Silly Disregard for Security in IP Security Products
Here’s a clue to how far most physical security industry vendors
are from understanding IP, IT or convergence. Show me the firewall. That’s
it. Show me how your device with a .NET
architecture or a Linux operating system is not a hacker’s wet dream.
I circle the trade shows, interview countless product
managers over the phone, and test quite a few products. But if I find an Ethernet network connection,
or wireless networking capability, I also find a fairly easily hackable
target. That goes for IP cameras (wired
and wireless), analytics appliances, digital video recorders (DVRs), even the
mobile systems installed in city buses and cop cars, plus these new IP-capable
door controllers from HID, and so on.
Aha! You say! More reason to stick with old dumb serial
At which point I realize you don’t read much. IP-based
security systems create value and very often the final decision for selecting
surveillance, monitoring or access control systems built around smart software,
computers, and Internet networking comes not from security directors, but from
business managers. The business needs
the flexibility of distributed video images, the lower costs of Internet
networking, the efficiency of software-controlled access and storage
Consumers of IP-based security technologies enjoy many
benefits from their intelligence-enabled security systems, such as
- New sources
measurements of performance
- Ability to identify and fix problems in real time, before they create loss
Yet, none of those points would be the first off their lips.
Each customer would tell you that they selected the IT solution because they
simply had no choice. The pressure of
doing business in a highly competitive marketplace means there is no more room
for waste – no more indulgence of inefficiencies.
But that doesn’t mean physical security vendors can just
plug “IP” into their product.
I mentioned the threat of hacking to an HID product manager
who was describing his VertX V1000 door controller. Whereupon he promptly defended the system. “Well, it’s no bigger risk than someone
walking up to a control panel and directly connecting to bypass the door.”
Another product manager said it’s not a problem since the
security network is segregated from the IT network. …That’s what one of my clients thought until
a virus took down all of his DVRs. (One
router on the segregated network hosted an Internet connection.)
Deb Radcliff just wrote about this last week in
Computerworld. Network printers, like the one parked outside your cubicle right
now, are computers that may propagate viruses. So are DVRs and even some cameras.
I’ll take this moment to remind the physical security
industry that there is also a $40 billion IT security industry. We can learn a lot from the geeks.
For example, a firewall is a good idea when connecting any
network system to any network. So is
reducing the operating system. How many
full Microsoft Server deployments have I seen underlying today’s physical
security systems? I recommend limiting server
functions or using a very trimmed-down Linux kernel, like the one used by Edge
Integration’s IP access control product.
This blog post is a gentle nudge for the technology
companies in physical security. But if I
don’t see improvement, don’t be surprised if my buddies and I start publishing
security holes in today’s products.