The DDoS attack launched from various network cameras and NVRs last year again exposed the vulnerabilities of security devices as they migrate towards IP. Safer security experts have listed common vulnerabilities in security equipment and made suggestions on what security geeks should do to avoid them.
Their comments came after the DDoS attack against a U.S.-based Internet performance and management company, which resulted in a shutdown of service across such sites as Amazon and Netflix. It was later found that several IP cameras and NVRs had been used to launch the attack after being infected with the Mirai malware. Once the malware has identified and accessed the devices, it turns them into bots that can be commanded as part of an army of devices to flood websites with requests, effectively crippling the server and eventually forcing it to go offline. It was estimated that Mirai had spread to at least 500,000 devices with vulnerabilities.
According to experts, one vulnerability is the use of default username and password. Exploiting this vulnerability, Mirai was able to gain control of these devices. What the malware did was scan the internet for devices that were still ‘factory’ set, which meant they were still using default username and password combinations.
Besides the default username and password, the default configuration of the device can also create problems. Default configuration typically uses insecure protocols and leaves services open. This can cause information to be sent in the clear and also enable access to a command line via services such as telnet.
Another vulnerability is the use of proprietary encryption instead of the more well-established encryption methods, as more powerful tools are now available to crack encryption algorithms.
Then comes firmware, where vulnerabilities and flaws can be exploited to help hackers intrude further into a device. Most security devices are full-blown computers with a modern operating system, for example an embedded version of Windows or Linux. Updating firmware for these devices is as crucial as updating your desktops and the related applications.
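The weaknesses listed above (factory credentials, open cleartext services such as telnet, proprietary encryption, outdated firmware) can be checked offline against a device inventory. The Python code below is an added example, not part of the original article; the record fields, finding labels and sample inventory are constructed assumptions rather than any vendor's export format.

```python
# Added example: offline audit of a device inventory against the weaknesses listed above.
# Record fields, finding labels and the sample inventory are constructed for illustration.
CLEARTEXT = {"telnet", "ftp", "http"}   # assumption: protocols treated as sending data in the clear
REMOTE_SHELL = {"telnet"}               # cleartext service that exposes a command line

def parse_version(text):
    """'5.4.10' -> (5, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit(dev):
    """Return the findings for one device record (a dict), in the article's order."""
    findings = []
    if dev["password_is_factory"]:
        # Factory username plus factory password is the combination Mirai looked for.
        findings.append("default-credentials" if dev["username"] == dev["factory_username"]
                        else "default-password")
    open_services = set(dev["services"])
    for svc in sorted(open_services & REMOTE_SHELL):
        findings.append(f"remote-shell:{svc}")
    for svc in sorted(open_services & (CLEARTEXT - REMOTE_SHELL)):
        findings.append(f"cleartext:{svc}")
    if dev["encryption"] == "proprietary":
        findings.append("proprietary-encryption")
    elif dev["encryption"] == "none":
        findings.append("no-encryption")
    if parse_version(dev["firmware"]) < parse_version(dev["latest_firmware"]):
        findings.append("firmware-outdated")
    return findings

def audit_inventory(inventory):
    """Map device name -> findings, keeping only devices with at least one finding."""
    return {d["name"]: f for d in inventory if (f := audit(d))}

INVENTORY = [  # constructed sample records
    {"name": "lobby-cam", "username": "admin", "factory_username": "admin",
     "password_is_factory": True, "services": ["http", "telnet", "rtsp"],
     "encryption": "none", "firmware": "5.4.9", "latest_firmware": "5.4.10"},
    {"name": "dock-nvr", "username": "ops-nvr", "factory_username": "admin",
     "password_is_factory": False, "services": ["https", "ssh"],
     "encryption": "standard", "firmware": "3.2.0", "latest_firmware": "3.2.0"},
    {"name": "gate-cam", "username": "admin", "factory_username": "admin",
     "password_is_factory": False, "services": ["https"],
     "encryption": "proprietary", "firmware": "2.0.1", "latest_firmware": "2.0.1"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", ", ".join(findings))
```

The firmware check compares parsed version tuples because a plain string comparison would rank "5.4.9" above "5.4.10" and miss the outdated device.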
Having said that, security geeks should make their best efforts to secure their security devices. A good place to start is requiring the user to change the username and password. The newly revised NIST publication ‘Digital Identity Guidelines’ as well as the NISTIR 8040 on passwords for mobile devices are some examples of publicly available guidance to follow.
Encryption, meanwhile, is also important. Enable encryption within the network-based physical security devices whenever available. Among the documents that can be followed, the so-called NSA Suite B algorithms represent the list of acceptable cryptographic algorithms.
In addition, vendors should regularly update firmware, in a manner that is easy and friendly to users. User interface design has been getting much more attention in recent days. The end goal is to ensure users do not find running updates to be a hassle. Thus, an efficient interface that ensures a great user experience is essential. Another alternative is automatic patching, a path we are seeing Microsoft experiment with, with the launch of Windows 10. This removes the need for user involvement in the update process.
Technical experts can even consider implementing two-factor authentication, be it from tokens, apps or RFID cards, to verify a user’s identity instead of simply entering a username and password to log in. Finally, they could also look at collaborating with cybersecurity companies for vulnerability testing and assessment, so that the potential for these devices to be hacked can be identified earlier and the devices can be further improved to minimize your network’s risk of being attacked.