Cybersecurity Best Practices for IP Cameras

Why IP Cameras Are a Cybersecurity Risk

IP cameras are among the most vulnerable devices on any enterprise network. They run embedded Linux or RTOS firmware that is rarely updated, they are physically accessible to anyone who can reach them with a ladder, and they are frequently installed with default credentials that are published in manufacturer documentation available to anyone on the internet. In 2016, the Mirai botnet conscripted over 600,000 IoT devices, predominantly IP cameras, into one of the largest distributed denial-of-service attacks in history, taking down major portions of the internet including Twitter, Netflix, and Reddit.

The irony is painful: the devices installed to protect your physical premises can become the very gateway through which an attacker compromises your digital infrastructure. A single unsecured camera on a flat network can provide an attacker with a foothold to pivot into corporate systems, exfiltrate data, deploy ransomware, or simply spy on your operations through the camera feeds themselves.

This guide provides a systematic, actionable framework for hardening IP cameras against cyber threats. It is organized from the most critical (and often simplest) measures to more advanced enterprise-grade controls. Whether you are managing a 16-camera retail store or a 2,000-camera enterprise campus, these principles apply universally.

1. Default Credentials: The Number One Vulnerability

The single most effective thing you can do to secure an IP camera network is change the default username and password on every device. This sounds obvious, but industry surveys consistently find that 15-25% of deployed IP cameras are still running with factory default credentials years after installation. The reasons range from lazy installers to the sheer volume of devices that need to be configured individually.

Default credentials for every major camera manufacturer are publicly documented. Axis cameras historically shipped with root/pass, Hikvision with admin/12345, Dahua with admin/admin, and Hanwha with admin/4321. Automated scanning tools like Shodan and Censys can identify these cameras on the internet in seconds. Botnets cycle through a list of known default credentials as their primary attack vector.

2. Network Segmentation: Dedicated Camera VLAN

Network segmentation is the second most important security control for IP cameras. Cameras should never reside on the same VLAN as corporate workstations, servers, or any other general-purpose devices. A dedicated camera VLAN creates a logical boundary that limits the blast radius of a compromised camera and prevents lateral movement into business-critical systems.

The architecture is straightforward. Create a dedicated VLAN (e.g., VLAN 100) for all IP cameras. Create a separate VLAN (e.g., VLAN 110) for access control devices. Create a management VLAN (e.g., VLAN 120) that is only accessible from the IT team's workstations. Configure inter-VLAN routing with strict access control lists (ACLs) that define exactly which traffic is permitted between segments.

For organizations with higher security requirements, consider implementing micro-segmentation using software-defined networking (SDN) or next-generation firewalls. This approach creates per-device policies, allowing each camera to communicate only with its designated recording server and nothing else, even within the same VLAN.

3. 802.1X Port Authentication

VLANs control which logical network a device is placed on, but they do not prevent an attacker from physically unplugging a camera and connecting their own device to the Ethernet port. 802.1X port-based network access control (PNAC) solves this problem by requiring every device to authenticate with the network before being granted access.

With 802.1X enabled, when a device is plugged into a switch port, the switch challenges it for credentials before passing any traffic. The device presents a digital certificate (EAP-TLS) or username/password (EAP-PEAP) to a RADIUS server (such as Cisco ISE, Microsoft NPS, or FreeRADIUS). Only after successful authentication is the port activated and the device placed on the appropriate VLAN.

If an attacker unplugs a camera and connects a laptop, the laptop will not have the correct certificate and will be denied network access entirely or placed on a quarantine VLAN with no connectivity. This is one of the most effective defenses against physical network attacks and is considered a mandatory control in enterprise security deployments.

4. Firmware Update Policy

Camera firmware is software, and like all software, it contains bugs, including security vulnerabilities. Manufacturers regularly release firmware updates that patch critical vulnerabilities, yet the majority of deployed cameras run outdated firmware. A 2023 Forescout study found that 75% of IoT devices in enterprise environments were running firmware with known CVEs (Common Vulnerabilities and Exposures).

The challenge is operational. Updating firmware on hundreds or thousands of cameras is labor-intensive and carries risk: a failed firmware update can brick a device, and new firmware can introduce compatibility issues with VMS platforms. For this reason, firmware management requires a structured, tested process.

5. Disabling Unused Protocols and Services

IP cameras ship with a variety of network services enabled by default to maximize compatibility and ease of setup. Many of these services are unnecessary in a production environment and represent attack surface that should be eliminated. The principle of least functionality applies: disable everything that is not explicitly required for the camera to perform its role.

After disabling unnecessary services, verify the changes using a network port scanner like Nmap. Run a scan against each camera IP to confirm that only the expected ports (typically HTTPS/443 and RTSP/554) are open. Any unexpected open port is a potential vulnerability.

6. HTTPS/TLS for Management Interfaces

Every IP camera has a web-based management interface for configuration. By default, many cameras serve this interface over HTTP (unencrypted). This means that when an administrator logs in to configure a camera, their username and password are transmitted across the network in plaintext, visible to anyone with a packet sniffer on the same VLAN.

The fix is simple: enable HTTPS and disable HTTP entirely. Most enterprise cameras support this natively. Upload a signed TLS certificate from your internal CA (or use the camera's self-signed certificate if you accept the browser warning) and configure the camera to redirect all HTTP requests to HTTPS. Then disable the HTTP listener on port 80 completely.

For organizations managing large camera fleets, consider deploying certificates from an internal PKI (Public Key Infrastructure) that integrates with your enterprise CA. This allows centralized certificate management, automated renewal, and revocation capabilities. Axis cameras support SCEP (Simple Certificate Enrollment Protocol) for automated certificate provisioning.

