Modern video security systems are more secure than ever. Gone are the days when network video recorders and cameras were allowed to keep default credentials (like a 12345 password), which attackers used to mobilize tens of thousands (or more!) of devices into a botnet. It’s important to remember that security at times can be simple. Just requiring login credentials to be changed upon first use resulted in a drastic reduction of compromised security systems. But simple doesn’t always mean ‘easy’. Attackers adapt, and defenders need to do their best to stay ahead. The best systems are designed to make things easier for defenders than for attackers, and there’s a lot that can be done with some additional (and simple) configuration decisions.
In a typical small security system, you may have a dozen or more IP cameras connected to Network Video Recorders (NVRs). Best practice configurations usually place the IP cameras on a separate network subnet; that allows you to disable access from the internet and keep bandwidth-intensive IP camera streams from interfering with other traffic. However, to access the NVR from outside your network, you’d have to expose it to the internet. Doing so potentially puts your assets at risk, as hackers can more easily use the open internet to break into your system.
Anatomy of a Hack
Any IP device that’s remotely accessible from the Internet is potentially at risk. Many times the device is available from a network that has a fixed IP address and port. If so, it’s easily detectable from anywhere in the world by port scanning, a standard technique used to determine which ports a target system may be listening on. This can also help attackers determine what services may be running on the system, because certain ports are usually associated with particular services. If the device is an NVR, for example, it’s likely to have Port 80 open so the legitimate user can access the NVR’s web interface. But to the hacker, an open Port 80 is a big clue that the device has a web server running on it. Port scanning is essentially a way of ‘fingerprinting’ the remote operating system to understand what services and software versions are running on the target. This is a problem because if there are known exploits for that version of an OS or for particular services, then it’s good news for the attacker if your device is not up-to-date on patches or is otherwise unprotected.
However, there are a number of practical ways to minimize that risk. Most NVRs have a mobile app that can connect via Peer-to-Peer (P2P). This setup uses an intermediary server to query the NVR and request that a port be opened. Once that occurs, the mobile app connects to the NVR. When the connection is closed, the port is closed. The big advantage of this approach is that the port is open only for the duration of the session. At any other time, a port scan won’t reveal much of anything to a potential attacker. It’s the equivalent of opening your garage door when you pull up to your house, then shutting it right after you pull your car in, and leaving it shut until you need to take your car out again.
Another way to minimize exposure is to use IP address blocking. Also known as a Geolocation feature in many firewalls, this allows you to block access to your system from a range of IP addresses. Some allow you to block access from IP addresses in specific countries.
Some security experts believe this is a very blunt instrument to deploy, so it’s fair to ask if IP address blocking is worthwhile. Let’s cite a scenario to better understand this matter:
A manager periodically checks the logs, which give great insight, especially when things aren’t working correctly. By doing so, they noticed an abnormal number of admin login attempts from a specific IP address in less than one day. It turns out that the recorded IP address is from a city that famously hosts a troll farm which the security community strongly suspects is engaged in online influence operations on behalf of business and political interests from a particular country. Since the manager’s website serves only users in North America, they chose to block the entire range of IP addresses in that geographical area. What they did won’t prevent whoever it was from initiating a brute force password attempt again, but it makes it considerably less convenient. And that’s a win on their part.
For many businesses, it’s far easier to secure access to your NVR because it’s likely there are only a few people who are authorized to access it. In that case, you can change the default and set up an IP allow list, which will block all access attempts unless they come from the IP addresses specified. That makes it even harder on attackers.
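The log review in the scenario above and the allow list check can both be scripted. The following is an added example, not code from the original article or from any NVR vendor; the log layout, the threshold of five failures in 24 hours, and the allow list entries are assumptions, and the addresses are documentation-range values constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "timestamp source-ip user result" layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T02:10:05 203.0.113.45 admin FAIL
2024-03-01T02:10:09 203.0.113.45 admin FAIL
2024-03-01T02:10:14 203.0.113.45 admin FAIL
2024-03-01T07:45:00 198.51.100.7 admin FAIL
2024-03-01T07:45:20 198.51.100.7 admin OK
2024-03-01T09:30:41 203.0.113.45 admin FAIL
2024-03-01T13:02:56 203.0.113.45 admin FAIL
2024-03-03T18:20:00 203.0.113.45 admin FAIL
"""
ALLOW_LIST = ["198.51.100.0/29", "192.0.2.10/32"]  # hypothetical authorized sources

def parse(log):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        try:
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ipaddress.ip_address(ip), user, result
        except ValueError:
            continue

def noisy_sources(events, threshold=5, window=timedelta(hours=24)):
    """Return {ip: peak failed admin logins within any window} for IPs at or over threshold."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if user == "admin" and result == "FAIL":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[str(ip)] = peak
    return flagged

def is_allowed(ip, allow_list=ALLOW_LIST):
    """Default deny: True only if ip falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allow_list)
```

Calling `noisy_sources(parse(SAMPLE_LOG))` flags the one source with five failed admin logins inside a day, and `is_allowed` shows that the same address would never have reached the login page under the allow list.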