Checklist/actionable advice to prevent IP camera hacking
IP cameras can keep an eye on things when we are away. People use IP cameras to watch kids, the elderly and pets at home, or to protect the house from burglary. However, using them increases the possibility of privacy intrusion. In recent years, many news reports have described millions of IP security cameras being used for DDoS attacks, and hackers breaking into home cameras and broadcasting live video online. Here we invited Peter, an expert in network security, who offered several pieces of actionable advice to prevent camera hacking. This advice is not only suitable for IP cameras but can also be applied to all kinds of IoT devices.
MUST DO MEASURES TO ENSURE BASIC SECURITY OF YOUR CAMERA
1. Modify default password and use a strong password
Security cameras that still use the default password are very likely to be hacked. Users should change the default password and use a strong password that contains digits, capital letters and symbols.
2. Update firmware
All IP cameras, NVRs and DVRs should be upgraded to the latest firmware version to ensure your equipment has the latest features and security.
ADVICE THAT CAN GREATLY ENHANCE YOUR CAMERA’S SECURITY
1. Modify the password regularly
You should change the password regularly in case the old password has been obtained by malicious people.
2. Change default port of HTTP and TCP
Changing the default HTTP and TCP ports can greatly improve your camera’s security. The HTTP and TCP ports are used for remote web and video access. You can set these two ports to any port number in the range 1025～65535. Changing the port numbers greatly reduces the risk that hackers gain access through the default port numbers.
3. Enable HTTPS/SSL encryption
If your network camera supports web browser access, you should create an SSL certificate to enable HTTPS. After HTTPS is enabled, the information exchanged between the camera and its clients (including NVR, web browser, NAS, software, etc.) is encrypted.
4. Enable IP filter
You can enable the IP filter in your router so that only designated IP addresses can access the camera.
5. Change ONVIF password
6. Set user account permission
If multiple users need to access the network camera, make sure you set different permissions for each user account.
7. Disable UPnP
After you enable the UPnP function in your router, the router will set up port forwarding automatically. This is very convenient, but it exposes a serious vulnerability through which hackers may gain access. If you have already set up port forwarding for the HTTP and TCP ports, we highly recommend that you disable UPnP.
8. Disable SNMP
If you don’t use the SNMP function, we highly suggest that you disable it. SNMP should be used only for temporary testing purposes.
9. Disable multicast
Multicasting enables a camera to transmit its live stream to multiple video storage devices. Currently, no vulnerability has been discovered in multicast streaming, but if you don’t use this function, we suggest that you turn it off.
10. Checking log
If you want to know whether your camera is secure, you can check the log for unauthorized login attempts or brute-force logins. The device’s log records which IP addresses have attempted to log in and what operations each user has performed.
11. Physical protection
To achieve maximum protection, you may also secure your network equipment physically. You can put the equipment in a locked room and put the network video recorder in a locked cabinet to prevent unauthorized access.
12. IP camera connects to NVR through PoE
When you use PoE to connect IP cameras to the NVR, the cameras are separated from the Internet, so they are not exposed to potential hacking.
13. Setup a dedicated network for network cameras
Network segmentation can ensure the security of your entire network. You can achieve it by physically segmenting the network or by setting up a virtual local area network (VLAN) in your network switch. Network cameras transmit their data on a VLAN like any other network device. For security, some administrators assign the switch port of each IP camera to a specific VLAN, separate from the VLAN used by other network devices, with an access list that restricts it to a specific set of systems.
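The log check in item 10 can be automated. The following is an added example, not code from the original article or from any camera vendor: it scans exported login records for brute-force patterns and for logins from addresses outside the IP filter of item 4. The log line format, the allowed subnet, the thresholds and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical log format; adapt the regex to what your camera or NVR exports.
LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")
ALLOWED = [ip_network("192.168.10.0/24")]  # assumed camera VLAN / IP filter list
WINDOW = timedelta(minutes=5)              # assumed sliding window
THRESHOLD = 5                              # failures within WINDOW => brute force

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = """\
2024-05-01 02:13:01 LOGIN_FAIL user=admin ip=203.0.113.45
2024-05-01 02:13:03 LOGIN_FAIL user=admin ip=203.0.113.45
2024-05-01 02:13:05 LOGIN_FAIL user=admin ip=203.0.113.45
2024-05-01 02:13:07 LOGIN_FAIL user=admin ip=203.0.113.45
2024-05-01 02:13:09 LOGIN_FAIL user=admin ip=203.0.113.45
2024-05-01 02:13:30 LOGIN_OK user=admin ip=203.0.113.45
2024-05-01 08:00:00 LOGIN_FAIL user=alice ip=192.168.10.20
2024-05-01 08:00:10 LOGIN_OK user=alice ip=192.168.10.20
2024-05-01 09:30:00 LOGIN_OK user=guest ip=198.51.100.7
"""

def review_log(text):
    """Return a sorted list of (ip, finding) tuples for suspicious logins."""
    findings = set()
    recent_fails = defaultdict(list)       # ip -> failure times still in window
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # not a login record in this format
        event, ip = m.group(2), m.group(4)
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            outside = not any(ip_address(ip) in net for net in ALLOWED)
        except ValueError:
            continue                       # malformed timestamp or address
        if outside:
            findings.add((ip, "login attempt from address outside allow-list"))
        fails = [t for t in recent_fails[ip] if ts - t <= WINDOW]
        if event == "LOGIN_FAIL":
            fails.append(ts)
            if len(fails) >= THRESHOLD:
                findings.add((ip, "brute force suspected"))
        elif len(fails) >= THRESHOLD:
            findings.add((ip, "successful login after brute force"))
        recent_fails[ip] = fails
    return sorted(findings)
```

A "successful login after brute force" finding is the one to act on first: change the password from item 1 and review what that session did in the device log.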