IP Camera Hardening and Cybersecurity Guide | Secure Configuration and Operation | 6 / 14 | Data subject to change without notice | August 2022 | Security Systems / Video Systems

Discovery 

A Bosch proprietary mechanism that makes cameras discoverable by Bosch software, e.g. the Configuration 
Manager. Like every discovery protocol it answers unauthenticated requests from the local network, so 
disabling it removes one easy way for anyone on the subnet to enumerate cameras. 

Recommendation: 

When working with dynamic IP addresses this feature should remain enabled; in an environment with 
fixed IP addresses it can be turned off. 

 

ONVIF Discovery 

Supports discovery of the camera via the ONVIF discovery protocol (WS-Discovery): a client multicasts a 
Probe to 239.255.255.250 on UDP port 3702 and the camera answers with a ProbeMatch that names its ONVIF 
service URL. No authentication is involved, so while this is enabled every host on the subnet can learn 
that the camera exists and where its ONVIF interface is. 

Recommendation: 

When working with dynamic IP addresses and ONVIF-compliant tools this feature should remain 
enabled; in a fixed environment with fixed IP addresses it can be turned off. 

 

GBT/28181 

GB/T 28181 is a SIP-based Chinese national standard for interoperability between video surveillance 
devices and management platforms. 

Recommendation: 

Enable it only where such a platform is in use; in all other cases it should remain disabled, as it is 
one more network service exposed by the camera. 

 

Password Reset mechanism 

IP cameras are often mounted in remote locations, which makes maintenance work, or a factory reset after 
access to the camera has been locked, hard to carry out. Bosch therefore offers a way to reset the password 
of a camera through a challenge-response mechanism based on public/private key cryptography. 

Recommendation: 

If this feature is not needed, disable it. A recovery path that works without the administrator password is 
by definition a second way into the device and should only exist where the operational benefit justifies it. 

 

Ping Response 

Configures whether the camera answers ICMP echo (ping) requests. Answering helps with debugging; in a 
high-security network it can be disabled so that a ping sweep does not enumerate the device. This removes 
only one enumeration method: an attacker on the same subnet still sees the camera through ARP, and a port 
scan that skips host discovery (e.g. nmap -Pn) finds its open TCP ports regardless. 

Recommendation: 

Risk-based approach; can be disabled for high-security networks. 

 

RTSPS 

RTSPS is RTSP over TLS and carries the video stream encrypted. If the receiving software supports it, 
RTSPS should always be preferred over plain RTSP, which transmits the stream, and with basic 
authentication also the credentials, in clear text. As many RTSP clients do not support the secure 
variant, RTSP is still enabled at security Level 1. 

Recommendation: 

Use RTSPS wherever the client supports it, and disable plain RTSP once no client depends on it. 

 

Minimum TLS version 

IP cameras do not allow insecure SSLv3 or older connections. TLS 1.0 and 1.1 are deprecated by the IETF 
(RFC 8996) and have known weaknesses: BEAST exploits the CBC record handling of TLS 1.0, and FREAK forces 
the export-grade RSA cipher suites that older implementations still offered. 
CPP4, 6, 7 and 7.3 support TLS 1.2, which should be set as the minimum required version. 
CPP 13 and 14.x cameras do not allow TLS versions below 1.2 and also support the newer TLS 1.3. 

Recommendation: 

Set the minimum TLS version to 1.2 if it is not already set, and verify the result from a client rather 
than trusting the configuration page alone. 
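To verify the minimum version from the network side, the following probe (an added example, not code from the Bosch guide) pins a TLS client to one protocol version at a time and records which handshakes the camera accepts; a correctly hardened camera rejects TLS 1.0 and 1.1 and accepts 1.2. Host and port are arguments; 443 is the default because the HTTPS port is what the setting most visibly affects, but the same handshake test works against the RTSPS port because TLS is negotiated before any RTSP command. The call to set_ciphers("DEFAULT:@SECLEVEL=0") is an assumption about OpenSSL 3 behaviour (it refuses to offer TLS 1.0/1.1 at the default security level); on builds where the old versions are compiled out the probe reports them as not testable instead of silently passing.

```python
import socket
import ssl
import sys

# Probe order: oldest first. A hardened camera must reject the first two.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns "accepted", "rejected", "client-unsupported" (the local OpenSSL build
    cannot offer this version, so nothing can be concluded) or "error: ..." for
    connection problems. Certificate verification is disabled on purpose: the
    question is which versions the camera negotiates, not whether its (often
    self-signed) certificate chains to a trusted CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Assumption: OpenSSL 3 blocks TLS 1.0/1.1 at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "client-unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"          # alert or closed handshake: the camera refused it
    except ConnectionResetError:
        return "rejected"          # some stacks reset instead of sending an alert
    except OSError as exc:
        return f"error: {exc}"     # unreachable host, wrong port, timeout


def scan(host, port=443):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def evaluate(results):
    """Judge a result table against the guide's minimum of TLS 1.2.

    Returns (ok, findings). ok is True only when nothing below 1.2 was accepted,
    TLS 1.2 itself was accepted (so an unreachable camera does not pass by
    accident) and both old versions could actually be offered by this client.
    """
    findings = []
    for name in ("TLS 1.0", "TLS 1.1"):
        if results.get(name) == "accepted":
            findings.append(f"{name} accepted: raise the minimum TLS version to 1.2")
    if results.get("TLS 1.2") != "accepted":
        findings.append(f"TLS 1.2 not accepted ({results.get('TLS 1.2')}): check host and port")
    untestable = [n for n in ("TLS 1.0", "TLS 1.1") if results.get(n) == "client-unsupported"]
    if untestable:
        findings.append("not testable from this client: " + ", ".join(untestable))
    return (not findings, findings)


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    table = scan(target, target_port)
    for name, outcome in table.items():
        print(f"{name}: {outcome}")
    passed, notes = evaluate(table)
    print("PASS" if passed else "FAIL: " + "; ".join(notes))
    sys.exit(0 if passed else 1)
```

Usage: python3 tlsprobe.py cam01.example.net 443, then again with the RTSPS port. Run it once before the change to see TLS 1.0/1.1 accepted on a CPP4 to CPP7.3 camera at its factory setting, and once after to confirm they are rejected; a CPP 13 or 14.x camera should reject them in both runs.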

 

HSTS 

HTTP Strict Transport Security (HSTS) is a policy a web server sends to the browser to protect against 
man-in-the-middle and protocol downgrade attacks. After one HTTPS response carrying the 
Strict-Transport-Security header, the browser connects to that host only over HTTPS, for the time given 
by the header's max-age, and refuses any unencrypted HTTP connection. Two conditions matter for cameras: 
browsers honor the header only for hosts addressed by a DNS name, not by an IP address, and only when the 
camera's certificate is trusted without warnings. A camera reached by IP address with a self-signed 
certificate therefore gets no protection from HSTS even when the setting is on. 

Recommendation: 

Enable HSTS on the camera, address cameras by DNS name and install a certificate from a trusted 
(internal) CA so that browsers actually apply the policy. 
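The check below is an added example, not code from the Bosch guide: it fetches the camera's HTTPS response headers, parses the Strict-Transport-Security value and reports whether a browser would actually apply it, including the two cases above that a glance at the configuration page misses (no usable max-age, or a host addressed by IP address). The one-year minimum max-age is a policy choice of this example, not a Bosch value; the sample headers embedded for offline use are constructed. Certificate checks are disabled in the fetch so that a camera with a self-signed certificate still answers, which is exactly the situation in which a real browser would discard the header, so treat an "ok" from this script as valid only once the camera has a certificate the browsers trust.

```python
import http.client
import ipaddress
import ssl
import sys


def parse_hsts(value):
    """Parse a Strict-Transport-Security value such as 'max-age=31536000; includeSubDomains'."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        max_age = None  # missing or malformed max-age: browsers ignore the header
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, which browsers never treat as HSTS hosts."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_hsts(headers, host, min_age=31536000):
    """Judge the HSTS header of one HTTPS response.

    Returns (status, reason) with status "ok", "warn" or "fail". min_age
    (default one year) is this example's policy threshold, not a Bosch value.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "fail", "no Strict-Transport-Security header: HSTS is disabled"
    hsts = parse_hsts(value)
    if hsts["max_age"] is None:
        return "fail", f"header has no valid max-age, browsers will ignore it: {value!r}"
    if hsts["max_age"] == 0:
        return "fail", "max-age=0 tells browsers to forget the policy: HSTS is effectively off"
    if is_ip_literal(host):
        return "warn", ("header present, but browsers do not apply HSTS to hosts addressed "
                        "by IP address; reach the camera by DNS name")
    if hsts["max_age"] < min_age:
        return "warn", f"max-age={hsts['max_age']} is shorter than the {min_age} s policy"
    return "ok", f"HSTS active for {hsts['max_age']} s"


def fetch_headers(host, port=443, path="/", timeout=5.0):
    """HEAD the camera over HTTPS and return (status code, response headers).

    Verification is off so a self-signed camera still answers; a browser would
    ignore the HSTS header on such a connection. A 401 still carries the header.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample response headers, not captured from a real camera.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    code, hdrs = fetch_headers(target, target_port)
    status, reason = check_hsts(hdrs, target)
    print(f"HTTP {code}; {status.upper()}: {reason}")
    sys.exit(0 if status == "ok" else 1)
```

Usage: python3 hstscheck.py cam01.example.net. Running it against the IP address instead of the name gives the "warn" result on purpose, because that is what the browsers of the operators will effectively get.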

 

 

 

Bosch Sicherheitssysteme GmbH, Robert-Bosch-Ring 5, 85630 Grasbrunn, Germany, www.boschsecurity.com. © Bosch Sicherheitssysteme GmbH 2022.
