Last year it was the Mirai malware, and just a year later it is the KRACK exploit serving as a fresh reminder to everyone producing IoT devices of the importance of end-to-end security.
In simple terms, KRACK is a sophisticated Wi-Fi attack that exploits a vulnerability in the WPA2 handshake, letting the attacker decrypt all network packets to and from the victim. The result is much like being connected to an unsecured Wi-Fi network at a hotel or a coffee shop, with no firewall in between.
What can happen to the victim? All traffic sent in the clear (plain HTTP) can be sniffed, modified, and injected with malware, ransomware or other malicious payloads. What about HTTPS? Traffic encrypted with TLS 1.2 remains confidential and tamper-free, provided that the connected device or the client application takes proper security measures.
Proper security measures? The phrase has unfortunately become something of a cliché, but at Rhombus we do not take securing our products lightly. We take a holistic, top-down approach to provide complete, true end-to-end security, and in the event of zero-day exploits in open standards (like KRACK) we push automatic OTA firmware updates to respond immediately.
To provide this level of security we make sure that our cloud, mobile and web applications, data at rest, data in transit, and our cameras (physical access, firmware, and all communication to and from the camera) adhere to strict, well-defined principles and pass through several layers of internal and external security audits before release to end users.
What follows is an overview of how each component of our infrastructure was designed with a security-first approach, so that our products act as a deterrent to attacks and exploits in the environments they are deployed in.
The Rhombus cloud infrastructure is hosted on Amazon AWS, with all services running inside an AWS Virtual Private Cloud (VPC). Despite being inside the VPC, we operate under the assumption that the network is insecure, and take the necessary measures to isolate external and internal access to our services, with complete audit trails and monitoring.
In addition, our cloud-facing applications adhere to the OWASP security guidelines. We regularly run web security scanners to check that our applications are resistant to CSRF, cross-frame scripting (XFS), XSS, session hijacking, weak session-ID randomness, authentication bypass, missing brute-force protection, and ACL/privilege-escalation flaws, and that passwords are properly salted, to mention a few.
All communication (data in transit), whether within our VPC or with any of our external endpoints, takes place over a mutually authenticated TLS 1.2 channel with pinned CAs to prevent man-in-the-middle attacks.
Customer data at rest in the cloud is encrypted using SSE-KMS (server-side encryption with keys managed by AWS KMS), whereas all video and audio data stored on the camera's SD card is encrypted using LUKS with AES-256.
Securing an IoT device end to end, in our case a camera, involves multiple layers. Starting with physical access, we lock down the UART. On the software side, our firmware is signed and verified before being flashed onto the camera, using a specialized OTA update architecture that ensures security patches, feature releases and other updates are applied in a timely manner, with complete audit trails available.
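The verify-before-flash step described above, as an added example that is not Rhombus's code and says nothing about their actual image format or key management. It assumes a constructed image layout (an Ed25519 signature over a version field and the payload), a vendor public key baked into the running firmware, and, going one step beyond the text, a monotonic version check so a genuinely signed but older image cannot be re-flashed. The SHA-256 digest is what an update log would record for the audit trail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Image layout, constructed for this example:
//   [64-byte Ed25519 signature][4-byte big-endian version][payload]
// The signature covers everything after it, so a flipped bit anywhere in the
// version or payload invalidates the image.
const sigLen = ed25519.SignatureSize

// signImage runs on the build system, where the release key lives. The camera never holds it.
func signImage(releaseKey ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(ed25519.Sign(releaseKey, body), body...)
}

// verifyImage is the check the camera runs before any write to flash. It returns the
// version and payload only when the signature validates under the public key baked into
// the running firmware and the version does not move backwards (assumed anti-rollback rule).
func verifyImage(vendorPub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < sigLen+4 {
		return 0, nil, errors.New("image too short")
	}
	sig, body := image[:sigLen], image[sigLen:]
	if !ed25519.Verify(vendorPub, body, sig) {
		return 0, nil, errors.New("signature invalid: not flashing")
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version < installed {
		return 0, nil, fmt.Errorf("rollback refused: image v%d is older than installed v%d", version, installed)
	}
	return version, body[4:], nil
}

// auditDigest is what gets logged with the update outcome, so the trail can be tied to
// exactly which bytes were (or were not) written to flash.
func auditDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// firmwareScenarios exercises the checks with constructed images and reports which were refused.
func firmwareScenarios() map[string]bool {
	vendorPub, releaseKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, strangerKey, _ := ed25519.GenerateKey(rand.Reader) // a key the camera does not trust
	payload := []byte("constructed firmware payload v7")
	genuine := signImage(releaseKey, 7, payload)
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0x01            // one bit flipped in the payload
	foreign := signImage(strangerKey, 8, payload) // valid signature, wrong key
	older := signImage(releaseKey, 5, payload)    // genuine but older than installed v6

	v, p, err := verifyImage(vendorPub, 6, genuine)
	results := map[string]bool{"genuine accepted": err == nil && v == 7 && string(p) == string(payload)}
	_, _, err = verifyImage(vendorPub, 6, tampered)
	results["tampered rejected"] = err != nil
	_, _, err = verifyImage(vendorPub, 6, foreign)
	results["foreign key rejected"] = err != nil
	_, _, err = verifyImage(vendorPub, 6, older)
	results["rollback rejected"] = err != nil
	return results
}

func main() {
	for k, v := range firmwareScenarios() {
		fmt.Printf("%-22s %v\n", k, v)
	}
}
```

The point of the layout is that the version is inside the signed region: an attacker who can only replay old, validly signed images cannot rewrite the version field to defeat the rollback check without breaking the signature.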
In addition, unlike the typical IoT devices that flood the market, we do not require any changes to the network firewall, including insecure port-forwarding techniques. Instead, our cameras make outbound, mutually authenticated TLS 1.2 connections on the standard SSL/TLS ports. Lastly, for secure, seamless LAN streaming, only entities holding an authenticated and authorized session are allowed to connect to the camera.
In addition to standard enterprise features such as 2FA and SSO/SAML, we provide intelligent monitoring and alerts for anomalous usage activity. This includes alerting users about anomalous login attempts and usage patterns so that preemptive action can be taken within seconds.
Developing secure IoT devices is not an easy task, and making sure that these devices never become the source of an exploit is a serious obligation for anyone building them. Because of our security-first DNA, we are confident that our cameras can safely be deployed into enterprise IT infrastructure while providing the intelligence necessary to be a critical component of a company's physical security solution.
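The mutually authenticated, CA-pinned TLS channel mentioned for data in transit and again for the cameras' outbound connections, as an added example that is not Rhombus's code and does not describe their deployment. It assumes a private "fleet CA" that issues both the cloud endpoint's and each camera's certificate (all names constructed), and pins that single CA on both sides: the server requires a client certificate chaining to it, and the client trusts nothing else for the server. A client with no certificate, or with a certificate from an unrelated CA, is refused even when its subject name matches a real camera.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert returns an ECDSA P-256 certificate. With parent == nil it is a self-signed CA,
// otherwise a leaf issued by parent. Every name here is constructed for the example.
func newCert(name string, parent *x509.Certificate, parentKey any, usage []x509.ExtKeyUsage) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial, not production practice
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           usage,                              // nil on a CA means unrestricted
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// mtlsScenarios starts an HTTPS server that demands a client certificate issued by the
// "fleet CA" and connects to it with three clients. Both sides pin that single CA, so a
// certificate from any other issuer, however well-formed, is refused.
func mtlsScenarios() map[string]bool {
	fleetCA, fleetID := newCert("fleet CA", nil, nil, nil)
	rogueCA, rogueID := newCert("rogue CA", nil, nil, nil)
	_, serverID := newCert("cloud endpoint", fleetCA, fleetID.PrivateKey, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	_, cameraID := newCert("camera-0001", fleetCA, fleetID.PrivateKey, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	_, rogueCamID := newCert("camera-0001", rogueCA, rogueID.PrivateKey, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}) // same name, wrong issuer
	pinned := x509.NewCertPool()
	pinned.AddCert(fleetCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached once the client certificate has verified against ClientCAs.
		w.Header().Set("X-Peer-CN", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverID},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication
		ClientCAs:    pinned,                         // only the fleet CA may vouch for clients
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	call := func(id *tls.Certificate) (string, error) {
		cfg := &tls.Config{RootCAs: pinned, MinVersion: tls.VersionTLS12} // only the fleet CA may vouch for the server
		if id != nil {
			cfg.Certificates = []tls.Certificate{*id}
		}
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err != nil {
			return "", err
		}
		resp.Body.Close()
		return resp.Header.Get("X-Peer-CN"), nil
	}
	peer, okErr := call(&cameraID)
	_, noCertErr := call(nil)
	_, rogueErr := call(&rogueCamID)
	return map[string]bool{
		"fleet camera accepted":                okErr == nil && peer == "camera-0001",
		"client without certificate rejected":  noCertErr != nil,
		"client cert from unknown CA rejected": rogueErr != nil,
	}
}

func main() {
	for k, v := range mtlsScenarios() {
		fmt.Printf("%-40s %v\n", k, v)
	}
}
```

Because `RootCAs` and `ClientCAs` each contain only the fleet CA, the system trust store is never consulted, which is what makes the pinning effective against a certificate that a public or compromised CA would otherwise have issued for the same name.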