Widely reported news of a hack of up to 150,000 security cameras installed in schools, hospitals and businesses has again raised the issue of cybersecurity. Verkada cameras are reportedly used by Tesla, Cloudflare, Virgin Hyperloop and the manufacturer’s own offices, as well as a host of hospitals, police stations and prisons. The attack reportedly made use of a super admin account. When it was reported, the manufacturer disabled internal administrator accounts to prevent further unauthorised access.
Cyber attacks are a major issue for the video surveillance industry. The recent publicity about a security video solutions provider taking a casual attitude in terms of restricting access to end-users’ confidential information should serve as a reminder for all stakeholders in the video surveillance supply chain to work together to promote best practice.
Secure by Default
Whilst the majority of video cameras may not be installed for mission critical or high security purposes, there are many businesses and organisations which trust video surveillance systems to help protect their assets, people and property. In doing so, they should be able to expect their confidential data is kept safe from hackers. This is the reasoning behind the Secure by Default standard, which was introduced in 2019 by the UK’s Surveillance Camera Commissioner.
Hanwha Techwin was among the manufacturers invited to participate in the development of the Secure by Default standard, the objective of which was to ensure security surveillance-based products are secure by default, out of the box. This ensures higher levels of cybersecurity and actively increases protection for the network.
The standard sets out requirements for manufacturers in the video security industry, setting best practice in order to enshrine customers’ privacy rights, whilst also promoting compliance with data protection regulations, such as GDPR.
At its core, the standard ensures manufacturers adopt an approach which makes cybersecurity a fundamental feature of a video surveillance solution, with privacy and data protection being taken into account throughout the camera design process, and not just treated as an afterthought.
Essential elements of password protection
Having a good level of password protection protocols is a minimum starting point for establishing cybersecurity best practice. Whilst passwords need to be easy to implement, they should be secure. This means having minimum mandatory and auto-enforced standards, such as prohibiting the consecutive use of the same letter or number, encouraging the use of special characters, and use of a combination of letters and numbers. Such criteria should be designed into a device’s firmware to prevent the use of weak or insecure options. It is also critical that manufacturers do not supply products with pre-configured weak passwords where the user is not required to make changes. These are typically passwords which all have the same letters or numbers, or use a basic and easily guessable sequence.
The Secure by Default standard stipulates installers and integrators should be forced to change the manufacturer’s default password on boot up. The password change menu should include a strength indicator or a facility to reject weak passwords. Devices must not have hidden user accounts, sometimes added by manufacturers to simplify maintenance, and additionally hardcoded account passwords cannot be used. Finally, manufacturers must not be able to assist users recovering lost or forgotten device passwords.
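The password rules described above, sketched as a firmware-side check that the change-password menu would call on first boot; this is an added example, not code from the standard or from any manufacturer. The minimum length, the sequence threshold, the strength scale and all names are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Added example: thresholds and names are assumptions, not values from the standard. */
#define MIN_LEN 8       /* assumed minimum length */
#define MAX_SEQ_RUN 4   /* assumed: reject 4+ step-by-one characters, e.g. "1234" */

enum pw_result { PW_OK, PW_TOO_SHORT, PW_IS_DEFAULT, PW_NEEDS_LETTER_AND_DIGIT,
                 PW_REPEATED_CHAR, PW_SEQUENCE };

/* Returns PW_OK or the first rule violated. On PW_OK, *strength is 1 (acceptable)
 * to 3 (strong), which can drive the strength indicator on the menu. */
enum pw_result check_password(const char *pw, const char *factory_default, int *strength)
{
    size_t len = strlen(pw);
    int letters = 0, digits = 0, specials = 0, up = 1, down = 1;

    *strength = 0;
    if (len < MIN_LEN) return PW_TOO_SHORT;
    /* Forced change on boot: the manufacturer's default is never accepted. */
    if (strcmp(pw, factory_default) == 0) return PW_IS_DEFAULT;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        unsigned char prev = i ? (unsigned char)pw[i - 1] : 0;

        if (isalpha(c)) letters++;
        else if (isdigit(c)) digits++;
        else specials++;

        /* Repeat and sequence rules apply to letters and digits only. */
        if (!isalnum(c) || !isalnum(prev)) { up = down = 1; continue; }
        if (c == prev) return PW_REPEATED_CHAR;    /* "aa", "11" */
        up   = (c == prev + 1) ? up + 1 : 1;       /* "abcd", "1234" */
        down = (c + 1 == prev) ? down + 1 : 1;     /* "dcba", "4321" */
        if (up >= MAX_SEQ_RUN || down >= MAX_SEQ_RUN) return PW_SEQUENCE;
    }
    /* Mandatory: a combination of letters and numbers. */
    if (letters == 0 || digits == 0) return PW_NEEDS_LETTER_AND_DIGIT;

    /* Special characters are encouraged rather than required, so they only raise the score. */
    *strength = 1 + (specials > 0) + (len >= 12);
    return PW_OK;
}
```
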
While it must be accepted no manufacturer can offer 100 per cent guarantees on cybersecurity, it is critical that consultants, system designers and system integrators only work with manufacturers who support the objectives of the Secure by Default standard, and can demonstrate they fully understand the importance of keeping end-user clients’ data safe by doing their utmost to counter the risk of a cyber attack. This will include those who have removed any ‘back doors’ which might have originally been created to give engineers easy access to a device. Such features can also provide opportunities for hackers.
It is also important to seek manufacturers who recognise the importance of being open and honest with customers when new cybersecurity threats are identified, and are able to move quickly to update firmware to combat them. Hanwha Techwin’s Security Computer Engineering Response Team (S-CERT) is focused on addressing any potential security vulnerabilities in the Wisenet product and solution range. Members of the team have been hand-picked for their expertise in identifying, analysing and responding to cyber threats with effective countermeasures.
It is also wise to look for manufacturers who use third-party testing agencies to evaluate their products against the latest methods of hacking, as well as offering training to installers and systems integrators which covers the importance of configuring cybersecurity features as an essential part of the commissioning process for cameras and recording devices.
The ability for businesses and organisations, as well as homeowners, to view live or recorded video from any network-connected device has revolutionised how property or assets are protected. However, it has also resulted in data protection becoming a significant issue for the video surveillance sector.
The good news for end-users, and all involved in the supply chain, is that there is no shortage of professional and socially responsible manufacturers whose products meet the Secure by Default standard by being designed with data protection in mind.