What are the best security practices to secure a remote IoT camera?

24

8

I have done a bit of home automation, such as building a remote camera that can be turned on via SSH locally and publishes images on a Linux server running on a Raspberry Pi.

I'm curious, though, as to what protocols are best followed when your security is behind a router. I've used things like PuTTY and opened ports so that I can tunnel in, but I don't imagine these are the most secure methods.

I'm wondering what protocols/tools are best used when accessing a home server system remotely.

Trevor J. Smith

Posted 2016-12-06T18:02:11.623

Reputation: 491

Do you have the ability to encrypt the image stream? - tbm0115 2016-12-06T18:10:15.417

@tbm0115 I have physical access to the device. The technical know-how, not so much. I'm still learning. - Trevor J. Smith 2016-12-06T18:11:11.157

4 Ideally, I think your camera would encrypt the image stream and an application on a secured device in the network would decrypt it. Alternatively/additionally, you could potentially set up either a separate network or a subnet in your network to run your IoT devices from and add additional security to that area of the network. - tbm0115 2016-12-06T18:14:00.613

That makes a lot of sense. Definitely worth performing if I want to add a few more devices to the mix. Thanks. - Trevor J. Smith 2016-12-06T18:15:23.633

1 That question is incredibly broad. Especially your title — given the body, I guess you're specifically concerned about network security? Even so, it depends what kind of network connectivity your application requires. - Gilles 2016-12-07T00:02:58.957

Answers

17

PuTTY is actually quite secure - the session itself is encrypted. That's part of what SSH gives you "out of the box". I do a lot of this type of thing myself, and here are a few hit-points I would suggest:

  • Don't open port 22 to the world - configure your SSH server to listen on a non-standard port (e.g. 22022 or 2222) on your WAN interface.
  • Require authentication to get to any web pages with your security images. Even if this is simple HTTP-AUTH using .htaccess files, it's better than nothing.
  • Use SSL to talk to web servers, even if they're behind your router.
  • Use OpenVPN or another VPN technology to get to your home machines from anything outside your router. That obviates the need for direct SSH access, though I usually like to keep direct SSH available in case the VPN services fail.

John

Posted 2016-12-06T18:02:11.623

Reputation: 747

This assumes the OP is using Windows. - kenorb 2016-12-10T12:30:00.543

1 No it doesn't. The recommendations above are for any OS, not just Windows. - John 2016-12-10T13:53:38.160

PuTTY is an SSH client for Windows only. If you could rephrase it to SSH and give PuTTY as an example SSH client, it would sound better. - kenorb 2016-12-10T15:47:59.777

1 The only reference to PuTTY is the first sentence. Everything else references SSH, as I meant. - John 2016-12-10T15:59:55.467

14

The other answers cover a lot of the technologies that you can use to protect your system. Here are some more general thoughts/philosophies.

  1. A DMZ is your friend - In almost every case where you have a service facing an external network a DMZ (see a.) will be very beneficial. In this case it will both minimize the attack surface and minimize the damage. By limiting the number of devices in the DMZ to only the ones that need external access you limit the attack surface. Also the DMZ will make it much harder for anyone to access your core network, thus minimizing the damage.
  2. Whitelist, don't Blacklist - By default every single protocol, port and internal connection should be blocked. This blocking should be set up in the device (if possible), the firewall and the router. Only enable options that you are actively using, and only for the devices that need them. If you know and must use a protocol for an IoT device that is weak (for example devices that are affected by Mirai) you should set up a device (like a Raspberry Pi) to act as a relay. You completely isolate the device from the network and only communicate with it via a secure protocol (SSH, VPN, etc.) that the Raspberry Pi transforms into the protocol that the device needs.

AstroDan

Posted 2016-12-06T18:02:11.623

Reputation: 314

2

SSH is a reasonable starting point. It's essential that you use TLS encryption, and using PuTTY for SSH access is one way to achieve this. A VPN is another. What is really important is that you use strong passphrases or keys to access the devices within your network, and that you keep the gateway devices up-to-date.

Using a non-standard port is kind of sensible, but does nothing to secure your network if you leave your device with a default (or common) password.

If you want remote access, you need a port open to forward SSH (or something very similar). If you don't trust the security implementation on the camera (i.e. its last firmware update was over about 6 months ago), then you need to use a VPN to create an isolated network segment for it. If it has WiFi and old firmware, it might as well be wide open and public (at least for anyone in physical proximity).

Sean Houlihane

Posted 2016-12-06T18:02:11.623

Reputation: 7 357
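John's answer (move SSH off port 22) and Sean's answer (strong keys rather than default passwords, keep the gateway hardened) both come down to a handful of sshd settings. The following audit script is an added example, not code from any of the answers: it parses an OpenSSH sshd_config and reports which of those recommendations a given file fails to meet. Both config texts in it are constructed for the example; the OpenSSH defaults it assumes for absent keywords are the documented ones.

```python
# Audit an OpenSSH sshd_config against the advice in the answers above:
# non-standard port, key-based logins instead of passwords, no root login.
import re

# OpenSSH defaults when a keyword is absent; the two configs below are constructed.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "permitrootlogin": ["prohibit-password"]}
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
HARDENED_CONFIG = """\
Port 22022
PasswordAuthentication no
PermitRootLogin no
# Match blocks are conditional (they run to end of file) and are not audited
Match Address 192.168.1.0/24
PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section. Keywords are
    case-insensitive and sshd only honours whole-line '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return findings as strings; an empty list means all checks passed.
    sshd uses the first occurrence of a keyword, so index 0 is effective."""
    cfg = parse_sshd_config(text)
    def get(key):
        return cfg.get(key, DEFAULTS[key])
    findings = []
    if "22" in get("port"):
        findings.append("Port 22 exposed: listen on a non-standard port, e.g. 2222")
    if get("passwordauthentication")[0].lower() != "no":
        findings.append("password logins allowed: set PasswordAuthentication no")
    if get("permitrootlogin")[0].lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("root can log in with a password: set PermitRootLogin no")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on the Pi to check the real file; an empty list means the three settings match the answers' advice.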