Be wary about using your camera’s remote access features
Many IP cameras provide a web interface that can be accessed
remotely over the Internet. However, these all require you to
open up ports in your router or enable plug and play features.
Be very careful before doing this, so that you do not inadvertently
give anyone free access to your local network. Also, do you
trust your router firmware and camera firmware
to have plugged all their potential security holes?
A broadband router normally serves as a useful barrier to prevent
access from anyone on the Internet to your local network.
Devices on your side of the router are effectively invisible
to the outside world. Provided that you do not download any viruses
or activate any online malware, you are in control of the Internet
traffic. Opening a port on your router provides an access point
from the outside world to your device but also opens up a chink
in the armour. Normally, if done correctly and the device firmware
has no security holes, this is fine. However, all too often,
in a flailing attempt to get results, settings are tried and re-tried,
more ports are opened, firewalls are disabled and so on until
something works. Then, with the euphoria of success,
the whole system is left as is and in a vulnerable state.
Such results are plain to see. There is an Internet search
engine dedicated to locating compromised routers, cameras and
devices:
Shodan.
It's incredible how many routers, cameras and devices are exposed
and left vulnerable with the default system administrator passwords.
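The state left behind by trial-and-error port opening, as described above, can be caught by reviewing the router's port-forward table once everything works. The following is an added example, not part of the original page or the Camac service. The rule format, the addresses and the MAX_RANGE threshold are constructed assumptions.

```python
# Added example: audit a router's port-forward table for leftovers from
# trial-and-error setup. The rule format below is constructed for illustration.
from dataclasses import dataclass

# Ports whose usual services carry data and logins unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 554: "RTSP"}
MAX_RANGE = 10  # assumption: a single camera never needs more ports than this

@dataclass
class Forward:
    ext_start: int      # first external port
    ext_end: int        # last external port (same as start for one port)
    internal_ip: str    # LAN device receiving the traffic
    source: str         # "manual", "upnp" or "dmz"

def audit(rules, intended_ip):
    """Return a list of (rule, reason) findings for rules worth reviewing."""
    findings = []
    for r in rules:
        width = r.ext_end - r.ext_start + 1
        if r.source == "dmz":
            findings.append((r, "DMZ host: every port is forwarded to this device"))
            continue
        if r.source == "upnp":
            findings.append((r, "mapping created automatically via plug and play"))
        if r.internal_ip != intended_ip:
            findings.append((r, "forwards to a device other than the camera"))
        if width > MAX_RANGE:
            findings.append((r, f"range of {width} ports is wider than needed"))
        for port, name in CLEARTEXT_PORTS.items():
            if r.ext_start <= port <= r.ext_end:
                findings.append((r, f"exposes {name} (port {port}) without encryption"))
    return findings

# Constructed sample table: the state a router might be left in.
SAMPLE = [
    Forward(8443, 8443, "192.168.1.50", "manual"),   # the one intended rule
    Forward(80, 80, "192.168.1.50", "manual"),       # left over from testing
    Forward(1, 65535, "192.168.1.50", "dmz"),        # "until something works"
    Forward(5000, 5100, "192.168.1.20", "upnp"),     # opened by another device
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE, intended_ip="192.168.1.50"):
        print(f"{rule.ext_start}-{rule.ext_end} -> {rule.internal_ip}: {reason}")
```

Every rule that appears in the findings is a candidate for removal; only the single intended forward should remain.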
Even if you have managed to open and NAT just the correct ports
to the correct device, can you be sure that your camera firmware
is secure? It is probably OK if you have a well-designed device from
a reputable manufacturer rather than a cheap clone device. However,
even big names like Canon can get it wrong:
Canon Printer Hack.
In this case, the researcher just converted the printer
firmware to run the retro Doom video game, but imagine if a malicious person
had installed a program to sniff sensitive account details,
steal passwords or provide a back door direct into your network.
Security flaws keep on turning up. ShellShock is the name given
to the recently discovered security flaw that has existed for 25 years in
Unix systems that run the Bash command line interpreter.
This includes many servers, Macs and embedded
devices such as routers, NAS appliances, DVRs etc.
ShellShock
Camac has given considerable thought to data security. All
communications with the web server use a 128-bit AES HTTPS
encrypted connection. The FTP server also supports FTPS-TLS
(Transport Layer Security) so that all your camera data is
also encrypted. Cheaper and older IP cameras often do not
support FTPS. In this case images will be sent over the Internet
unencrypted. This is similar to sending a postcard in the
mail: most people won't have access to the data and those that
do more than likely won't be interested.
However, if you are
stuck with such a camera, NEVER use a password that you share
with other login accounts.
This would be a prime target for an eavesdropper.
Since the initial Camac login details and any reset passwords are
emailed out, you are advised to log in and use the account
settings screen to change the passwords to values of your own choice.
Internally, Camac stores a salted, encrypted hash of the
passwords, so it has no record of the original passwords and cannot reconstitute them.
This provides extra security should the database ever become
compromised.
In summary, the only 100% secure way to avoid vulnerabilities
is to never connect to the outside world and leave your computer
turned off! However, to do so would miss out on the whole point
of the Internet age. At least by using the Camac service
you expose yourself to no more risk than plain Internet browsing.