Digital Video Vulnerabilities
In today’s world, it is not too difficult to imagine a coordinated attack on a transportation network or nuclear power facility, staged on multiple fronts to confuse defenses and thwart countermeasures. Video surveillance systems in mission-critical installations are one of the key defenses against such an attack and are designed specifically to deter, detect, and thwart terrorist or criminal threats. Surveillance video also serves to protect more mundane businesses from ordinary crimes. However, a clever and meticulously planned attack could conceivably neutralize the video surveillance system and eliminate the possibility of detection or forensic investigation via video. While digital, networked video technologies are rapidly enabling powerful and scalable surveillance applications, these same technologies also introduce additional security risks into systems.
The increasing popularity of networked video makes it an attractive target for hackers, yet the security integrators and consultants responsible for designing and installing these systems rarely possess the IT security expertise necessary for building secure systems. To ensure that digital networked video is secure, the company must attend to the security of the network itself as well as to the associated applications.
The primary security concern of any networked video surveillance system is the security of the network itself. Not only must the network be designed with common network security principles and products in mind, but the surveillance applications connected to it must also be secured like any other node.
For example, most digital video recorders (DVRs) and network video recorders (NVRs) in surveillance applications are simply Microsoft Windows PCs in a different form.
While companies typically require that any Windows PC on a network run antivirus and antimalware software to protect the PC and the rest of the network, few, if any, companies realize that DVRs and NVRs, which are PCs, should be similarly protected.
A virus does not need to specifically target surveillance applications to have an impact on these systems. For example, the SQL Slammer Worm that wreaked havoc around the Internet in 2003 targeted a vulnerability discovered in Microsoft’s SQL Server. Many NVR applications rely on SQL Server database software and could have been impacted, although no known cases were reported.
Another type of network security threat of concern to surveillance systems is vulnerability to denial of service (DoS) attacks. In such attacks, access to a service is denied to legitimate users because of a barrage of data being sent to a part of the system. The most common problems seen during a denial of service attack are that the network traffic slows down or a Web application becomes inaccessible.
A DoS attack could cause a company to lose access to video from many of the cameras on the security network. The company would also likely lose any recording of the video during the attack.
Hacking utilities for performing denial of service attacks are readily available on the Internet, so launching one does not take a high level of knowledge. But such onslaughts are fairly simple to prevent with proper network design and readily available firewall technology.
A vulnerability to a denial of service attack was found in the NVR server software of Taiwan-based ACTi. In that case, researchers reported that the vulnerability would allow attackers to create, delete, or corrupt application files simply by requesting a specific URL through a browser. The company says that it has fixed the weakness, and management emphasizes that it releases regular patches and service packs for its products.
The U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, also lists a denial of service vulnerability identified by researchers testing the DVR 3000 and 4000 models of Ottawa-based March Networks Corp. March Networks, however, disputes the finding, saying that it tested the vulnerabilities internally and with a third party and found no such vulnerability, according to spokesperson Peter Wilenius.
Fortunately, network security protections are available and relatively easy to get right. Network designers help secure networks by properly segmenting the network to protect sensitive data from unauthorized access.
Virtual networks, or VLANs, can be established to isolate the video network from the rest of the back office. Physical segmentation of the network can be accomplished with routers that only allow certain traffic to pass through, again having the effect of isolating network sections. In both cases, this segmentation can prevent a breach from spreading from the video network to other parts of the network or vice versa.
The next step in secure network design is to actively prevent unauthorized access to network resources. Firewalls provide the first line of defense against attack by disallowing traffic that originates from an unauthorized or suspicious client. Firewalls can also effectively combat denial of service attacks because they are able to recognize that a large amount of traffic is coming from a small number of sources, at which point they block access.
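The firewall behaviour just described, recognizing that a large volume of traffic comes from a small number of sources and blocking them, can be shown in a few lines. The script below is an added illustration and is not code from the article or from any firewall product; the log format, the addresses, and the sample lines are constructed for the example. It scans a connection log, finds the peak number of requests each source made inside any ten-second window, and flags sources that reach a threshold, rendering drop rules for them in nftables-style text.

```python
"""Spot denial-of-service floods coming from a few sources in a connection log.

Added illustration (not from the article or any vendor product).  The log
format "<unix_time> <source_ip> -> <dest_ip>:<port>" and all sample lines
are constructed for this example.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+->\s+\S+$")

SAMPLE_LOG = "\n".join(
    # one source hammering the NVR web port: 12 requests in 12 seconds
    [f"{1000 + i} 203.0.113.5 -> 192.0.2.10:80" for i in range(12)]
    # two legitimate viewers with normal, sparse activity
    + ["1003 198.51.100.7 -> 192.0.2.10:80",
       "1040 198.51.100.7 -> 192.0.2.10:554",
       "1077 198.51.100.7 -> 192.0.2.10:80",
       "1005 192.0.2.44 -> 192.0.2.10:80",
       "1100 192.0.2.44 -> 192.0.2.10:80",
       "garbage line that does not parse"]
)


def parse_log(text):
    """Return {source_ip: [timestamps]}; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits[m.group(2)].append(int(m.group(1)))
    return hits


def peak_rate(timestamps, window):
    """Largest number of requests from one source inside any span of
    `window` seconds (sliding two-pointer scan over sorted timestamps)."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flood_sources(text, window=10, threshold=10):
    """Sources whose peak request rate reaches the threshold, with that peak.
    Window and threshold are constructed values; a real deployment tunes
    them against the site's normal viewer traffic."""
    flagged = {}
    for src, ts in parse_log(text).items():
        peak = peak_rate(ts, window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def block_rules(flagged):
    """Render one nftables-style drop rule per flagged source (text only)."""
    return [f"ip saddr {src} drop" for src in sorted(flagged)]


if __name__ == "__main__":
    flagged = flood_sources(SAMPLE_LOG)
    for src, peak in flagged.items():
        print(f"{src}: {peak} requests in 10 s")
    print("\n".join(block_rules(flagged)))
```

The two legitimate viewers never exceed one request per window and are left alone; only the source sending a dozen requests in twelve seconds is flagged. A production firewall applies the same idea continuously and usually also limits new-connection rates per source rather than waiting for a log to be scanned.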
Access control systems on the network are another way to manage network user and resource access. These systems, known as authentication, authorization, and accounting (AAA) servers, manage the credentials of allowed system users and can actively block access by anyone who is not explicitly allowed.
Many companies supplement firewalls with intrusion detection and intrusion prevention systems (IDS/IPS). They are effective at guarding commonly used hardware and software platforms, but do not yet specifically address potential security problems in networked security products such as IP cameras, DVRs, and NVR servers.
No matter how well a company secures its network, the bottom line is that it has to allow Internet traffic in and out for business purposes, including remote viewing of surveillance video. That means that there is the potential that an unauthorized outsider will gain security equipment access remotely via the network. A second layer of protection at the application level can reduce that risk.
Application security issues are code-level problems within the products that are installed as part of the video surveillance system. Cross-site scripting is an example of an application code-level vulnerability that can be exploited with dire consequences.
In cross-site scripting, an attacker injects malicious code into a Web page that would be executed on a victim’s PC. If it were the page a manager used to access a company surveillance camera, the attacker would be able to steal the victim’s login credentials as they were entered on the Web site, thereby gaining the ability to access the camera.
In 2007, researchers discovered such a flaw in the settings pages of the administration Web application available on the 2100 network camera from Sweden-based Axis Communications. Through this vulnerability, the attacker could gain the login credentials from a legitimate user and access the camera’s administration. This would allow an attacker to essentially do anything with that camera and any other camera that they could discover that used the same administration login credentials. A similar weak link was discovered in several network cameras from Germany-based MOBOTIX Corp.
While an Axis 2100 fix was never made available, the model was later discontinued. When the product was introduced, in 1999, networked cameras were used less for security than for “Web attractions,” says Fredrik Nilsson, Axis’ North American general manager. “There was not a lot of standardized security for networked video at the time.” MOBOTIX fixed its problem with a firmware upgrade.
Another type of video application vulnerability was recently discovered in a March Networks DVR 3204. In that case, if users are able to send a specifically crafted URL to the DVR, they can download system log files that can include system IP addresses, usernames, and passwords. Such information can be used to build out an understanding of a security system’s topology to systematically discover and attack each node. March Networks says it plans to fix the vulnerability in a software release slated for this June or July.
It is important to emphasize that this article is not revealing any secrets that hackers don’t already know. Information on all of these vulnerabilities has already been posted online by leading IT security organizations. Flaws are usually discovered by private individuals and corporate security researchers and made public so that companies are motivated to fix them quickly, a policy known in the security community as full disclosure.
In most cases, when vulnerabilities are discovered, the vendor that owns the offending product is given a fair chance to create a fix so that the fix can be published simultaneously with the vulnerability information. While full disclosure does motivate vendors to fix their products and end users to patch their systems, the practice also makes vulnerability exploit information easily available to attackers. Security professionals charged with protecting corporate systems may wish that vulnerabilities weren’t posted, but the IT world has yet to back away from that practice. Consequently, security professionals have to operate within that reality. Their only choice is to stay informed and to actively manage patching and keep defenses up to date.
Validating user input. Securing applications typically involves more work than securing a network, but effective and simple countermeasures can be taken. The most powerful countermeasure for any kind of application threat is for the application to properly validate any user-provided input data before it is processed. If a camera application's code checks user input, it can prevent the execution of malicious code from cross-site scripting, for example. Security experts estimate that simple input validation could eliminate 80 percent of all application security vulnerabilities.
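The cross-site scripting flaw described earlier and the input validation countermeasure above are both easy to see in a small page renderer. The following is an added example, not code from the article, from Axis, from MOBOTIX, or from any camera product; the "camera name" setting, the allowlist pattern, and the sample values are constructed for the illustration. The "before" function echoes a setting straight into the page, so markup in the value becomes part of the page and runs in the operator's browser session. The "after" version applies two independent layers: an allowlist check that rejects the value on input, and HTML encoding on output so that even a value that slipped past validation (for instance one stored before the check existed) is shown as text rather than executed.

```python
"""Reflected cross-site scripting in a camera settings page, and its fix.

Added example (not code from the article or any vendor).  The setting,
its allowlist and the sample values are constructed for illustration.
"""
import html
import re

# Constructed: a value a legitimate operator would submit, and a hostile
# value of the kind that would arrive in a crafted link to the page.
GOOD_NAME = "Loading Dock 2"
HOSTILE_NAME = '"><script>document.title=1</script>'

# Allowlist for the setting: letters, digits, spaces and hyphens, 1-32 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9 \-]{1,32}$")


def render_settings_vulnerable(camera_name):
    """'Before': the parameter goes into the HTML unchanged.  A quote in the
    value closes the attribute and the rest is interpreted as markup."""
    return f'<input name="camera_name" value="{camera_name}">'


def is_valid_camera_name(camera_name):
    """Layer 1, validate on input: only allowlisted characters and lengths."""
    return bool(NAME_RE.match(camera_name))


def render_label(stored_name):
    """Layer 2, encode on output: HTML-escape whatever is displayed, so a
    value containing markup is rendered as literal text."""
    return f'<span class="camera">{html.escape(stored_name, quote=True)}</span>'


def render_settings_hardened(camera_name):
    """Both layers together: reject bad input, and still encode on output."""
    if not is_valid_camera_name(camera_name):
        raise ValueError("camera_name contains characters that are not allowed")
    return f'<input name="camera_name" value="{html.escape(camera_name, quote=True)}">'


def contains_raw_script(rendered_html):
    """Check used to show whether a raw <script> tag survived into the page."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_settings_vulnerable(HOSTILE_NAME))
    print("escaped:   ", render_label(HOSTILE_NAME))
    print("valid?     ", is_valid_camera_name(GOOD_NAME), is_valid_camera_name(HOSTILE_NAME))
```

Validation alone is not enough, because an allowlist for one field says nothing about data that reaches the page by another route; output encoding alone is not enough, because the bad value would still be stored and handed to every other consumer. Doing both is the practice the article's 80 percent estimate refers to.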
Application firewalls. Application firewalls provide an additional level of protection by attempting to block malicious input into systems. Application firewalls are like network firewalls in that they only allow certain traffic, but application firewalls analyze that traffic in a different manner.
A network firewall often restricts traffic based on an analysis of the source, destination, and payload of each piece of data passing through the network, but such measures have no domain knowledge of the type of data or application. An application firewall is more interested in inspecting the type of data to be accepted by an application. Data is blocked if it violates certain rules.
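The distinction between the two kinds of firewall is clearest side by side. The script below is an added example and is not the article's or any vendor's code; the DVR paths, the parameter rules, the client subnet, and the sample requests are constructed. The network-layer check knows only source address and destination port. The application-layer check knows that a request to the hypothetical `/live` path carries a `channel` that must be a number from 1 to 16, that `/logs` may only name one of two fixed log files, and that any parameter the application does not expect is grounds for refusal. It also covers the log-download case discussed above: a crafted file name is rejected before it reaches the DVR.

```python
"""Network-layer versus application-layer filtering in front of a DVR web interface.

Added example, not the article's or any vendor's code.  Paths, parameter
rules, the client subnet and the sample requests are constructed.
"""
import ipaddress

# --- Network-layer policy: who may reach the DVR at all (constructed) ---------
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]   # security-ops VLAN
DVR_PORTS = {80, 443}


def network_allows(src_ip, dst_port):
    """A network firewall decides on addresses and ports only."""
    src = ipaddress.ip_address(src_ip)
    return dst_port in DVR_PORTS and any(src in net for net in ALLOWED_CLIENTS)


# --- Application-layer policy: what a request may contain (constructed) -------
def _channel(v):
    return v.isdigit() and 1 <= int(v) <= 16


RULES = {
    "/live":   {"channel": _channel},
    "/export": {"channel": _channel,
                "format": lambda v: v in {"mp4", "avi"}},
    # log download: a bare file name from a fixed allowlist, never a path
    "/logs":   {"file": lambda v: v in {"system.log", "recording.log"}},
}
MAX_VALUE_LEN = 64


def application_allows(path, params):
    """An application firewall understands the request.  Returns (allowed, reason);
    unknown paths, unexpected or missing parameters and rule violations are denied."""
    rules = RULES.get(path)
    if rules is None:
        return False, f"unknown path {path}"
    for name, value in params.items():
        if name not in rules:
            return False, f"unexpected parameter {name}"
        if len(value) > MAX_VALUE_LEN or not rules[name](value):
            return False, f"parameter {name} violates rule"
    missing = sorted(set(rules) - set(params))
    if missing:
        return False, f"missing parameter {missing[0]}"
    return True, "ok"


def filter_request(src_ip, dst_port, path, params):
    """Both layers in order: network policy first, then application policy."""
    if not network_allows(src_ip, dst_port):
        return False, "network policy"
    return application_allows(path, params)


# Constructed sample requests: (source, port, path, parameters)
SAMPLE_REQUESTS = [
    ("10.20.0.15", 443, "/live", {"channel": "3"}),            # legitimate viewer
    ("203.0.113.9", 443, "/live", {"channel": "3"}),           # wrong network
    ("10.20.0.15", 443, "/live", {"channel": "99"}),           # out-of-range channel
    ("10.20.0.15", 443, "/logs", {"file": "../config.ini"}),   # crafted file name
    ("10.20.0.15", 443, "/export", {"channel": "2"}),          # format missing
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[2], req[3], "->", filter_request(*req))
```

Note that the network rule would happily pass the crafted log request, because to it the request is just an allowed client talking to an allowed port; only the application rule, which knows what a valid file name for this path looks like, can refuse it. Conversely the application rule never sees the request from the wrong subnet, because the network rule stopped it first.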
Software development. Ultimately, application security vulnerabilities are code problems. And remedies to code problems must be discovered and implemented during software development. To ensure that product development teams are producing secure code, they must be required to implement security assurance processes that include regular product testing.
It is up to everyone involved in video security system design and implementation to demand secure product development from industry vendors. Vendors should be able to prove that their software is fortified against hackers. Security professionals should ask suppliers tough questions about the testing during development. Systems integrators that design and install the systems should also thoroughly test the network and applications after installation.
Companies should also plan their reaction to a breach in advance. Decisions should be made about who is responsible for attack monitoring and response.
Digital and network advances are boosting surveillance possibilities, but staff must understand the risks. Security education and awareness is an important first step, but ultimately system specifiers, designers, installers, and operators must act to ensure system security.
Physical and IT security must work together toward a defense-in-depth approach that ensures access control and multilayer system protection. In so doing, they can help to ensure that networked surveillance fulfills its potential as a security tool rather than becoming a vulnerability.
Jason Schmitt is a product manager at Steelbox Networks, Inc., an Atlanta-based IP-video solutions provider. He has extensive experience in product management, product development, and technical consulting. He is the author of the digital short-cut book Secure ASP.NET AJAX Development, published by Addison-Wesley Professional.