In 2006, there were a mere two billion connected devices worldwide. By 2020, that number is projected to top 200 billion, according to Intel. That’s more than 25 devices for every person on Earth based on population forecasts. Cisco is more conservative, pegging the number at closer to 50 billion, which is still staggering.

As a result of the rapidly expanding number of potential entry points for attackers, Juniper Research expects the cost of cybercrime to businesses will reach $2 trillion globally by 2019. At the same time, total cyber security spending from 2017 to 2021 is forecast to top $1 trillion, according to Cybersecurity Ventures. Yes, that’s trillion — with a T.

IP cameras are particularly susceptible, says Jeff Whitney, vice president of marketing, Arecont Vision, Glendale, Calif., because many models were not designed to address this type of challenge, making them easy to hack or be used to do things users don’t intend to happen.

“When the shift came to IP cameras from legacy analog devices, most vendors moved versions of their existing architectures from analog to IP cameras, without considering the potential long-term impact on the organization,” he says. “The network is no longer exclusively for the surveillance, access control, and other physical security systems. Instead, it may be a segment of the overall corporate network or part of the corporate network directly, and as such any device that becomes infected — including security cameras — can become a propagator or vehicle for cyber attacks on other platforms and networks.”

The main reason for this is the common operating systems — in many cases, Linux — employed by many cameras and DVRs. This simplifies the process of adding features, shortens time-to-market, reduces manufacturers’ costs, and lowers purchase prices for end users.

“Today, however, we now know that this approach can also expose the device to cyber weaknesses or exploits. Malware, worms and hackers use these exploits in their attacks,” Whitney explains.

“It’s been well known in the cyber security world for years that if you take a Windows XP machine and connect it to the Internet, it will get hacked into within minutes,” says Chuck Davis, director of cybersecurity for North America, Hikvision USA, City of Industry, Calif. “It’s not somebody sitting in their basement who all of a sudden gets an alert. It’s that there are automated programs or scanners constantly scanning the Internet looking for these devices, every single IP address on the Internet. When it finds something, it tries to compromise it or hack into it.”

Therefore, any device that is connected to the Internet must have a proper firewall and access control in front of it.

“Putting anything on the Internet needs to be done with extreme caution and responsibility. That’s why we need strong authentication so that when one of these scanners finds a device, it can’t compromise it unless it knows the password and can authenticate,” Davis says.

Once breached, cameras can be used to launch attacks on other devices or networks in an effort to collect valuable data stored within other systems.

Some of the incidents Alessandro Araldi, vice president of global product management, Honeywell Security and Fire, Melville, N.Y., has seen using video cameras have been among the largest cyber security breaches, where someone used cameras and recorders as a way to get into a corporation as a whole.

“It’s not just getting hold of the video data, but it’s using these devices as a Trojan horse into a corporation to then get to other servers in the network and other data in the network,” he says.

And in the age of the Internet of Things (IoT), no one wants to be the one who enabled potentially significant damage resulting from a breach.

“Any device that doesn’t have a high level of security is potentially the weakest link in the ecosystem and we’re doing everything we can to make sure we’re not the weakest link,” says Ryan Zatolokin, chief technologist, Axis Communications, Chelmsford, Mass.

In addition to the well-publicized Mirai malware attack that in 2016 turned millions of IP cameras into bots used to attack a number of high-profile websites in some of the largest distributed denial of service (DDoS) attacks, there have been other examples of large numbers of IP cameras being breached.

Whitney points to a high-profile incident that saw a ransomware attack infect 70 percent of the Washington, D.C., police department’s video cameras citywide just prior to the inauguration of President Donald Trump. A total of 123 of 187 NVRs had their data encrypted, and the content could only be accessed if a ransom was paid to those behind a cyber attack. Luckily, the city was able to resolve the problem without paying ransom by taking all devices offline, removing all software and restarting the system at each site — a costly endeavor.

“Whether cameras were purposely put on the Internet or if someone accidentally port forwarded or left it open, there have been so many cases like that,” says Aaron Saks, technical manager, Hanwha Techwin America, Ridgefield Park, N.J. “Nowadays, more people are saying they don’t need remote access and if they do, they’re going to use VPN or other technologies. They’re not just going to open these up to the Internet because there are so many different search engines out there that are designed to specifically find these IoT devices.”

Basically, the industry is trying to catch up to where the IT world has been for a while. As the industry has moved to IP, cyber security has taken on greater importance, says Sean Murphy, director of regional marketing – video systems, Bosch Security, Fairport, N.Y.

