
Lesson 7.2: Device Hardening & Cyber Hygiene

Module: 7 – Cybersecurity for Physical Security
Prerequisites: Lesson 7.1 (Threat Landscape)
Estimated Time: 45–60 Minutes


1. Learning Objectives

By the end of this lesson, you will be able to:

  • Execute a “Cyber Hygiene” checklist for every new camera or controller installation.
  • Explain the danger of UPnP (Universal Plug and Play) and why it must be disabled immediately.
  • Justify the need for firmware management to patch “Zero Day” vulnerabilities.
  • Implement 802.1X authentication to prevent unauthorized devices from joining the network.

2. The First Commandment: Kill the Default Password

As we learned from the Mirai Botnet, default credentials (e.g., admin/12345) are the root of most evil.

The Rules:

  1. Change Immediately: Do not mount the camera until the password is changed.
  2. Complexity: Minimum 12 characters. Mix of Upper, Lower, Numbers, Symbols.
    • Bad: Camera1
    • Good: Tr@ff!c_C@m_NW
  3. Unique per Site: Never use the same password for Client A and Client B. If Client A gets hacked, hackers will try that password on all your other clients.
  4. Management: Do not write passwords in a notebook. Use an encrypted Password Manager (e.g., KeePass, LastPass) or the VMS’s built-in credential manager.
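
The rules above can be turned into an audit you run over the site credential list before sign-off. The script below is an added example, not part of the lesson: it checks each password against the length and character-class rules and detects the "same password at two clients" mistake by comparing SHA-256 digests, so the audit record never needs to hold plaintext. The site names and passwords are constructed samples. Note that the lesson's own "Good" example contains letters and symbols but no digit, so a strict checker reports it; catching that kind of slip is exactly what the check is for.

```python
import hashlib
import string
from typing import Dict, List

# Policy values from the lesson: at least 12 characters, all four character
# classes present, and no password shared between client sites.
MIN_LENGTH = 12


def policy_violations(password: str) -> List[str]:
    """Return the lesson rules this password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def credential_fingerprint(password: str) -> str:
    """SHA-256 of the password. Hypothetical helper: an audit log keeps these
    digests so reuse can be spotted without storing the passwords themselves."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reuse(site_passwords: Dict[str, str]) -> Dict[str, List[str]]:
    """Group sites by password digest; any group with 2+ sites breaks 'unique per site'."""
    groups: Dict[str, List[str]] = {}
    for site, pw in site_passwords.items():
        groups.setdefault(credential_fingerprint(pw), []).append(site)
    return {digest: sites for digest, sites in groups.items() if len(sites) > 1}


# Constructed sample inventory, not real client data.
SAMPLE_SITES = {
    "Client A - lobby cam": "Tr@ff!c_C@m_NW",
    "Client B - gate controller": "Tr@ff!c_C@m_NW",  # reused at a second client
    "Client C - parking cam": "Camera1",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_SITES.items():
        print(site, "->", policy_violations(pw) or "OK")
    for sites in find_reuse(SAMPLE_SITES).values():
        print("REUSED across:", ", ".join(sites))
```

Run it against the exported credential list from your password manager rather than a hand-typed file, so the audit sees what is actually deployed.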

3. Disable Unused Services (Close the Windows)

Out of the box, cameras are “chatty.” They want to be easy to find, so they leave many digital doors open. You must close them.

A. UPnP (Universal Plug and Play) – The Silent Killer

  • What it does: It allows the camera to talk to the Router and say: “Hey, please open a hole in the firewall so the internet can see me.”
  • Why it’s bad: It automates Port Forwarding without your knowledge. It exposes the device to the public internet.
  • Action: DISABLE UPnP on both the Camera and the Router.

B. Telnet / SSH

  • What it does: Command-line access for developers.
  • Why it’s bad: Attackers target these ports (TCP 23 / 22) to get a command shell on the device and run their own code. You, as an integrator, rarely need command-line access.
  • Action: DISABLE unless actively troubleshooting with tech support.

C. P2P (Cloud Peer-to-Peer)

  • What it does: Allows you to scan a QR code to view the camera on an app, bypassing the firewall.
  • Risk: Traffic routes through the manufacturer’s cloud server (often overseas).
  • Action: For high-security clients (Government/Banks), DISABLE P2P. Use a VPN instead.
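
After you disable services in the camera's web UI, verify from the network side that they are really gone. The script below is an added example, not part of the lesson or any vendor tool: it attempts a TCP connection to each port of interest and reports where the result differs from the lesson's policy (Telnet and SSH closed, HTTPS reachable). UPnP discovery (SSDP, UDP 1900) and cloud P2P are UDP or outbound-only features that a TCP connect test cannot see, so those two still have to be confirmed in the device settings. The `192.168.1.50` address is the one used later in this lesson; `open_local_listener` is a hypothetical helper that stands in for a camera port so the check can be exercised offline.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Policy distilled from the lesson for the TCP-based services it names.
MUST_BE_CLOSED = {23: "Telnet", 22: "SSH"}
MUST_BE_OPEN = {443: "HTTPS"}
DEFAULT_PORTS = (22, 23, 80, 443)


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unreachable or timed out
        return False


def evaluate(open_ports: Dict[int, bool]) -> List[str]:
    """Compare a {port: reachable} map against the lesson's policy."""
    findings = []
    for port, name in MUST_BE_CLOSED.items():
        if open_ports.get(port):
            findings.append(f"FAIL: {name} (TCP {port}) reachable - disable it")
    for port, name in MUST_BE_OPEN.items():
        if not open_ports.get(port):
            findings.append(f"WARN: {name} (TCP {port}) not reachable - enable HTTPS")
    return findings


def audit_device(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                 timeout: float = 1.0) -> Tuple[Dict[int, bool], List[str]]:
    """Probe the listed ports on one device and return (port map, findings)."""
    open_ports = {p: tcp_port_open(host, p, timeout) for p in ports}
    return open_ports, evaluate(open_ports)


def open_local_listener() -> Tuple[socket.socket, int]:
    """Hypothetical helper: a throwaway listener on 127.0.0.1 that stands in
    for a camera port, so the probe can be demonstrated without a real device."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    ports, findings = audit_device(target)
    print(ports)
    print("\n".join(findings) or "No findings")
```

Run it once before hardening and once after, and keep both outputs with the commissioning paperwork; the "before" run is the evidence that the defaults were actually changed.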

4. Firmware Management: Patching the Holes

Software is never perfect. Vulnerabilities (bugs that hackers can exploit) are found constantly.

  • CVE (Common Vulnerabilities and Exposures): A public catalogue of known vulnerabilities, each with a unique ID.
    • Example: “Hikvision Web Server Buffer Overflow (CVE-2021-36260).”
  • The Patch: The manufacturer releases new Firmware (e.g., v4.5.1) to fix the code.
  • The Integrator’s Job: You typically have 72 hours to update your client’s systems after a major vulnerability is announced before hackers start scanning for it automatically.
    • Note: Always read the “Release Notes” before updating to ensure it doesn’t break your VMS integration.
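
The 72-hour window only works if you can answer "which of my devices are still on the vulnerable firmware?" in minutes. The script below is an added example, not part of the lesson: it parses firmware strings like `v4.5.1` into numeric tuples (so `v4.10.0` correctly ranks above `v4.5.1`, which a plain string comparison gets wrong), flags inventory entries older than the fixed version, and reports how many hours remain before the lesson's deadline. The advisory ID, model names, inventory and dates are constructed placeholders; `v4.5.1` is the version number the lesson uses as its example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

PATCH_WINDOW = timedelta(hours=72)  # response window stated in the lesson


def parse_version(text: str) -> Tuple[int, ...]:
    """'v4.5.1' -> (4, 5, 1). A leading 'v' is stripped; non-numeric parts raise ValueError."""
    parts = text.strip().lstrip("vV").split(".")
    return tuple(int(p) for p in parts)


def needs_patch(installed: str, fixed_in: str) -> bool:
    """True when the installed firmware is older than the version that fixes the bug.
    Tuple comparison is numeric per component, so (4, 10, 0) > (4, 5, 1)."""
    return parse_version(installed) < parse_version(fixed_in)


def patch_deadline(announced: datetime) -> datetime:
    """When the lesson's 72-hour window closes."""
    return announced + PATCH_WINDOW


def triage(inventory: List[Dict[str, str]], advisory: Dict, now: datetime) -> List[Tuple[str, str, float]]:
    """Devices of the affected model still below the fixed version, with hours left
    before the deadline (negative means overdue)."""
    deadline = patch_deadline(advisory["announced"])
    hours_left = round((deadline - now) / timedelta(hours=1), 1)
    return [
        (dev["name"], dev["firmware"], hours_left)
        for dev in inventory
        if dev["model"] == advisory["model"] and needs_patch(dev["firmware"], advisory["fixed_in"])
    ]


# Constructed advisory: the ID is a placeholder, not a real CVE number.
ADVISORY = {
    "id": "CVE-YYYY-NNNNN",
    "model": "ExampleCam-200",
    "fixed_in": "v4.5.1",
    "announced": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
}

# Constructed inventory, not real client devices.
INVENTORY = [
    {"name": "Client A - lobby", "model": "ExampleCam-200", "firmware": "v4.4.9"},
    {"name": "Client A - gate", "model": "ExampleCam-200", "firmware": "v4.5.1"},
    {"name": "Client B - yard", "model": "OtherCam-10", "firmware": "v1.0.0"},
]

# Constructed "current time": 24 hours after the advisory was published.
SAMPLE_NOW = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, fw, hours in triage(INVENTORY, ADVISORY, SAMPLE_NOW):
        print(f"{name}: on {fw}, needs {ADVISORY['fixed_in']} for {ADVISORY['id']}, {hours}h left")
```

Keep the inventory as a maintained export from the VMS rather than a hand-edited list, and re-run the triage after each update to confirm the list is empty.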

5. Port Security: 802.1X (The “Bouncer”)

To stop the “Pivot Attack” (Lesson 7.1), where a hacker plugs into the outdoor camera cable, we use 802.1X.

  • How it works:
    1. The Camera plugs into the Switch.
    2. The Switch says: “Who are you? Show me your certificate.”
    3. The Camera presents a digital ID card (Certificate) installed by the IT team.
    4. The Decision:
      • Valid Certificate: The port turns ON.
      • Hacker’s Laptop (No Certificate): The port stays DEAD.
  • MAC Filtering (The “Poor Man’s” Version):
    • You tell the switch: “Only allow the device with MAC Address AA:BB:CC…”
    • Flaw: Hackers can easily “Spoof” (copy) a MAC address. 802.1X is much safer.

6. HTTPS & Encryption

When you log into a camera via a web browser, look at the URL bar.

  • HTTP (http://192.168.1.50): Unencrypted. A hacker on the network can “sniff” the traffic and see your username/password in plain text.
  • HTTPS (https://192.168.1.50): Encrypted. The traffic is scrambled.
  • Action: Always enable HTTPS and force the camera to redirect HTTP to HTTPS. Note that you may get a “Certificate Warning” (Not Secure) in the browser because the camera uses a “Self-Signed Certificate.” This is normal for local devices; the encryption still works.
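
Two things from the list above are worth checking with a script rather than by eye: that the HTTP port really does redirect to `https://`, and that the self-signed certificate you accept today is the same one the camera presents next month. The script below is an added example, not part of the lesson: `is_https_redirect` and `cert_fingerprint` are pure functions you can test offline, while `probe_http_redirect` and `fetch_self_signed_fingerprint` talk to a real device. Because the certificate is self-signed, chain validation is switched off for that one fetch, but the returned SHA-256 fingerprint is recorded and compared on later visits, so a changed certificate (which could mean an interposed device) is noticed instead of silently accepted. The host address is the lesson's `192.168.1.50`; the sample header and byte strings in the comments are constructed.

```python
import hashlib
import http.client
import socket
import ssl
from typing import Dict, Optional, Tuple


def is_https_redirect(status: int, headers: Dict[str, str]) -> bool:
    """True if an HTTP response is a redirect whose Location uses https://."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(expected: str, der_cert: bytes) -> bool:
    """Compare a previously recorded fingerprint with the certificate seen now."""
    return expected.strip().upper() == cert_fingerprint(der_cert)


def probe_http_redirect(host: str, timeout: float = 3.0) -> Tuple[int, Optional[str]]:
    """Ask the camera's HTTP port where it sends you; expect (301/302, 'https://...')."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def fetch_self_signed_fingerprint(host: str, timeout: float = 3.0) -> str:
    """Connect over TLS without chain validation (the cert is self-signed) and
    return the fingerprint so it can be pinned and compared on later visits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only for this first-contact fetch
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return cert_fingerprint(der)


if __name__ == "__main__":
    camera = "192.168.1.50"
    status, location = probe_http_redirect(camera)
    print("HTTP redirect OK" if is_https_redirect(status, {"Location": location or ""})
          else f"HTTP did not redirect to HTTPS (status {status}, Location {location})")
    print("Certificate fingerprint:", fetch_self_signed_fingerprint(camera))
```

Record the fingerprint in the site documentation at commissioning; the check on a later visit is then `fingerprint_matches(recorded, der)` against the certificate the camera presents.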