Stop An IP Camera Hack

• By John W. Verity
• Apr 23, 2008

How’s this for a nightmare scenario? Stealthy bad hats sneak up on an IP video camera attached to a remote fence and unplug it from its Ethernet cable. In its place, they jack in a laptop computer and -- voila! -- they’re now inside that surveillance network where they can manipulate other cameras, reprogram door locks, fiddle with access credentials and perhaps wreak havoc all over the target organization’s intranet.

Or maybe not. If that branch of the network is secured by a new appliance developed by Waterfall Solutions Ltd., a Tel Aviv-based startup, these intruders might find themselves staring at what amounts to a virtual wall situated just a few meters down the network.

Waterfall claims its appliance, employing a clever combination of hardware and software, can isolate network segments in a way that’s completely impenetrable.

“I can give you full control -- password, administration rights, and more,” says Lior Frenkel, chief technology officer and co-founder of Waterfall. There’s no way through, he adds. “Standard firewalls and gateways are vulnerable to hacking or misconfiguration. Our appliance is not.”

Waterfall’s IP Surveillance Enabler exploits the fact that IP networks rely on a constant two-way flow of information.

Data packets, containing images from a camera, for instance, flow one way. Traffic control signals -- short data bursts that acknowledge that the originating data packets have been received or, if not, request a resend -- flow the other way. By blocking all of that downstream traffic control data and passing only upstream data packets,Waterfall’s box makes sure that any device located on the other side of the box will be unable to acknowledge packets sent to it by the intruders’ laptop. As a result, the laptop will be unable to engage with, much less manipulate, any device beyond the local network segment.

What stops hackers from receiving a single bit of downstream data? Within Waterfall’s box, inbound packets get turned into pulses of light, sent down a short piece of optical fiber, and then turned back into electronic pulses to continue their journey as usual. And it’s absolutely impossible, says Frenkel, for any data to travel the opposite direction across this electro-optical divide.

Waterfall says it also has worked out methods, based on a proprietary protocol, to keep the camera none the wiser about its isolation from the broader network. The camera will still be addressable from the management system, remote polling and control will continue to work and managers can even upgrade the device, all with no sacrifice in security.

Frenkel declines to quote specific prices, but says the company’s goal is to make sure its device costs no more than 10 percent of the overall investment a customer is making in surveillance, including cameras, software and networking. For now, the Waterfall device will likely be deployed only to protect certain cameras and other devices that are remotely located and therefore particularly vulnerable to physical attack. Waterfall has begun shipments, has several pilot projects in the works and has signed one customer, in Israel.

Privately financed, the firm is now scrambling to make its product smaller and less costly to produce, qualities that enabled once-costly and arcane network firewall products to take off a decade ago. Says Frenkel: “Today’s highend solutions always become tomorrow’s common solutions.”