Security Business

JUN 2018

Find news and information for the executive corporate security director, CSO, facility manager and assets protection manager on issues of policy, products, incidents, risk management, threat assessments and preparedness.


A$$igning $afe Cam3r@ Pa$$w0rd$

A look at technological advances to solve the problem of weak IP camera passwords

Tech Trends

BY RAY COULOMBE

Security Dealer & Integrator / June 2018

Much has been written about the provisioning of safe passwords. In our industry especially, security cameras can be particularly vulnerable in this regard – as default, weak and reused passwords are common, as well as passwords transmitted in the clear, with no encryption.

Back in Oct. 2016, we experienced the Mirai botnet malware, which leveraged the use of weak credentials, particularly passwords. Then came Persirai, which can exploit a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Satori malware infected 280,000 devices in 12 hours. Now, Okiru malware has the potential to reach billions of IoT devices.

If your company does not have a secure password provisioning strategy, what are you waiting for? The Huns are massing at the border, and the attacks have begun. It is time to be proactive.

Camera Password Provisioning Strategies

I recently attended Axis Communications' annual A&S Summit in the Bahamas and learned about a new approach to the weak password epidemic – the KeyScaler product from a company called Device Authority, which demonstrated it on Axis cameras via the AXIS Camera Application Platform (ACAP), an open application platform that enables members of its development partner program to develop applications that can be downloaded and installed on Axis network cameras and video encoders.

KeyScaler has two provisioning elements – certificates and passwords – that are provided for in the Axis application. Here's how it works:

• From the Axis Device Manager Utility, the Device Authority agent is loaded onto the camera – typically done by an authorized integrator or perhaps a distributor.

• The agent connects to a KeyScaler server for secure device registration, creating a device whitelist and authorizing specific cameras for registration into the system. The server also enforces established policies for changing certificates and passwords.

• A unique certificate, signed by the certificate authority, is delivered to the camera and stored as an encrypted file on persistent storage. It is used to authenticate the camera to third-party applications, such as a Milestone VMS.

• Default passwords for the Root and user accounts are changed and managed per the policy. Note that the passwords are not transmitted over the network or even stored in the camera; instead, the camera stores the "recipe" for creating the password. The initial recipe is based on certain device properties and settings at time of initial registration, and subsequent recipes use a different combination of elements. That is, every time the 44-character password is changed, the means for generating it also changes – which Device Authority calls Dynamic Device Key Generation.

There are several attractive elements of this process. Every camera has a strong, unique password that can be automatically updated per schedule or upon an event – such as a technician leaving the company – in a computationally unique way. There is no password stored on the camera (note that encrypted weak passwords can still be easily hacked via brute force attacks). Importantly, the whole process can be automated and scaled to an entire installation of supported cameras.

"Passwords are the weakest link – as you have the three-part problem of weak credentials to start with, storing passwords securely, and the sharing of potentially well-known passwords across an enterprise," explains Rao Cherukuri, Device Authority's CTO.

The KeyScaler platform also has built-in, automated integrity checks that can detect suspicious devices and prevent them from participating in the ecosystem by revoking their certificates and other credentials.

The provisioning of certificates tells the system that the device communicating to it is really the expected device and not an imposter.
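The "recipe" idea described above can be sketched in a few lines. This is an added example, not Device Authority's algorithm or code from the article: it derives a per-camera password from selected device properties and changes the selection on every rotation. Assumptions: the HMAC-SHA256 construction, the deployment key held by the provisioning side (properties alone would let anyone who learns the recipe recompute the password), and every name and sample value below.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample device properties (not real camera values).
ALL_FIELDS = ["serial", "mac", "model", "firmware"]
CAMERA_A = {"serial": "SERIAL-0001", "mac": "02:00:00:00:00:01",
            "model": "example-dome", "firmware": "1.0.0"}
CAMERA_B = dict(CAMERA_A, serial="SERIAL-0002", mac="02:00:00:00:00:02")


def derive_password(props, recipe, key):
    """Recompute the password from the recipe; only the recipe is stored."""
    picked = [[name, props[name]] for name in recipe["fields"]]
    # JSON gives an unambiguous encoding of version, salt and chosen fields.
    msg = json.dumps([recipe["version"], recipe["salt"], picked]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()  # 32 bytes -> 44 characters


def next_recipe(recipe, salt=None):
    """Rotate: a different combination of elements plus a fresh salt."""
    version = recipe["version"] + 1
    shift = version % len(ALL_FIELDS)
    rotated = ALL_FIELDS[shift:] + ALL_FIELDS[:shift]
    return {"version": version,
            "fields": tuple(rotated[:-1]),  # drop one element each round
            "salt": salt or secrets.token_hex(16)}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical per-deployment secret
    recipe = {"version": 1, "fields": ("serial", "mac"),
              "salt": secrets.token_hex(16)}
    for name, cam in (("A", CAMERA_A), ("B", CAMERA_B)):
        print(name, derive_password(cam, recipe, key))
    recipe = next_recipe(recipe)  # e.g. after a technician leaves
    print("rotated fields:", recipe["fields"])
    print("A", derive_password(CAMERA_A, recipe, key))
```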
