IP Cameras. Securing your installation.

Be wary about using your camera’s remote access features

Many IP cameras provide a web interface that can be accessed remotely over the Internet. However, these all require you to open up ports in your router or enable plug and play features. Be very careful before doing this to ensure that you do not inadvertently allow free access to your local network for anyone. Also, do you trust your router firmware and camera firmware to have plugged all their potential security holes?

A broadband router normally serves as a useful barrier to prevent access from anyone on the Internet to your local network. Devices on your side of the router are effectively invisible to the outside world. Provided that you do not download any viruses or activate any online malware, you are in control of the Internet traffic. Opening a port on your router provides an access point from the outside world to your device but also opens up a chink in the armour. Normally, if done correctly and the device firmware has no security holes, this is fine. However, all too often, in a flailing attempt to get results, settings are tried and re-tried, more ports are opened, firewalls are disabled and so on until something works. Then, with the euphoria of success, the whole system is left as is and in a vulnerable state. Such results are plain to see. There is an Internet search engine dedicated to locating compromised routers, cameras and devices: Shodan. It's incredible how many routers, cameras and devices are exposed and left vulnerable with the default system administrator passwords.

Even if you have managed to open and NAT just the correct ports to the correct device, can you be sure that your camera firmware is secure? It is probably OK if you have a well-designed device from a reputable manufacturer rather than a cheap clone device. However, even big names like Canon can get it wrong, as the Canon Printer Hack shows. In this case, the researcher just converted the printer firmware to run the retro Doom video game, but imagine if a malicious person had installed a program to sniff sensitive account details, steal passwords or provide a back door direct into your network.

Security flaws keep on turning up. ShellShock is the name given to the recent security flaw that has existed for 25 years in Unix systems that run the Bash command-line interpreter. This includes many servers, Macs and embedded devices such as routers, NAS appliances, DVRs, etc.

Camac has given considerable thought to data security. All communications with the Web Server use a 128-bit AES-encrypted HTTPS connection. The FTP server also supports FTPS-TLS (Transport Layer Security) so that all your camera data is also encrypted. Cheaper and older IP cameras often do not support FTPS. In this case images will be sent over the Internet unencrypted. This is similar to sending a postcard in the mail: most people won't have access to the data and those that do more than likely won't be interested. However, if you are stuck with such a camera, NEVER use a password that you share with other login accounts. This would be a prime target for an eavesdropper.

Since the initial Camac login details and any reset passwords are emailed out, you are advised to log in and use the account settings screen to change the passwords to values of your own choice. Internally, Camac stores a salted, encrypted hash of the passwords, so it has no record of the original passwords and cannot reconstitute them. This provides extra security should the database ever become compromised.
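To illustrate what storing a salted hash means in practice, here is an added example (not Camac's own code; the page does not say which algorithm Camac uses, so PBKDF2-HMAC-SHA256, the iteration count and the function names are assumptions). It shows that two accounts with the same password get different stored records, and that a login is checked without the password itself ever being stored.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; they are not taken from the Camac service.
ITERATIONS = 600_000
SALT_LEN = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Return what the database stores: a fresh random salt and the derived hash."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def unsalted(password: str) -> str:
    """Weak contrast case: a plain unsalted hash, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    shared = "correct horse battery"
    alice, bob = make_record(shared), make_record(shared)

    # With a salt, a leaked database does not reveal that the passwords match.
    print("salted records differ :", alice["hash"] != bob["hash"])
    # Without a salt, one cracked hash exposes every account using that password.
    print("unsalted hashes match :", unsalted(shared) == unsalted(shared))

    print("correct login accepted:", verify(shared, alice))
    print("wrong login rejected  :", not verify("guess", alice))
    print("record as stored      :", alice)
```

The stored record holds only the salt and the hash, which is why a forgotten password has to be reset rather than looked up.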

In summary, the only 100% secure way to avoid vulnerabilities is to never connect to the outside world and leave your computer turned off! However, to do so would miss out on the whole point of the Internet age. At least by using the Camac service you expose yourself to no more risk than plain Internet browsing.
