Eye on the Eye – Increasing Security and Visibility for your IP Cameras

Adi Ikan, Network Research & Protection Group Manager

Oren Koren, Senior Cyber Security Product Manager

Ibrahim Shibli, Security Expert

IP cameras, a type of digital video camera that receives control data and sends image data via an IP network, are commonly used for surveillance. As a result, they are an essential part of our ability to monitor and secure our properties, whether those are commercial buildings, public areas, or private homes. In the last couple of years, there has been a significant increase in the use of these products, which can be seen as part of the larger trend of Smart Homes. Based on forecasts, this trend is expected to continue in the coming years. With the growing presence of these devices in our networks, it is increasingly important to monitor the associated network traffic. In this blog, we share how to leverage the unique capabilities of Check Point Application Control (APCL) to provide better visibility and security for your IP cameras. Application Control is one component of the broader Check Point IoT Protect solution for discovering and securing all your enterprise, medical and industrial IoT devices. Check out IoT Protect for more information.

Check Point Application Control provides the industry’s strongest application security and identity control for organizations of all sizes and is integrated into the Check Point R81 Cyber Security platform. Check Point R81 is the Security Management and Threat Prevention platform for Check Point’s Infinity Architecture. Application Control enables IT teams to easily create granular policies based on users or groups to identify, block or limit usage of applications and widgets. Applications are classified into categories, based on diverse criteria such as application type, security risk level, resource usage, productivity implications and more.

Check Point Application Control’s detection capabilities for IP cameras encompass the major IP camera network protocols, divided into 4 major components: Streaming, Control, Discovery and Management protocols. In addition, these capabilities cover both standardized and proprietary protocols, following top vendors in the market.

IP Camera Visibility

A major challenge presented by IP cameras within a network today is identifying their traffic and behavior. There are many vendors, and their various devices use several layers of communication, depending on the actions performed. In addition, devices may use both standardized and proprietary protocols, and have multiple interfaces. Application Control provides the ability to detect the relevant traffic, identifying the devices and their network connections.

Best practice:

  • Download the report template to review and report on IP camera application usage.
  • Discover IP cameras in your organization, using the relevant applications and protocols.
  • Identify potential challenges based on the amount of traffic and how this may impact the infrastructure.

    Figure 1 – Report showing IP camera’s streaming protocols activity within the network

Data Exfiltration

IP cameras are a potential source of data exfiltration, as in many cases they are less monitored and are knowingly or unknowingly connected to the internet. In some cases, these devices are part of the core network and reside in sensitive locations within the organization. Those devices can enable a backdoor within the organization, thereby exposing sensitive information.

Figure 2 – Shodan query on IP cameras exposed to the internet

Best Practice:

  • Identify external IPs with high bandwidth usage.
  • Exclude internal-to-internal network activity based on your segmentation, as in the following example: NOT (src:("192.168.*") AND dst:("192.168.*"))
  • Identify anomalies in the time frame of connections to external resources (for example, outside of working hours).
  • Pinpoint internal hosts that shouldn’t be connected to the cameras and are sending significant amounts of traffic.
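
The four checks above, applied together to flow records, as an added example that is not Check Point code or part of the original post. The record layout, camera inventory, allowed peer, working hours and byte threshold are constructed assumptions; only the 192.168.* segmentation comes from the query above.

```python
import ipaddress
from collections import Counter
from datetime import datetime

INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # segmentation used in the query above
CAMERAS = {"192.168.10.21", "192.168.10.22"}       # constructed camera inventory
ALLOWED_PEERS = {"192.168.10.5"}                   # constructed: the video recorder
WORK_HOURS = range(8, 18)                          # assumption: 08:00-17:59 local time
HEAVY_BYTES = 50_000_000                           # assumption: tune per site

# Constructed flow records: (timestamp, src, dst, bytes)
FLOWS = [
    ("2021-03-01T10:15:00", "192.168.10.21", "192.168.10.5", 900_000_000),
    ("2021-03-01T11:00:00", "192.168.10.21", "203.0.113.50", 120_000_000),
    ("2021-03-02T02:30:00", "192.168.10.22", "198.51.100.7", 4_000_000),
    ("2021-03-02T09:45:00", "192.168.20.77", "192.168.10.22", 300_000_000),
    ("2021-03-02T14:00:00", "192.168.10.22", "203.0.113.50", 10_000_000),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def triage(flows):
    """Split camera traffic into the findings named in the best-practice list."""
    external, internal, off_hours = Counter(), Counter(), []
    for ts, src, dst, nbytes in flows:
        if src not in CAMERAS and dst not in CAMERAS:
            continue                                  # not camera traffic
        peer = dst if src in CAMERAS else src
        if is_internal(src) and is_internal(dst):
            # Internal-to-internal: only peers outside the allow list matter.
            if peer not in ALLOWED_PEERS | CAMERAS:
                internal[peer] += nbytes
            continue
        external[peer] += nbytes                      # crosses the boundary
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            off_hours.append((ts, src, dst))
    return {
        "heavy_external": {ip: b for ip, b in external.items() if b >= HEAVY_BYTES},
        "off_hours_external": off_hours,
        "unexpected_internal": {ip: b for ip, b in internal.items() if b >= HEAVY_BYTES},
    }

if __name__ == "__main__":
    for finding, value in triage(FLOWS).items():
        print(finding, value)
```
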

Camera External Exposure

Based on their configuration, IP cameras may be exposed outside of the network to the internet. This issue correlates with a major challenge in IoT, namely, misconfiguration of devices. The potential damage of this exposure can be severe, as it can enable attackers to view the live video streaming of the camera. Therefore, it is highly important to identify the devices exposed to the internet, and block outbound traffic.

Best Practice:

  • Identify suspicious external connections using protocols associated with malicious activity.
  • Leverage Geo location capability to expose suspicious/forbidden source IPs connecting to cameras within the organization.

Unknown Camera Installed

With the proliferation of devices within the network, it is increasingly important to monitor IP camera traffic and identify any unknown or unwanted devices. These devices may have been wrongly installed or connected to the network or to a specific unintended segment. This can result in potential data loss or create a new attack surface within the network.

Best Practice:

  • Identify unknown devices communicating over protocols associated with IP cameras.
  • Review the list of IP addresses related to IP cameras and identify the unknown devices.
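
One way to run this review against an asset list, as an added example that is not Check Point code or part of the original post. The inventory, the approved camera segment and the connection records are constructed, and the port-to-protocol map (RTSP on TCP 554, WS-Discovery on UDP 3702) is an assumption to extend with the protocols your vendors use.

```python
import ipaddress

CAMERA_SEGMENT = ipaddress.ip_network("192.168.10.0/24")  # constructed: approved camera segment
INVENTORY = {"192.168.10.21", "192.168.10.22",            # constructed asset list
             "192.168.10.23", "192.168.30.9"}
CAMERA_PORTS = {("tcp", 554): "RTSP",                     # assumption: streaming
                ("udp", 3702): "WS-Discovery"}            # assumption: discovery

# Constructed records of accepted connections: (src, dst, proto, dst_port)
CONNS = [
    ("192.168.10.5", "192.168.10.21", "tcp", 554),
    ("192.168.10.5", "192.168.10.22", "tcp", 554),
    ("192.168.10.5", "192.168.30.9", "tcp", 554),    # in inventory, outside the segment
    ("192.168.40.12", "192.168.40.80", "tcp", 554),  # not in inventory
    ("192.168.10.5", "192.168.10.21", "tcp", 443),   # not a camera protocol in this map
    ("192.168.10.5", "192.168.10.99", "udp", 3702),  # not in inventory
]

def audit(conns):
    """Return (findings, silent): devices serving camera protocols that are
    unknown or misplaced, and inventory entries that were never observed."""
    seen = {}
    for _src, dst, proto, port in conns:
        name = CAMERA_PORTS.get((proto, port))
        if name:
            seen.setdefault(dst, set()).add(name)     # dst is the serving device
    findings = {}
    for ip, protos in seen.items():
        if ip not in INVENTORY:
            status = "unknown"
        elif ipaddress.ip_address(ip) not in CAMERA_SEGMENT:
            status = "wrong_segment"
        else:
            continue                                  # known camera in its segment
        findings[ip] = (status, sorted(protos))
    silent = sorted(INVENTORY - set(seen))            # listed but never observed
    return findings, silent

if __name__ == "__main__":
    findings, silent = audit(CONNS)
    for ip, (status, protos) in sorted(findings.items()):
        print(ip, status, ",".join(protos))
    print("inventory entries with no camera traffic:", silent)
```
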

Summary

IP cameras enable us to more easily secure and monitor public and private properties. However, these devices may in turn present security challenges of their own. Following the significant increase in their usage, it’s more important than ever to secure and monitor these devices. Check Point Application Control has unique detection capabilities that provide better visibility and security for IP cameras, as well as their associated traffic and behavior within the network.

Figure 3 – Check Point’s Application Control IP camera’s inspection flow

Application Control can be used with Check Point’s IoT Protect solution for monitoring IoT device application traffic. IoT Protect is a broader solution that identifies any IoT device on the network, assesses its risk, prevents unauthorized access with zero-trust segmentation, and blocks IoT attacks with threat prevention security services including 300+ signatures and on-device run-time protection.