“These devices come from the manufacturer with a common user ID and password, something like ‘admin’ for both. People don’t bother to change that, or they don’t have a complex password policy, so the password is not strong enough,” Mike Sanchez says.
The most critical step in protecting devices and networks is to use a password unique to each device.
Opgal’s cameras ship with no default username or password, requiring the customer to determine a username and password combination for each device. This practice ensures that there are no backdoors in the camera from the initial configuration. There is also no option for guest access, but it’s possible to view the camera’s status and necessary information without login.
Opgal does not mandate strong passwords, but best practice is for every customer to define their own secure password policy.
Authentication and Encryption
One method of securing the camera’s data across the network is to create a Secure Sockets Layer (SSL) encryption certificate. A known Certification Authority (CA) should sign the certificate. The CA’s root certificate should be installed on the computers accessing the camera so that they can validate the certificate on the cameras, and the certificate should be given a reasonable expiration date of a year or two. Once you upload a certificate to the camera, you can ensure all communications go through the HTTPS port (encrypted).
Opgal does not send plain text passwords except on the creation of a user. The best practice is to create the Admin user for the first time over a direct connection to the camera or in a secure environment, and to upload the SSL certificate before using the camera in an operational environment. Opgal also supports protecting video access by requiring a username and password, and tunnels ONVIF over HTTPS when it’s enabled.
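The certificate guidance above can be checked from a client machine. The following is an added example, not Opgal code: `fetch_camera_cert`, `validity_findings`, the 731-day limit and the sample dates are assumptions made for illustration, and the camera address and CA root file are supplied by the caller.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 2 * 365 + 1  # "a year or two" from the text, plus a leap day


def fetch_camera_cert(host, port, ca_root_file):
    """Handshake with the camera's HTTPS port, trusting only ca_root_file.

    Raises ssl.SSLCertVerificationError when the camera's certificate does
    not chain to that root or does not match the address in `host`.
    """
    ctx = ssl.create_default_context(cafile=ca_root_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _utc(cert_time):
    # getpeercert() dates look like "Jan  1 00:00:00 2024 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def validity_findings(cert, now=None):
    """Return a list of problems with the certificate's validity period."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    lifetime = (not_after - not_before).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime of {lifetime} days exceeds {MAX_LIFETIME_DAYS}")
    return findings


# Constructed samples in the dict shape getpeercert() returns (not real cameras).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CAM_OK = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"}
CAM_EXPIRED = {"notBefore": "Mar  1 00:00:00 2023 GMT", "notAfter": "Mar  1 00:00:00 2024 GMT"}
CAM_LONG = {"notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    for name, cert in [("ok", CAM_OK), ("expired", CAM_EXPIRED), ("long", CAM_LONG)]:
        print(name, validity_findings(cert, NOW) or "no findings")
```

Against a live camera, pass the result of `fetch_camera_cert` to `validity_findings`; a verification error from the handshake means the certificate was not signed by the CA whose root is installed on the client.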
Many hackers use scanners to find connected devices. A simple way to impede these scanners is to change the ports of the networked cameras. Cameras generally use well-known default ports; changing these to alternative ports requires an extra step when entering the address into the web browser, hence protecting the camera from scanners or manual entries.
Opgal permits the changing of HTTPS and RTSP ports to ensure an additional layer of protection against scanners and other attempts to compromise the camera’s security.
Disabling Unused Ports, Services, or Protocols
Many cameras have the processing power of a computer with operating systems (edge computing). It is therefore essential to ensure that unused services and protocols are disabled or removed. Several attacks have occurred through services, such as telnet, which are not always necessary for a camera’s functioning.
Opgal uses a minimal custom Linux® operating system, where unused services, such as DDNS, QoS, and Bonjour, are removed from the operating system to prevent unnecessary risks. Opgal blocks the SSH network protocol by default; the camera’s administrator can open it manually if remote support from Opgal is required. The SSH session will open only for the computer from which the request originated and only for one hour. There is also a timeout on all web-based Graphical User Interface (GUI) sessions.
It’s essential to regularly check the logs of the cameras to review changes made and by whom.
Opgal provides access to the camera log, which can be downloaded in an encrypted format and sent to Opgal for review. During a reset, the camera will retain the logs.
Opgal logs all login attempts across all protocols, and if there is something suspicious in the log file, a reset to factory defaults may be required. After the camera has returned to default, the administrator should change the password in case of a network breach. It is possible to retain network settings and users during a reset.
A regular backup is vital to ensure continuity in the case of an attack. This backup ensures that the administrator can quickly restore affected cameras to their configurations without causing lengthy interruptions to security.
Opgal allows the export of site defaults of every camera to ensure continuity of service.
Hackers prey on software vulnerabilities, particularly outdated software that doesn’t conform to current security standards. A hacker will promptly broadcast any security vulnerabilities online, effectively exposing the network to other individuals. It is vital to ensure that you have the latest firmware on your camera at all times.
“Our primary research data points to the fact that more than half of the cameras with out-of-date firmware (53.9%) contain known cybersecurity vulnerabilities. By extrapolating this to an average security network, nearly four out of every ten cameras are vulnerable to a cyber-attack,” Mathieu Chevalier, Lead Security Architect at Genetec, said in a statement. [iii]
Opgal often releases firmware updates tested against an application security verification standard to ensure peace of mind.
We are living in an increasingly connected world in which hackers will continue to exploit network security vulnerabilities. Year on year, requirements for network cameras will increase, hence increasing the likelihood of an attack. It is crucial that cameras are appropriately secured to prevent them from becoming an open door to a network. Ensuring that best practices are adhered to can help prevent attacks, provide network integrity, and ensure the continuous operation of a critical function. The purpose of the camera is to protect people and assets; therefore, an investment in a secure camera is essential.
This article is a short overview of cybersecurity features and by no means a comprehensive summary. For more information on cybersecurity or any other questions, please contact Opgal using the form below.
To learn more about Opgal’s Sii OP thermal camera, visit https://www.opgal.com/products/sii-op.