pro-grade security systems at DIY prices

866-414-2553

Best Practices for preventing IOT Security Camera Hacks

What's been happening?

Ealy in 2016, PC Word found a 25,000 camera network that were compromised and being prepared for an attack.

On Sept. 30, 2016, several addiitional major manufacturers of security camera were hacked in a different attack and the cameras and recorders were used to wreck havoc on US companies and USA network infrastructure, resulting in massive amounts of lost productivity when the internet was down for nearly 24 hours in most of the USA.

Vice news called this hack in 2016, "the biggest attack we've ever seen."

***

On Sept 25th 2017, a major competitor of SCW had all of their camera systems hacked and customer's lost their video feeds.

On Oct 23rd 2017, Forbes called the vulnerability "The Next Web Crisis" since the hackers have access but have hardly used the devices, yet.

On Nov 15 2017, The Washington post claimed that Dahua added this backdoor "deliberately based on the way the code was written."

security camera hacks and botnets, WSJ

Why does it matter?

You're probably thinking, "I don't have anything important enough for a hacker to look at, so this doesn't concern me," but that's not what's happening: the real issue isn't hackers looking into the camera feeds (although that can be a very big invasion of privacy) as much as they are using the camera's processor's to do something that the camera was not designed to do.

Some installers of cheaper systems are reporting things like "One of our property managers had her bank account compromised because of the back door access to her network." but this is nearly impossible to validate and confirm the claim.

Other's are reporting wide scale disabling of camera feeds. Most troubling is that some hackers are using the cameras to create a botnet.

Dahua camera hacks

What's a botnet?

A botnet is a collection of internet-connected devices that have malicious code on them that can be used to collectively attack other high value targets. Botnets can include PCs with viruses or IOT (internet of things) devices like smart thermostats or security cameras that have malware or have such easy access to their admin accounts, that they can be collectively controlled by remote code execution. In other words, a botnet is when 10,000 or 10,000,000 devices with a processor (like most modern security cameras) can be controlled in mass remotely and are directed to perform a DDOS attack (Distributed Denial of Service).

IOT Hacks and Security Cameras

Even before this latest attack, there's been a lot of news lately about hacked security cameras. Even worse, it was discovered that several camera manufacturers were found to have backdoor accounts and special manufacturer credentials for who knows what reason.

Because of the increase in these sort of attacks, we have made a list of best practices for reducing the likelihood of these events happening.

What SCW does to prevent IOT hacks: an isolated network within a network

The cameras plugged into the Admiral line NVR's POE ports directly or plugged into the Imperial Line NVRs Lan2 Network directly are not visible or accessible on your computer network. They run on an isolated networksimilar to an air gap. The only way to access these cameras is to plug a computer into those POE ports or hack into the NVR. There's a physical barrier from the cameras to the main network. In addition, there's also a subnetwork running on the NVRs, which means that even if you do plug a computer into the NVR's physically separate, isolated network, you would also need to know their subnet mask.

This has several advantages:

1. Faster Networks. Unlike traditional NVRs, when plugged into NVR' isolated network, the camera's video feeds do not slow down your main computer network.

2. Isolated Cameras. Since they are on both a physically separated network and a subnet, your cameras are not visible on your computer network or to outsiders. You can connect to the NVR remotely and log in and the use the NVR as a bridge to watch the cameras, but neither you nor a hacker cannot log into the cameras themselves, without either logging into the NVR or being physically present to plug into the NVR and possessing knowledge about your NVR's specific camera subnet mask. (You can customize this camera's subnet, if you want). 99% of all security camera IOT hacks are through the cameras - not the NVR.

3. Less maintenance. Our new 2018 line has 1 click firmware updates straight from the NVR/Camera: meaning: you don't even have to search for, find, or download the footage on a computer. You just click a button when using the device and update the firmware automatically. So, the update process is not difficult to begin with. In addition, you don't have to worry about updating the cameras for cyber security reasons, since the NVR is the only device that can be accessed remotely. It is much easier to keep one device up to date than dozens or hundreds.

Best Practices for Preventing IOT Security Camera Hacks

1. Change your password.

We publish the default password for our devices on our website. If you don't change the password, assume anyone who can do a 5 minute Google search has access.

2. Plug the cameras into the POE ports on the back on our Vanguard/Networker/Admiral NVRs.

All of our NVRs have the ability to record cameras on your main, computer network. This is insecure. Avoid this whenever possible.

All of our NVRs have the ability to record cameras from a remote location through the internet. This is extremely insecure, please do not do this. Most externally facing networks also do not have ability to handle the amount of data that a 24/7 HD security camera creates. You'll get bad video and framerate results from this and your very likely to be hacked. Please do not do this.

Do this.

cameras on isolated camera network

Try not to do this.

cameras on computer network

By plugging the cameras into the POE ports on the NVR, you use the physically separated network and subnet built into the NVR. This will separate the cameras off your main network by creating a sub network (subnet) for the cameras. The number #1 rule on hacking is that you can't hack what you can't connect to, and this will create a physical barrier between your cameras and your network - The NVR.

3. Use the NIC#1 on our Executive/Super/Edge/Imperial lines to connect to your computer network and NIC#2 to make a physically separated network and subnet for your cameras.

Do this.

cameras on isolated camera network

Try not to do this.

cameras on computer network

Although it is possible to add our cameras to your main network, it is always advisable to separate your camera network physically from your computer network. Even in situations where you have no internet connection, this is preferable as it keeps your main computer network from getting congested by all that video footage being transferred by your surveillance system. Again, you can't hack what you can't connect to.

4. In the event that you can't physically separate the network, corporations and large business should have their network administrators VLAN the cameras.

A VLAN is a Virtual Lan, which create a hidden network within your network that only other devices on that VLAN can see. It is the virtual (which is where they get the V) equivalent of the physical barrier created by subnetting your cameras.

No company can ever make a hack proof product that you can view remotely. However, if you use our products in the way that we recommend, your cameras should not be visible on the network at all. Only the NVR should be on the network and the security in an NVR is usually a whole great deal better than in the cameras. Not to mention if you are hacked, having to upgrade one NVR's firmware is a whole lot easier than dozens of cameras.