Supply Chain Attacks
When we think about security risks, we tend to expect the threat to come from shady online sources, perpetrated by “threat actors” and “hackers”. But the truth is that some security threats are waiting for us on our hardware before we even unbox it.
Supply chains today are often quite long and involve many companies and entities. Design, manufacture, logistics and shipping are generally handled by several groups along the chain, and some are more trustworthy than others. In many cases of supply chains being compromised, a worm or rootkit is introduced during the manufacturing process. The attacks can occur in any sector: financial, medical, government and, of course, the physical security industry.
The compromise will generally be carried out while the product is with the “weakest link” in the chain. Because information is necessarily shared in a supply chain, risk is created. Information compromised in the supply chain can give threat actors time to determine the best course of action for delivering their malware.
In 2013, the US watched as retailer Target was hit with one of the largest data breaches in history. It is believed this was accomplished through a third-party supplier gaining access to Target’s primary data network using passcode credentials from a company that provides HVAC systems.
Also common is the modification of ATM firmware during manufacture, a scheme which has skimmed the credit card information of millions on more than one occasion.
Of course, supply chain attacks can be and have been carried out against IP camera products. Having a security system compromised before installation would render it worse than useless, and perhaps even dangerous. In order to protect against these attacks, it is recommended to:
• Maintain the smallest possible supplier base.
• Impose strict control over what vendors are used. Conducting occasional site audits can help alleviate fears as well.
• Use products with security built into the design. Features such as “check digits” built into the software can help detect any previous unauthorized access to the code.