Security Technology Executive

MAY-JUN 2018


TECH TRENDS
By Ray Coulombe

A$$1Gn1ng $af3 C@m3r@ Pa$$w0rd$
A look at technological advances to solve the problem of weak IP camera passwords

Much has been written about the provisioning of safe passwords. In our industry especially, security cameras can be particularly vulnerable in this regard – as default, weak and reused passwords are common, as well as passwords transmitted in the clear, with no encryption.

Back in October 2016 we experienced the Mirai botnet malware, which leveraged the use of weak credentials, particularly passwords. Then came Persirai, which can exploit a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Satori malware infected 280,000 devices in 12 hours. Now, Okiru malware has the potential to reach billions of IoT devices.

If your company does not have a secure password provisioning strategy, what are you waiting for? The Huns are massing at the border, and the attacks have begun. It is time to start acting proactively.

Camera Password Provisioning Strategies

I recently attended Axis Communications' annual A&S Summit in the Bahamas and learned about a new approach to the weak password epidemic – the KeyScaler product from a company called Device Authority, who demonstrated it on Axis cameras via the AXIS Camera Application Platform (ACAP), an open application platform that enables members of its development partner program to develop applications that can be downloaded and installed on Axis network cameras and video encoders.

KeyScaler has two significant provisioning elements – certificates and passwords. Both are provided for in the Axis application, and here's how it works:

• From the Axis Device Manager Utility, the Device Authority agent is loaded onto the camera. This would typically be performed by an authorized integrator, or perhaps a distributor.
• The agent connects to a KeyScaler server for secure device registration. Registration control records create a device whitelist and authorize specific cameras for registration into the system. The server also enforces established policies for changing certificates and passwords.
• A unique certificate, signed by the certificate authority, is delivered to the camera and stored as an encrypted file on persistent storage. The certificate is used to authenticate the camera to third-party applications, such as a Milestone VMS.
• Default passwords for the Root and user accounts are changed and managed per the policy. Note that the passwords are not transmitted over the network or even stored in the camera; instead, the camera stores the "recipe" for creating the password. The initial recipe is based on certain device properties and settings at time of initial registration, and subsequent recipes use a different combination of elements. That is, every time the 44-character password is changed, the means for generating it is changed as well. Device Authority calls this process Dynamic Device Key Generation (DDKG).

There are several attractive elements of this process. Every camera has a strong, unique password. It can be automatically updated per schedule or upon an event – such as a technician leaving the company – in a computationally unique way. There is no password stored on the camera (note that encrypted weak passwords can still be easily hacked through brute force attacks). Importantly, the whole process can be automated and can be scaled to an entire installation of supported cameras.

"Passwords are the weakest link – as you have the three-part problem of weak credentials to start with, storing passwords securely, and the sharing of potentially well-known passwords across an enterprise," explains Rao Cherukuri, Device Authority's CTO.
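The "recipe" idea in the last provisioning step, sketched as an added example: this is not Device Authority's DDKG algorithm, which the article does not describe, and not code from the original page. The property names and values, the HMAC-SHA256 construction and the `hw_unique_id` field are assumptions; the sketch assumes at least one input is not readable from the network, since anyone holding both the recipe and the property values can recompute the password.

```python
import base64, hashlib, hmac, secrets

# Constructed sample properties; a real agent would read these from the device.
CAMERA_PROPS = {
    "serial": "ACCC8E000000",
    "mac": "AC:CC:8E:00:00:00",
    "firmware": "8.20.1",
    "model": "EXAMPLE-CAM-1",
    "hw_unique_id": "5f1c0a7e9b3d4428",  # assumed device-internal value
}

def derive_password(props, recipe):
    """Recompute the password from device properties and a stored recipe."""
    h = hmac.new(bytes.fromhex(recipe["nonce"]), digestmod=hashlib.sha256)
    for name in recipe["fields"]:
        # Length-prefix each part so ("ab", "c") and ("a", "bc") hash differently.
        for part in (name.encode(), props[name].encode()):
            h.update(len(part).to_bytes(2, "big") + part)
    # A 32-byte digest encodes to exactly 44 base64 characters.
    return base64.b64encode(h.digest()).decode()

def new_recipe(available, previous=None, k=3):
    """Pick a fresh nonce and a field combination different from the last one."""
    pool = sorted(available)
    if len(pool) <= k:
        raise ValueError("need more than k properties to vary the combination")
    rng = secrets.SystemRandom()
    while True:
        fields = sorted(rng.sample(pool, k))
        if previous is None or fields != previous["fields"]:
            return {"fields": fields, "nonce": secrets.token_hex(16)}

def rotate(props, previous=None):
    """Server side: issue a recipe and derive the password; only the recipe is sent."""
    recipe = new_recipe(props.keys(), previous)
    return recipe, derive_password(props, recipe)

if __name__ == "__main__":
    recipe1, server_pw1 = rotate(CAMERA_PROPS)
    camera_pw1 = derive_password(CAMERA_PROPS, recipe1)  # camera recomputes locally
    print(len(camera_pw1), hmac.compare_digest(server_pw1, camera_pw1))
    recipe2, server_pw2 = rotate(CAMERA_PROPS, previous=recipe1)
    print(recipe1["fields"], "->", recipe2["fields"], server_pw1 != server_pw2)
```

A rotation changes both the nonce and the set of properties fed into the derivation, so the recipe from one rotation does not reproduce the password of the next.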
For certificate management, the KeyScaler platform also has built-in, automated integrity checks that can detect suspicious devices and prevent them from participating in the ecosystem by revoking their

Continued on page 14

Ray Coulombe is Founder and Managing Director of Securit and RepsForSecurity.com. Ray can be reached at ray@SecuritySpecifiers.com, through LinkedIn at w w raycoulombe or followed on Twitter @RayCoulombe.
