IT trends impacting IP video: Wi-Fi security for network video

Jan. 2, 2013
Advances in wireless technologies have made it a more secure, viable option for installers and end-users

IP video surveillance installations are expected to finally outpace analog install revenue in 2013, according to IMS Research. However, while IP technology has seemingly won the war, there are many analog vs. IP battles still taking place, especially in vertical markets like banking and finance, retail, small business and residential. The majority of camera installs in these markets are classified as small – with 16 or less cameras per site – and experts estimate that at least 80 percent of these small installs are still analog.

So why is analog winning the battle of the small install? Two reasons: perceived cost and complexity.

The first hurdle is being fought by the continued dropping costs of network cameras and digital storage. Vastly superior digital cameras and a multitude of storage options (server, hosted, NVR, PC, NAS, SD card, or a mix of these) will soon make the cost vs. performance argument negligible.

The perceived complexity of installation, however, may be a tougher barrier to break down, particularly for those installers who service small business owners and have sold analog CCTV for decades. With the introduction of local and wide area networks (LANs and WANs), some security professionals unfortunately lack the technical knowledge – or perhaps the confidence – for an IP installation. However, recent advances in simplifying wireless networking connectivity could help close that gap and enable the adoption of affordable network video for many small business owners.

Taking a cue from wireless consumer electronics

Consumer electronics vendors have become masters at creating ever more sophisticated, yet simpler-to-use products. For example, the broadband internet router that provides your home’s connectivity is basically a plug-and-play device. This is a far cry from the bad old days of dial-up modems with their high pitched shrieking, manual initiation and limited bandwidth. Today’s routers are always connected, providing instant access to information either through a wired or wireless link. The benefits of wireless connectivity for surveillance are obvious, but can also raise red flags for some small business users.

Data security issues

In the beginning, wireless data transmission was often considered less secure since it could be intercepted by parties other than the intended recipient. Encryption was added to combat that problem and over the years has gotten progressively better – going from Wired Equivalent Privacy (WEP) to Wired Protected Access II (WPA2), which became available in 2004 and was soon adopted as the industry standard for wireless encryption. WPA2 security includes limiting access to authorized users as well as protecting the data those users send across the network.

Setup complexity

Despite the availability of highly secure communications, many small business customers still haven’t deployed encrypted solutions due to the perceived technical complexity of doing so. For instance, if you wanted to use WPA2 to protect your camera transmissions from prying eyes, you would need to know the wireless network’s Service Set Identifier (SSID) as well as the device’s passphrase. The passphrase is a predetermined string of characters used to develop a public key that is entered to connect the camera to the wireless router. If you don’t enter that phrase correctly during setup, access is denied.  

Given this complexity, many home offices and small businesses have taken to running their wireless networks without turning on the encryption feature. Without such protection, strangers can gain access to the Internet through those routers and freely consume bandwidth that is being paid for by the home office or small business owners. In worst case scenarios, such hijacking can lead to hacking opportunities like denial of service, disruption of business operations and compromising of confidential personal and company information.

Removing the last barrier to Wi-Fi security

In response to this trend of disregarding communications security in exchange for easier deployment, the Wi-Fi Alliance (http://www.wi-fi.org/) developed the Wi-Fi Protected Setup (WPS) standard in 2007 with the goal of making it easier to setup secure wireless networks for the consumer and small business market. By 2011, this technology made its way into physical security products that use wireless communications, such as cameras and access card readers. While ease of installation may have been the driving factor for the development of this technology, the real benefit was getting over the hurdle of implementing IT security to the data being sent over the network.

The standard offers two simple setup options to greatly reduce installation time: the PIN method and the push button configuration method.

In the personal identification number (PIN) method, products are assigned a specific PIN sequence that can be broadcast to the wireless access point. Using a graphical user interface (GUI), the user selects which devices will be recognized by the network by entering their corresponding PINs. For instance, a network camera has a PIN assigned to it that is defined in the documentation of the product or on a sticker directly attached to the device. After being physically installed and powered on, the user or installer opens the GUI of the wireless router and enters the PINs of those products that were installed. The camera is now added to the network and is communicating in a secure manner.

The second and more popular implementation of WPS is the push button method, considered the penultimate of simplicity. The installer mounts the device and then pushes two buttons – one on the router and the other on the product itself. For a network camera, for instance, it’s simply a matter of physically installing the device then pushing the designated buttons on the access point and camera. The camera automatically registers itself and begins communicating securely over the wireless network.

Both of the PIN and push button methods avoid having to know the SSID or passphrase and minimize setup time, but the real benefit is that the communication between the camera and the network is now encrypted, which in many installations used to be the exception not the rule – especially in the small business environment.

No solution is 100 percent foolproof

From an ease of use perspective, WPS seems to solve the wireless networking learning curve in typical small system deployments. But does it actually provide the amount of security needed?  The answer is a resounding, yes, but with a caveat.

WPS simplifies the setup of WPA2 and directly creates a secure connection based on an industry standard that frequently was ignored in the past due to the complexity of early setup methods. Unfortunately, in 2011, an exploit was published online which enables individuals to procure a WPS-enabled access point’s PIN using a brute force attack.

This type of attack is employed by hackers trying to decrypt an encrypted transmission and involves trying all variants of the encryption key. The longer the key, the more time it takes a computer to crack it. In the case of Wi-Fi protected setup – the push-button or PIN method – the keys are only eight digits long and can be deciphered in a manner of hours. To put this into perspective, traditional WPA2 setup methods use a key length of 14 alphanumeric characters or more, which increases the timeframe for a brute force attack from minutes to years based on today’s computing power.

If the WPS method is used and decoded by an attack, the hacker has access to the network as if encryption was never enabled. As a result of this exploit, most network administrators require WPS to be disabled during installation of the wireless router, thus causing many security integrators to stop using the encryption method.   

Does this make WPS irrelevant?  That depends on the target.  For instance, is it likely that the local pizza shop that opts for a wireless video solution is going to be a hacked?  Even if the shop is hacked, with limited bandwidth to the Internet gained by stealing services from outside the building or in another room, what could this hacker be trying to achieve by tapping into their network? On the other hand, a small bank branch that has the same camera count and is also using a wireless solution might consider network security as a mission critical component. In this case, an integrator would either opt for a wired solution or use the traditional method of manual setup.

To encrypt or not to encrypt: that is the question

As with all decisions in physical security, practitioners need to determine the probability of a brute force attack and the possible loss and risk associated with a compromised wireless network. The answers to those questions will ultimately determine if wireless security is put in place using WPS or done through the manual setup process.

Either way, having encryption enabled on wireless networks is a best practice that should be adhered to with all security installations. The best outcome of WPS may not be that setting up secure wireless communications is made easier, but rather that security professionals begin educating themselves and their end-customers on the basics of wireless security and start implementing it across all network components instead of ignoring it altogether.

About the author: James Marcella has been a technologist in the security and IT industries for more than 18 years. He is currently the director of technical services for Axis Communications.

About the Author

James Marcella | Director of Technical Services

James Marcella has been a technologist in the security and IT industries for nearly two decades. He is currently the Director of Technical Services for Axis Communications. To request more info about Axis, visit www.securityinfowatch.com/10212966.