Securing Thermal Cameras against Network Vulnerabilities
February 07, 2021
Cybersecurity is a topical issue within the surveillance space (especially with thermal cameras), posing a wide range of security risks to critical systems. Reports from several years ago suggest that almost all IP-based cameras shipped with default credentials, and that customers left these unchanged, leaving the cameras open to unauthorized access and cyber threats.
An organization can make large investments in the security of its physical systems. Still, technologies such as cameras can often be used as a backdoor, allowing unauthorized access into networks, negating network security and putting personal information and sensitive data at risk. As Mike Sanchez, CISO of United Data Technologies, puts it: “They start in the surveillance system and go from there to the data center, and…to the accounting department.” [i]
An IP-based camera is a network endpoint: it has a unique address and communicates back and forth with the system to which it is connected. Every network endpoint is a potential point of entry for cybercriminals, who can use endpoints to execute code and exploit vulnerabilities.
According to Forbes, simple hacks give hackers access to vast networks of computing devices. In one incident, hackers used more than 25,000 cameras in an attack. In 2016, a massive Distributed Denial of Service (DDoS) attack using the Mirai botnet slowed or knocked offline a group of major websites, causing major outages across the Internet. [ii]
The alignment of security teams and integrators with IT/OT teams is more important than ever to ensure the highest level of cybersecurity protection. The majority of cyberattacks stem from human error, so without adequate IT/OT security policies there can be severe consequences. All teams working with endpoint devices should receive relevant training so that they understand the potential risks. Cameras that are not updated according to the manufacturer’s recommendations are more susceptible to cyberattacks.
Cyber vulnerabilities are a continuous threat, but effective policies help prevent risks to the network: password policies, encryption certificates, limiting network ports, and training.
This article demonstrates best practices for proactively implementing cyber defenses in camera devices. Based on best practices and considering the benefits of cybersecurity, Opgal has implemented multiple features into its thermal imaging cameras to help organizations improve network security. The examples in this article are based on the Opgal Sii OP Thermal Camera but apply to other such cameras, where the features exist.
Most electronic devices require a password-based login, and entering passwords has become an intrinsic part of daily life. Often people opt for simple passwords, or reuse the same password everywhere, to keep them memorable, but this creates a security risk. Organizations must adopt a password policy that provides the highest level of security for their devices and networks.
Most cameras have a default username and password, which are available in manuals and online. Often integrators and end-users will neglect to change these credentials, making the devices an easy target for malicious attacks.
“These devices come from the manufacturer with a common user ID and password, something like ‘admin’ for both. People don’t bother to change that, or they don’t have a complex password policy, so the password is not strong enough,” Mike Sanchez says.
The most critical step in protecting devices, sensitive information and networks is to use a password unique to each device.
Opgal’s cameras ship with no default username or password; the customer must set a username and password combination for each device. This practice ensures that there is no backdoor in the camera from the initial configuration. There is also no guest account, although it is possible to view the camera’s status and necessary information without logging in. Where possible, Opgal stores data in an encrypted file, protecting sensitive information.
Opgal does not mandate strong passwords, but best practice suggests that every customer define its own secure password policy.
Authentication and Encryption
One method of securing the camera’s data across the network is to create a Secure Sockets Layer (SSL) encryption certificate. A known Certification Authority (CA) should sign the certificate, and the certificate should have a reasonable expiration date of a year or two. The CA’s root certificate should be installed on the computers accessing the camera so that they can validate the certificate presented by the camera. Once a certificate is uploaded to the camera, all communications can be forced through the HTTPS port, so that they are encrypted.
Opgal does not send passwords in plain text except when a user is created. Best practice is therefore to create the Admin user for the first time over a direct connection or in a secure environment, and to upload the SSL certificate before the camera is used in an operational environment. Opgal also supports protecting video access with a username and password, and tunnels ONVIF over HTTPS when HTTPS is enabled.
Many hackers use scanners to find connected devices. A simple way to impede these scanners is to change the ports on which the networked cameras listen. Cameras generally use well-known default ports; changing these to alternative ports adds an extra step when entering the address into the web browser and makes the camera less visible to scanners and casual manual attempts.
Opgal permits changing the HTTPS and RTSP ports to provide an additional layer of protection against scanners and other attempts to compromise the camera’s security.
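The certificate policy described above (CA-issued, a validity of a year or two, naming the address used to reach the camera) can be verified from the operator's side. The following is an added example, not Opgal's code or part of the camera; the camera hostname, the CA name and the two-year threshold are assumptions, and it uses only the Python standard library.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 2 * 366  # "a year or two"; the exact threshold is an assumption

def fetch_camera_cert(host, port=443, cafile=None):
    """Connect to the camera over TLS and return its certificate as decoded by
    the ssl module. The handshake itself verifies the chain against `cafile`
    (the CA root described in the text, or the system store when None) and the
    hostname, so an untrusted or mismatched certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_cert_policy(cert, host, now):
    """Return policy findings for a getpeercert()-style dict; an empty list
    means the certificate satisfies the policy described in the text."""
    to_dt = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)
    not_before, not_after = to_dt(cert["notBefore"]), to_dt(cert["notAfter"])
    findings = []
    if not not_before <= now <= not_after:
        findings.append("expired or not yet valid")
    if (not_after - not_before).days > MAX_VALIDITY_DAYS:
        findings.append("validity period longer than two years")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed (issuer equals subject), not CA-issued")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    if host not in names:
        findings.append(f"{host} not in subjectAltName {names}")
    return findings

# Constructed sample in getpeercert() shape: a CA-issued two-year certificate
# for a camera reached as cam01.site.example (not a real device or CA).
SAMPLE_CERT = {
    "subject": ((("commonName", "cam01.site.example"),),),
    "issuer": ((("commonName", "Site Internal CA"),),),
    "notBefore": "Feb  7 00:00:00 2021 GMT",
    "notAfter": "Feb  7 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "cam01.site.example"),),
}
SAMPLE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # evaluation time for the sample

if __name__ == "__main__":
    # Against a live camera: check_cert_policy(fetch_camera_cert(host, cafile="ca.pem"), host, datetime.now(timezone.utc))
    print(check_cert_policy(SAMPLE_CERT, "cam01.site.example", SAMPLE_NOW))
```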
Disabling Unused Ports, Services, or Protocols
Many cameras have the processing power of a computer and run a full operating system (edge computing). It is therefore essential to ensure that unused services and protocols are disabled or removed. Several attacks have occurred through services, such as Telnet, that are not always necessary for a camera to function.
Opgal uses a minimal custom Linux® operating system from which unused services such as DDNS, QoS, and Bonjour are removed to avoid unnecessary risk. Opgal blocks the SSH network protocol by default; the camera’s administrator can open it manually if remote support from Opgal is required. The SSH session opens only for the computer from which the request originated and only for one hour. There is also a timeout on all web-based Graphical User Interface (GUI) sessions.
It is essential to check the camera logs regularly to review what changes were made and by whom.
Opgal provides access to the camera log, which can be downloaded in an encrypted format and sent to Opgal for review. The camera retains its logs across a reset.
Opgal logs all login attempts across all protocols. If there is something suspicious in the log file, a reset to factory defaults may be required; after the camera has returned to defaults, the administrator should change the password in case the network has been breached. Network settings and users can be retained during a reset.
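Reviewing login attempts across protocols, as described above, is easier with a small triage script. The following is an added example and not Opgal's tooling; the log line format, addresses and thresholds are constructed for illustration and are not the camera's real log format.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log: one login attempt per line across the HTTPS GUI, RTSP and ONVIF.
SAMPLE_LOG = """\
2021-02-07T08:00:02Z HTTPS login=ok   user=operator src=10.10.1.20
2021-02-07T08:05:10Z HTTPS login=fail user=operator src=10.10.1.21
2021-02-07T08:05:19Z HTTPS login=ok   user=operator src=10.10.1.21
2021-02-07T08:14:31Z RTSP  login=fail user=admin    src=198.51.100.7
2021-02-07T08:14:33Z RTSP  login=fail user=admin    src=198.51.100.7
2021-02-07T08:14:36Z ONVIF login=fail user=admin    src=198.51.100.7
2021-02-07T08:14:40Z ONVIF login=fail user=root     src=198.51.100.7
2021-02-07T08:15:02Z HTTPS login=fail user=admin    src=198.51.100.7
2021-02-07T08:16:40Z HTTPS login=ok   user=admin    src=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+login=(ok|fail)\s+user=(\S+)\s+src=(\S+)\s*$")
Record = namedtuple("Record", "ts proto ok user src")

def parse_log(log):
    """Yield one Record per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
            yield Record(ts, m[2], m[3] == "ok", m[4], m[5])

def find_suspicious(log, threshold=5, window=timedelta(minutes=10)):
    """Return (src, kind, detail) alerts: a 'brute_force' alert for any source
    with >= threshold failed logins inside `window` (any protocol), and a
    'success_after_burst' alert if that source later logged in successfully,
    which is the case where a password reset and config review are warranted."""
    by_src = defaultdict(list)
    for rec in parse_log(log):
        by_src[rec.src].append(rec)
    alerts = []
    for src, recs in sorted(by_src.items()):
        recs.sort(key=lambda r: r.ts)
        fails = [r for r in recs if not r.ok]
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1].ts - fails[i].ts <= window:
                burst_end = fails[i + threshold - 1].ts
                break
        if burst_end is None:
            continue  # a single mistyped password is not a burst
        users = sorted({r.user for r in fails})
        alerts.append((src, "brute_force", f"{len(fails)} failed logins, users tried: {users}"))
        if any(r.ok and r.ts >= burst_end for r in recs):
            alerts.append((src, "success_after_burst", "password may have been guessed; reset credentials"))
    return alerts
```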
A regular backup is vital to ensure continuity in the case of an attack. This backup ensures that the administrator can quickly restore affected cameras to their configurations without causing lengthy interruptions to security.
Opgal allows the export of site defaults for all thermal cameras to ensure continuity of service.
Hackers prey on software vulnerabilities, particularly in outdated software that does not conform to current security standards. A hacker will promptly broadcast any security vulnerability online, effectively exposing the network to other individuals. It is vital to run the latest firmware on your camera at all times.
“Our primary research data points to the fact that more than half of the cameras with out-of-date firmware (53.9%) contain known cybersecurity vulnerabilities. By extrapolating this to an average security network, nearly four out of every ten cameras are vulnerable to a cyber-attack,” Mathieu Chevalier, Lead Security Architect at Genetec, said in a statement. [iii]
Opgal regularly releases firmware updates for its thermal cameras as downloadable files, tested against an application security verification standard, to provide peace of mind and help reduce the incidence of cyber threats, thereby protecting sensitive information.
We live in an increasingly connected world in which cyber threats and unauthorized access are on the rise, and hackers will continue to exploit network security vulnerabilities. Year on year, the demands placed on network cameras will grow, increasing the likelihood of an attack. It is crucial that cameras are appropriately secured so that they do not become an open door into a network and expose sensitive information. Adhering to best practices and a strong cybersecurity strategy helps prevent attacks and unauthorized access, preserves network integrity, and keeps a critical function running. The purpose of the camera is to protect people and assets; an investment in secure thermal cameras is therefore essential.
This article is a short overview of cybersecurity features and by no means a comprehensive summary; for a fuller explanation we recommend consulting cybersecurity experts. For more information on how cyber threats may affect your security strategy, or for any other questions, please contact Opgal using the form below.
To learn more about Opgal’s Sii OP thermal camera, visit https://www.opgal.com/products/sii-op.
[i] Cyber-Securing Video Cameras – https://www.securitymagazine.com/articles/89377-cyber-securing-video-cameras
[ii] Hacked Cameras Were Behind Friday’s Massive Web Outage – https://www.forbes.com/sites/briansolomon/2016/10/21/hacked-cameras-cyber-attack-hacking-ddos-dyn-twitter-netflix/
[iii] Report: Majority of surveillance cameras running out of date firmware – https://www.securityinfowatch.com/video-surveillance/cameras/ip-network-surveillance-cameras/news/21117133/report-majority-of-surveillance-cameras-running-out-of-date-firmware