IoT Security Weaknesses: Why IP Cameras Have Become the Preferred Subject of Cyber Attacks
Cyber attacks open the way to controlling devices, to DDoS attacks, attacks against public institutions, hospitals and schools – and even in the war against Ukraine, Russian air defense systems are watching to plan their attacks. The number of reported attacks is increasing massively every year. GIT SECURITY International spoke with Andre Bastert, Global Product Manager Axis OS at Axis Communications, about his company’s cyber security strategy.
GIT SECURITY International: Mr. Bastert, as far as possible, cameras should not have any cyber security vulnerabilities. And in spite of this, IP cameras are the most frequently attacked of all devices. How do you see the situation?
Andre Bastert: The situation really is worrying. International reports on the vulnerability of IoT devices confirm it. The sheer number – we are talking about billions of networked IoT devices – and their often insufficient protection present an enormous problem for everyone concerned, and that includes manufacturers, operators, or regulation authorities. It is therefore not surprising that the IoT market has been increasingly flooded with new laws, regulations, and standards. Unfortunately, not all manufacturers have managed to incorporate cyber security into all of their products. The resultant ‘IoT target’ is a growing risk that has to be addressed.
So although a cyber security strategy is absolutely essential for a manufacturer such as Axis, it cannot achieve anything on its own without the user. Could you explain the development of your strategy since Axis first published a vulnerability report in 2016?
Andre Bastert: We have come a long way since 2016 and are proud of the progress that we have made in vulnerability management. We intensively studied the Best Practices from the IT industry back then, and learned from what the leading companies were doing. We developed our own ‘Axis Vulnerability Management Policy’ on that basis. This explains transparently how we deal with weaknesses – from identification, through patching and to the processes and the communication with our partners and customers as soon as a deficit is identified.

Could you tell us more about the cooperation with external researchers – penetration tests, for example – and also your joining the Common Vulnerabilities and Exposures (CVE) Program in 2021?
Andre Bastert: In 2021, we joined the Mitre CVE Program as a CVE Numbering Authority (CNA). Every identified vulnerability receives a CVE-ID, a unique identification number, together with a comprehensive Security Advisory and additional information. The CVE Program immediately forwards these externally so that our customers are informed, can react quickly, and install patches. The distribution of information and the associated transparency and scope of this process are the big advantages of this program and a major benefit for us and our customers. The ‘Knowledge Transfer’ that takes place has allowed us to develop our vulnerability management further and make it more professional by adapting our processes in a similar way to IT giants such as Google, Microsoft, or Cisco.
A further step forward was the start of our first Bug Bounty Program together with Bugcrowd. This is where we reward ethical hackers financially for their responsible reporting of weaknesses. This method alone has allowed us to rectify more than 30 weaknesses. Add to these the numerous penetration tests that Axis either orders yearly or are initiated by our customers. These have enabled us to identify and patch more than 50 vulnerabilities in the meantime.
A further milestone on the subject of vulnerability management is our cooperation with the Bundesamt für Sicherheit in der Informationstechnik (BSI). More than 220 network products from Axis now carry the IT security label of the BSI. A core commitment of this is to proactively inform the BSI market regulators about any weaknesses that have been discovered. Security-relevant information is then distributed rapidly – an important step towards implementation of the Cybersecurity Resilience Acts (CRA) of the European Union in Germany.
Our strategy adopts international cooperation and a multi-layer security concept with a range of measures that make our products step-for-step ever more robust – through penetration tests, the Bug Bounty Program, transparent communication and regulatory cooperation. Cyber security is however not a one-off project, but a continual process that requires engagement at all levels. Only a strategy that is based on mutual exchange and professional cooperation will strengthen our product security.
Let us take a closer look at your ‘Axis Edge Vault’ security platform...
Andre Bastert: What we call the ‘Axis Edge Vault’ consists in principle of the entirety of all hardware-based, advanced security technology at Axis – and thereby forms the foundation of cyber security in our network products. For example, our customers expect that their Axis product starts exclusively with Axis-authorized software and not with just any code. Equally, they expect that the product was not manipulated during transport and that it can be verified as a real Axis device with total certainty. This is ensured by functionality such as Secure Boot, Signed OS, and the Axis Device ID.
In addition to this, highly sensitive data such as certificates, private keys for network communication, or access information for door control, is securely stored without the possibility of extraction. That is why we exclusively use TPM modules and Secure Elements in our devices that are certified to Common Criteria and FIPS 140. The internationally certified TPM modules and Secure Elements that we use in our products are also used, among other applications, in smart phones or for the creation of passports and therefore provide the same level of security.
In the light of the increasing threat from deep fakes and manipulated video files, our cameras also offer the ability to cryptographically sign video streams. This permits customers to be certain that the video stream is real. Since 2020/2021, we have committed not to deliver any Axis IoT device without this security function.
You issue corresponding updates when you recognize a critical software security problem. How do you discover the weaknesses?
Andre Bastert: We actively drive cooperation with independent security researchers, ethical hackers, as well as professional security companies, among them many of our own customers. The basis of our trust is mutual, and transparency and openness are key to successful protection. We therefore expressly welcome that many of our customers regularly call in professional security companies themselves to carry out penetration tests and check the security standard of Axis products.
Vulnerability reports reach us via various different channels: either directly via an online form in the context of penetration tests, or via our Bug Bounty program in conjunction with the team from Bugcrowd. We currently pay up to US$ 50k for reports on critical security vulnerabilities – a clear sign of our engagement and our appreciation of the community.
How long does it take on average between the first report and Patch Day?
Andre Bastert: In general we are able to make corresponding patches available within six to twelve weeks, depending on the complexity of the vulnerability and the number of affected products – always under the premise that we can closely coordinate the publication of the vulnerability with the reporter so that our customers have enough time to apply the patch. With regard to so-called ‘Zero Day vulnerabilities’, of which we have luckily had none so far, we obviously have to react more quickly because these are weaknesses that can be actively exploited.
It is normal at Axis that a single patch is rolled out for between 200 and 300 network products and multiple software tracks. It requires precise coordination to ensure that this is rapidly possible.

How do you communicate this to your customers?
Andre Bastert: We recommend that our customers regularly and proactively check their Axis network products to keep them up-to-date. That is the most effective protection against security vulnerabilities. We publish information promptly via our Release Schedule about the version in which a vulnerability has been removed. However, we never publish details that could threaten the ‘Responsible Disclosure’ process. We also offer a Security Notification Service. After registering, customers will automatically receive an email as soon as new vulnerability patches become available. This provides enough time to plan updates and minimize risks. If our customers or partners have any need for further information, our sales and technical support are available free of charge 24/7.
How do you advise and support end-users in general? Do you make a comprehensive resource pack available?
Andre Bastert: Our customers are able to find out about the cyber security of our products before purchasing them, whether via the Axis website, from our partners, or in direct dialog via email or by phone to our sales department. We make current information on international standards, certifications, and penetration tests available on our Axis Trust Center.
We provide a Hardening Guide with firm recommendations for the secure configuration and operation of our products. If a device has to be forensically investigated, for example after a cyber attack, the Forensic Guide will help. We also have integration instructions available, for example, for cooperation with well-known network suppliers such as HPE Aruba Networking. We always aim to help our customers proactively to integrate their Axis products securely and smoothly into existing IT environments.