We may not see it or feel it, but it’s happening. IoT devices are growing in number all around us, and improving our lives. Sensors help organizations streamline operations at a hospital, and point-of-sale devices improve our experience at the local coffee shop. But securing IoT can be complicated, especially when contending with outdated devices and deploying them across multiple sites. IoT devices typically lack 802.1X support and can be hacked in 5 minutes on average. In our recent “Security Made Simple” launch, we discussed a new feature called Identity PSK that simplifies IoT security.
A better way of securing IoT
Many IoT devices are not compatible with 802.1X, leaving IT admins no choice but to use WPA2 or a pre-shared key for authentication. Unfortunately, both methods come with well-documented security flaws. Identity PSK provides a way to assign users and devices unique keys, build identity-based groups, and scale them across the network. For example, a hospital might have wireless infusion pumps and patient monitoring tools for which they would like to apply different group policies. With IPSK, the hospital IT administrator can now assign those devices unique groups and separate VLANs. The IT admin will also be able to reset or change the keys on entire groups of devices at the same time.
With IPSK, it will become easier to secure devices across multiple industries. An IT admin at a manufacturing plant will segment barcode scanners and sensors into different groups. Retail point-of-sale devices and smart thermostats will connect to one SSID, yet have different security policies. On a college campus, gaming devices, RFID card readers, and printers are easily segmented when connecting to Wi-Fi. Hotels can onboard wireless users quickly and provide granular control over their access in a more simple and secure way.
Configuring Identity PSK
Identity PSK provides the simplicity of PSK with the benefits of 802.1X, and is available today in the Meraki dashboard. Configuration is located in the wireless access control section of the dashboard. The current implementation uses a RADIUS server for authentication, allowing organizations to leverage existing services such as Cisco ISE. When a client associates to a Meraki access point, the AP will send the MAC address of the device to the RADIUS server. The RADIUS server is able to respond with the PSK, which then allows the access point to authenticate the device.
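The MAC-lookup flow just described, modelled as an added Python illustration (not Meraki, Cisco ISE or RADIUS code): a directory maps each device MAC to its group, VLAN and per-device key, the AP derives the WPA2 PMK from the key RADIUS returns and checks it against the client's, and a whole group's keys can be reset at once. The SSID, MACs, group names and passphrases are constructed sample values, and the helper functions are hypothetical.

```python
import hashlib
import hmac

SSID = "clinic-iot"  # constructed sample SSID

# RADIUS-side directory (constructed): MAC address -> group, VLAN, per-device passphrase.
# Each IoT device gets its own key, so one leaked key exposes one device, not the SSID.
DIRECTORY = {
    "00:11:22:33:44:55": {"group": "infusion-pumps", "vlan": 110, "psk": "pump-7f3a-constructed"},
    "00:11:22:33:44:56": {"group": "infusion-pumps", "vlan": 110, "psk": "pump-9c1d-constructed"},
    "aa:bb:cc:dd:ee:01": {"group": "patient-monitors", "vlan": 120, "psk": "mon-4e2b-constructed"},
}

def normalize_mac(mac: str) -> str:
    """Canonicalize MAC spellings (AA-BB-CC-..., aabb.ccdd.eeff) to lower-case colon form."""
    digits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def radius_lookup(mac: str):
    """RADIUS server side: answer the AP's MAC query with the device's PSK and policy."""
    return DIRECTORY.get(normalize_mac(mac))

def ap_authenticate(client_mac: str, client_passphrase: str):
    """AP side: fetch the expected key for this MAC and check the client holds the same PMK.
    Returns the VLAN to place the client on, or None if the association is rejected."""
    entry = radius_lookup(client_mac)
    if entry is None:
        return None  # unknown MAC: no key was ever issued, reject
    expected = wpa2_pmk(entry["psk"], SSID)
    offered = wpa2_pmk(client_passphrase, SSID)
    # constant-time comparison stands in for the 4-way handshake's MIC check
    return entry["vlan"] if hmac.compare_digest(expected, offered) else None

def rotate_group_keys(group: str, new_keys: dict) -> int:
    """Reset the keys of every device in a group at once; returns how many were rotated."""
    rotated = 0
    for mac, entry in DIRECTORY.items():
        if entry["group"] == group and mac in new_keys:
            entry["psk"] = new_keys[mac]
            rotated += 1
    return rotated
```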
You can learn more here about how Meraki is simplifying security for every layer of the network, from client to application. For a further deep dive on Meraki Wireless, join us for an upcoming live webinar.
The “smart” descriptor gets tossed around the tech world so much today, it’s hard to know what, if anything, actually makes a device smart.
In the case of the Meraki MV security camera line, a mobile-grade processor on each camera means that the power of a smartphone is packed into each device, rendering onsite servers and special software unnecessary. Instead, users simply log into a browser-based dashboard to see rich person detection and motion-sensitive analytics. These tools can help with everything from keeping a campus safer, to streamlining processes in a manufacturing plant, to monitoring foot traffic in even the tiniest of retail locations.
Listen to MV’s product manager George Bentinck describe the benefits of a cloud-based smart camera system and see him demo the dashboard at newsroom.cisco.com.
Security cameras can serve a multitude of different functions, from providing live footage to a security guard, to analyzing customer behavior in a retail location, to supplying evidence in a liability claim. With each of these use cases comes a different retention policy. Scheduled recording and motion-based retention, both available in public beta now, allow users to customize their camera settings to match their specific retention needs.
Hot on the heels of some other product improvements in just the last couple of months, the engineering team has worked tirelessly to produce features that would help accommodate the most commonly received request from MV customers.
Scheduled recording minimizes extraneous recording for customers who only use cameras during certain hours—think process controls in a factory—with the potential to greatly extend storage duration. Plus, scheduled recording can be used to disable historical footage altogether in instances where only live footage is needed and/or permissible.
Motion-based retention works differently from other motion-based recording solutions on the market. Instead of triggering a camera to record only when it senses motion, which can often result in false negatives and lost footage, MV uses a hybrid cloud processing approach to give a more reliable result. MV will record all footage and then, using the same motion indexing engine as the Motion Search tool, will gradually and intelligently trim segments of footage which contain no motion. This gives users the flexibility to retain the most recent 72 continuous hours for extra security before trimming out the motionless video. This approach also means that motion-containing video segments can be better padded to ensure no valuable footage is lost.
Based on the motion data from all cameras that have been deployed since launch in October, 95% of MVs are expected to record 30 days or more at Standard image quality.
To enable schedules and motion-based retention, simply choose a camera and go to its settings page. Select the “Quality and Retention” tab. To create a new schedule, select “Scheduled” and “Change Schedules.” Select an already-created schedule template, or “New schedule.” Then, just drag the time sliders to adjust when cameras are recording. Click on any timeline to create multiple recording segments in one day.
Motion-based retention can also be enabled on this page. The chart on this page shows how much motion that specific camera actually captured in the past week. Based on an average of the same time period, the dashboard will provide an estimate of the total retention capacity for the selected camera. Adjusting the image quality from Standard to Enhanced will also affect this value. Use scheduled recording in conjunction with motion-based retention to build the retention plan that works best for you.
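An added Python model of the retention behaviour described in the paragraphs above (scheduled recording, the 72-hour continuous window, trimming of motionless segments with padding around motion, and a retention estimate); it is an illustration, not MV firmware or dashboard code. The segment records, the 2-minute padding and the simplified estimate formula are constructed assumptions, and timestamps are treated as seconds in local time.

```python
from dataclasses import dataclass

KEEP_CONTINUOUS_HOURS = 72   # most recent 72 h kept untrimmed, as the text states
MOTION_PAD_SEC = 120         # assumed padding kept on each side of a motion segment

@dataclass
class Segment:
    start: int      # seconds since epoch, local time (constructed sample data)
    end: int
    motion: bool    # verdict of the motion indexing engine for this segment

def in_schedule(ts, windows):
    """Scheduled recording: a timestamp is recorded only inside a [start, end)
    window of the daily schedule, given in seconds since local midnight."""
    sec_of_day = ts % 86400
    return any(s <= sec_of_day < e for s, e in windows)

def apply_schedule(segments, windows):
    """Drop segments whose start falls outside the recording schedule."""
    return [s for s in segments if in_schedule(s.start, windows)]

def trim_motionless(segments, now):
    """Motion-based retention: everything inside the continuous window stays;
    older motionless segments are dropped unless they lie within MOTION_PAD_SEC
    of a motion segment, so motion footage keeps its lead-in and tail."""
    cutoff = now - KEEP_CONTINUOUS_HOURS * 3600
    motion_ranges = [(s.start - MOTION_PAD_SEC, s.end + MOTION_PAD_SEC)
                     for s in segments if s.motion]
    kept = []
    for s in segments:
        if s.end > cutoff or s.motion:
            kept.append(s)
        elif any(s.end > lo and s.start < hi for lo, hi in motion_ranges):
            kept.append(s)  # padding around a motion event
    return kept

def retention_estimate_days(storage_bytes, bytes_per_sec, motion_fraction):
    """Simplified (assumed) estimate: once motionless footage is trimmed, storage
    only has to hold the fraction of time that contained motion last week."""
    return storage_bytes / (bytes_per_sec * motion_fraction) / 86400
```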
Finally, video exports now feature timestamps embedded as watermarks. This small-but-mighty feature update will help provide users a more robust experience, should video need to be shared as evidence with law enforcement. Timestamps include the camera name, date, time, and timezone to ensure absolute clarity when reviewing footage.
Optimized retention is now available in beta. To take advantage of this functionality in your network, go to Network-wide, then click General. At the bottom of the page, select “Yes” in the dropdown menu next to ‘Try beta firmware.’ Please proceed with caution, however, if your cameras are housed in a combined network, as enabling this setting will apply to all device types in that network, not just cameras.
If you still haven’t gotten your hands on an MV trial, be sure to contact us to learn more.
The last couple of weeks have shown how vulnerable our connected world can be. Reports of a new wave of Distributed Denial of Service (DDoS) attacks at a scale beyond what has been seen before are attracting worldwide headlines. With traffic floods now reaching the terabyte scale, only those with global resources and deep pockets can withstand such an onslaught.
“The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second.”
KrebsOnSecurity Hit with Record DDoS – KrebsOnSecurity – September 21st 2016
Powering this new wave of cyber weaponry is the Internet of Things (IoT). A nascent breed of devices taking their steps into the world at a time where the value of something is dramatically amplified by its integration into the network. Unfortunately this rapid push to connect everything has not always been balanced with the rapid push to secure the underlying technology architecture.
“That cyberattack was powered by something the internet had never seen before: an army made of more than one million hacked Internet of Things devices.”
How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet – Motherboard – September 29th 2016
One of the unwilling device types in these recent attacks are IP enabled security cameras. These cameras and recording systems are typically well connected and remotely accessed. When this is combined with poorly implemented web interfaces, default passwords, and a lack of cyber security oversight, systems are effectively waiting to be exploited.
“Attackers used an army of hijacked security cameras and video recorders to launch several massive internet attacks last week, prompting fresh concern about the vulnerability of millions of “smart” devices”
The Meraki MV Security Camera delivers on the promise of simple connected devices without security compromise. At the heart of MV is the same core software powering other Meraki devices like wireless access points and security appliances. This code has been honed over the last 10 years, battle tested in the most demanding of locations, and it provides the most secure control infrastructure of any security camera available.
All MV management traffic and video transport is encrypted by default: it’s not even possible to configure MV to operate without encrypted communications. Administrative access to the cameras is only available through the Meraki dashboard, an interface that can be secured with advanced technologies such as two-factor authentication.
Beyond the individual devices, the Meraki infrastructure is housed in SSAE16 / SAS70 Type II certified data centres, undergoes daily penetration testing, and is covered by our security rewards program. These policies and processes allow us to meet the most rigorous of customer requirements, including the need to be PCI compliant.
The initial savings of a low cost or consumer grade security camera system may prove expensive later on. If it is trivial for cameras to be used to attack legitimate businesses and other organisations, how much extra effort would it take for someone to start snooping through those same cameras?
With the advent of National Cyber Security Awareness Month, the MV team will be posting more information on MV’s security architecture to highlight our commitment to a safe world of connected devices. Until then, for further information please contact us to find out more.