Security Digest

The IoT Zombie Survival Guide


This Halloween, the risk of being spooked and possibly thrilled by hordes of zombies appearing in your neighborhood and on your TV screens is very high. One night of the living dead may be entertaining, but the threat of zombies infecting your video surveillance system the other 364 days is not. While a perimeter intrusion detection system can provide protection against the walking dead, IT security needs a different approach to protect network cameras from Internet of Things (IoT) malware and botnet herds of zombie devices.

Mirai, a strain of malware that infects Linux-based network devices, rose from underground in September 2016. Slightly more than 28 days later, Mirai was infecting network cameras and routers across the internet and disabling systems via Distributed Denial of Service (DDoS) attacks. Some of the Internet’s most popular websites were taken offline, including GitHub, Twitter, Reddit, Netflix and Airbnb.

The creators of Mirai were eventually caught and are now cooperating with the FBI to prevent further outbreaks. Unfortunately, Mirai-like malware continues to propagate, with re-animated versions like Torii becoming a resident evil in an ever-connected IoT world.

Why Target Network Cameras?

Why are network cameras being infected? Because they exist in large numbers and are easy targets. They may use factory-default login credentials, fail to implement user lockout, and run software with known exploits. To make matters worse, some manufacturers are slow to issue firmware updates (if they issue them at all), while organizations face logistical challenges when managing large, often geographically dispersed, deployments with hundreds if not thousands of cameras.

Unlike physical zombie bites, malware-infected devices may go unnoticed. Common symptoms include an increased appetite for bandwidth, memory and CPU usage. The cameras may continue to operate, with the operators only noticing a sluggish response, especially if on-camera video analytics are running. The real concern, however, is that the camera is “rooted”. The botnet owner has complete control and can change admin passwords, power it off, re-configure it, or use it as a staging point against other internal systems.
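The symptoms above can be checked against each camera's own history. The following is an added example, not part of the original article or any vendor tool: it flags cameras whose recent CPU, memory and outbound bandwidth all sit far above their own baseline. The camera names, telemetry values and thresholds are constructed assumptions.

```python
from statistics import median

METRICS = ("cpu_pct", "mem_pct", "tx_kbps")

# Constructed telemetry: per camera, oldest-first rows of (cpu %, mem %, outbound kbps).
SAMPLES = {
    "cam-lobby": [(21, 40, 2000), (19, 41, 2050), (20, 40, 1980), (22, 40, 2010), (20, 41, 2000),
                  (21, 40, 1990), (20, 41, 2020), (22, 40, 2000), (21, 41, 1995)],
    "cam-dock": [(25, 45, 3000), (24, 46, 3100), (26, 45, 2950), (25, 44, 3050), (25, 45, 3000),
                 (24, 45, 3020), (85, 70, 9000), (90, 72, 9500), (88, 71, 9200)],
    "cam-gate": [(30, 50, 2500), (31, 50, 2520), (29, 51, 2480), (30, 50, 2500), (30, 49, 2510),
                 (31, 50, 2490), (60, 50, 2500), (62, 51, 2510), (61, 50, 2490)],
    "cam-new": [(20, 40, 2000), (21, 40, 2010)],  # too little history to judge
}

def robust_z(value, history):
    """Distance of value above the history median, in robust spread units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the spread so a perfectly flat baseline does not turn noise into alerts.
    scale = max(1.4826 * mad, 0.05 * abs(med), 1.0)
    return (value - med) / scale

def flag_cameras(samples, baseline_n=6, recent_n=3, z_limit=4.0, min_metrics=2):
    """Return {camera: [elevated metrics]} for cameras whose recent medians are
    far above their own baseline on at least min_metrics metrics."""
    flagged = {}
    for cam, rows in samples.items():
        if len(rows) < baseline_n + recent_n:
            continue  # skip devices without enough history
        base, recent = rows[:baseline_n], rows[-recent_n:]
        elevated = [
            name for i, name in enumerate(METRICS)
            if robust_z(median(r[i] for r in recent), [r[i] for r in base]) > z_limit
        ]
        # One raised metric (for example CPU after enabling analytics) is not enough.
        if len(elevated) >= min_metrics:
            flagged[cam] = elevated
    return flagged

if __name__ == "__main__":
    for cam, metrics in flag_cameras(SAMPLES).items():
        print(f"{cam}: elevated {', '.join(metrics)}")
```

A flagged camera is a candidate for investigation, not proof of infection; the baseline window must come from a period when the device was known to be clean.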

Prevention and Protection and Zombies

Ideally, a firewall provides protection from external threats. Be aware, however, that firewalls can be complex to configure and maintain. In addition, configuration settings like enabling UPnP (Universal Plug and Play) or insecure cloud-based video streaming may undermine your security.

Quarantined air-gapped closed networks are certainly an option to avoid infection – a physically isolated network should be immune to Internet-based attacks. Unfortunately, this security comes at a price, as remote monitoring, administration, and troubleshooting are not possible.

A segregated approach makes it more complicated to take advantage of Internet-based services and utilities that you may need to keep your infrastructure current and secure. Software and firmware updates are two examples. For these reasons, many would prefer to have their surveillance network be accessible over the Internet – so long as connections can be secured and restricted to legitimate uses. Logically segmenting the network using Virtual LANs (VLANs) and Access Control Lists (ACLs) is another popular option.

Rules for Surviving IoT Zombieland

Here are the top 5 ways to protect your video surveillance network and prevent cameras from being zombied:

  • Be informed – When purchasing cameras, check the record of the manufacturer in terms of publishing firmware updates as well as their support offerings.
  • Change default passwords – While many manufacturers force you to change the password upon initial configuration, some don’t. Never deploy a device using the default passwords.
  • Update firmware – Older camera firmware versions will generally contain more vulnerabilities. When camera vendors address vulnerabilities, they do so through firmware updates.
  • Be proactive – Perform a vulnerability assessment of your deployment and create a security plan. Limit access to only those systems and people that require it, and ensure that all firewall rules are carefully reviewed.
  • Be prepared – Cybersecurity, like video surveillance and physical security, requires constant vigilance. It is impossible to take action on events that remain unknown. For this reason, cybersecurity events need to be continuously monitored, either from individual consoles or through event aggregation technologies.

In Search of a Cure

In an ever-mutating world of IoT infections, there is no cure in sight. However, security is a process, one that can be streamlined with best practices and innovative tools. Senstar can help!

The Senstar Enterprise Manager streamlines video surveillance-related IT operations by offering unified health monitoring, configuration management, and automatic firmware updates. Quickly identify offline cameras, storage failures, and CPU and memory threshold violations with an intuitive web-based console and email status summaries. Reduce risk with automated camera password updates, and increase compliance with the ability to explicitly define settings that cannot be changed locally.