Much has been written about the provisioning of safe passwords. In our industry especially, security cameras can be particularly vulnerable in this regard – as default, weak and reused passwords are common, as well as passwords transmitted in the clear, with no encryption.
Back in October 2016 we experienced the Mirai botnet malware, which leveraged the use of weak credentials, particularly passwords. Then came Persirai, which can exploit a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Satori malware infected 280,000 devices in 12 hours. Now, Okiru malware has the potential to reach billions of IoT devices.
If your company does not have a secure password provisioning strategy, what are you waiting for? The Huns are massing at the border, and the attacks have begun. It is time to start acting proactively.
Camera Password Provisioning Strategies
I recently attended Axis Communications’ annual A&S Summit in the Bahamas and learned about a new approach to the weak password epidemic – the KeyScaler product from a company called Device Authority, which demonstrated it on Axis cameras via the AXIS Camera Application Platform (ACAP). ACAP is an open application platform that enables members of the Axis development partner program to develop applications that can be downloaded and installed on Axis network cameras and video encoders.
KeyScaler has two significant provisioning elements – certificates and passwords. Both are provided for in the Axis application, and here’s how it works:
- From the Axis Device Manager Utility, the Device Authority agent is loaded onto the camera. This would typically be performed by an authorized integrator, or perhaps a distributor.
- The agent connects to a KeyScaler server for secure device registration. Registration control records create a device whitelist and authorize specific cameras for registration into the system. The server also enforces established policies for changing certificates and passwords.
- A unique certificate, signed by the certificate authority, is delivered to the camera and stored as an encrypted file on persistent storage. The certificate is used to authenticate the camera to third-party applications, such as a Milestone VMS.
- Default passwords for the Root and user accounts are changed and managed per the policy. Note that the passwords are not transmitted over the network or even stored in the camera; instead, the camera stores the “recipe” for creating the password. The initial recipe is based on certain device properties and settings at time of initial registration, and subsequent recipes use a different combination of elements. That is, every time the 44-character password is changed, the means for generating it is changed as well. Device Authority calls this process Dynamic Device Key Generation (DDKG).
There are several attractive elements of this process. Every camera has a strong, unique password. It can be automatically updated per schedule or upon an event – such as a technician leaving the company – in a computationally unique way. There is no password stored on the camera (note that encrypted weak passwords can still be easily hacked through brute-force attacks).
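The recipe idea described above can be sketched in a few lines. This is an added illustration, not Device Authority's DDKG algorithm (the article does not give its details) and not code from any vendor. The property names, the recipe fields, the fixed `serial` anchor and the choice of PBKDF2-HMAC-SHA256 are all assumptions.

```python
import base64
import hashlib
import secrets

# Constructed sample devices; property names and values are illustrative only.
CAMERA_A = {"serial": "SN-000001", "mac": "02:00:00:00:00:01",
            "firmware": "8.40.1", "model": "CAM-X", "install_id": "site-17"}
CAMERA_B = dict(CAMERA_A, serial="SN-000002", mac="02:00:00:00:00:02")

def new_recipe(properties, extra=2):
    """Build a recipe: which properties to combine, plus a random nonce.
    It holds no password material, only how to rebuild the password.
    Assumption: 'serial' is always included so the result is bound to one device."""
    others = sorted(name for name in properties if name != "serial")
    picked = secrets.SystemRandom().sample(others, extra)
    return {"fields": ["serial"] + sorted(picked),
            "nonce": secrets.token_hex(16),
            "iterations": 200_000}

def derive_password(properties, recipe):
    """Rebuild the password on demand from the device's current properties."""
    material = "\x1f".join(f"{n}={properties[n]}" for n in recipe["fields"])
    digest = hashlib.pbkdf2_hmac("sha256", material.encode(),
                                 bytes.fromhex(recipe["nonce"]),
                                 recipe["iterations"], dklen=32)
    return base64.b64encode(digest).decode()  # 32 bytes encode to 44 characters

def rotate(properties, old_recipe):
    """Rotation replaces the recipe (field combination and nonce), not just the output."""
    while True:
        recipe = new_recipe(properties)
        if recipe["fields"] != old_recipe["fields"]:
            return recipe

if __name__ == "__main__":
    first = new_recipe(CAMERA_A)
    second = rotate(CAMERA_A, first)
    print(first["fields"], derive_password(CAMERA_A, first))
    print(second["fields"], derive_password(CAMERA_A, second))
```

In this sketch the password is only as secret as the recipe and the properties it reads, so both would need protection on a real device; how the product handles that is not covered in the article.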
Importantly, the whole process can be automated and can be scaled to an entire installation of supported cameras. “Passwords are the weakest link – as you have the three-part problem of weak credentials to start with, storing passwords securely, and the sharing of potentially well-known passwords across an enterprise,” explains Rao Cherukuri, Device Authority’s CTO.
For certificate management, the KeyScaler platform also has built-in, automated integrity checks that can detect suspicious devices and prevent them from participating in the ecosystem by revoking their certificates and other credentials. The provisioning of certificates tells the system that the device communicating to it is really the expected device and not an imposter.
KeyScaler automatically quarantines new devices until validated, or keeps a device quarantined and generates an alert to the system administrator. To prevent theft of certificates and unauthorized use, the Device Authority agent stores the certificate and associated key pair in an encrypted state. The agent will make decryption available only to authorized applications defined in the credential provisioning policy on the KeyScaler server. By binding the certificate to the device, KeyScaler can detect misuse of certificates that are stolen or copied to another device.
In another approach to securely provision credentials, Bosch has partnered with SecureXperts to load CHAVE cameras with signed X.509 certificates, allowing trusted communication with these devices. Further, passwords are eliminated entirely by provisioning users with smart card credentials to allow device access.
A Vendor-Agnostic Solution
Both of the approaches highlighted have technical merit, but each is currently limited in the manufacturers it can work with. With many installations employing a mix of different devices, additional techniques would be needed to cover the remaining devices.
Back in 2016, I wrote about an innovative password provisioning program implemented by security integrator Contava to securely provision passwords to security techs in the field (www.securityinfowatch.com/12242602). I circled back with David Sime, now VP of Technology for Paladin Technologies, which acquired Contava in 2017. The approach, which uses a product from Click Studios (www.clickstudios.com.au) called Passwordstate, involves VPN access from the field to a Paladin password server, which responds with a strong encrypted password. Passwords are tied to specific devices through a device identifier.
Sime says this effort was very successful, adding that “there was obvious resistance by our techs up front, but once we got them there, it took away a lot of their frustrations by having the information at their fingertips. It is a balance between usability and security.”
Provisioning updated passwords across the enterprise is more of an issue with this approach and involves a mass export operation – which in itself can have security ramifications. Sime is now evaluating an enterprise-level offering from 1Password to shed the requirement for an internal password server.
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Email him at ray@SecuritySpecifiers.com, or contact him through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter: @RayCoulombe.