varascope

IP Based Security Systems not as safe or as great


I find irony in the fact that you purchase a security system to provide "security" but security is lacking in the design.

There are hundreds of reports of hacked IP cameras that range from Cisco, Foscam, D-Link, Mobotix, and the list goes on.

Hacks range from denial of service, malicious reboots and drive erasure to video or audio injection. For example, in injection attacks, alternate video or audio is sent in the stream. Your recorder/VMS then records movies, songs or the hacker's own audio. Imagine a bank being robbed, but when the police play back the video, they are watching a portion of the movie Heat.

I am sure you have come across proponents of IP security systems who believe there is nothing better. From my experience these individuals come from an IT background and not a SECURITY background. My opinion, from dealing with a large number of IT professionals, is that they have a narcissistic personality and think THEIR way is the best way. I have also found, and even had this admitted, that IT personnel are tired of recovering lost passwords, removing viruses and diagnosing technical issues; it is mundane, and taking on a new project that involves "something cool" is a breath of fresh air to them. I can't fault them, as I am certified in several IT disciplines and I know what they are talking about. But I have been in security first and foremost, and I see poor design and placement, trying to do something the right way but on the cheap, struggling to manage the system, and bandwidth issues, just to name a few.

The other problem is that management deems the security system to be technology, and therefore if you plug it in and it requires electricity, the IT department must know best. To most people, physical security is as easy as common sense. 80% of it, yes, but it is in the 20% that the details lie that could compromise security. What I have witnessed is ego getting in the way of correcting an issue and admitting your way is not always the best way.

One variable most noted: for years the security industry was pushing for real-time 24-30fps across all channels, for a reason. The best analogy is a photographer who just snaps away taking hundreds of photos. They then go back to the studio and sort through for the best ones: that celebrity's best moment or an athlete's most exciting frame. Ask yourself, do you want 30 chances or 7 chances to capture the perfect image? IP proponents will dismiss frame rate just so they can stick with IP because "It is IP and IP is the best technology and I have control over IP." Then there are those who will say their IP camera does 30fps (half truth). Of course it does, and my Porsche can do 132 MPH... when I am the only car on the road.

We lost an 88 camera installation for a facility where security had a high importance. The IT guy convinced management that IP was the best and "There can be only one!" The system turned out to be more expensive in more ways than one. Due to the 3MP cameras they had to scale the frame rate down to 6fps in order to stream and also maintain 30 days of storage. The cost of the equipment and infrastructure was over 27% more than our recommendation of HD-SDI. They have an estimated 4-6 incidents per month, with 2 court cases in a year's time that were thrown out for lack of evidence. There were not enough frames to accurately depict the incident. Sound familiar? How about the nanny arrested for shaking a baby, but it later turned out the frame rate made it appear that way? Ever make a flip book? Your final result will vary based upon the number of pages you put into it.

This facility then required the IT department to spend a great deal of time on the surveillance system itself. Translate man hours into money and the system cost continues. Roughly a year later they called back wanting a quote on another adjacent facility, and we told them we are not interested in being just another quote for quoting purposes. They said no, they really want us to do this one. The difference is notable: 4 monitors on the security department's desk, 3 with the IP system displaying 6fps and the other monitor with HD-SDI at 30fps. For those IP-only mindsets, the proof is apparent. Take away any knowledge of technology and anybody can clearly see which one is better.

If you could only fathom the variables that can cause things to go wrong with IP systems in comparison to direct connect systems, you would have to ask yourself if it is worth it. I think if I listed them all it would be a book. Look at the posts in this forum and notice the number of help requests for IP. Google IP camera hacks. The guy that had his camera hacked and, while viewing, the audio was replaced with "Every Breath You Take."

For those IT professionals who say "I have a secure network and nobody can hack us," you're a fool. You just haven't been hacked YET. Maybe you will be lucky, but in security luck is not a comforting thought.

Now that being said, IP does have a place, but you need to be sure you know what it is.

My challenge to you: submit posts on why you think IP is better for your organization; state the equipment used, the configuration, and the time spent to install and maintain.

----

I find irony in the fact that you purchase a security system to provide "security" but security is lacking in the design.

I am sure you have come across proponents of IP security systems who believe there is nothing better.

My challenge to you: submit posts on why you think IP is better for your organization; state the equipment used, the configuration, and the time spent to install and maintain.

Are you related to Todd Rockoff?

I am sure you know who he is.

----

First of all, your post comes off as the paranoid ravings of a Luddite who doesn't understand, and is deathly afraid of, the technology. But maybe my impression is incorrect; perhaps if you provided some verifiable facts to back up your claims you might be more convincing.

There are hundreds of reports of hacked IP cameras that range from Cisco, Foscam, D-Link, Mobotix, and the list goes on.

Hundreds? Really? OK, name 5. Provide verifiable citations.

We lost an 88 camera installation for a facility where security had a high importance. The IT guy convinced management that IP was the best and "There can be only one!" The system turned out to be more expensive in more ways than one. Due to the 3MP cameras they had to scale the frame rate down to 6fps in order to stream and also maintain 30 days of storage. The cost of the equipment and infrastructure was over 27% more than our recommendation of HD-SDI.

Your post reminds me of Aesop's fable about the Fox and the Grapes...

----

@ak357

That is another mistake in the industry. Saying one way is the only way is similar to extreme liberalism vs extreme conservatism. Just like Todd Rockoff is to the HDcctv Alliance, you could say John Honovich is to IP. My point is not to say IP is bad for every situation, but hearing news story after news story and the complaints, it does not belong on the pedestal most people put it on.

I do admit at least John tries to be upfront in calling out the BS in the IP marketplace, such as the Avigilon commercials and claims.

In security you should be able to use tools in the toolbox, not 1 tool for every job.

----
And I do have a few "tools" in the toolbox.

I do sell HD-SDI all the time; so far maybe 30 sets are sold.

In my opinion, for do-it-yourself and very small commercial jobs; for enterprise solutions, only IP.

By the way, have you ever "played" with Avigilon?

----

It is not a matter of paranoia, conspiracy theory or such. It is a matter of preparation. Without creating a book or commercial, how do you bring attention to this? With limited space I have to get to the point while expressing the seriousness.

I am not trying to create an attack but to educate. Instead of denying that vulnerabilities exist, we should be invoking conversations that say "Hey, I just found out that this is a problem."

IP cameras not being hacked is like saying no virus exists to hack Target credit card machines and yes, you can keep your current health care provider. It is like walking through the world with blinders. How can anyone call themselves a professional without seeing and understanding the CONS in any plan? It is all about research and trying to keep up with what is going on. IP is just that, Internet Protocol. Part of the IT world and susceptible to IT vulnerabilities. Have you ever heard the expression "The devil's greatest miracle is convincing people he does not exist"? I think you can find the relation if you believe IP systems are safe.


Here are more than 5.

1. TRENDnet: Last week, TRENDnet, a California-based maker of residential security cameras, announced that it has released a new IP camera firmware upgrade that neutralizes a recently discovered flaw that allowed Internet users to easily gain access to live footage without a password.

According to a statement issued by TRENDnet, the bug only affects camera models sold by the company since April 2010. So far, the company said that they have identified 18 cameras that may require the upgrade.

Side bar to the same story: "To confirm the security issue was real, PC Mag followed the instructions and was able to find two cameras showing video feeds: one of an office in Nashville and the other of a thermometer in Minneapolis."

2. Mobotix IP Camera Multiple Cross-Site Scripting Vulnerabilities

The Mobotix IP camera is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the device to properly sanitize user-supplied input.

An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Affected: Mobotix IP Camera M10 2.0.5.2, Mobotix IP Camera M1 1.9.4.7. Source: http://www.securityfocus.com/bid/18022/discuss

3. AXIS Camera. Source: http://www.securityfocus.com/bid/7652/info

A vulnerability has been discovered in various Axis Communications products. By making a request for a specially formatted URL, it may be possible for remote users to access the administrative configuration interface without being prompted for authentication.

4. Camtron: The CMNC-200 IP Camera ActiveX control identified by CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable to a stack overflow on the first argument of the connect method. The vulnerability can be used to set the EIP.

5. Hikvision: Multiple vulnerabilities have been found in Hikvision IP camera DS-2CD7153-E [1] (and potentially other cameras sharing the affected firmware [2]) that could allow a remote attacker:

1. [CVE-2013-4975] To obtain the admin password from a non-privileged user account.

2. [CVE-2013-4976] To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled).

3. [CVE-2013-4977] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler.

6. FOSCAM: Due to improper access restriction the FOSCAM FI8620 device [1] allows a remote attacker to browse and access arbitrary files from the directories '/tmpfs/' and '/log/' without requiring authentication. This could allow a remote attacker to obtain valuable information such as access credentials, Wi-Fi configuration and other sensitive information in plain text.

7. ZAVIO: Multiple vulnerabilities have been found in Zavio IP cameras based on firmware v1.6.03 and below, that could allow an unauthenticated remote attacker:

1. [CVE-2013-2567] to bypass user web interface authentication using hard-coded credentials.

2. [CVE-2013-2568] to execute arbitrary commands from the administration web interface. This flaw can also be used to obtain all credentials of registered users.

3. [CVE-2013-2569] to access the camera video stream.

4. [CVE-2013-2570] to execute arbitrary commands from the administration web interface (post authentication only).

8. In its simplest form, the hack, conducted with two free tools developed by researchers at Sipera Systems' Viper Lab, allows someone to intercept and copy video from IP surveillance cameras to spy on the secured premises. But it would also allow the hacker to replace a legitimate video stream with a bogus stream, permitting a thief or corporate spy to enter an office while the security guard sees only a still image of an empty room on his monitor. Source: http://www.wired.com/threatlevel/2009/07/video-hijack/

----
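Two of the advisories in the list above (Hikvision CVE-2013-4976 and Zavio CVE-2013-2567) are hard-coded credentials, and the Foscam item is credentials readable in plain text from the device's file system. The practical pre-deployment check for that class of bug is to unpack the vendor firmware image and search its root filesystem for baked-in secrets. The scanner below is an added example written for this page; it is not code from any of the advisories or vendors, and the small firmware tree it builds is constructed for the demonstration (file names and contents are made up, not taken from any real firmware).

```python
"""Scan an unpacked camera firmware root for baked-in credentials (added example)."""

import os
import re
import tempfile
from pathlib import Path

# Account lines in passwd/shadow: name:field:uid:gid:... (passwd) or
# name:field:lastchange:min:... (shadow). Group 2 is the password field.
ACCOUNT_LINE = re.compile(rb"^([A-Za-z0-9_][A-Za-z0-9_.-]*):([^:\n]*):\d+:\d+:", re.M)
# Password fields that mean "no hash stored here" rather than a usable hash.
LOCKED_FIELDS = {b"x", b"*", b"!", b"!!"}
# key=value / key: value pairs naming a secret, in text files or binary blobs.
# Control bytes end the value so a match inside an ELF string table stops cleanly.
CREDENTIAL_KV = re.compile(
    rb"(?i)(password|passwd|pass|pwd|secret|api[_-]?key)\s*[=:]\s*[\"']?([^\s\"'&\x00-\x1f\x7f]{3,})"
)
PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def scan_file(path: Path, root: Path) -> list:
    """Return (relative path, finding kind, detail) tuples for one file."""
    data = path.read_bytes()
    rel = str(path.relative_to(root))
    findings = []
    if path.name in ("passwd", "shadow"):
        for m in ACCOUNT_LINE.finditer(data):
            user, field = m.group(1).decode(), m.group(2)
            if field == b"":
                findings.append((rel, "empty-password", user))          # login with no password
            elif field not in LOCKED_FIELDS:
                findings.append((rel, "hashed-password-in-image", user))  # crackable offline
    for m in CREDENTIAL_KV.finditer(data):
        findings.append((rel, "plaintext-credential", m.group(1).decode().lower()))
    if PRIVATE_KEY.search(data):
        findings.append((rel, "embedded-private-key", path.name))       # same key on every unit
    return findings


def scan_rootfs(root: Path) -> list:
    """Walk an unpacked root filesystem and collect every finding, sorted for stable output."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                findings.extend(scan_file(p, root))
    return sorted(findings)


# Constructed sample image. The contents are invented for this example and
# do not come from any real vendor firmware.
SAMPLE_FILES = {
    "etc/passwd": b"root:$1$saltsalt$abcdefghijklmnopqrstu:0:0:root:/root:/bin/sh\n"
                  b"nobody:x:65534:65534:nobody:/:/bin/false\n",
    "etc/shadow": b"admin::16000:0:99999:7:::\n",
    "etc/web.conf": b"listen=80\npassword_required=true\nadmin_password = letmein\nrtsp_user=guest\n",
    "usr/bin/httpd": b"\x7fELF\x01\x01\x01\x00\x00login?user=admin&password=12345\x00version=1.2\x00",
    "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nKEYMATERIALKEYMATERIAL\n-----END RSA PRIVATE KEY-----\n",
}


def build_sample_rootfs(root: Path) -> None:
    """Write the constructed sample tree under root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_rootfs(root)
        return scan_rootfs(root)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:26} {rel:22} {detail}")
```

Unpack the vendor image first (for example with binwalk -e) and point scan_rootfs at the extracted root. A hashed-password-in-image or empty-password hit for an account the web UI never lets you change is exactly the hard-coded credential case in items 5 and 7 above, and an embedded private key means every unit shipped shares the same TLS identity. The patterns are deliberately broad, so expect to triage false positives; the sample shows one kind it already skips (the password_required=true flag in web.conf is not reported, only the admin_password value is).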

@ak357

Yes, I have played with Avigilon. I consider them in the Cadillac range of IP cameras and priced accordingly, per the last price sheet I saw last spring.

I do admit there are limited reports on Avigilon hacks, and the ones out there seem to be moderate in nature regarding the information they broadcast on the network.

Additional kudos goes to Avigilon for educating against attacks. I rarely see articles from a manufacturer so upfront and not hidden in the web as Avigilon's "5 Ways to Protect Your IP System."

Unfortunately in this industry we can't do a side by side camera install for a large installation to truly judge which one is better all around.

We do IP systems and they are a good money maker, but trying real hard to look objectively at the cost & risk, maybe I am missing something, but the information seems propaganda in nature. I know about a year ago Avigilon pulled a commercial after getting called out on the view their camera can get in real time, among other claims. http://ipvm.com/report/avigilon_ad_critique

And unfortunately the money spent on SEO can make anything look good or bad.

If you are an Avigilon aficionado, I have a project next quarter that you may be interested in.

----
Separate subnet and switch with port/MAC security will make you feel better.

Yes, that is part of it. Layer 3 switches, etc., etc. What if the camera has a firmware vulnerability?

Question: Would you personally put up a $100k guarantee if they follow your recommendations? How about $10k? Would you create an ad right now with that claim?

----
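The Wired item in the list above describes substituting a bogus feed for the live one from a position on the same LAN (the injection attack the opening post warns about), and the counter offered here is switch port/MAC security. A common way an attacker gets in-path on a flat camera segment is ARP spoofing; that is an assumption about the mechanism, since the excerpt does not say which technique the Viper Lab tools use. The switch-side controls that prevent it are port security and dynamic ARP inspection; what follows is the detective counterpart. The code below is an added example, not code from the thread or from any vendor: a passive sensor on the camera VLAN records the IP-to-MAC bindings it sees in ARP replies and alerts when a binding for a protected host (NVR, gateway) changes, or when one MAC starts answering for several addresses. The ARP replies are constructed sample data.

```python
"""Passive detection of ARP-based stream hijacking on a camera VLAN (added example)."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One 'is-at' ARP reply as a sensor port on the camera segment would see it."""
    ts: float
    sender_ip: str
    sender_mac: str


def detect_arp_spoofing(replies, protected_ips, max_ips_per_mac=2):
    """Flag IP->MAC rebinding and one MAC answering for too many IPs.

    Returns (ts, severity, message) tuples in the order they were raised.
    A rebinding of a protected host is 'high', any other rebinding 'medium',
    and a MAC claiming more than max_ips_per_mac addresses is reported once.
    """
    binding = {}                     # ip -> mac currently believed
    ips_by_mac = defaultdict(set)    # mac -> every ip it has claimed
    reported_macs = set()
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()   # normalise case so DE:AD == de:ad
        prev = binding.get(r.sender_ip)
        if prev is not None and prev != mac:
            sev = "high" if r.sender_ip in protected_ips else "medium"
            alerts.append((r.ts, sev, f"{r.sender_ip} moved from {prev} to {mac}"))
        binding[r.sender_ip] = mac
        ips_by_mac[mac].add(r.sender_ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append((r.ts, "medium",
                           f"{mac} claims {len(ips_by_mac[mac])} addresses: {sorted(ips_by_mac[mac])}"))
    return alerts


def sample_replies():
    """Constructed traffic: normal learning, then one host poisoning NVR, camera and gateway."""
    return [
        ArpReply(0.0, "10.20.0.1", "00:11:22:33:44:01"),    # gateway (assumed address)
        ArpReply(0.5, "10.20.1.10", "00:11:22:33:44:10"),   # NVR (assumed address)
        ArpReply(1.0, "10.20.0.5", "00:11:22:33:44:05"),    # a camera
        ArpReply(1.5, "10.20.0.1", "00:11:22:33:44:01"),    # gateway again, unchanged: no alert
        ArpReply(10.0, "10.20.1.10", "de:ad:be:ef:00:01"),  # attacker claims the NVR
        ArpReply(10.1, "10.20.0.5", "de:ad:be:ef:00:01"),   # attacker claims the camera
        ArpReply(10.2, "10.20.0.1", "DE:AD:BE:EF:00:01"),   # attacker claims the gateway
    ]


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_spoofing(sample_replies(), {"10.20.1.10", "10.20.0.1"}):
        print(f"t={ts:5.1f} {sev:6} {msg}")
```

Feed it from a span port or a sensor on the camera VLAN, with the NVR and default gateway in protected_ips. Legitimate rebindings do happen (a replaced camera, a DHCP lease moving to another box), so treat medium alerts as review items and high ones as an immediate check of the switch's MAC table; the max_ips_per_mac threshold needs raising on segments where a router legitimately answers for several addresses.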

The issue you pose about hacking into IP cameras is only applicable if you open ports to an outside network. If you are paranoid about that, you can keep the network closed and internal, or set up a VPN. The hacks you post are camera hacks, and only those cameras that are port forwarded are exposed. Again, don't port forward the cameras themselves; use a software-based NVR that is frequently updated. Finally, any SDI/analog system that streams to the net has the same exposure as IP-based systems.

----
+1

It always amazes me who in their right mind would open a port directly to a camera.

----

@Boogieman

Of course closing the network is another part, and it works for most companies. The issue is the good majority of customers who want to view remotely and on their smartphones.

1. You have the completely closed system, ideal. Hacking may be solved, but what about the frame rate at 2MP with 88 cameras on the network? Can you get 24-30fps? Is this mathematically possible?

2. The port forwarded system. Not so secure.

3. The homeowner setting up for their own use? Does the average homeowner have the capacity to easily set up IP correctly?

"any sdi/analog system streams to the net has the same exposure as ip based systems." True, but as an example of an embedded system, with one point of access and Linux (not 100% perfect, but fewer hack attempts/viruses than a Windows-based platform), the risk does drop. It is not a matter of 100%, because nothing is, but of risk exposure.

Now getting to firewalls and port forwarding. This thinking assumes "All attacks are from the outside." Most viruses and exploitations on the network originate from authorized traffic or from the inside.

Example: Susy the receptionist has her child's birthday party over the weekend and she downloads pictures onto her USB stick. Her home computer has an infection. She brings it in to work to show her friends. She successfully bypassed the firewall since it is local. Now you say anti-virus should catch it. Anti-virus definitions are created AFTER enough complaints are reported. How do you create a definition for something that is not known yet?

Back chatter on the Target virus was that it was executed from the inside unintentionally and was a sleeper virus. There is also news about Cisco phones being hacked, allowing listening in.

Also, this post is not 100% about hack attacks but IP concerns in general.

----
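The question in item 1 of the post above (88 cameras at 2MP, can you get 24-30fps, is it mathematically possible) and the earlier story of 3MP cameras cut to 6fps to keep 30 days of storage are the same calculation: a bandwidth budget on the wire and a storage budget on the disks. The calculator below is an added example, not figures from either deployment in the thread. The 0.1 bits per pixel per frame H.264 yield, the 1 Gbit/s NVR uplink, the 70% usable-headroom factor and the 50 TB disk budget are assumptions chosen for illustration; substitute the bitrate table for your own cameras.

```python
"""Bandwidth and storage budget for an IP camera deployment (added example)."""

from dataclasses import dataclass

# Assumed average H.264 yield in bits per pixel per frame. Illustrative only:
# real figures depend on scene motion, lighting, GOP length and quality setting.
BITS_PER_PIXEL_PER_FRAME = 0.1
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class CameraProfile:
    megapixels: float
    fps: float

    def bitrate_mbps(self) -> float:
        """Stream bitrate of one camera in Mbit/s."""
        bits_per_second = self.megapixels * 1e6 * BITS_PER_PIXEL_PER_FRAME * self.fps
        return bits_per_second / 1e6


def aggregate_mbps(profile: CameraProfile, cameras: int) -> float:
    """Total traffic the NVR uplink and the switch backplane must carry."""
    return profile.bitrate_mbps() * cameras


def storage_tb(profile: CameraProfile, cameras: int, days: int) -> float:
    """Disk needed to retain continuous recording for `days` (decimal TB)."""
    bits = aggregate_mbps(profile, cameras) * 1e6 * SECONDS_PER_DAY * days
    return bits / 8 / 1e12


def max_fps_for_uplink(megapixels: float, cameras: int, uplink_mbps: float,
                       headroom: float = 0.7) -> float:
    """Highest per-camera frame rate the NVR uplink sustains, keeping 30% spare."""
    per_camera_bps = uplink_mbps * headroom * 1e6 / cameras
    return per_camera_bps / (megapixels * 1e6 * BITS_PER_PIXEL_PER_FRAME)


def max_fps_for_storage(megapixels: float, cameras: int, days: int,
                        storage_budget_tb: float) -> float:
    """Highest per-camera frame rate that still fits `days` of retention on disk."""
    total_bps = storage_budget_tb * 1e12 * 8 / (SECONDS_PER_DAY * days)
    per_camera_bps = total_bps / cameras
    return per_camera_bps / (megapixels * 1e6 * BITS_PER_PIXEL_PER_FRAME)


def budget_report(megapixels: float, cameras: int, days: int,
                  uplink_mbps: float, storage_budget_tb: float) -> dict:
    """Say where the frame rate actually gets capped: the wire or the disks."""
    uplink_fps = max_fps_for_uplink(megapixels, cameras, uplink_mbps)
    disk_fps = max_fps_for_storage(megapixels, cameras, days, storage_budget_tb)
    return {
        "uplink_limited_fps": round(uplink_fps, 1),
        "storage_limited_fps": round(disk_fps, 1),
        "binding_constraint": "storage" if disk_fps < uplink_fps else "uplink",
    }


if __name__ == "__main__":
    full_rate = CameraProfile(megapixels=2, fps=30)
    print(f"88 x 2MP @ 30fps: {aggregate_mbps(full_rate, 88):.0f} Mbit/s on the uplink, "
          f"{storage_tb(full_rate, 88, 30):.0f} TB for 30 days")
    print(budget_report(megapixels=2, cameras=88, days=30,
                        uplink_mbps=1000, storage_budget_tb=50))
```

With these assumptions the wire is not the limit (about 40 fps per camera fits a gigabit uplink with headroom) but the disks are: 30 days of 88 full-rate 2MP streams is roughly 171 TB, and a 50 TB array caps the deployment near 9 fps. That is the same shape of trade-off the thread describes, and running the numbers this way makes it visible before purchase rather than after.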
@Boogieman

 

Of course closing the network is another part and works for most companies. The issue is the good majority of customer that want to view remotely and on their smart phones.

 

1. You have the completely closed system, ideal. Hacking maybe solved, what about the frame rate at 2MP with 88 cameras on the network. Can you get 24-30fps? Is this mathematically possible?

2. The port forwarded system. Not so secure

3. The home owner setting up for their use? Does the average homeowner have the capacity to easily set up an IP correctly?

 

"any sdi/analog system streams to the net has the same exposure as ip based systems." True but as an example of an embedded system, one point of access Linux not 100% perfect but less hack attempts/viruses than Windows based platform, the risk does drop. It is not a matter of 100% because nothing is but the risk exposure.

 

Now getting to firewalls and port forwarding. This thinking is assuming "All attacks are from the outside." Most viruses and exploitations on the network originate from authorized traffic or from the inside.

 

Example: Susy the receptionist has her child birthday party over the weekend and she downloads pictures on to her USB stick. Her home computer has an infection. She brings it in to work to show her friends. She successfully bi-passed the firewall since it is local. Now you say, Anti-Virus should catch it. Anti-Virus definitions are created AFTER enough complaints are reported. How do you create a definition for something that is not known yet?

 

Back chatter on the Target virus was that is was executed from the inside unintentionally and was a sleeper viruses. There is also news about Cisco phones being hacked allowing listening in.

 

Also this post is not 100% about hack attacks but IP concerns in general.

1) I don't know about the frame rates because I have never done an 88 camera install. But with the proper hardware this should not be an issue.

2) I disagree about the Linux-based NVR being more secure than Windows. The reason is simply that the manufacturers update firmware very rarely. A Windows-based machine updated regularly will be fine.

3) Suzy the receptionist is not plugging her USB drive into the dedicated NVR server... there is a built-in firewall and it's on a separate network.

----
Who cares about cameras?

Every day thousands of computers are being hacked and used to launch attacks all over the world.

----

I find irony in the fact that you bought a gun to feel more secure, but you kept it loaded in your night table only to have it stolen by a burglar who shot you with it when you returned home to find him rummaging through your house. Does that mean that guns are bad? No, it does not. Does that mean that you are stupid? Yes, it most definitely does. Unfortunately, you were resuscitated at the hospital and now you will live to procreate and pollute the human genome. In the good ol' days people like you died, and the human race was far healthier as a result. This is what I call Q's Theorem on "The Subversion of Natural Selection by Modern Medical Technology." It's not a toaster. If you fail to secure your IP devices then you will suffer consequences; I believe the majority of us here know that.

----

Ok, for starters, that Mobotix vulnerability you posted was from 2006 and has LONG since been fixed.

Secondly, there are VERY few cases where 30fps is actually required. I run a majority of my cameras between 8 and 15 fps and the video is excellent. I have had 12 different cases go to court and not one of them was thrown out for bad video. Unless you are doing something in a casino, bank vault, or someplace with VERY fast movement, 30fps is just a waste of bandwidth.

Yes, it is true that a lot of the IP camera makers advertise 30 fps but don't tell you that it cannot be accomplished at maximum resolution unless you read the fine print, but car makers and pretty much anyone with a marketing department will do the same thing with their brands, so let's move on.

HD-SDI has its place, but if you follow even basic information security procedures (strong passwords, use of NAT/VPN, etc.) then you are no more vulnerable than anything else on the network.

----
What if the camera has a firmware vulnerability?

Irrelevant unless your cameras are directly connected to the Internet, which only an idiot would do. People with functioning brains put their IP cameras on a separate, dedicated network, isolated both from their other internal network(s) as well as the Internet using firewalls.

It should also be noted that, if you take an analog CCTV system and put your DVR on the Internet to allow remote viewing, your DVR is every bit as vulnerable to being hacked as an IP system's NVR. OTOH, if you put your NVR/DVR behind a firewall and only allow access to it from the Internet via a VPN, that's about as secure as remote access gets.

Bottom line, the premise of your original post is clearly false.

----

 

Are you related to Todd Rockoff?

I am sure you know who he is.

Alex, are you trying to imply that Todd is Jesus?

Surely the man has influence but...

S

----
I was sarcastic

----

If it's connected to the internet it can be hacked. Simple as that. So you have the same issues with any system, whether it be IP, analog or HD-SDI. Firewalls and VPNs won't do anything to stop a real hacker, so all you do is simply install a true CCTV system: a closed circuit system that exists by itself inside the facility. You say most companies want remote access? Small business and residential want remote access; large companies could care less. For example, at Costco they pay a Loss Prevention specialist around $40k a year to sit in front of the surveillance I installed and monitor everything. So who would need remote access to that, and out of a company that has 174k+ employees, who would they give the access to?

So yes, if a company is asking for a $100k security guarantee, tell them to call me. I'll give it to them and I'll walk in there and yank that cat5 cable out of the DVR/NVR and collect my check. Companies spending big bucks on large systems have employees they pay to sit there and monitor that system day in and day out, and they don't need remote access.

----
QFT!! Preach it!

----
I agree with everything you posted but the last part. Most large companies with multiple sites will have their cameras accessible from one central command center. The remote connections will be connected via VPN or leased fiber.
