The importance of encrypting video over IP

Howdy Pierce

I just read this report of a new IP security vulnerability being demonstrated today at the DefCon hacker’s conference in Las Vegas. The new hack has two components:

  1. The attackers are able to view video being streamed across a network, and
  2. The attackers are able to use a man-in-the-middle attack to insert video controlled by the attacker into a video decoder somewhere on the network.

The linked video shows viscerally how an attacker could foil a security/surveillance video system – a modern-day Thomas Crown Affair. But the underlying problem goes beyond the surveillance market and could conceivably affect a wide range of industries using video over IP. This is a big deal, and vendors of any form of network-connected IP video device – whether a camera, encoder, or decoder – should take note.

In fact, the security researchers who are demonstrating the hack are also helpfully releasing open source software to exploit the vulnerability. So what started out as a vulnerability that was only open to bad guys with a reasonably deep technical understanding has just become widely accessible. Thanks, guys.

At Cardinal Peak, we’ve built a large number of these systems, so I feel like I have a relatively good understanding of why vendors of IP video solutions are doing what they are. It’s all about cost: today most IP video is not encrypted when it is transmitted across the network. That’s bad. (What’s even worse, many products’ user interfaces offer faux security options, like bogus “password-protection,” that might lead enterprise customers to think they’ve got more security than they do.)

The reason that video is sent unencrypted is a corollary to the First Law of Video:

Video – even video compressed using state-of-the-art codecs like H.264 – is BIG.

It takes a lot of bits to send motion imagery across a network. If you want to encrypt that video, you’ll have to encrypt those bits. Encrypting a lot of bits consumes nontrivial computing power – which means you either need a beefier CPU in your embedded video encoder device, or you need dedicated hardware like an FPGA. Either way, adding encryption to your product is going to add to your cost of goods sold.

But wait, it’s worse. Adding more processing power to an embedded device means more power to dissipate, which increases the need for moving parts like fans, which lower reliability. So in addition to cost, there is complexity, reliability, and power dissipation.

Even if you somehow get around that, there are more problems. To display the video, you still need to decrypt it, which means you’re going to consume CPU power on the decode side, as well. On modern computers, that probably isn’t a huge problem if all you want to do is display video from a single camera. On the other hand, if you’re trying to display a 16-up display of live video from 16 cameras – well, time to buy some more Intel stock.

And finally: adding security features to a system is always at cross-purposes with making that system easy to use. So solving this problem places a burden on every system integrator and IT administrator.

What a pain!

For standards-based MPEG-4 or H.264 systems, there is a standard called Secure RTP (with the associated SRTP RFC if you’re looking for some light reading) that, if implemented widely, would basically prevent the hack. Unfortunately, as far as I’m aware, very few encoders, decoders, or network recorders implement SRTP. That may be about to change, assuming news of the hack causes customers to complain to their vendors.
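To make the insertion half of the problem concrete, here is a receiver-side check in the style of SRTP's default authentication transform (HMAC-SHA1 truncated to 80 bits, computed over the RTP packet plus the rollover counter). This is an added example, not code from SRTP implementations or from the researchers' tool. It assumes a pre-shared authentication key, a rollover counter fixed at 0 (no sequence-number wraparound), and it leaves out SRTP's key derivation and payload encryption, which is what addresses the viewing half; all names, the key, and the sample packets are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10   # SRTP default: HMAC-SHA1 output truncated to 80 bits
WINDOW = 64    # replay window, in packets (value chosen for this example)

def rtp_packet(seq, timestamp, ssrc, payload, payload_type=96):
    """Build a minimal RTP packet: 12-byte header (V=2, no CSRC) + payload."""
    header = struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc)
    return header + payload

def auth_tag(auth_key, packet, roc):
    """Tag over the RTP packet followed by the 32-bit rollover counter."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]

def protect(auth_key, packet, roc=0):
    """Sender side: append the authentication tag."""
    return packet + auth_tag(auth_key, packet, roc)

class Receiver:
    def __init__(self, auth_key):
        self.key = auth_key
        self.seen = set()   # authenticated sequence numbers still in the window

    def accept(self, data, roc=0):
        """Return the payload, or None if the packet must be dropped."""
        if len(data) < 12 + TAG_LEN:
            return None
        packet, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        (seq,) = struct.unpack("!H", packet[2:4])
        highest = max(self.seen, default=None)
        if highest is not None and (seq in self.seen or seq + WINDOW <= highest):
            return None     # replayed or too old
        if not hmac.compare_digest(tag, auth_tag(self.key, packet, roc)):
            return None     # forged or modified in transit
        self.seen.add(seq)
        newest = max(self.seen)
        self.seen = {s for s in self.seen if s + WINDOW > newest}
        return packet[12:]

if __name__ == "__main__":
    key = bytes(range(20))                      # constructed key
    rx = Receiver(key)
    genuine = protect(key, rtp_packet(1, 90000, 0xCAFE, b"frame-1"))
    injected = rtp_packet(2, 93000, 0xCAFE, b"looped") + bytes(TAG_LEN)
    print(rx.accept(genuine), rx.accept(injected), rx.accept(genuine))
```

A decoder that drops every packet for which `accept` returns `None` will not render frames from a sender that lacks the key, and will not render a recorded genuine packet a second time.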

I’m not aware of a standards-based way to encrypt MPEG-2 video over IP, although at first blush you wouldn’t think it would be too hard to come up with one. But crypto in general seems difficult to get right – witness the difficulties that they’ve had with ssh, which has been designed to be secure from the ground up.

Categories: Howdy, Video
