What Is Axis Edge Vault Hardware-Based Security?

When you think about IP video surveillance, you tend, logically, to think of the video that you take with your IP camera system.

But Axis, the original IP camera company, knows that the video has to be backed up by professional security on the back-end, too. Your cameras, your camera system: it needs to be as secure as possible. In this world of bad actors and hackers, you can be glad that Axis is looking out for you.

Axis Edge Vault is a hardware-based cybersecurity platform that establishes first-class security for your Axis IP Camera and your camera system from the ground up.

How? In this blog, we give a clear, non-technical overview of Axis Edge Vault and discuss the benefits of Edge Vault for your organization.

Axis Q9307-LV Audio-Visual IP Camera

Cybersecurity from the Ground Up: Secure Boot and Signed OS

When we say that Axis Edge Vault establishes security from the ground up, what do we mean?

Here’s another question: How do you know that your IP camera is running its original, authorized operating system (OS), that bad actors haven’t tampered with the firmware?

Edge Vault uses a pair of technologies to make sure that an Axis endpoint can only start up with the authorized OS: secure boot and signed OS.

Secure Boot starts with boot ROM, unchangeable hardware memory that is the root of trust. For the camera to start up, the boot ROM must be unaltered.

When the camera is turned on, the secure boot process uses an unbroken chain of cryptographically verified software (bootloader, Linux kernel) that leads back to the boot ROM to establish a verified root file system.

The result? You know your camera is running the authorized OS, that it hasn’t been hacked or tampered with.

Signed OS is a second anti-hacking technology used by Edge Vault.

This method works by assigning a cryptographic hash value to the endpoint’s OS software image.

This value is then “signed”: a signature is made by combining the hash value with the private key of a private/public key pair. The public key comes with the device; Axis uses the RSA public-key encryption method.

For the camera to start up and for its firmware to be updated, its OS must be validated according to the Signed OS method.

Axis P1385 IP Camera

A Unique ID for Each Device: Axis Device ID

It’s not unusual nowadays that people will pay for one product only to be delivered a counterfeit version of what they paid for. If it’s a good fake, there’s basically no way to tell just by looking over the product.

With surveillance, this is beyond unacceptable. But how can you trust that you have received what you pay for?

One method is to only shop at an authorized Axis online dealer like IP Phone Warehouse.

Axis Edge Vault goes a step further to guarantee you’re getting an authentic product with Axis Device ID.

Axis Device ID gives every Axis endpoint with Edge Vault a unique ID certificate at the factory. The ID certificate is stored in a tamper-protected Secure Keystore and verified by a public key infrastructure developed and managed by Axis themselves. This infrastructure complies with a strict industry standard for securing device identification over a network: IEEE 802.1AR.

The Device ID is checked to ensure that your endpoint is what you think it is.

Your camera system can use the Device ID for endpoint identification, onboarding, and provisioning, thereby protecting your whole camera system with cryptographically verifiable proof that the device was made by Axis.

Axis P3265-LVE IP Camera

Protecting Your Private Keys with the Secure Keystore

Obviously, you need to be able to access your camera, or else you’ll just have a bunch of security camera shaped sculptures lying about.

But how can you trust that your keys for accessing the camera won’t be exposed in the event of a security breach? Axis Edge Vault uses the Secure Keystore.

Secure Keystore uses one of three cryptographic computing modules to protect your keys: a TPM (Trusted Platform Module) 2.0, a TEE (Trusted Execution Environment), or a secure element. It might use more than one of these. (Which one is used depends on the security requirements of the scenarios that the camera is intended to be used for.)

Axis stores all the keys, including the private keys that you load, in a hardware-based, tamper-resistant Secure Keystore. It also stores the cryptographic information used for Device ID and Signed Video (more on this in a second) in the Secure Keystore.

Many other devices keep this ultra-sensitive cryptographic information in the device’s file system, which means that if the user account is compromised, this information is totally exposed.

Axis uses a wide range of industry security standards for certifying this information.

Axis M3057-PLR Mk II Onboard IP Camera

Ensuring Your Video Is Genuine: Signed Video

So far, we’ve covered how Axis Edge Vault guarantees that the operating system, physical device, and access keys are verified to be authentic and secured to the highest level.

Our final question is: How do you know that your video hasn’t been tampered with? Has someone edited your video to excise the incriminating sections?

Signed Video was developed by Axis themselves (and open-sourced to help the entire IP surveillance industry) to verify that your video is untampered with.

Moreover, you and the authorities are able to prove that the video is original without needing to worry about the chain of transmission of the video, so even if it passes through several hands before making it to the police or to the courtroom, the surveillance video is trustworthy.

How does it work? Each Axis camera with Edge Vault has a unique video signing key that it stores in the Secure Keystore.

The camera computes a cryptographic hash of a section of a video stream (they call it a “Group of Pictures” or GOP), including the metadata associated with the stream.

It then attaches the video signing key to the video stream, plus a hash of the first frame of the next Group of Pictures. The result? You have an unbroken stream of cryptographically verified security video.

Whoever then views the video using the Axis file player can see when the video was recorded, by which camera, and whether the video was altered in any way.
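
The hash, sign and chain steps described above, as an added sketch that is not Axis's code or its Signed Video format; the same hash-then-verify-with-the-public-key check is what the Signed OS section describes for the OS image. The record layout, sample frames and toy textbook-RSA key are constructed for illustration, and the sketch assumes that what travels with the stream is a signature made with the signing key. Because each GOP's hash also covers the first frame of the next GOP, a GOP cut out of the middle is detected even though every remaining signature is genuine.

```python
import hashlib

# Toy textbook-RSA key from two Mersenne primes: constructed for this example,
# unpadded and far too small for real use. D stands in for the signing key that
# never leaves the keystore; (N, E) is the public half a player would hold.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(metadata, frames, next_first):
    """SHA-256 over metadata, the GOP's frames and the next GOP's first frame."""
    h = hashlib.sha256()
    for part in (metadata, *frames, next_first):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each part
    return int.from_bytes(h.digest(), "big") % N

def first_frame_after(gops, i):
    """First frame of GOP i+1, or b'' when GOP i is the last one."""
    return gops[i + 1][0] if i + 1 < len(gops) else b""

def sign_stream(gops, metadata):
    """Camera side: return a list of (frames, signature), one per GOP."""
    return [(frames, pow(digest(metadata, frames, first_frame_after(gops, i)), D, N))
            for i, frames in enumerate(gops)]

def verify_stream(signed, metadata):
    """Player side: per-GOP True/False using only the public key (N, E)."""
    gops = [frames for frames, _ in signed]
    return [pow(sig, E, N) == digest(metadata, frames, first_frame_after(gops, i))
            for i, (frames, sig) in enumerate(signed)]

# Constructed sample stream: three GOPs of one I-frame and two P-frames each.
META = b"camera=PLACEHOLDER-SERIAL;start=2024-01-01T00:00:00Z"
GOPS = [[b"I%d" % g, b"P%da" % g, b"P%db" % g] for g in range(3)]

def demo():
    signed = sign_stream(GOPS, META)
    edited = [(f[:], s) for f, s in signed]
    edited[1][0][2] = b"P1b-edited"            # alter one frame inside GOP 1
    cut = [signed[0], signed[2]]               # excise GOP 1 entirely
    return {"intact": verify_stream(signed, META),
            "edited": verify_stream(edited, META),
            "cut": verify_stream(cut, META)}

if __name__ == "__main__":
    print(demo())
```

In the cut case the failing verdict lands on the GOP before the gap, which tells a reviewer where material is missing.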

If you want to trust your IP cameras and protect your IP camera system, to not worry about hacking and tampering with your critical surveillance data, look for Axis endpoints with Axis Edge Vault.