The now infamous Target data breach was transacted by malware being placed on the HVAC system servers. A casino had its “high roller” database stolen by leveraging the network connection of an aquarium thermostat to export the file from the internal network. Leveraging the physical security system’s camera devices a bank was hacked, revealing confidential information. These are just some of the examples of how IoT devices, especially at the edge of a network, can be exploited by cyber-criminals.
Right now there is a scramble within the physical security industry to address cyber vulnerabilities present in many camera devices. The days of “set it and forget it” are waning, as the costs are rising for not taking action. Whether Mirai, WannaCry, or more recently Peekaboo, malware agents are finding a friendly home inside a modern surveillance camera. In reality, these are not cameras, but small servers with processors, memory, storage, and network connectivity that often are mounted outside of buildings or in out of the way places. In other words, perfect environments for launching denial of service attacks and other exploits.
What makes camera devices also ideal for malware is (until recently) the lack of consistent methods to update the device once it is placed in service. For any IP-based device (not just security devices) the reality is that when the device leaves the factory it is built and designed for a specific purpose and functionality. Once in the field, the manufacturer often can make that device satisfy additional purposes and functions – but only by updating the firmware. Likewise, industry standards that the device must be compliant to can also change – but only by virtue of updating the firmware. And as highlighted above, as new vulnerabilities are discovered they can be thwarted only through updates to the firmware. For all these reasons a consistent and automated approach to device firmware updating is needed.
Especially for security, keeping firmware maintained at the most current level is the primary mechanism to know you’re protected. When hackers find a way to infiltrate the system, they don’t announce it. Far from it – they seed camera devices with malware that can lie in wait. That’s why in many cases the camera devices installed in your organization may already have been infected. In that case it’s not an issue of preventing infection, it’s to prevent the malware present from having an impact or being able to accomplish its mission. That’s why it is critically important that every camera, especially ones installed a while ago, be updated to the most current firmware level.
Another aspect of physical security that makes firmware updating difficult is the scale problem. With camera, access control, and other physical security devices, there are typically dozens if not hundreds of them. That makes the problem of maintaining firmware at the correct revision very time-consuming, costly, and perhaps even impossible using manual methods. Yet, for every camera that remains on an older firmware version your organization has one more vulnerability to be exploited.
Where is this headed? If we look at how traditional IT devices have dealt with these issues, they evolved from occasional firmware updates, to frequent, to “Patch Tuesday”, and in some cases to continuous (think of how your antivirus software keeps updating itself). It would not be surprising if the physical security industry follows this path as well. But to make that happen it needs to be an automated process, performed securely with a chain-of-trust for what is being installed.
That capability is now coming into the market, both from camera manufacturers for their specific camera devices, and from Viakoo for multi-vendor camera systems. At Viakoo we’re proud to have been awarded “New Product of the Year” from Security Today for our Camera Firmware Update Manager (CFUM). CFUM provides physical security system operators the ability to automate firmware updating across multiple makes, models, and physical locations from a single dashboard. Now is the time to look at these capabilities and understand how your organization can keep on top of this growing issue. Want to see CFUM in action? Sign up at www.viakoo.com/start for a free demo of how automation can keep your organization secure and firmware at the level it needs to be.