“As an industry, everybody’s becoming self-aware and trying to take action to make that a reality. It’s not reinventing the wheel, it’s just using a new wheel or even a wheel that was invented two or three generations ago,” he says. “I don’t think anyone in the industry takes it for granted anymore especially with the attacks that have happened.”

Balance

Cyber security best practices have to walk the line between reasonable protection while maintaining ease of use and accessibility. Today’s video systems are by design more accessible, which introduces greater potential for misuse.

“That’s the fundamental problem we’re facing that we didn’t face before. When it was a true closed circuit TV system, it meant that whoever had physical access to the cameras could be the one who watched it and that was the limit of it,” Murphy says. “Now that we’re wanting to do things like view cameras from across the world on various types of devices, keeping that information only available to the people you want to have access to it is much more complicated.”

Therefore, cyber security must be a complete approach that comprises factors beyond what may be considered “cyber.”

“A strong cyber security program needs to take into account all things which affect an IP camera, from software to network infrastructure, from installation to proper ventilation and from keeping the camera software up-to-date to performing regular hardware maintenance,” says James Hoang, integrations manager, Speco Technologies, Amityville, N.Y.

Passwords

The most important action, which can go a long way toward preventing breaches or compromises, is also a simple one: change default passwords and settings. Surprisingly, this step is all too often not completed.

“The number of IP cameras that remain on default settings is estimated to be in the hundreds of thousands, and websites listing these default settings and passwords are easily found,” says Alan Wang, systems engineering manager/Edison expert L2, Pelco, Clovis, Calif.

As rudimentary as it may sound, just getting a product installed with a strong password is absolutely required.

With Bosch’s latest firmware, creating passwords is no longer optional. Once a camera is activated, it must be assigned a password.

“For some of our customer base and installer base, it does make it a bit more difficult because depending on how they roll out the cameras, the first turn-on is not the point where they would prefer to put passwords in, but we thought it was absolutely necessary to be more ethically responsible and at least forcing that minimum level of protection,” Murphy says.

Simply having a password, though, isn’t enough. Those passwords have to be strong enough to withstand attempts to guess them, which is yet another task hackers are handling with automation.

“No device should be given access to the network without having a user ID and a 16-digit ASCII password, enabled after the device has been configured for use by the installer and turned over to the customer,” Whitney says.

Passwords can be made even stronger with multi-factor authentication, which is an area where today’s IoT devices are lacking. But something as simple as requiring the entering of a numeric code received via text message or through a smartphone app, in addition to a password, can strengthen cyber security significantly, Davis says.

“That’s multi-level authentication because you’re using one of a number of factors. One is something that you know, and that’s your password. Another factor would be what you have, which would be a token, that number generator,” he says. “A third factor could be what you are, which is biometrics — retinal scan, thumbprint. A fourth factor that we talk about is where you are. Since we have GPS in our phones and everything, there are authentication solutions where if I’m logging in to an email account from Denver, but two hours ago it looked like I was in Berlin, the logic should keep me from logging in a second time from a different geographic location.”

Updates & Patches

Another common way hackers and others gain access to IP cameras is through outdated firmware. There’s a reason why hackers target this potential entry point — because it’s often left open, practically inviting a breach.

“We really have to do better in patching, maintaining and keeping devices up-to-date because there are constantly vulnerabilities that are being found in all computing devices,” Davis says. “The manufacturer’s responsibility is to find out what those vulnerabilities are, patch them and release their firmware updates. The other piece is the person who owns those devices needs to be vigilant about making those updates too,” he says.

No device should be connected to the network that has not been verified as having the latest firmware from the manufacturer.

“Regular updates of IT devices are common, but security practitioners are not as familiar with performing frequent updates of cameras as they should be,” Whitney says. “This new practice needs to be enforced as a best practice. Cameras that can be updated through a planned, secure process remotely and with multiple units at a time will make this process easier and less complex for the security practitioner.”

Sadly, even the firmware updates designed to protect devices can become tools for determined hackers, says Saks of Hanwha Techwin America.

“Most of the time, they download and analyze firmware without ever having the camera, and they’re looking for vulnerabilities that they can then use. Then they use a search engine to find a camera and attack it,” he says.

Recognizing this, Hanwha and other manufacturers have taken steps to eliminate this potential problem. (See related article, “Securing IoT Devices,” at www.SDMmag.com/securing-iot-devices.)

“We’ve started encrypting all of our firmware for our products so we know the firmware hasn’t been tampered with and that someone can’t just download the firmware and extract and analyze it,” Saks says.