7. RTSP over TLS for Video Streams

While HTTPS secures the management interface, the actual video stream is typically transported via RTSP (Real Time Streaming Protocol), which by default is unencrypted. This means that even if an attacker cannot log in to the camera, they can potentially intercept the video stream by sniffing network traffic on the camera VLAN.

RTSPS (RTSP over TLS) encrypts the video stream in transit between the camera and the VMS server. The implementation varies by manufacturer and VMS platform. Axis cameras support RTSPS natively and it can be enabled in the ONVIF or stream configuration. Genetec Security Center and Milestone XProtect both support RTSPS connections.

The trade-off is performance. TLS encryption adds CPU overhead on both the camera and the server, which can reduce the maximum number of streams a server can handle by 10-20%. For most deployments, this is acceptable. For very large deployments (500+ cameras per server), test the performance impact before enabling RTSPS fleet-wide.

8. Physical Port Security

Cybersecurity is not purely a digital concern. IP cameras are physically accessible devices, often mounted in public or semi-public areas. An attacker with physical access to a camera's Ethernet cable can unplug the camera and connect their own device to the network. Beyond 802.1X (covered above), there are additional physical controls you should implement.

• Disable unused switch ports. Every unconnected port on a PoE switch is a potential entry point. Administratively shut down unused ports and enable them only when a new device is being deployed.
• Use MAC address sticky binding. Configure switch ports to learn and lock the MAC address of the connected camera. If a different MAC address is detected, the port automatically shuts down and generates an alert.
• Secure IDF closets and junction boxes. Network closets containing PoE switches should be locked. Cable junction boxes where camera runs terminate should use tamper-resistant enclosures.
• Use conduit for exposed cable runs. Ethernet cable running through publicly accessible areas (parking garages, exterior walls) should be enclosed in metal conduit to prevent tampering and tapping.
• Mount cameras at inaccessible heights. Where possible, mount cameras at 12 feet or higher and use vandal-resistant housings with tamper switches that generate alerts if the camera is physically disturbed.

9. Vulnerability Scanning for IoT Devices

Standard enterprise vulnerability scanners like Nessus, Qualys, and Rapid7 can identify known CVEs in IP camera firmware, detect open ports, flag default credentials, and check for expired certificates. However, scanning IoT devices requires care: aggressive scans can crash camera firmware or cause temporary outages.

We recommend running vulnerability scans against camera VLANs on a monthly basis using a "safe" scan profile that avoids denial-of-service checks and brute-force tests. Schedule scans during off-peak hours and monitor the cameras during the scan for any adverse effects. Any camera that crashes during a routine scan is a camera with fragile firmware that should be prioritized for update or replacement.

For organizations without a vulnerability scanning tool, at minimum run monthly Nmap scans to identify open ports across the camera fleet. Compare results against your baseline to detect any unexpected services that may have been enabled (intentionally or through a firmware bug).

10. Incident Response Planning

Even with all preventive controls in place, you must plan for the possibility that a camera or the entire camera network is compromised. An incident response plan specific to physical security IoT devices should address the following scenarios:

• Compromised camera: A single camera is exhibiting anomalous behavior (unexpected outbound traffic, modified configuration, unresponsive management interface). Procedure: Isolate the port, capture forensic data, factory reset, re-provision with hardened configuration.
• Unauthorized access to video feeds: Evidence that an unauthorized party has accessed camera streams. Procedure: Rotate all credentials, audit VMS user accounts, review access logs, check for rogue RTSP sessions.
• Mass firmware exploit: A zero-day vulnerability affects multiple camera models on your network. Procedure: Isolate camera VLAN from all other VLANs at the firewall level (emergency ACL), apply vendor patch as soon as available, scan for indicators of compromise.
• Physical tampering: A camera has been physically tampered with or replaced with a rogue device. Procedure: Verify MAC address against inventory, check 802.1X authentication logs, inspect physical mounting for evidence of disturbance.

Document these procedures, assign roles (who isolates the device, who performs forensics, who communicates to management), and conduct tabletop exercises at least annually. An untested incident response plan is barely better than no plan at all.

11. NIST Framework Alignment

The NIST Cybersecurity Framework (CSF) provides a structured approach to managing cybersecurity risk that maps directly to IP camera security. For organizations subject to regulatory requirements (government, healthcare, financial services), aligning your camera security practices to NIST demonstrates due diligence and facilitates compliance audits.

12. Security Hardening Checklist

Use this checklist as a standard operating procedure for every camera deployment. Every item should be completed and documented before a camera is placed into production service. Print this checklist and include it in your commissioning documentation for each project.

Conclusion

Securing IP cameras is not a one-time activity. It is an ongoing discipline that requires the same rigor you apply to servers, workstations, and network infrastructure. The controls outlined in this guide, from changing default credentials to implementing 802.1X to aligning with the NIST framework, represent a layered defense strategy where each control reinforces the others.

The good news is that modern enterprise-grade cameras from manufacturers like Axis, Hanwha, and Bosch provide the tools to implement all of these controls. The limiting factor is not technology. It is awareness and discipline. Too many organizations purchase excellent hardware and then deploy it with default credentials on a flat network, negating the security investment entirely.

Zimy Electronics treats cybersecurity as a non-negotiable component of every physical security deployment. Our standard commissioning process includes every item on the hardening checklist above, and our ongoing maintenance agreements include quarterly firmware reviews and annual security audits. If your current integrator is not addressing these concerns, it may be time for a conversation.