In 2007, researchers discovered such a flaw in the settings pages of the administration Web application available on the 2100 network camera from Sweden-based Axis Communications. Through this vulnerability, the attacker could gain the login credentials from a legitimate user and access the camera’s administration. This would allow an attacker to essentially do anything with that camera and any other camera that they could discover that used the same administration login credentials. A similar weak link was discovered in several network cameras from Germany-based MOBOTIX Corp.
While an Axis 2100 fix was never made available, the model was later discontinued. When the product was introduced, in 1999, networked cameras were used less for security than for “Web attractions,” says Fredrik Nilsson, Axis’ North American general manager. “There was not a lot of standardized security for networked video at the time.” MOBOTIX fixed its problem with a firmware upgrade.
Another type of video application vulnerability was recently discovered in a March Networks DVR 3204. In that case, if users are able to send a specifically crafted URL to the DVR, they can download system log files that can include system IP addresses, usernames, and passwords. Such information can be used to build out an understanding of a security system’s topology to systematically discover and attack each node. March Networks says it plans to fix the vulnerability in a software release slated for this June or July.
It is important to emphasize that this article is not revealing any secrets that hackers don’t already know. Information on all of these vulnerabilities has already been posted online by leading IT security organizations. Flaws are usually discovered by private individuals and corporate security researchers and made public so that companies are motivated to fix them quickly, a policy known in the security community as full disclosure.
In most cases, when vulnerabilities are discovered, the vendor that owns the offending product is given a fair chance to create a fix so that the fix can be published simultaneously with the vulnerability information. While full disclosure does motivate vendors to fix their products and end users to patch their systems, the practice also makes vulnerability exploit information easily available to attackers. Security professionals charged with protecting corporate systems may wish that vulnerabilities weren’t posted, but the IT world has yet to back away from that practice. Consequently, security professionals have to operate within that reality. Their only choice is to stay informed and to actively manage patching and keep defenses up to date.
Validating user input. Securing applications typically involves more work than securing a network, but effective and simple countermeasures can be taken. The most powerful countermeasure for any kind of application threat is for the application to properly validate any user-provided input data before it is processed. If camera application codes are set to assess user input, they can prevent the execution of malicious code from cross-site scripting, for example. Security experts estimate that simple input validation could eliminate 80 percent of all application security vulnerabilities.
Application firewalls. Application firewalls provide an additional level of protection by attempting to block malicious input into systems. Application firewalls are like network firewalls in that they only allow certain traffic, but application firewalls analyze that traffic in a different manner.
A network firewall often restricts traffic based on an analysis of the source, destination, and payload of each piece of data passing through the network, but such measures have no domain knowledge of the type of data or application. An application firewall is more interested in inspecting the type of data to be accepted by an application. Data is blocked if it violates certain rules.
Software development. Ultimately, application security vulnerabilities are code problems. And remedies to code problems must be discovered and implemented during software development. To ensure that product development teams are producing secure code, they must be required to implement security assurance processes that include regular product testing.
It is up to everyone involved in video security system design and implementation to demand secure product development from industry vendors. Vendors should be able to prove that their software is fortified against hackers. Security professionals should ask suppliers tough questions about the testing during development. Systems integrators that design and install the systems should also thoroughly test the network and applications after installation.
Companies should also plan their reaction to a breach in advance. Decisions should be made about who is responsible for attack monitoring and response.
Digital and network advances are boosting surveillance possibilities, but staff must understand the risks. Security education and awareness is an important first step, but ultimately system specifiers, designers, installers, and operators must act to ensure system security.
Physical and IT security must work together toward a defense-in-depth approach that ensures access control and multilayer system protection. In so doing, they can help to ensure that networked surveillance fulfills its potential as a security tool rather than becoming a vulnerability.
Jason Schmitt is a product manager at Steelbox Networks, Inc., an Atlanta-based IP-video solutions provider. He has extensive experience in product management, product development, and technical consulting. He is the author of the digital short-cut book Secure ASP.NET AJAX Development, published by Addison-Wesley Professional.