IP Camera Hardening and Cybersecurity Guide |
Secure Configuration and Operation
6 | 14
Data subject to change without notice | August 22
Security Systems / Video Systems
Discovery
Uses a Bosch proprietary mechanism to make cameras discoverable by Bosch software, e.g. the Configuration
Manager.
Recommendation:
When working with dynamic IP addresses, this feature should remain enabled. In an environment with fixed
IP addresses, it can be turned off.
ONVIF Discovery
Supports the discovery of camera devices via the ONVIF Discovery protocol.
Recommendation:
When working with dynamic IP addresses and ONVIF-compliant tools, this feature should remain enabled. In an
environment with fixed IP addresses, it can be turned off.
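The following is an added example and not code from the Bosch guide. It shows what the ONVIF Discovery feature exchanges on the network and why the guide suggests turning it off where it is not needed: it builds the WS-Discovery Probe that an ONVIF client multicasts, parses a ProbeMatches reply into the device name, hardware scope and service URL that a responding camera discloses, and includes a local-segment probe that can be run after hardening to confirm that a camera no longer answers. The sample reply, its UUID, the address 192.0.2.10 and the scope values are constructed; the XML namespaces and the multicast group are the ones defined by the WS-Discovery and ONVIF specifications.

```python
import socket
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Namespaces defined by SOAP 1.2, WS-Addressing 2004/08, WS-Discovery 2005/04 and the ONVIF device WSDL.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
    "dn": "http://www.onvif.org/ver10/network/wsdl",
}
WS_DISCOVERY_GROUP = ("239.255.255.250", 3702)  # IPv4 multicast group and port used by WS-Discovery


def build_probe(message_id=None):
    """Return the WS-Discovery Probe an ONVIF client multicasts to find NetworkVideoTransmitter devices."""
    message_id = message_id or f"urn:uuid:{uuid.uuid4()}"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:a="{NS["a"]}" xmlns:d="{NS["d"]}" xmlns:dn="{NS["dn"]}">'
        "<s:Header>"
        f"<a:MessageID>{message_id}</a:MessageID>"
        "<a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>"
        f'<a:Action>{NS["d"]}/Probe</a:Action>'
        "</s:Header>"
        "<s:Body><d:Probe><d:Types>dn:NetworkVideoTransmitter</d:Types></d:Probe></s:Body>"
        "</s:Envelope>"
    )


def parse_probe_matches(xml_text):
    """Extract what each ProbeMatch discloses: endpoint id, service URLs and the ONVIF scopes (name, hardware, ...)."""
    root = ET.fromstring(xml_text)
    matches = []
    prefix = "onvif://www.onvif.org/"
    for pm in root.iter(f"{{{NS['d']}}}ProbeMatch"):
        scopes = {}
        for scope in pm.findtext("d:Scopes", default="", namespaces=NS).split():
            # ONVIF scopes look like onvif://www.onvif.org/<category>/<value>; the value is URL-encoded.
            if scope.startswith(prefix):
                category, _, value = scope[len(prefix):].partition("/")
                scopes.setdefault(category, []).append(unquote(value))
        matches.append({
            "endpoint": pm.findtext("a:EndpointReference/a:Address", default="", namespaces=NS),
            "xaddrs": pm.findtext("d:XAddrs", default="", namespaces=NS).split(),
            "scopes": scopes,
        })
    return matches


def probe_network(timeout=3.0):
    """Multicast one Probe on the local segment and collect the answers.
    After ONVIF Discovery has been disabled, a hardened camera must no longer appear in this list."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # keep the probe on the local segment
    sock.settimeout(timeout)
    sock.sendto(build_probe().encode(), WS_DISCOVERY_GROUP)
    responders = []
    try:
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            try:
                responders.append((addr, parse_probe_matches(data.decode(errors="replace"))))
            except ET.ParseError:
                continue  # not a well-formed ProbeMatches reply
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders


# Constructed sample reply in the WS-Discovery ProbeMatches format; no real device data.
SAMPLE_PROBE_MATCH = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:d="{NS['d']}" xmlns:dn="{NS['dn']}">
  <s:Header><a:Action>{NS['d']}/ProbeMatches</a:Action></s:Header>
  <s:Body><d:ProbeMatches><d:ProbeMatch>
    <a:EndpointReference><a:Address>urn:uuid:00000000-0000-0000-0000-000000000001</a:Address></a:EndpointReference>
    <d:Types>dn:NetworkVideoTransmitter</d:Types>
    <d:Scopes>onvif://www.onvif.org/type/video_encoder onvif://www.onvif.org/hardware/EXAMPLE-MODEL onvif://www.onvif.org/name/Lobby%20Camera</d:Scopes>
    <d:XAddrs>http://192.0.2.10/onvif/device_service</d:XAddrs>
    <d:MetadataVersion>1</d:MetadataVersion>
  </d:ProbeMatch></d:ProbeMatches></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    for match in parse_probe_matches(SAMPLE_PROBE_MATCH):
        print(match)
```

Run `probe_network()` from a host on the same VLAN as the camera before and after changing the setting: with the feature enabled the camera's name, hardware identifier and service URL come back to anyone on the segment without authentication, which is the exposure the recommendation weighs against the convenience of dynamic addressing; an empty list afterwards confirms the feature is off.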
GBT/28181
GBT/28181 is a Chinese standard for interoperability between different devices.
Recommendation:
Enable it only if required; for all other use cases it should remain disabled.
Password Reset mechanism
IP cameras can be mounted in very remote locations, making it hard to do maintenance work or a factory reset
in case access to the camera has been locked. Bosch offers the possibility to reset the password of a camera via a
challenge-response mechanism based on secure public/private key cryptography.
Recommendation:
If this feature is not needed, it should be disabled.
Ping Response
Configures whether the camera answers ping requests on the network. This can help with debugging; in a
high-security network it can be disabled to avoid device enumeration via ping sweep, although an attacker has
several other means of device discovery.
Recommendation:
Risk-based approach; can be disabled for high-security networks.
RTSPS
RTSPS is the encrypted version of RTSP and is used for video streaming. If the receiving software supports it,
RTSPS should always be preferred over plain RTSP. As many RTSP clients do not support the secure variant,
RTSP is still enabled for Level 1 security.
Recommendation:
Use RTSPS if possible.
Minimum TLS version
IP cameras do not allow insecure SSLv3 or older connections. TLS 1.0 and 1.1 are deprecated by the IETF and
have known security issues (BEAST, FREAK).
CPP4, 6, 7 and 7.3 support the secure TLS 1.2, which should be set as the minimum required version.
CPP 13 and 14.x cameras do not allow TLS versions below 1.2; they also support the newer TLS 1.3 specification.
Recommendation:
Set minimum TLS version to 1.2 if not already set.
HSTS
HTTP Strict Transport Security (HSTS) is a policy set by a website to protect against man-in-the-middle attacks
and protocol downgrade attacks. It allows the website to instruct the browser to use only HTTPS for its
connections to that site and to refuse any unencrypted HTTP connection.
Recommendation:
Enable HSTS on the camera.
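As an added example covering both the Minimum TLS version and the HSTS sections above (this is not code from the Bosch guide), the script below verifies the two settings on a camera's HTTPS endpoint the way a reviewer would after configuration: it pins a client handshake to each TLS version in turn and assesses the outcome against the "minimum TLS 1.2" recommendation, then fetches the response headers and checks the Strict-Transport-Security header. Assumptions: the camera serves HTTPS on port 443; its CA certificate is passed as cafile so the header fetch keeps certificate verification on; the one-year (31536000 s) max-age threshold is common practice and not a value from the guide; and the NO_PROTOCOLS_AVAILABLE reason string, used to recognise a local OpenSSL build that can no longer offer TLS 1.0/1.1, is assumed.

```python
import http.client
import socket
import ssl
import sys

# TLS versions to probe, oldest first. Whether the local OpenSSL build can still offer TLS 1.0/1.1 varies.
PROBE_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = {"TLS 1.0", "TLS 1.1"}
ONE_YEAR = 31536000  # assumed max-age threshold (common practice), not a value from the guide


def probe_version(host, port, version, timeout=5.0):
    """Handshake with exactly one TLS version pinned.
    True = camera accepted it, False = camera rejected it, None = the local library cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the negotiated protocol is under test here, not the certificate chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # A refused or unreachable port raises OSError and is deliberately not swallowed.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        # Assumed reason string: reported when the client side itself has no usable version left.
        if getattr(exc, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False


def audit_tls_versions(host, port=443):
    return {name: probe_version(host, port, version) for name, version in PROBE_VERSIONS}


def assess_tls(results):
    """Verdict against the 'minimum TLS 1.2' recommendation for a {version name: probe result} map."""
    accepted_legacy = sorted(name for name in LEGACY if results.get(name))
    if accepted_legacy:
        return "non-compliant: legacy versions accepted: " + ", ".join(accepted_legacy)
    if not any(results.get(name) for name in ("TLS 1.2", "TLS 1.3")):
        return "inconclusive: no TLS 1.2 or 1.3 handshake succeeded"
    untested = sorted(name for name in LEGACY if results.get(name) is None)
    if untested:
        return "compliant as far as testable (local library could not offer " + ", ".join(untested) + ")"
    return "compliant: minimum TLS version is 1.2"


def parse_hsts(value):
    """Split a Strict-Transport-Security header value (RFC 6797) into its directives."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(headers, min_age=ONE_YEAR):
    """Findings for the headers of an HTTPS response from the camera; names are matched case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HSTS header missing: enable HSTS on the camera"]
    hsts = parse_hsts(value)
    if hsts["max_age"] is None:
        return ["HSTS max-age directive missing or invalid"]
    if hsts["max_age"] < min_age:
        return [f"HSTS max-age {hsts['max_age']} is below the recommended {min_age} (one year)"]
    return []


def fetch_headers(host, port=443, cafile=None):
    """HEAD request over HTTPS with certificate verification on; pass the camera's CA certificate as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=5)
    try:
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    tls_results = audit_tls_versions(target)
    print(tls_results, "->", assess_tls(tls_results))
    for finding in check_hsts(fetch_headers(target, cafile=ca)) or ["HSTS OK"]:
        print(finding)
```

Run it as `python3 camera_https_check.py <camera-host> [ca.pem]` against each camera after setting the minimum TLS version and enabling HSTS. A "compliant as far as testable" verdict means the machine running the check could not even offer TLS 1.0/1.1, so that part of the result says nothing about the camera; repeat the version probe from a host whose OpenSSL still supports those versions, or with a dedicated TLS scanner, before signing the setting off.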