Secure Your System

It does you little good to install a system that tries to protect yourself, your home, and your family if an outsider can easily break in—whether while parked outside or from 10,000 miles away.

The default security of a system out of the box varies incredibly among manufacturers, making it critical that you follow your own security protocol in setting up new accounts and devices.

In this chapter, I explain the risks you face, how to secure your device with good general account and password hygiene, and how to keep your devices safe on the internet and up to date. I conclude with what is necessary to share access to your cameras and stored video safely.

You Face Real Risk

One reason to take this so seriously is that criminals and trolls are constantly scanning the entire internet—yes, really, the entire internet—to find devices that are improperly secured or that let them test endless combinations of things to break in. If you have an improperly secured directly connected internet device or a poorly secured online account, you almost certainly will be compromised.

This is no academic exercise. As I was writing this edition of the book, several news outlets reported on crackers gaining access to Ring accounts, going so far as to create podcasts in which they pranked Ring owners. In one case, someone started yelling at an 8-year-old girl from the camera.

Even though Ring cameras are new and frequently updated, the biggest problem is from outdated gear.

Avoid Earlier Generations of Cameras

Not very long ago, most affordable home security cameras had very few of the features we now look for in such a device. They were really webcams, designed for videoconferencing and recording at one’s desk, and some were repurposed with features that made them more generally useful.

They lacked robust triggering, had low resolution, had a small field of view, and didn’t have options to stream to cloud storage or come with storage plans.

Most importantly, they weren’t well secured against internet-based attacks. Manufacturers used inexpensive embedded operating systems that were quite similar to that used for home network routers, and lightly customized them, but didn’t harden them against attack.

Those are the cameras you typically see on the kind of site I just mentioned above. I would not purchase nor can I recommend any of these older models, which are still readily available—often very cheaply. Generally avoid camera models released before 2017; specifically, search on any model and “hacked” if you’re looking at any older system or one that isn’t optimized with high-quality versions of features described in this book.

Can You Trust Any Camera Maker?

I’d be remiss if I moved on without noting the frequent coverage in technical and mainstream media of hacking of various kinds that allows access to stored data, account information, or live feeds. As I was writing part of this book on December 30, 2019, a story broke about Wyze, a well-liked inexpensive maker of cameras.

Due to an absurdly amateur error by one of its new programmers that wasn’t overseen or caught by anyone else at the company, information about 2.4 million of its customers was exposed. While passwords were encrypted, as you read above about password reuse, merely the knowledge of someone’s email address can sometimes give crackers access to their accounts unless passwords are immediately reset by the site operator and those old passwords aren’t allowed to be used again.

There is no way to know or predict which camera maker won’t manage your data well. And companies may have taken every proper precaution, but a flaw in widely used software lets crackers in without any fault by the manufacturer whatsoever. It’s always a risk we take when we store data outside devices under our control or allow companies to maintain account information about us.

Set Up an Account or Device Password

Any camera or camera system you acquire will have at least one layer of account or password to access the equipment. For remote-based systems, you likely create an account at a website, and then access it via some combination of web app, desktop app, and mobile app—web and mobile are most common.

Pick a Strong Password

Never leave any default passwords in place for your devices, and no password you set should be very simple, even if the system allows it. User admin and password admin can be easily cracked automatically on an internet-connected camera, while [email protected] with a password of glenn is also potentially subject to automated cracking.

In addition to any online accounts, individual cameras or locally configured video systems may also allow or require device passwords. As with the administrative accounts, set those up uniquely and strongly, changing all defaults.

In every case, choose a strong password that’s easy to enter and that you can keep a simple record of. Preferably, use password-management software discussed in the next section to avoid having to wrangle that yourself.

If you must come up with a password manually, keep in mind that a strong password doesn’t have to be a set of mixed numbers and punctuation, no matter what the sites say. Those are fine, and may be required by hardware, sites, or services that only give you 8 to 12 characters, say.

But a long password that contains randomly selected words, not phrases from poems or books, works just as well. These can be memorable and are always far easier to type on a keyboard or tap on glass. They are no less strong than a short burst of gobbledygook.

The password hiccup-flubber-muskrat is even stronger than 2J99!$kjOp5, for instance.

Don’t Reuse Passwords

Unwanted account access most often arises not from crackers gaining access to an underlying system, which lets them sniff everyone’s cameras, network traffic, transactions, or whatever the currency of a site is.

Rather, in most cases crackers rely on one of two approaches:

  • Stealing an account database from a service that hasn’t engaged in best encryption practices and isn’t aware their users’ passwords were exfiltrated. Shorter and easy-to-guess passwords—huge lists of such things exist—encrypted using technology still common just a few years ago, and still widely in use, can be rapidly decrypted.

  • Trying combinations at other sites of emails and passwords already stolen and cracked from earlier break-ins and posted or sold online.

The latter is increasingly common as sites improve security, including the techniques to prevent easy or mass cracking of passwords even if an entire database is stolen. The site Have I Been Pwned? lists 9.3 billion accounts whose entries have been posted publicly or otherwise extracted, even if the passwords remain encrypted.

The way to avoid this sort of cracking of your account is to use a unique password at every site, and change all existing duplicate passwords at sites you now use. I recommend 1Password for this task, as it works across several platforms, is quite affordable, and lets you create, manage, and fill in passwords in apps and at websites.

Joe Kissell wrote a whole book about the 1Password ecosystem—Take Control of 1Password—as well as a more general book about password management, Take Control of Your Passwords.

Enable Two-Factor Authentication

The rise of password theft has been paced by the availability of a tool once cumbersome and used largely in corporations: multi-factor authentication. Each factor is a separate element and two (and sometimes more) are required to log in to an account or gain access to hardware.

The rubric is something you know, something you have, and something you are—that is usually a password, a device, and a fingerprint or facial scan (biometric).

Many internet-based accounts and some device-based ones rely on a password that you enter, followed by a six-digit numeric code sent to a device or retrieved from an app. The login requires both. Possession of the code “proves” possession of the device. This is known generically as two-factor authentication and often abbreviated 2FA.

The notion is that 2FA prevents a wholesale attack: a mass theft of passwords for accounts protected by 2FA can’t lead to a mass break-in of those accounts. Instead, it forces attacks to be “retail,” or one at a time: each password theft has to be paired with a second-factor theft.

I’ve found real variation among camera makers as to whether their account systems allow or require 2FA. For example: Arlo has offered it as an option since September 2019, Blink will start rolling it out after March 30, 2020, and Ring has required it since January 2020 for new account setups, and offers it for previous account holders.

Whenever possible, turn 2FA on.

The easiest way to use it when an option is available other than a texted code (or sometimes an automated voice call speaking the code) is with an authentication app. Several exist, but I recommend the free tier of Authy, which is a secure way to manage second factors and sync them securely across your devices. (You can find more about 2FA and Authy in Joe Kissell’s aforementioned Take Control of Your Passwords.)

Risk Always Remains

It’s impossible without having access to a site’s inner workings or without them publishing an independent audit to know how well the company controls account-cracking attempts. Well-designed sites block IP addresses and lock out accounts when too many bad logins are tried or they’re tried too quickly.

Unfortunately, all too many sites and a lot of standalone firmware on devices directly connected to the internet have no throttles at all to guard against attacks, making a good password the best defense.
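The throttle a well-designed site applies, sketched as an added example that is not from the book or any vendor's code: failures are counted per address and per account over a sliding window, and either one is locked out temporarily once it crosses a threshold. The class name, the thresholds, and the login events are constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout per key."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a key stays blocked once tripped
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0)

    def record_failure(self, key, now):
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()      # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def replay(events, throttle):
    """Apply the throttle to (timestamp, ip, account, password_ok) tuples."""
    decisions = []
    for now, ip, account, password_ok in events:
        keys = (f"ip:{ip}", f"acct:{account}")
        if any(throttle.is_locked(k, now) for k in keys):
            decisions.append("blocked")   # refused before the password is checked
        elif password_ok:
            throttle.record_success(f"acct:{account}")
            decisions.append("ok")
        else:
            for k in keys:
                throttle.record_failure(k, now)
            decisions.append("fail")
    return decisions


# Constructed sample: one address guessing at one account every 2 seconds,
# then the owner signing in from a different address.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", "owner", False) for t in range(0, 12, 2)]
    + [(12, "203.0.113.7", "owner", True),     # a correct guess arrives too late
       (20, "198.51.100.4", "owner", True),    # owner is caught by the account lock
       (1000, "198.51.100.4", "owner", True)]  # lock has expired
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, LoginThrottle())):
        print(event, "->", decision)
```

The account lock stops guessing from many addresses at once, at the cost of briefly locking out the real owner too, which is one more reason a strong password and 2FA matter even where a throttle exists.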

This can make it an advantage to manage your own storage on equipment you control (virtual or real) or using a well-known online storage system, like Amazon S3, which has robust account security so long as you ensure you don’t set up storage to allow public access. (Amazon now has safeguards and alerts against setting this up unintentionally.)

Secure Hardware and Data

The next smartest thing you can do after ensuring that your camera can’t be administered by anyone but you, with a strong password you’ve set, is to make sure that its internal operating system and other software—its firmware—is as fresh as possible. You can also work through settings to make sure there are no unlocked doors or partially open windows that someone can force their way through. Finally, you may need to enable encryption or turn it up to the highest level.

Keep Firmware Up To Date

One of the greatest risks you face with security cameras is partly outside your control. Those are exploits that can be managed via a company’s website or via direct access to internet-connected hardware due to flaws in the camera or account software.

What you can do is make sure that you always have the latest version of the firmware installed, as most companies are fairly good about pushing out updates to patch security flaws. I note this as one of the reasons to pick a brand name over generic, cheaper gear in Pick a Brand Name?.

Here are some steps that are within your control:

  • Register the camera when you purchase it. While this may unfortunately give the company some permission to market other stuff to you (based on the country you’re in and the options on the registration form about receiving marketing materials), it can also make sure that if there’s a recall or critical update you’ll receive an email.

  • Sign up for security mailings by the maker, if any. Some companies maintain separate mailing lists in which they post information about security updates for specific gear or all their products. It may mean some unwanted email, but it keeps you up to date.

  • Set a Google Alert for your camera model. Google offers a free service that monitors news for mentions of keywords. If your camera model (or even camera maker or product line) winds up in the news, that’s rarely for good reason—and it may give you a leg up on either taking your camera offline until there’s a patch to a flaw or downloading and installing the patch.

  • Install firmware updates as soon as they’re available. Firmware updates can sometimes cause trouble for a small number of customers. But the benefits of patching security outweigh the low possibility of a problem requiring technical support.

Lock Down Settings

It’s worth going through literally every setting in your camera and reading the freaking manual, too. Sometimes there are switches that, by default, allow way too much easy access into your devices, whether over the internet or your local network.

Cameras oriented towards simplicity, proprietary cloud storage, and the least possible configuration tend to have the fewest or zero ways to set them up for poor security. They either lack options that could cause problems or, if they have them, the defaults are set sensibly, and require some effort to override.

Cameras that have more options you dig down through, sometimes hundreds of configuration settings, tend towards the potential of less secure defaults out of the box and the potential to more easily make a change that opens up a camera for remote hacking attempts.

For instance, cameras from Logitech, Google Nest, and Ring offer no real method to break security other than to let the wrong people share access to an account (see Share Access below). Logitech notes that its Circle cameras have uniquely generated and installed private encryption certificates to prevent anything but Logitech servers from communicating with it.

But Reolink offers a simple page for its highly configurable cameras and NVRs in which you can enter an address and port that your network router or broadband modem can forward to the internet, exposing it (Figure 26).

Figure 26: Reolink lets you push your camera through a router for remote access, which is useful but also adds risks.

I generally recommend disabling all remote features that aren’t needed and reducing the kinds of access to your device. Then you can add access as needed.

Some people may want to add a hardware firewall to their network, or enable one already available in their network router or broadband modem, when they add remotely accessible devices. Even inexpensive and built-in firewalls can be sophisticated enough to block remote addresses temporarily or permanently that attempt to gain access repeatedly using known patterns of abuse.

You can also configure a firewall to disable access to most of the public internet, and only allow incoming connections from, say, a VPN service’s range of addresses that you use all the time, your office IP addresses, or other limitations that reduce attack surface by random people.

Encrypt Video Transfers, Storage

It used to be that encryption of data passing over a network, whether your own network or the wider internet, was often lacking from networked hardware and services, and when available, was considered optional. The reality of those days is many years past.

Now, encryption is fast and cheap. Standalone hardware often includes either fast-enough processors or specialized circuitry to speed encryption. (That’s true of all modern mobile and desktop computers.)

There are two states of data you need to consider: the kind moving around and the kind sitting on a hard drive, flash card, or SSD.

Encrypt Data in Transit

Data in transit—sent over a local network or over the internet—should always use encryption. This is almost always TLS (at one time called SSL/TLS), a standard for web-based encryption used with HTTPS connections in browsers, but also more broadly for many services.

The Federal Trade Commission has a surprisingly fantastic page about “IP Camera” security. It includes this excellent and concise paragraph about data in transit:

If you bought a camera that encrypts data transmitted via the internet, turn this feature on. The log in page for your camera should have a URL that begins with https. If it doesn’t, the username and password you enter won’t be encrypted, and other people may be able to access them. Once you’ve logged in to your camera’s webpage, the URL still should indicate https. If it doesn’t, your feed isn’t encrypted, and other people may be able to view it.

I cannot top that. I did think that any camera released in the last three years, if not longer, would always enable HTTPS or other secure data transit by default. But in my research, I’m no longer certain that’s true, nor is it necessarily straightforward to find that out.

For example, reading the manual for one of the NETGEAR Arlo camera models, it notes that both ports 80 and 443 must be open on a firewall for outbound access. Those are both ports for remote access of the device via a web-style connection, which is actually common for remote device communication due to simplicity.

While port 443 is nearly uniformly associated with HTTPS or TLS-based encrypted sessions, port 80 is typically used for non-secured data transfer. I’m not sure why Arlo would need that open in this day and age, but it makes me furrow my brow.

To determine whether a camera sends only encrypted data or can be configured to do so:

  • Find the manual or download it and read through whether data-transit security is mentioned.

  • Check online support files or product sheets for details.

  • If you already have a camera, open its configuration settings and see if there are options to make transmission more secure.

Nest, for instance, makes it hard to find out what standards and practices the company uses for data in transit. With some searching (ironically via Google), I finally found a page that described the policy succinctly and with good detail: “…when you stream your camera video feed to your mobile phone, we protect this data with multiple layers of security, such as HTTPS and Transport Layer Security, while the data moves between your mobile phone, your products (like your Nest Cam), and our cloud services.”

Encrypt Data at Rest

Depending on the kind of storage you use, there may or should be additional encryption:

  • Proprietary cloud: Data at rest on company servers should be encrypted. The company that runs the cloud retains the key, and should have policies in place preventing easy access by all but a limited set of employees to decrypt customer video. You may be able to find this information on a website or in a manual. Logitech notes for its Circle cameras, “Logitech uses unique, random and automatically rotating AES 256 Bit Dual Layer Encryption to protect and store your audio and video content.” Arlo says, “Recordings are encrypted with the user name and password that you create.”

  • Personal cloud/internet storage: Some cloud-storage providers automatically encrypt data at rest, just as in a proprietary cloud, and maintain their own encryption keys for it. Others provide no basic encryption, but some let you layer encryption on top by providing your own encryption key. Amazon, for instance, offers default encryption for its Secure Storage Service (S3) private storage (called buckets), but you need a camera that works with Amazon S3 and can provide the key. You should be able to find this information on the website or in a product manual.

  • NVR or other local storage: Network video recorders continuously accept video, and typically offer no at-rest security. However, depending on the system, it may support a storage drive (internal or external) that, when powered down, is fully encrypted. When powered up, a password must be entered and all data is accessible while it’s in use. This is typical of how full-disk encryption (FDE) is offered in modern desktop operating systems.

  • Memory card: These suffer from the same issue as NVRs, even with much less storage. I can’t find any camera system that offers an option to set an encryption key to write video for locally encrypted at-rest storage.

Share Access

Many camera systems let you create a system of users and access, which allows family members, colleagues, or others to view live or recorded video. Managing permissions and accounts is important so that you don’t inadvertently provide access to anyone jiggling your internet doorknob or allow too much access for people you want to provide limited insight to.

Every camera and system is different! This goes without saying, but it’s particularly the case when it comes to how you can let other people have full or limited access, often up to administrator style access, while you still retain (or sometimes share) control.

Here’s the general sequence of what to do and how it varies:

  • Invite someone: In nearly every system, you use an in-app or web app invitation system. The other person may have to register an account with the same maker’s site first, but that’s rarely the case. Most of the time, they receive an email invitation that explains how to create an account or download an app. (This invitation step may come early or late in the sharing process.)

  • Choose which cameras: For multi-camera systems, you either share each individually, mark which cameras to share, or create a shared set. In others, you may be able to let some people or everyone in a group view live video but not recorded clips.

  • Set permissions: Many systems let you anoint other people with various abilities. That can vary from “can only view during these hours” or “can view for 24 hours” to “may move a tilt/pan/zoom camera around” to “can administer the device and change settings, including inviting other people.”

For me, every sharing system has to come with methods to revoke access. Otherwise, you’re giving away the store forever. Most systems let you edit active users and remove their access or disable it while leaving their account intact, or modify their permissions.
