Modern video security systems are more secure now than ever before. Gone are the days when network video recorders (NVRs) and cameras were allowed to keep default credentials (such as a 12345 password), which attackers used to mobilise tens of thousands (or more) of devices in a botnet. It’s important to remember that security at times can be simple.
Just requiring login credentials to be changed upon first use resulted in a drastic reduction of compromised security systems. But, simple doesn’t always mean ‘easy’. Attackers adapt, and defenders need to do their best to stay ahead. The best systems are designed to make it easier for defenders than for attackers, and there’s a lot that can be done with some additional (and simple) configuration decisions.
Best practice configurations
In a typical small security system, users may have a dozen or more IP cameras connected to network video recorders (NVRs). Best practice configurations usually place the IP cameras on a network subnet that allows users to disable access from the internet and keep bandwidth-intensive IP camera streams from interfering with other traffic.
However, to access the NVR from outside the network, the user will have to expose it to the internet. Doing so potentially puts key assets at risk, as hackers can more easily use the open internet to break into the system.
Anatomy of a hack
Any IP device that’s remotely accessible from the internet is potentially at risk. Many times, the device is available from a network that has a fixed IP address and port. If so, it’s easily detectable from anywhere in the world by port scanning, a standard technique used to determine which ports a target system may be listening on. This can also help attackers determine what services may be running on the system, because certain ports are usually associated with particular services.
If the device is an NVR for example, it’s likely to have Port 80 open, so the legitimate user can access the NVR’s web interface. But to the hacker, an open Port 80 is a big clue that the device has a web server running on it.
Port scanning
Port scanning is essentially a way of ‘fingerprinting’ the remote operating system, in order to understand what services and software versions are running on the target. This is a problem because if there are known exploits for that version of the operating system or for particular services, then it’s good news for the attacker if the device is not up to date on patches or is otherwise unprotected.
However, there are a number of practical ways to minimise that risk. Most network video recorders have a mobile app that can connect via Peer-to-Peer (P2P). This setup uses an intermediary server to query the NVR, and request a port to be opened. Once that occurs, the mobile app connects to the NVR. When the connection is closed, the port is closed.
The big advantage of this approach is that the port is open only for the duration of the session. At any other time, a port scan won’t reveal much of anything to a potential attacker. It’s the equivalent of opening your garage door when you pull up to your house, then shutting it right after you pull your car in, and leaving it shut until you need to take your car out again.
IP address blocking
Another way to minimise exposure is to use IP address blocking. Also known as a Geolocation feature in many firewalls, this allows users to block access to the system from a range of IP addresses. Some allow users to block access to the system from IP addresses that originate in specific threat countries.
Some security experts believe this is a very blunt instrument to deploy, so it’s fair to ask if IP address blocking is worthwhile to do. Here is the take of Dahua Technology, a globally renowned video surveillance and security services company.
Anyone managing an important website for their company has to periodically check the logs, which give great insight, especially when things aren’t working correctly.
Dahua Technology example
In the case of Dahua Technology, the operators noticed over 300 admin login attempts from a specific IP address in less than one day. It turns out that the recorded IP address is from a city that famously hosts a troll farm, which the security community strongly suspects is engaged in online influence operations, on behalf of business and political interests from a particular country.
Since Dahua Technology’s website serves only users in North America, they chose to block the entire domain of IP addresses in that geographical area. What was done won’t prevent whoever it was from initiating a brute force password attempt again, but it makes it considerably less convenient. And that’s a win for the defenders.
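The kind of log review described above can be automated. The following is an added example, not Dahua Technology's code: it counts admin login attempts per source IP in a sliding 24-hour window and reports sources that exceed 300. The combined access-log format, the /admin/login path and the sample lines (documentation IP ranges) are assumptions constructed for illustration, and each source's lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
LOGIN_PATH = "/admin/login"      # hypothetical admin login URL
WINDOW = timedelta(days=1)
THRESHOLD = 300                  # the article's case: over 300 attempts in under a day


def noisy_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak attempts within any `window`} for IPs exceeding `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATH):
            continue              # skip unparsable lines and non-login traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def sample_log():
    """Constructed sample: one source hammering the login page, one normal admin."""
    start = datetime.strptime("10/Mar/2024:00:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    fmt = '{ip} - - [{ts}] "POST /admin/login HTTP/1.1" {st} 512'
    lines = []
    for i in range(320):          # 320 failed attempts, one every 4 minutes (~21 h)
        ts = (start + timedelta(minutes=4 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, st=401))
    for h in (8, 13, 17):         # a legitimate admin logging in three times
        ts = (start + timedelta(hours=h)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="198.51.100.20", ts=ts, st=200))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, n in noisy_sources(sample_log()).items():
        print(f"{ip}: {n} admin login attempts within 24 hours")
```

Sources reported here are candidates for the blocking described in this section; a shorter window with a lower threshold catches faster bursts.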
Securing access to the network video recorder (NVR)
For many businesses, it’s far easier to secure access to the network video recorder (NVR), because it’s likely that there are only a few people who are authorised to access it.
In that case, users can change the default settings and set up an IP allow list, which will block all access attempts unless they come from the IP addresses that are specified and verified for safety. That makes it even harder for hackers to carry out cyber-attacks.
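The default-deny logic behind an IP allow list, as an added example that is not taken from any NVR vendor's firmware: only a source address inside a listed network is admitted, malformed input is rejected, and IPv4-mapped IPv6 addresses (as a dual-stack listener may report them) are unwrapped before matching. The allow-list entries are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed allow list for a hypothetical NVR; documentation address ranges only.
ALLOWED = ["192.0.2.10/32", "198.51.100.0/28", "2001:db8:42::/48"]


def load_allow_list(entries):
    """Parse entries strictly: a typo such as 198.51.100.5/28 raises ValueError
    at load time instead of silently allowing a different range."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def normalise(source):
    """Parse a peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(source.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(source, networks):
    """Default deny: only a parsable address inside a listed network passes."""
    try:
        addr = normalise(source)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets = load_allow_list(ALLOWED)
    # Constructed connection attempts.
    for peer in ("192.0.2.10", "::ffff:192.0.2.10", "198.51.100.16", "not-an-ip"):
        print(f"{peer:20} {'ALLOW' if is_allowed(peer, nets) else 'DENY'}")
```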