to make chipsets more efficient, are also able to contribute to camera security. When mentioned in video surveillance-related documents, datasheets or on the Internet, almost all are stated as acronyms or have names which do not make it obvious what they’re intended to do. On that basis, here’s an explanation of some of those you are most likely to encounter.
Anti-hardware clone functionality prevents a chipset from being cloned. In addition to protecting Intellectual Property, this ensures that a chipset with a manufacturer’s label is a genuine copy and removes the risk of a cloned device which may contain malicious software from being used to steal sensitive data such as passwords.
When applied to video surveillance solutions, crypto acceleration is normally referred to within the context of a camera chipset performing complex mathematical functions for encryption and decryption This is a very intensive operation requiring the chipset to use a large proportion of its resources. Equipping chipsets with a dedicated ‘engine’ for this purpose ensures that encryption/decryption is efficiently carried out without affecting other camera functionality.
Between the location of a camera and where the images it captures are remotely viewed, recorded and stored, there’s always the possibility that a cyber criminal could hack into the network and gain access to what may be confidential video and data. Image scrambling is the encryption of video prior to transmission over the network. This is achieved by randomly rearranging the pixels of each image so that it cannot be viewed by anyone maliciously hacking into the network.
JTAG ports are hardware interfaces used to programme, test and de-bug devices. However, they can be compromised by cyber criminals to gain low level control of a device and perhaps replace firmware with a malicious version. This can be prevented by securing the JTAG port via a key-based authentication mechanism to which only authorised personnel working for the manufacturer have access.
UART ports are serial interfaces typically used for de-bugging cameras. They allow administrator access to a camera and are therefore a target for hackers attempting to access sensitive information such as password keys. Hackers could also potentially access a camera’s firmware in order to reverse engineer it, as well as examine it for vulnerabilities in the device’s communications protocols. Enforcing restricted and secure access to the UART port will allow the de-bugging process to be safely completed without opening the door to cyber criminals.
This is an acronym for One Time Programmable Read-Only Memory which allows sensitive data, such as encryption keys, to be written only once on a chipset and then prevents the data from being modified. This protects the integrity of encryption keys which are used to validate the stages in a secure boot up sequence and allows access to the JTAG Port.
*Secure Boot Verification
Secure Boot provides an extra layer of security by sandboxing different elements of a camera’s operating system, which means they’re in a protected space. The system will complete a full boot before communicating with any other part of the system. This prevents an interruption to the boot process which could be exploited by a hacker.
*Random Number Generator
Computers are designed to create very predictable data and are therefore not very good at generating random numbers required for good encryption. A dedicated random number generator overcomes this problem by having a dedicated mechanism for the task.
Using a separate operating system (OS) for encryption and decryption – as well as for verifying that apps have not been modified or are forgeries – reduces the workload of a camera’s main OS. A separate Linux-based API is needed to access a Secure OS. Without this, there’s no way to make any changes from the outside of a camera. A Secure OS should always be used to process important stored information.
In a highly competitive market, there’s no shortage of camera manufacturers from which to choose. Consultants, system designers and systems integrators therefore have the freedom to narrow down their shortlist of preferred supplies to those who’ve fully embraced and incorporated Best Practice into their manufacturing process.
A clear demonstration of this would be if they’ve equipped their cameras with most (if not all) of the above functionality and technology.
Uri Guterman is Head of Product and Marketing and Elaine Moran is Technical Support and Field Engineer for Hanwha Techwin Europe
64 High Street