Kiran Pillai, Senior Product Marketing Manager, Bosch Security
Surveillance camera data is interesting to cybercriminals, reflected by a growing number of exploits including man-in-the-middle attacks: hackers hijack communications between a camera and VMS to spy on people or industrial processes, inject alternate video image feeds to conceal illicit activity, or manipulate live camera footage to selectively remove details or persons from the scene.
Aside from attacks on live video feeds, stored data also presents an attractive target. In June 2015, an Italy-based developer of government-level surveillance software became the victim of a major breach, leaking sensitive data onto the Internet. In 2016, hackers seized control of over 25,000 devices to create a botnet that carried out attacks against websites.
Minimising the effect of these types of security breaches is a fundamental mission for integrators and installers. The challenge of offering users the highest level of data security in their video security applications involves every single product the company brings to market. Because video data is often highly critical and sensitive, Bosch is driving a systematic approach to protect private data by considering physical safety and cybersecurity simultaneously.
A systematic approach starts by considering the entire security camera infrastructure as a whole, not just individual components. In order to minimise the risk of hacking, firmware must be updated to address threats and vulnerabilities. All video data should be encrypted at the camera level, using a cryptographic key that is safely stored in an integral Trusted Platform Module (TPM). Ensuring only authorised individuals have access to video data is essential, as is support for the set-up of a Public Key Infrastructure.
Even a single camera can provide a gateway to hackers, potentially exposing entire networks to cybercrime. Data security starts with encrypting data at the hardware level. A TPM can safely store cryptographic keys, with all operations for authentication and encryption executed inside the TPM.
Encrypted data should be sent via a secured connection using SRTP (Secure Real-Time Transport Protocol).
Bosch creates trust by assigning every component in the network an authentication key to allow only trusted devices to share data. This certificate-based authentication avoids man-in-the-middle attacks. Network authentication relies on the industry-standard 802.1x protocol.
Cameras should support AES encryption and Public Key Infrastructure. Unsecure ports, such as UP&P, should be disabled. Password enforcement at initial set up shows the manufacturer takes cybersecurity seriously, and a built-in firewall can eliminate loopholes.
Aside from technological vulnerabilities, humans are the biggest cause of security breaches. Edge devices should offer easy ways to manage user access rights, including the support of Microsoft Active Directory, ensuring that only authorised users have access to data.
This is critical given that humans are the main cause for online breaches (85 per cent), far exceeding issues such as unpatched software (10 per cent), and a lack of security software (5 per cent). In order to limit security issues from human error, users require full and flexible control over who has access rights to sensitive security data .
In this era of hyper-connected devices, data security becomes a community effort. Cameras can be factory-loaded with digital certificates used for authentication and encryption. Alternatively, customer-specific certificates can be used via the set-up of a Public Key Infrastructure for the management of digital certificates.
Looking ahead, IoT deployments are driving the evolution of security cameras from mere image capturing devices into sources of vital business data with applications beyond the realm of security. In the process, the data collected by cameras is bound to become increasingly relevant and in need of data protection.
Supporting this development, the latest ‘i’ cameras developed by Bosch operate on platforms that offer built-in video analytics to interpret data together with the latest data security measures to protect this information.
The ability to interpret video metadata directly at the source also helps to keep data secure, since based on pre-defined criteria it can be decided whether certain sensitive information needs to be transmitted or stored at all.