Arnaud Vanwolleghem

Bosch Camera Data Security Training

In this online course you will learn how to secure your camera system and the basics
of certificate usage.

CYBER SECURITY FUNDAMENTALS

Importance of Data Security

Securing the foundation: 10 key features

Secure Installation and Configuration

Vulnerability Analysis & Hardening device access

Certificates

Secure Disposal and Decommissioning

EXAM

Exam
RESOURCES

Additional information & links

QUESTION BANKS

Bosch Camera Data Security Training Exam


Lesson 1 of 8

Importance of Data Security


Arnaud Vanwolleghem

Data security refers to protective digital privacy measures that are applied to prevent
unauthorized access to computers, databases and websites.

Intentional malicious attacks become more feasible and more likely as connectivity increases.

Securing video surveillance data is just as important as safeguarding people and property.
Providing secure and reliable products and services to customers is the objective of Bosch.

Full definition of data security: Computer security, cyber security, digital security or
information technology security (IT security) is the protection of computer systems and networks
from attacks by malicious actors that may result in unauthorized information disclosure, theft of,
or damage to hardware, software, or data, as well as from the disruption or misdirection of the
services they provide.

Terminology
Vulnerabilities are flaws in a computer system that weaken the overall security of the
device/system. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross
privilege boundaries (i.e. perform unauthorized actions) within a computer system.

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes
advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on
computer software, hardware, or something electronic (usually computerized).

A backdoor is a typically covert method of bypassing normal authentication or encryption in a
computer, product or embedded device. From there it may be used to gain access to privileged
information like passwords, corrupt or delete data on hard drives, or transfer information within
networks.

In the context of information security, social engineering is the psychological manipulation of
people into performing actions or divulging confidential information.

Malware (a portmanteau for malicious software) is any software intentionally designed to cause
disruption to a computer, server, client, or computer network, leak private information, gain
unauthorized access to information or systems, deprive access to information, or which unknowingly
interferes with the user's computer security and privacy.
Researchers tend to classify malware into one or more sub-types (e.g. computer viruses, worms,
Trojan horses, ransomware, spyware, adware, rogue software, wipers and keyloggers).

Common Causes of Data Breach in Video Systems

Botnet - The word "botnet" is a portmanteau of the words "robot" and "network". The term is
usually used with a negative or malicious connotation. A botnet is a group of Internet-connected
devices, each of which runs one or more bots. Botnets can be used to perform Distributed
Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the
device and its connection.

Since more than 90% of IP cameras on the market run Linux kernels, they are susceptible to
weaponization. Weaponizing an IP camera is when it is "turned" into a bot, part of a botnet,
controlled remotely by an entity to do actions the device was not designed for (like a DDoS
attack). An IP camera can be "turned" into a bot by maliciously gaining access and changing the
behavior of the device.

DDoS - A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to
make a machine or network resource unavailable to its intended users by temporarily or
indefinitely disrupting services of a host connected to a network. Denial of service is typically
accomplished by flooding the targeted machine or resource with superfluous requests in an attempt
to overload systems and prevent some or all legitimate requests from being fulfilled.

Compromised cameras part of a Botnet can be used to perform DDoS attacks.


Mirai botnet - Mirai (from the Japanese word for "future") is malware that turns networked
devices running on Linux into remotely controlled bots that can be used as part of a botnet in
large-scale network attacks.

On October 21, 2016, three consecutive DDoS attacks were launched against the Domain Name System
(DNS) provider Dyn. The activities are believed to have been executed through a botnet consisting
of many Internet-connected devices, such as printers, IP cameras, residential gateways and baby
monitors, that had been infected with the Mirai malware.

What can happen to a compromised camera?

Unauthorized Access: Attackers could gain unauthorized access to the camera's live feed, allowing
them to view and potentially record the surroundings without permission.

Privacy Breach: Compromised cameras might invade personal or sensitive spaces, violating privacy
laws and causing significant emotional distress to individuals being monitored.

Data Theft: If the camera stores recordings or images locally or in the cloud, a breach could
lead to the theft of this data, exposing sensitive information or footage to malicious actors.

Surveillance and Espionage: A compromised camera could be used for espionage purposes, allowing
unauthorized individuals to gather intelligence or monitor activities for malicious intent.

Physical Security Threat: Access to camera controls could enable attackers to manipulate or
disable the camera, creating blind spots in security surveillance systems and compromising
physical security.

Network Vulnerabilities: Compromised cameras might serve as an entry point for attackers to
infiltrate the wider network, potentially compromising other connected devices or systems.

Firmware Alteration: Attackers could modify the camera's firmware, enabling persistent access,
installing malware, or creating backdoors for future exploitation.

Denial of Service (DoS) Attacks: Compromised cameras might be used as part of a botnet to launch
DoS attacks, disrupting network services and causing downtime.

Legal and Compliance Issues: Breaches involving sensitive data could lead to legal ramifications,
fines, or lawsuits due to non-compliance with data protection regulations.

Reputation Damage: Organizations using compromised cameras could suffer reputational damage due
to the breach, losing customer trust and credibility.

Financial Loss: Remediation costs, such as investigating the breach, implementing security
measures, and potential fines, can lead to substantial financial losses for the affected
organization.

Remote Control: If attackers gain control over the camera, they could pivot to control other
devices on the network, expanding the scope of the security breach.

Common Causes of Data Breach in Video Systems

We split the general security weak links in two categories:

ACCESS TO THE ACCOUNTS / DEVICE:

1. Weak and Stolen Credentials, a.k.a. Passwords (examples of weak passwords: admin, 1234, safe,
test)

2. Social Engineering (example: sharing your password with other people, or mentioning in a
conversation that your password is the name of your pet)

3. Too Many Permissions (known as permissions leakage, privilege creep or privilege escalation)
creates a security vulnerability by granting users more access than necessary. This vulnerability
potentially compromises sensitive information or systems.

ACCESS USING CODE / SW WEAKNESS:

1. Back Doors, Application Vulnerabilities: There are certain threat actors that can influence the
creation of a backdoor into a device with the purpose of control or for surveillance and
espionage.

2. Malware: any software intentionally designed to gain unauthorized access to information or
systems, deprive access to information, or which unknowingly interferes with the user's computer
security and privacy.

3. Insider Threats: An insider threat refers to a cyber security risk that originates from within
an organization. It typically occurs when a current or former employee, contractor, vendor or
partner with legitimate user credentials misuses their access to the detriment of the
organization's networks, systems and data.

4. Improper Configuration and User Error: A security misconfiguration occurs when system or
application configuration settings are missing or are erroneously implemented, allowing
unauthorized access.

Common Causes of Data Breach in Video Systems

What are the methods used to discover some of these vulnerabilities?

Malware: Botnets, Trojans, Rootkits

Privilege misuse: Insider access to VMS and Video

Physical Theft: SD cards, Hard Drives, Cameras taken

Web Attacks: Attacks on IP Device Web Interface (example: Cross Site Scripting)

Examples of data security vulnerabilities in CCTV

A huge number of vulnerabilities has been discovered over the last 9 years. Some of them relate
to tampering with devices during the production process (factory-sealed firmware already
contained malicious third-party code); many others are consequences of inadequate care for
cybersecurity:

Internet-connected DVRs from a CCTV manufacturer found infected with a bitcoin-mining botnet
(2014)

Critical vulnerability in Vendor A cameras allowing them to be hacked and taken over through
execution of Python code (2016)

Vendor B vulnerability to the Mirai botnet allowed mass DDoS attacks on various infrastructure
(2016)

UPnP vulnerability of Vendor C cameras, even if placed behind firewalls (2017)

Vendor B vulnerability allowing interception of the audio channel even if audio has been disabled
(2019)

One government report lists 95 vulnerabilities in Vendor C cameras (2021)

Vendor B vulnerability allowing authentication bypass, i.e., seizing Admin rights without
providing valid credentials (2021)

Vendor C backdoor exploit affects 400K internet-connected devices (2022)

Some DoDs banned Vendor C and Vendor B cameras from use on their own premises (2023)

* Click here for an example of an online catalog of hacked and unprotected cameras in Europe and
the USA.
Lesson 2 of 8

Securing the foundation: 10 key features


Arnaud Vanwolleghem

So how does Cybersecurity fit into Data Security?

Cybersecurity is an important topic for IP cameras, as they are used to show and record data that
is relevant to data protection and can easily be misused. Additionally, the environment in which
cameras are used is transforming from a traditional closed network (CCTV: Closed Circuit
TeleVision) to a connected space using IoT (Internet of Things) devices connected to cloud
services or reachable via the Internet, requiring additional security measures.

We have 10 leading measures to ensure data security:

1. Secure Element: Future-proof Secure Element with Trusted Platform Module (TPM) functionality,
supporting 4096-bit keys.

2. Embedded login firewall: Embedded login firewall minimizes unintentional lock-outs and DDOS
attacks. An intelligent login firewall you can count on.

3. Password enforcement: Security first: set a password, then connect.

4. Minimum TLS 1.2: A minimum version of TLS 1.2 provides maximum security.

5. Simple Certificate Enrollment Protocol (SCEP): Simplifying cybersecurity at scale.

6. Software sealing: Changes to a sealed camera configuration will trigger an alarm. Protects
against unintentional or unauthorized changes.

7. Encrypted firmware: Verifies firmware authenticity and prevents malware insertion.

8. Cloud firmware check: Always stay up to date.

9. Session timeout: Manage how long a configuration session can be left unattended.

10. Secure by default: Security by default, insecure ports closed until you say it is open.

Cyber security certifications: Bosch's compliance with leading security standards makes us
unique:

UL2900-2-3
IEC62443-4-1
IoT SMM

Click here for detailed information

1. Secure Element

Tabs: Secure Element | Hardened Crypto Co-Processor | Secure Element: TPM Crypto Co-Processor? |
EAL: Evaluation Assurance Level | CPP13 and 14 (2004) devices

Secure Element

All CPP14 devices incorporate a new secure crypto-microcontroller, which we call our Secure
Element.

"A Secure Element is a tamper-resistant platform capable of securely hosting applications and their
confidential and cryptographic data (for example cryptographic keys) in accordance with the rules
and security requirements set by well-identified trusted authorities."

In this specific case the requirements are defined in the Trusted Platform Module library
specification defined by the Trusted Computing Group (TCG). As the Secure Element supports the
main functionalities specified by TCG, the ones needed for an IoT device, it is often referred to
as a "TPM". For security reasons, the firmware or functionality of the secure crypto-microcontroller
cannot be altered in the field. Thus, not all new security features become available on devices
with older secure crypto-microcontroller hardware or firmware revisions.
For more information on TPM, click here.
For more information on CPP 14, click here.
For more information on standards of Secure Element, click here.

Hardened Crypto Co-Processor

The Crypto Co-Processor is responsible for storing private keys, encryption functions (Triple DES
and AES 256), cryptographic functions such as generating hashes, and PKI functions such as
certificate validation. Any critical information placed inside the TPM, such as private keys,
cannot be extracted.
Secure Element: TPM Crypto Co-Processor?

Independently certified with Evaluation Assurance Level (EAL) 6+ based on the Common Criteria for
Information Technology Security Evaluation

Cryptography with up to 4096-bit RSA keys for up to TLS 1.3 and device identity

DES/AES/PKI crypto-coprocessors
EAL: Evaluation Assurance Level

EAL is a numerical grade assigned following the completion of a Common Criteria Security
Evaluation

International standard in effect since 1999


2. Embedded login firewall

In computing, a firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules. A firewall typically establishes a
barrier between a trusted network and an untrusted network, such as the Internet.

Embedded login firewall minimizes unintentional lock-outs and DDOS attacks.

An intelligent login firewall you can count on.

3 failed login attempts within 20 seconds:

The camera Black Lists the attempting IP address


3. Password enforcement

Security first: set a password, then connect.

User Authentication
Bosch IP cameras support different methods of authentication.

Pre-configured is password-based authentication with three different roles that can be assigned
to a user.
Optional certificate-based authentication or ADFS integration into an Active Directory is
supported.

Password Policy

No default passwords are set for the camera; when first connecting to the device a new
administrator password must be set following strict password complexity rules.


Two Factor Authentication Firmware Signature

This process takes effect when installing Firmware 6.51.

4. Minimum TLS 1.2

TLS (Transport Layer Security) is a cryptographic protocol designed to provide communications
security over a computer network. A minimum version of TLS 1.2 provides maximum security. TLS 1.3
is supported, including the possibility to set the minimum TLS version.

TLS 1.0 and 1.1 are the successors of SSL 3.0 (Secure Sockets Layer; an outdated encryption
protocol for data transmission in IP-based networks). Modern devices use TLS 1.2 or 1.3.

General network port usage and video transmission

All Bosch IP video devices utilize Remote Control Protocol Plus (RCP+) for detection,
control, and communications. RCP+ is a proprietary Bosch protocol which uses
specific static ports to detect and communicate with Bosch IP video devices - 1756,
1757, and 1758. When working with a video management system that has integrated
Bosch IP video devices via the Bosch VideoSDK, the listed ports must be accessible
on the network for the IP video devices to function correctly. Video can be streamed
from the devices in several ways: UDP (Dynamic), HTTP (80), or HTTPS (443).

If selecting HTTPS communications, communication between Configuration Manager and video devices
will utilize HTTPS (TLS) to encrypt the payload with an AES encryption key up to 256 bits in
length. This is a free basic feature. When utilizing TLS, all HTTPS control communications and the
video payload are encrypted via the encryption engine in the device.

5. Simple Certificate Enrollment Protocol (SCEP)

Bosch IP cameras provide various ways to have their certificates installed and maintained. One way
is to use a standard protocol also used in PKI environments, like SCEP (Simple Certificate
Enrollment Protocol), which is for example used in Microsoft's Active Directory service NDES
(Network Device Enrollment Service).

SCEP is intended to significantly simplify the requesting and issuing of certificates in internal,
trustworthy networks by allowing the device to fetch the certificate itself. To ensure that this is
not misused, an authorized person must first create a "one-time password", which is then made
available to the device. The end device can then request a certificate from the SCEP service using
this temporary password, which on Windows typically expires after 60 minutes. Each SCEP request is
identified by a transmission identifier that is generated by the client and uniquely identifies
the request.

For more information on Bosch Certificate Management, download the TechNote below, or see the
resources chapter.

Bosch_CertificateManagement_TechNote.pdf
832.5 KB
6. Software sealing

After a completed configuration of an IP camera, the settings of the device should not
change. A software seal can be enabled to notify of device configuration changes.
Recommendation: Enable software sealing if there are no pending configuration
changes.

7. Encrypted firmware

Firmware encryption is a way to protect the firmware from reverse engineering.


8. Cloud firmware check

Always stay up to date

All cameras can be integrated with the Bosch Cloud Solution (Remote Portal) to allow central
configuration and management of devices via the cloud.

Check for Updates

The device should always be updated to the latest firmware version to include security or
functional fixes.

For devices connected to the Remote Portal (Cloud), users are notified about the availability of
the latest firmware.
9. Session timeout

Manage how long a configuration session can be left unattended.

We have two session types to describe:

1. One is the RCP session, which times out after 30 seconds of inactivity
2. Another is the browser session timeout.

HTTP requests are stateless: one request is sent and responded to.

The browser session timeout defines the period after which a browser user needs to
re-authenticate.

Session timeouts are valid regardless of the client. If a session times out, re-authentication is
needed.
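Both timeouts described above are idle timers: every request from the client restarts the timer, and a request that arrives after the idle period has elapsed forces re-authentication. The Python sketch below is an added illustration of that mechanism, not Bosch firmware code or part of this course. The 30-second value is the RCP figure stated above; the browser timeout value, the class and method names, and the token format are assumptions made for the example. The clock is injectable so the expiry path can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

RCP_IDLE_TIMEOUT = 30.0       # seconds of inactivity for an RCP session, as stated in the lesson
BROWSER_IDLE_TIMEOUT = 900.0  # assumed value: the browser session timeout is configured on the device


@dataclass
class Session:
    user: str
    idle_timeout: float
    last_activity: float


class SessionTable:
    """Authenticated sessions that expire after a period of inactivity.

    The clock defaults to a monotonic clock but can be replaced, so expiry
    can be driven deterministically in a test.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, token: str, user: str, idle_timeout: float) -> None:
        # Called only after the credentials have been verified elsewhere.
        self._sessions[token] = Session(user, idle_timeout, self._clock())

    def touch(self, token: str) -> bool:
        """Validate a request carrying `token` and restart its idle timer.

        Returns False when the client must authenticate again: either the
        token is unknown, or the gap since the last request exceeded the idle
        timeout. An expired session is dropped, never silently revived.
        """
        session = self._sessions.get(token)
        if session is None:
            return False
        now = self._clock()
        if now - session.last_activity > session.idle_timeout:
            del self._sessions[token]
            return False
        session.last_activity = now
        return True

    def active_sessions(self) -> int:
        return len(self._sessions)


def demo() -> dict:
    """Drive one RCP session through activity and an idle gap using a fake clock."""
    now = [0.0]
    table = SessionTable(clock=lambda: now[0])
    table.login("rcp-1", "service", RCP_IDLE_TIMEOUT)
    results = {}
    now[0] = 20.0
    results["at_20s"] = table.touch("rcp-1")   # 20 s idle: still valid, timer restarts
    now[0] = 45.0
    results["at_45s"] = table.touch("rcp-1")   # 25 s since the last request: still valid
    now[0] = 80.0
    results["at_80s"] = table.touch("rcp-1")   # 35 s idle: expired, re-authentication needed
    results["retry"] = table.touch("rcp-1")    # the expired session is gone for good
    results["remaining"] = table.active_sessions()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the sliding timer is that an operator who keeps working is never interrupted, while a console left unattended for longer than the timeout cannot be picked up by someone else without the password.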

10. Secure by default


HTTP Strict Transport Security (HSTS) is a web security policy mechanism that
helps to protect websites against protocol downgrade attacks and cookie hijacking.

Enabling "HSTS" in the network access menu prevents TLS downgrade attacks.

The Discovery port is for ONVIF; you can turn this one off, and then discovery will take place on
the RCP+ port.

Security by default: insecure ports are closed until you say they are open.

All legacy protocols have been disabled since 2015.

The network services present will be:

HTTP Browser Port: OFF

TLS Version: Set to 1.2

HSTS: ON

UDP encryption capable

Multicast and Unicast

Disable Ping and ONVIF

Disable RTSP options
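The two list entries "TLS Version: Set to 1.2" and "HSTS: ON" describe the device side; a management client or VMS should enforce the same minimum on its side, or a downgrade is still possible against a camera that has not been hardened. The Python example below is an added illustration, not Bosch code and not part of this course: it builds a TLS client context that refuses anything older than TLS 1.2 and requires a valid, name-matching certificate from the camera, and it checks whether an HTTP response actually carries a Strict-Transport-Security policy with a non-zero lifetime. The `ca_file` parameter and the one-year `max-age` threshold are assumptions for the example; the lesson states no values for them.

```python
import ssl
from typing import Dict, Optional, Union


def make_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context that refuses SSL 3.0, TLS 1.0 and TLS 1.1.

    ca_file is an assumed path to the CA certificate that issued the camera's
    certificate (for example the installer's own PKI); when omitted the
    operating system trust store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the handshake fails below TLS 1.2
    ctx.check_hostname = True                       # the certificate must name the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED             # unknown or self-signed certificates are rejected
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def parse_hsts(header_value: str) -> Dict[str, Union[str, bool]]:
    """Split a Strict-Transport-Security header into its directives (names lower-cased)."""
    directives: Dict[str, Union[str, bool]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def hsts_is_effective(headers: Dict[str, str], min_max_age: int = 31536000) -> bool:
    """True if the response carries an HSTS policy lasting at least min_max_age seconds.

    Header names are matched case-insensitively, as HTTP requires. max-age=0
    instructs clients to forget the policy, so it counts as disabled.
    """
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    max_age = parse_hsts(value).get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return False
    return int(max_age) > 0 and int(max_age) >= min_max_age


if __name__ == "__main__":
    # Constructed response headers, as a camera with HSTS enabled would send them.
    sample_headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    ctx = make_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("HSTS effective:", hsts_is_effective(sample_headers))
```

Pass the returned context to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request` when talking to the device; a camera still offering only TLS 1.0 or 1.1 then fails the handshake instead of silently negotiating the weaker protocol.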

Official certifications on the market


What have we done so far?

Maybe the best kept secret in the industry is how long Bosch has been
focused on cyber security.

Some features that we will discuss today have been in place since 2004.
This includes:

TPM (Crypto co-processors or Secure Element depending on the type and camera generation)

Certificates

Closed operating systems and signed firmware

Bosch utilizes a Security Engineering Process (SEP)

Internal and third-party pen testing

Open Web Application Security Project Testing Guide (OWASP)

OWASP IoT Testing Guide / Mobile Security Project

NIST 800, CIS, STIG

MITRE.ORG CVE Numbering Authority

Bosch cameras have a "closed" OS that runs in limited memory space.

Bosch cameras are manufactured in a controlled and secure environment that is continually audited

Chain of custody from cradle to customer

Devices can only be written to via a valid "signed" firmware upload, which is specific to hardware
series and chipset

Click here to see details for cybersecurity certifications

Secure and cyber resilient for peace of mind

Data security in a hyper-connected world

Tabs: UL 2900 Cybersecurity Certification | Security for Industrial Automation and Control Systems |
IoT Security Maturity Model Certification

UL 2900 Cybersecurity Certification

As a result of sustained efforts, Bosch cameras have achieved Underwriters Laboratories (UL)
2900-2-3 Level 2 cybersecurity certification. This certification confirms that Bosch performs the
necessary penetration testing on the products to probe for vulnerabilities and has appropriate
methods to manage cybersecurity efficiently.

"Certification to the UL 2900 Series of Standards is the highest recognition of cybersecurity due
diligence and helps demonstrate that a product is secure to modern standards." - UL Cybersecurity
Assurance Program (UL CAP)
Security for Industrial Automation and Control Systems

Bosch cameras have achieved the IEC 62443-4-1 Certificate of Conformity – Industrial Cyber
Security Capability.

This certificate focuses on the processes and definitions around developing and manufacturing
secure products.

Requirements assessed:
Security management, security requirements, secure by design, secure implementation,
security verification and validation testing, management of security-related issues, security
update management, security guidelines.
IoT Security Maturity Model Certification

Bosch has attained the IoT Security Maturity Model (SMM) certification from the Industry IoT
Consortium (IIC), confirming that we perform the necessary penetration testing and internal
practices to address cybersecurity.
Lesson 3 of 8

Secure Installation and Configuration


Arnaud Vanwolleghem

In the upcoming chapter, we will delve into the initial security configuration of a
camera, exploring the vital aspects of implementing robust password protection
mechanisms.

Security concept
When dealing with Bosch IP video devices, your first line of protection is the devices themselves.
Bosch encoders and cameras are manufactured in a controlled and secure environment that is
continually audited. Devices can only be written to via a valid firmware upload, which is specific
to hardware series and chipset.

Most Bosch IP video devices come with an onboard security chip that provides functionality similar
to crypto SmartCards and the so-called Trusted Platform Module, or TPM for short. This chip acts
like a safe for critical data, protecting certificates, keys, licenses, etc. against unauthorized
access, even when the camera is physically opened to gain access.

Bosch IP video devices have been subjected to more than thirty thousand (30 000) vulnerability and
penetration tests performed by independent security vendors. Thus far, there have been no
successful cyberattacks on a properly secured device.

All Bosch IP video devices currently come in a factory default state ready to accept a DHCP IP
address. If no DHCP server is available in the active network on which a device is deployed, the
device will - if running firmware 6.32 or higher - automatically apply a link-local address out of
the range 169.254.1.0 to 169.254.254.255, or 169.254.0.0/16. With earlier firmware, it will assign
itself the default IP address 192.168.0.1.

Secure configuration

One of the first steps in limiting the possibilities of internal cyberattacks on a network,
executed by unauthorized locally attached network devices, is to limit available unused IP
addresses. This is done by using IPAM (IP Address Management), in conjunction with subnetting the
IP address range that will be used (this applies where the installer does the network design).

Note: Even before using IP Address Management to track the usage of IP addresses, a network
management best practice is to limit access to the network through port security on edge switches,
for example so that only a specific MAC address can access the network through a specific port.

What is a password?
Passwords are used as an authentication method for individuals to access computer
systems or applications.

Using passwords ensures that the owner of the account is the only one who has access.

However, if the password is shared or falls into the wrong hands, unauthorized changes to a given
system could occur.

Unauthorized access could potentially lead to changes in the system's overall status and health or
damage the file system.

Passwords typically consist of a combination of characters such as letters, numbers, and symbols.
Thus, it is up to the user how they generate passwords!
How secure are passwords?
Sometimes, companies have their own password policies and require users to follow guidelines when
creating passwords. This helps ensure users aren't using common or weak passwords within their
organization and can limit attack vectors such as brute-forcing. For example, a password must be
at least eight characters long and include letters, a couple of numbers, and at least one symbol.
Tips: How to protect against cyber-attacks

Always use a strong password that is a combination of alphanumeric characters, special characters
and symbols, with both lower-case and upper-case letters.

Never use any password that can be considered a commonly used password.

Use a password manager, which encrypts and stores the passwords in a secure vault protected by a
master password, so that your passwords remain safe.

Never use the same password to log in to multiple accounts.
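The policy sketched above (eight or more characters, letters in both cases, a couple of digits, at least one symbol, nothing from the commonly used list) can be turned into a check that runs before a password is accepted. The Python example below is an added illustration and not Bosch's password-complexity implementation or part of this course; the deny-list is constructed from the weak examples given in Lesson 1 plus a few obvious variants, and the rule codes and function names are assumptions. It also strips digits and symbols before the deny-list lookup so that "Admin123!" is still recognised as the word "admin", a common way users try to satisfy a policy with a weak base word.

```python
import re
from typing import List

MIN_LENGTH = 8      # "eight characters and more"
MIN_DIGITS = 2      # "a couple of numbers"
MIN_SYMBOLS = 1     # "at least one symbol"

# Constructed deny-list: the weak examples given in Lesson 1 plus a few obvious variants.
COMMON_PASSWORDS = {"admin", "1234", "safe", "test", "password", "admin123", "12345678", "qwerty"}


def check_password(password: str, username: str = "") -> List[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("too_few_digits")
    if sum((not c.isalnum()) and (not c.isspace()) for c in password) < MIN_SYMBOLS:
        problems.append("no_symbol")

    lowered = password.lower()
    # Strip digits and symbols so "Admin123!" is still recognised as the word "admin".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common_password")
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains_username")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed candidates: the lesson's weak example, a policy-dodging variant, and a sound one.
    for candidate in ("admin", "Safe2024!!", "Camera!Secure42"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Returning the list of violations rather than a bare yes/no lets the setup tool tell the installer exactly which rule was missed, which is what keeps people from falling back to a familiar weak password out of frustration.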

Secure Installation and Configuration

Initial setup of camera


How to implement a password:

Scan the device on the network using Configuration Manager

Add a password respecting the password requirements

Step 1: Open Configuration Manager and, from the Network Scan tab, scan for a new device.

Step 2: Once the camera is identified, the first message we get is the notification "The
connection is not secure"; select Add exception.

Step 3: This is related to the local.myboschcam.net certificate; we will go into more detail in
the certificate chapter.

Once the camera is added as an exception you will need to set up the password.

Assigning a password to the camera

Using Configuration Manager, add a password to your out-of-the-box camera. Setting up the password
can be done via the web browser as well.

All defaulted devices with Firmware 6.4 (2017) and above cannot be accessed or configured without
a complex password.

3 failed login attempts within 20 seconds:

The camera Black Lists the attempting IP address
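The rule stated here and in the "Embedded login firewall" feature of Lesson 2 (three failed login attempts within 20 seconds blacklist the source address) is a sliding-window counter per source IP. The Python example below is an added illustration of that logic, not the Bosch implementation and not part of this course: the 3-attempt and 20-second values come from the lesson, while the block duration, the class and method names, and the attempt log (constructed) are assumptions. Because the window slides, an operator who mistypes twice and gets it right a minute later is never locked out, while a rapid series of wrong passwords is cut off on the third one, and a correct password sent from a blocked address is still refused until the block expires.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

MAX_FAILURES = 3        # failed attempts ...
WINDOW_SECONDS = 20.0   # ... within this many seconds trigger the block (values from the lesson)
BLOCK_SECONDS = 300.0   # assumed: the lesson does not state how long the address stays blacklisted


class LoginFirewall:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> recent failure times
        self._blocked_until: Dict[str, float] = {}                    # ip -> block expiry time

    def is_blocked(self, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._blocked_until[ip]      # block expired: start with a clean slate
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, credentials_valid: bool) -> str:
        """Process one login attempt and return "blocked", "ok" or "denied"."""
        if self.is_blocked(ip):
            return "blocked"                  # even a correct password is refused while blocked
        if credentials_valid:
            self._failures.pop(ip, None)      # a successful login clears the failure history
            return "ok"
        now = self._clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            recent.clear()
            return "blocked"
        return "denied"


# Constructed attempt log: (seconds since start, source address, credentials valid?)
ATTEMPTS: List[Tuple[float, str, bool]] = [
    (0.0, "10.0.0.5", False),
    (0.0, "10.0.0.9", False),
    (5.0, "10.0.0.5", False),
    (8.0, "10.0.0.5", False),   # third failure within 8 s: 10.0.0.5 is blacklisted
    (9.0, "10.0.0.5", True),    # correct password, but the address is still blocked
    (15.0, "10.0.0.9", False),
    (25.0, "10.0.0.9", False),  # only two failures in the last 20 s: not blocked
    (30.0, "10.0.0.9", True),   # slow, legitimate retry succeeds and clears the history
]


def replay(attempts: List[Tuple[float, str, bool]] = ATTEMPTS) -> List[str]:
    """Feed the attempt log through the firewall with a fake clock and collect the outcomes."""
    now = [0.0]
    fw = LoginFirewall(clock=lambda: now[0])
    outcomes = []
    for t, ip, ok in attempts:
        now[0] = t
        outcomes.append(fw.attempt(ip, ok))
    return outcomes


if __name__ == "__main__":
    for (t, ip, ok), outcome in zip(ATTEMPTS, replay()):
        print(f"t={t:5.1f}s {ip:10} valid={ok!s:5} -> {outcome}")
```

Keying the counter on the source address rather than on the account is what makes this a defence against password guessing from one host without letting that host lock the legitimate administrator out of their own account.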


Hashing

What is Hashing?
Hashing is a function used to map data to a fixed-length value. This function is called
the hash function, and the output is called the hash value/digest.
There are two primary applications of hashing:

Password Hashes: Most web servers convert user passwords into a hash value before storing them on
the server. At login, the hash re-calculated from the entered password is compared to the one
stored in the database for validation.

Integrity Verification: When a file is published on a website, its hash is published alongside
it. When a user downloads the file, they can recalculate the hash and compare it to establish data
integrity.

Hashing serves the purpose of ensuring integrity.

Hashing takes arbitrary input and produces a fixed-length string that has the following attributes:

The same input will always produce the same output

Multiple disparate inputs should not produce the same output

It should not be possible to go from the output to the input

Any modification of a given input should result in a drastic change to the hash
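The four attributes just listed, and the two applications above them (password hashes and integrity verification), can all be seen with the standard library. The Python example below is added here as an illustration and is not Bosch code or part of this course. It uses SHA-256 (the SHA-2 member discussed later in this lesson) to show determinism, the fixed 256-bit output, the drastic change caused by a one-byte modification, and a download integrity check; for the password case it uses PBKDF2-HMAC-SHA256 with a random salt and many iterations rather than a bare hash, which is the standard practice the short description above leaves implicit. The firmware image bytes are constructed sample data and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data standing in for a published firmware image and a tampered copy.
FIRMWARE_IMAGE = b"constructed firmware image, build 1.0"
TAMPERED_IMAGE = b"constructed firmware image, build 1.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two digests: the avalanche effect made visible."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(data: bytes, published_hex: str) -> bool:
    """Integrity verification: recompute the digest and compare it to the published one."""
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Store a password as a salted, iterated hash (PBKDF2-HMAC-SHA256), never in clear.

    The salt makes identical passwords hash differently and defeats precomputed
    tables; the iteration count slows down offline guessing.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the login attempt and compare it in constant time."""
    _algo, iterations, salt_hex, derived_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), derived_hex)


def demo() -> dict:
    """Exercise the hash attributes listed in the lesson on the constructed sample data."""
    h_orig = sha256_hex(FIRMWARE_IMAGE)
    return {
        "deterministic": h_orig == sha256_hex(FIRMWARE_IMAGE),               # same input, same output
        "digest_bits": len(h_orig) * 4,                                       # fixed length: 256 bits
        "bits_changed": bit_difference(h_orig, sha256_hex(TAMPERED_IMAGE)),  # one input byte differs
        "download_ok": verify_download(FIRMWARE_IMAGE, h_orig),
        "tamper_detected": not verify_download(TAMPERED_IMAGE, h_orig),
    }


if __name__ == "__main__":
    print(demo())
    record = hash_password("Camera!Secure42")
    print(record)
    print("login ok:", verify_password("Camera!Secure42", record))
    print("wrong password:", verify_password("camera!secure42", record))
```

`hmac.compare_digest` is used for both comparisons so that the time taken does not depend on how many leading characters match, which closes a timing side channel that a plain `==` on strings would leave open.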

Hashing is used in conjunction with authentication to produce strong evidence that a given message
has not been modified. This is accomplished by taking a given input, encrypting it with a given
key, hashing it, and then encrypting the key with the recipient's public key and signing the hash
with the sender's private key.

When the recipient opens the message, they can then decrypt the key with their private key, which
allows them to decrypt the message.

They then hash the message themselves and compare it to the hash that was signed by the sender. If
they match, it is an unmodified message, sent by the correct person.

Where do we use hashing?


Use hashing in authentication systems and to validate different types of data, such as files and
documents.

We can identify whether a file or an application that we download is legitimate and hasn't been
tampered with.

We can use it to identify malware.

We can use it to sign certificates.

It's also used in password exchange, depending on the application utilized.

What is the SHA-Secure Hash Algorithm?

SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United
States National Security Agency (NSA) and first published in 2001.

The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384
or 512 bits.

SHA-256 is part of the SHA-2 family of algorithms.

Certificates Capabilities and Hashing

Since firmware version 6.30 all cameras are prepared to receive a unique Bosch certificate during production, assigned and enrolled by Escrypt LRA.

These certificates prove that every device is an original Bosch-manufactured and untampered unit.

Escrypt is a Bosch-owned company, providing the Bosch certificate authority (CA).

Enrollment of the certificates in production is asynchronous to this firmware release.
Lesson 4 of 8

Vulnerability Analysis & Hardening device access
Arnaud Vanwolleghem

In this chapter, we'll explore two crucial concepts: Vulnerability Assessment and vulnerability scanners. We'll dive into Nessus software, breaking down how it scans and what results it provides. We'll also talk about vulnerability reports and understand terms like CVSS and CVE for better cybersecurity. Shifting gears, we'll discuss the basics of hardening device access, including Camera Lock Down. This section simplifies how to secure devices and explains when and why it's essential in cyber security.

Vulnerability assessments
A vulnerability assessment, or vulnerability scanning, is a testing process used to identify and rank vulnerabilities in a device or system.

Vulnerability scans are typically performed with automated tools such as Nessus or Nmap. Depending on the network-facing surface of the device and the scanning software you are using, vulnerability scans typically take only a few seconds to a few minutes per host.
Nessus

Nessus Professional is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure. It is developed by Tenable Network Security.

Nessus is the vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, use wizards to easily and quickly create policies, schedule scans and send results via email.

Click here to download a 7-day trial of Tenable Nessus Professional.


From the scan templates select the “Advanced Scan”.
We will use this tool for the vulnerability scan of our camera and use the report for camera
hardening assessment.
How to create a new scan?

In the following steps we will explain how to create a new scan in Nessus.
Step 1

The main page is the My Scans page. To create a new scan click on “Create a new scan” or “New Scan”.
Step 2

Set up a scan name. Under the scan “Target” section add the IP address of the device you want to scan.
Step 3

You can run the scan immediately by clicking on the “Launch” button or you can “Save” the scan for later use.
Step 4

Already configured scans will appear under the “My Scans” section. The scan can be launched by pressing the arrow button.
Step 5

The scan is going to take approximately 15 min. Once the scan is finished click on the scan name for more details.
Step 6

Scanning a factory-defaulted (not locked down) camera with CPP ≤ 7.3 will typically produce 4 vulnerabilities.

Note: The first two are TLS version issues.

Go to the resources chapter to find the report example "CPP14 with firmware 9.00.0178 -defaulted camera".
Step 7

Scanning a factory-defaulted (not locked down) CPP14.2 camera with firmware ≥ 9.0 will typically produce 2 vulnerabilities.

The two are related to Certificates:

SSL Self-Signed Certificate

SSL Certificate Cannot Be Trusted

SSL Self-Signed Certificate

Description:

The X.509 certificate chain for this service is not signed by a recognized certificate
authority.

Solution: Purchase or generate a proper SSL certificate for this service.

SSL Certificate Cannot Be Trusted

Description:

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :
1. First, the top of the certificate chain sent by the server might not be descended
from a known public certificate authority. This can occur either when the top of
the chain is an unrecognized, self-signed certificate, or when intermediate
certificates are missing that would connect the top of the certificate chain to a
known public certificate authority.

2. Second, the certificate chain may contain a certificate that is not valid at the
time of the scan.

3. Third, the certificate chain may contain a signature that either didn't match the
certificate's information or could not be verified.

This could make it easier to carry out man-in-the-middle attacks against the remote
host.

Solution: Purchase or generate a proper SSL certificate for this service.


Summary

In the preceding steps, we described how to initiate a new scanning process in Nessus.
How to create a new report?

In the following steps we will explain how to create a new report in Nessus.
Step 1

Reports can be created quickly. From the “Home Page” select “Reports”.
Step 2

The report starts by color-categorizing the types of vulnerabilities that Nessus identified.

Details listed in report are:

Vulnerability name

Description

Solution

Risk Factor

CVSS v3.0 Base Score

CVSS v2.0 Base Score

Summary

In the preceding steps, we described how to create a new report in Nessus.


What do you do with a report?

For a system administrator or the company's IT department, the report shows the risk factors, but also the vulnerability names and a solution for how to fix each one.

From the point of view of a hacker with malicious intent, this is a document where they look for the vulnerability or vulnerabilities that can provide access to and leverage over the system.
What is CVSS in the report?

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

Exploitability means that the weakness has a definite path to giving potential attackers access to sensitive information.

Known Exploits
What is the Exploit Database (EDB)?

The Exploit Database is a public archive of exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

From an attacker's point of view, once a weakness is known, all that is left is to find a way to exploit this vulnerability.

The EDB website is one of the sources for an attacker.

What is an exploit?

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.

For more information, click the website link here.

A generic search shows you the latest vulnerabilities; you can also search for a specific brand of products.

CVSS vs CVE

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

For more information, click here and/or here.

Common Vulnerabilities and Exposures (CVE)

CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. CVSS is a separate program from CVE. CVE’s sole purpose is to provide common vulnerability identifiers called “CVE Entries.” CVE does not provide severity scoring or prioritization ratings for software vulnerabilities.

CVE provides an ID for each vulnerability, for example “CVE-2016-765432” (CVE prefix + year + sequence number digits).

CVE is a universal naming standard for communication and identification of the vulnerability.

So when we communicate a vulnerability as “CVE-2016-765432”, anyone can identify what the vulnerability is by referring to the CVE list.

Also, while filling in the NIST Incident Report and Incident Response procedure, we will be referring to the name of the vulnerability as per the CVE list.

Security Advisory BOSCH‑2018‑1202‑BT

Our very first Security Advisory BOSCH‑2018‑1202‑BT at BT:

registered externally as CVE-2018-19036 in the MITRE database

Is this a good thing?

NO! Nobody wants a bug.
What is a good thing?
Yes: The turnaround in supplying a fix.
Yes: It shows all of the work we have done preemptively in the cyber space.

Yes: We have a successful management process in place to deal with this type of event.

For more information on Bosch Security Advisories, click here.

The vulnerability came into firmware 6.32 through a feature extension requiring larger buffers.

In one section of code the check of the message length was overlooked, allowing a buffer overflow situation.

All firmware prior to 6.32 had a restricted buffer length and this length check was not necessary. A buffer overflow was not possible by design.

Older products that run FW 5.54, FW 5.97, or FW 6.30 as their maximum:

They are not affected or impacted

These devices are not listed in the Security Advisory

For more information on the Security Advisory, download the PDF file below:
bosch-2018-1202-bt-cve-2018-19036_security_advisory_ip_camera_vulnerability.pdf
363.7 KB

How to calculate a CVSS score?

Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Base metrics in this vector:

AV:N (Attack Vector: Network)

AC:L (Attack Complexity: Low)

PR:N (Privileges Required: None)

UI:N (User Interaction: None)

S:U (Scope: Unchanged)

C:L (Confidentiality impact: Low)

I:H (Integrity impact: High)

A:H (Availability impact: High)

Scores

CVSS Rating: The CVSS v3 Base Score is rated at 9.4 (Critical)

Hardening device access

Protective measures
Now that we know the vulnerabilities of our device, we can define the protective measures for them.

All Bosch IP video devices come with built-in multi-purpose web pages. The device-specific web pages support both live and playback video functions, as well as some specific configuration settings that may not be accessible via a video management system.

For the online training, consult the resources tab for more details:

Bosch Cybersecurity guidebook

IP Camera Hardening and Cybersecurity Guide

All Bosch IP video devices utilize Remote Control Protocol Plus (RCP+) for detection, control, and communications. RCP+ is a proprietary Bosch protocol which uses specific static ports to detect and communicate with Bosch IP video devices: 1756, 1757, and 1758.

Video can be streamed from the devices in several ways: UDP (Dynamic), HTTP (80), or HTTPS (443).

When utilizing TLS, all HTTPS control communications and the video payload are encrypted via the encryption engine in the device.

Hardening Overview
There are two levels of hardening defined, namely ‘elevated’ and ‘strict’.

Hardening level ‘strict’ features the most secure means of setting up a device but might limit the usage of the device, as features like auto discovery of a device are disabled.

For each feature it should be evaluated whether ‘elevated’ settings or ‘strict’ settings can be applied.

HTTP, HTTPS and video port usage - HTTP is enabled by default, but unencrypted, so credentials or settings are transferred unencrypted if it is used. HTTP and HTTPS port usage on all devices can be altered or turned off. Encrypted communication can be enforced by disabling the RCP+ port as well as the HTTP port, forcing all communication to use encryption.

Recommendations:

Plain HTTP should be disabled in favor of the encrypted HTTPS, especially if the network is untrusted.

HTTPS is the default secure protocol used for configuration and should remain enabled.

Disable RCP+ if not used by 3rd party tools or legacy systems.

HTTP Strict Transport Security (HSTS) is a policy set by a website to protect against man-in-the-middle attacks and protocol downgrade attacks. It allows the website to tell the browser to only allow HTTPS connections within this connection and not allow any unencrypted HTTP connections. Enable HSTS on the camera.

CPP 13 and 14.x cameras do not allow TLS versions below 1.2. They also support the newer TLS 1.3 specification. Recommendation: Set the minimum TLS version to 1.2 if not already set.

Camera Lockdown

Protocol and port usage:

HTTP Browser Port: OFF

TLS Version: Set to 1.2

HSTS: ON

UDP encryption capable

Multicast and Unicast

RTSP is used for video streaming, but is normally unencrypted. Take a risk-based approach to whether video can be transmitted unencrypted or via Bosch encryption. If possible, use encrypted RTSPS.

iSCSI server - The internal iSCSI server is used to make internal recordings on the camera accessible via iSCSI. iSCSI is an unencrypted protocol. Disable the iSCSI server if not used on the camera.

Ping Response - In a high-security network this can be disabled to avoid device enumeration via ping sweep, although there are several other means of device discovery that can be used by an attacker. Risk-based approach: can be disabled for high-security networks.

ONVIF Discovery - Supports the discovery of camera devices via the ONVIF Discovery protocol.
Recommendation: When working with dynamic IP addresses and ONVIF-compliant tools this feature should remain enabled; when working in a fixed environment with fixed IP addresses, this can be turned off.

Quick Configuration for different deployment environments:

Disable RTSP options – use RTSPS if possible

Disable iSCSI server if not used on the camera.

All legacy protocols have been disabled (2015)

Disable Ping and ONVIF

The Network Services Menu features a “Security Rating”

Default rating is a B

Rating meters increase as items are “Disabled”
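The Hardening Overview recommendations and the Camera Lockdown list above, turned into an audit that a practitioner can run against a recorded set of camera settings, as an added example. It is not Bosch code, it does not read a real device, and the field names are this example's own, not the camera's configuration keys. The two settings dictionaries are constructed to mirror the page's factory-default and locked-down states; the HSTS check parses a Strict-Transport-Security header value the way a browser would, and the TLS check compares version numbers numerically rather than as text.

```python
"""Audit camera network-service settings against the lockdown list (stdlib only).

Added example for the Hardening Overview and Camera Lockdown sections;
not Bosch code. Settings and field names below are constructed.
"""
import re

# Constructed: settings as the page describes a factory-defaulted camera.
FACTORY_DEFAULT = {
    "http_port_enabled": True,
    "https_port_enabled": True,
    "min_tls_version": "1.0",
    "hsts_header": None,
    "rcp_plus_enabled": True,
    "rtsp_enabled": True,
    "rtsps_enabled": False,
    "iscsi_server_enabled": True,
    "ping_response_enabled": True,
    "onvif_discovery_enabled": True,
    "ip_filter_rules": [],
}

# Constructed: the same camera after applying the Camera Lockdown list.
LOCKED_DOWN = {
    **FACTORY_DEFAULT,
    "http_port_enabled": False,
    "min_tls_version": "1.2",
    "hsts_header": "max-age=31536000; includeSubDomains",
    "rcp_plus_enabled": False,
    "rtsp_enabled": False,
    "rtsps_enabled": True,
    "iscsi_server_enabled": False,
    "ping_response_enabled": False,
    "onvif_discovery_enabled": False,
    "ip_filter_rules": [("192.168.1.20", "255.255.255.240")],
}


def hsts_max_age(header):
    """Return max-age seconds from an HSTS header value, or 0 if absent/invalid."""
    if not header:
        return 0
    m = re.search(r"max-age\s*=\s*(\d+)", header, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def tls_at_least(version, minimum="1.2"):
    """Compare dotted TLS versions numerically ('1.10' would mis-sort as text)."""
    return tuple(int(p) for p in version.split(".")) >= tuple(int(p) for p in minimum.split("."))


def audit(cfg):
    """Return (severity, finding) pairs for every recommendation not met.
    'high' marks settings that expose credentials or allow a downgrade;
    'info' marks risk-based items the page says may stay enabled."""
    findings = []
    if cfg["http_port_enabled"]:
        findings.append(("high", "plain HTTP enabled: credentials and settings travel unencrypted"))
    if not cfg["https_port_enabled"]:
        findings.append(("high", "HTTPS disabled: no encrypted configuration channel"))
    if not tls_at_least(cfg["min_tls_version"]):
        findings.append(("high", f"minimum TLS version {cfg['min_tls_version']} is below 1.2"))
    if hsts_max_age(cfg["hsts_header"]) == 0:
        findings.append(("high", "HSTS missing or max-age=0: browser can be downgraded to HTTP"))
    if cfg["rcp_plus_enabled"]:
        findings.append(("info", "RCP+ enabled: disable unless legacy tools need ports 1756-1758"))
    if cfg["rtsp_enabled"] and not cfg["rtsps_enabled"]:
        findings.append(("info", "RTSP without RTSPS: video streams unencrypted"))
    if cfg["iscsi_server_enabled"]:
        findings.append(("info", "iSCSI server enabled: unencrypted access to internal recordings"))
    if cfg["ping_response_enabled"]:
        findings.append(("info", "ping response enabled: device enumerable by ping sweep"))
    if cfg["onvif_discovery_enabled"]:
        findings.append(("info", "ONVIF discovery enabled: fine with dynamic IPs, disable in fixed setups"))
    if not cfg["ip_filter_rules"]:
        findings.append(("info", "no IP filter rules: any host on the network may reach the camera"))
    return findings


def meets_lockdown(cfg):
    """True when no 'high' finding remains."""
    return not any(sev == "high" for sev, _ in audit(cfg))


if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT), ("locked down", LOCKED_DOWN)):
        print(f"{name}: {len(audit(cfg))} findings, lockdown met: {meets_lockdown(cfg)}")
        for sev, text in audit(cfg):
            print(f"  [{sev}] {text}")
```

The split into 'high' and 'info' mirrors the page's own distinction: the HTTP, TLS-version and HSTS items are hard requirements of the lockdown, while ping, ONVIF discovery, RTSP and iSCSI are called risk-based and depend on the deployment environment.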

IPv4 Filter
IP Filter
In the IP Filter several IP addresses (single hosts or network subnets) can be defined that are allowed to access the camera. It is recommended to define the computers or networks accessing the camera here.

Recommendation: It is recommended to use the IP filter to define allowed hosts or networks.
Note: To successfully configure this feature, you must have a basic understanding of subnetting or have access to a subnet calculator. Entering incorrect values into this setting can restrict access to the device itself and a factory default reset may need to be performed to regain access.

To add a filter rule, make two entries:

Enter a base IP address that falls within the subnet rule you create. The base IP address specifies which subnet you are allowing and it must fall within the desired range.

Enter a subnet mask that defines the IP addresses with which the IP video device will accept communication.

In the following example the IP address 1 of 192.168.1.20 and the Mask 1 of 255.255.255.240 have been entered.

This setting will restrict access to devices that fall within the defined IP range of 192.168.1.16 to 192.168.1.31.
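The subnet arithmetic behind that example, as an added example written for this page; it is not Bosch code and does not talk to a camera. It reproduces the page's rule (base IP 192.168.1.20, mask 255.255.255.240) with the standard library's ipaddress module and adds the lock-out guard the note above calls for: before a filter is applied, the administrator's own address should be checked against the new rules, because a rule that excludes it leaves a factory reset as the only way back in.

```python
"""Work out which hosts an IP filter rule admits (Python, stdlib only).

Added example for the IPv4 Filter section; not Bosch code.
"""
import ipaddress


def filter_rule(base_ip, mask):
    """Translate a base IP + subnet mask entry into the admitted subnet.
    strict=False lets the base address sit anywhere inside the subnet,
    which is exactly what the camera's 'base IP within the subnet' entry allows."""
    return ipaddress.ip_network(f"{base_ip}/{mask}", strict=False)


def admitted_range(base_ip, mask):
    """First and last address the rule admits, as the page states the range
    (192.168.1.16 to 192.168.1.31 for the example rule)."""
    net = filter_rule(base_ip, mask)
    return str(net.network_address), str(net.broadcast_address)


def is_admitted(client_ip, rules):
    """True when client_ip falls inside at least one (base_ip, mask) rule.
    An empty rule list means the filter is not restricting anything."""
    if not rules:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in filter_rule(base, mask) for base, mask in rules)


def safe_to_apply(admin_ip, rules):
    """Lock-out guard: the administrator must still be admitted by the new rules."""
    return is_admitted(admin_ip, rules)


if __name__ == "__main__":
    rules = [("192.168.1.20", "255.255.255.240")]
    print("rule admits", admitted_range(*rules[0]))  # ('192.168.1.16', '192.168.1.31')
    for ip in ("192.168.1.16", "192.168.1.31", "192.168.1.32", "10.0.0.5"):
        print(f"{ip:>14}", "admitted" if is_admitted(ip, rules) else "blocked")
    # Administrator sitting at 192.168.1.50 would lock themselves out:
    print("safe for admin at 192.168.1.50:", safe_to_apply("192.168.1.50", rules))  # False
```

A mask of 255.255.255.240 is a /28, so each rule covers a block of 16 addresses; 192.168.1.20 lies in the block starting at .16, which is why .32 and everything outside it is blocked even though it is on the same /24.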
Firmware sealing and software sealing

Software Sealing - After a completed configuration of an IP camera, the settings of the device should not change. A software seal can be enabled to be notified of any changes to the device configuration (break of seal).

Recommendation: Enable software sealing if there are no pending configuration changes.

Firmware Signing - Each firmware update file is encrypted and signed by a Bosch certificate. Only updates published by Bosch can be installed on the cameras, avoiding installation of malicious firmware.

Proof of concept lockdown - The camera should have a lower number of ports open, thus fewer chances of compromise.
Lesson 5 of 8

Certificates
Arnaud Vanwolleghem

Welcome to this chapter, where we'll break down the basics of encryption keys and why they matter for certificates. We'll dive into Certificate Management using MicroCA, covering how to start MicroCA, set up Certificate Authorities, and sign device certificates. We'll also explore Certificate Management with RCP+ and HTTP(S), explaining CSR generation, getting CSRs signed, and figuring out how to use certificates.

Encryption keys and the role of encryption for certificates.
When encrypting data there are two basic options for key deployment, Symmetric and Asymmetric keys:

Symmetric key encryption utilizes only one key. The same key that encrypts also decrypts the data. This method is quick but “key exchange” can be an issue.

Asymmetric encryption utilizes a two-key system known as a Public and Private Key Pair. PKI utilizes Asymmetric Encryption!

Digital Certificates
Digital Certificates are used to validate that the keys you receive are authentic:

Digital Certificates associate a public key with an Individual or Company

Digital Certificates are issued by a Certificate Authority (CA)

Digital Certificates include important information, including:

Version and Serial Number

Certificate Signature and Algorithm

Issuer and Validity Dates

Public Keys!
Certificate Management principle - way of work

Certificate Authority Key Distribution


Certificate Management using RCP+ and HTTP(S)
When an IP camera communicates with an HTTPS web server, encryption typically
occurs through the Transport Layer Security (TLS) or its predecessor, Secure Sockets
Layer (SSL) protocol. Here's a simplified explanation of how encryption works
between an IP camera and an HTTPS web server:

1. Handshake and Key Exchange: When the IP camera connects to the HTTPS web server, they initiate a handshake process to establish a secure connection.

- During this handshake, they agree on a shared encryption method and exchange cryptographic information, including digital certificates.

2. Digital Certificates: The web server presents its digital certificate to the IP camera during the handshake. This certificate contains the server's public key and is issued by a trusted Certificate Authority (CA).

- The IP camera verifies the validity of the server's certificate. It checks if the certificate is issued by a trusted CA and if it hasn’t expired or been revoked.

3. Key Exchange and Encryption: After verifying the server's identity, the IP camera generates a symmetric session key, which is used for encrypting the data for the current session. This session key is encrypted using the server's public key obtained from the digital certificate and sent securely to the server.

- The server decrypts the session key using its private key, establishing a shared secret between the camera and the server.

4. Secure Communication: Now, both the IP camera and the server have the same session key, which they use for symmetric encryption and decryption of data transmitted during the session.

- All data exchanged between the IP camera and the web server is encrypted using this session key, ensuring the confidentiality and integrity of the communication.

This process ensures that even if someone intercepts the communication between the IP camera and the web server, they cannot decipher the encrypted data without the session key. The use of public-key cryptography in the handshake phase enables secure key exchange and establishes a secure channel for subsequent data transmission.

This way, the HTTPS protocol ensures secure and encrypted communication between
the IP camera and the web server, protecting sensitive information from unauthorized
access or tampering.
Certificate Management using MicroCA
Bosch IP cameras provide various ways to have their certificates installed and
maintained. One way is to use the proprietary protocol RCP+ (Remote Control
Protocol plus) in combination with HTTP/S to upload and download certificates.

Another way is to use a standard protocol also used in PKI environments.

Other than manual certificate management, as with MicroCA in Configuration Manager, these methods allow deeper integration into PKI environments with a certain degree of automation.
The Configuration Manager is a free tool for configuration of a wide variety of Bosch IP video devices.

The MicroCA functionality in the Configuration Manager program is an easy-to-use tiny certificate authority (CA) that facilitates the management of small to medium systems.

For the highest level of security, the private key must be concealed in hardware, a physical key store, typically provided by a Trusted Platform Module (TPM) chip.

Use a USB or smart card crypto token for MicroCA use to guarantee exclusive ownership.

For test purposes, or in case of low expectations on measures against stolen keys, you may also store the private key and certificate on a standard USB flash stick as a PKCS12 file.

Note: Weak protection by PKCS12 implementations

Malware on the PC may create an unnoticed copy and crack the PIN due to weak encryption of most PKCS12 implementations. Never use PKCS12 implementations in security-critical applications.
Configuring MicroCA using USB file

Preferences

On the navigation bar of the Configuration Manager program, click the Preferences tab.

USB File

In the Certificate store type list, click USB File.

Create

In the MicroCA group, click Create. The Create CA dialog box is displayed.

Security

Click the Security tab.

Organization, Organization unit, Locality, State, Country

Fill out the Organization, Organization unit, Locality, State and Country boxes. In larger installations, this information will help you to identify the authority.

Trusted

Select Trusted.

Generate certificate

To confirm creating a new certificate, click OK. A Password dialog box is displayed.

Create

Click Create to open the Generate Certificate dialog box.

Pfx File password box

In the Pfx File password box, type a new password. While you type, the Password dialog box will change its color from red (very weak password) to yellow (weak password) and to green (very strong password). Use a combination of characters, digits, and special characters to achieve a very strong password.

In the Confirm box, type the same password.

Valid from, Valid until

In the Valid from and Valid until lists, click the desired start and end date.
Note: Since the MicroCA functionality has no provisions to prolong validity, make sure that you select an appropriate period of time.

Common name box

In the Common name box, enter a meaningful name for the new Certificate Authority.

no space

minimum length

Use a name that is recognizable in a later stage

Key type list

In the Key type list, select an entry (in our case RSA 2048).
Note: Higher numbers reflect higher levels of security. For example, RSA 2048 is more secure than RSA 1024, but requires more computation time.

Certificate store location box

Insert a USB stick into your system, click the icon to the right of the Certificate store location box, then select a storage location.


Signing device certificate

One of the main purposes of the MicroCA functionality is to deploy certificates to devices.

To achieve this, you will replace a self-signed certificate by a MicroCA-signed certificate.

For signing, you will need your MicroCA crypto token or USB drive, and you need to enter the MicroCA PIN to authorize its use.
The new CM 7.x offers the possibility of generating a signing request that can be signed by a Certificate Authority.

Create an HTTPS CSR and sign the certificate with the new CA

Go to the camera certificate section and generate a signing request.

Create Certificate Signing Request

Signing requests require general information. Once created, you can either send this CSR (Certificate Signing Request) to a third-party Certificate Authority or sign it with your own CA. To sign it yourself, press the pencil icon; you will be asked for your CA password to sign.

Note: Creating the certificate request may take some time due to the key creation process.

Common name box

In the Common name box, the IP address of the device is displayed.

Create

Click Create.

The remaining boxes

The remaining boxes are filled from the MicroCA certificate and can be adapted according to your needs.
The sign icon is available after MicroCA has been configured.

The sign icon allows you to sign and upload the signed certificate in a single step.

Click the sign icon to the left.

You may be asked to insert your smart card or to type your PIN to authorize the action.
Follow the instructions on the screen.

After the certificate is signed, select the role the certificate will play.

In the Usage column select HTTPS server.

Now open the camera in a web browser and check whether the correct certificate is used and whether there are no warnings in the certificate path.

Press the green certificate icon to check that the path is correct and no warning symbols are shown. A red cross or exclamation marks could occur when, for example, the CA is not reachable.
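The signing flow just described (create a CA, generate a CSR with the device's IP as common name, sign it, then check that the result chains to the CA) reproduced with the OpenSSL command-line tool, as an added example; it is not Bosch code and does not use Configuration Manager or MicroCA. A throw-away CA in a temporary directory stands in for MicroCA, and the device IP 192.168.1.20 is taken from the IP-filter example on this page. The final `openssl verify` step is the same check the browser performs in the handshake described under "Certificate Management using RCP+ and HTTP(S)": does the presented certificate chain to a trusted CA? It also shows why Nessus reports "SSL Self-Signed Certificate" on a factory-default camera: a certificate signed by its own key does not verify against the CA. The script needs an `openssl` binary (1.1.1 or newer) on PATH; the config file, file names and subject fields are this example's own.

```python
"""Mini CA, device CSR, signing and chain verification via `openssl` (Python).

Added example for the "Signing device certificate" steps; not Bosch code.
Everything is written to a temporary directory and discarded afterwards.
"""
import functools
import os
import subprocess
import tempfile

DEVICE_IP = "192.168.1.20"  # taken from the IP-filter example on this page

# Constructed OpenSSL config: explicit extension sections so the result does not
# depend on the distribution's default openssl.cnf.
OPENSSL_CNF = f"""[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_device]
basicConstraints = CA:FALSE
subjectAltName = IP:{DEVICE_IP}
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
"""


def run(*args, cwd):
    """Run one openssl command; return (exit code, combined output)."""
    p = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


def check(code, out):
    if code != 0:
        raise RuntimeError(out)


def make_ca(d):
    """Self-signed root with CA:TRUE, the role MicroCA plays in the text."""
    check(*run("req", "-config", "ca.cnf", "-x509", "-newkey", "rsa:2048", "-nodes",
               "-days", "365", "-keyout", "ca.key", "-out", "ca.pem",
               "-subj", "/O=Example Org/CN=Demo MicroCA", "-extensions", "v3_ca", cwd=d))


def make_csr(d):
    """Device key + CSR: the camera's 'Create Certificate Signing Request' step."""
    check(*run("req", "-config", "ca.cnf", "-new", "-newkey", "rsa:2048", "-nodes",
               "-keyout", "dev.key", "-out", "dev.csr",
               "-subj", f"/O=Example Org/CN={DEVICE_IP}", cwd=d))


def sign_csr(d):
    """CA signs the CSR with server-auth extensions (the 'HTTPS server' usage)."""
    check(*run("x509", "-req", "-in", "dev.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
               "-CAcreateserial", "-days", "365", "-extfile", "ca.cnf",
               "-extensions", "v3_device", "-out", "dev.pem", cwd=d))


def self_sign(d):
    """What a factory-default camera presents: a certificate signed by its own key."""
    check(*run("x509", "-req", "-in", "dev.csr", "-signkey", "dev.key",
               "-days", "365", "-out", "selfsigned.pem", cwd=d))


def chain_ok(d, cert):
    """Browser-style check: does the certificate chain up to our trusted CA?"""
    code, _ = run("verify", "-CAfile", "ca.pem", cert, cwd=d)
    return code == 0


@functools.lru_cache(maxsize=None)
def build_and_verify():
    """Full flow; returns what a practitioner would inspect afterwards."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ca.cnf"), "w") as f:
            f.write(OPENSSL_CNF)
        make_ca(d)
        make_csr(d)
        sign_csr(d)
        self_sign(d)
        _, subject = run("x509", "-in", "dev.pem", "-noout", "-subject", cwd=d)
        _, issuer = run("x509", "-in", "dev.pem", "-noout", "-issuer", cwd=d)
        return {
            "ca_signed_verifies": chain_ok(d, "dev.pem"),
            "self_signed_verifies": chain_ok(d, "selfsigned.pem"),
            "subject": subject.strip(),
            "issuer": issuer.strip(),
        }


if __name__ == "__main__":
    for key, value in build_and_verify().items():
        print(f"{key}: {value}")
```

Two points worth noting when mapping this onto the handshake description above. First, the browser's trust decision rests on the chain, not on the certificate alone: `dev.pem` verifies only because `ca.pem` is in the trust store, which is why the page tells you to install the MicroCA certificate on the client and why the camera's own self-signed certificate triggers the Nessus findings. Second, with TLS 1.2 ECDHE cipher suites and with TLS 1.3 the session key is derived through an ephemeral Diffie-Hellman exchange rather than encrypted under the server's public key; the certificate's job in those versions is to sign the handshake so the camera can prove it holds the private key.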

Certificates
Since firmware version 6.30 all cameras are prepared to receive a unique Bosch certificate during production, assigned and enrolled by Escrypt LRA. These certificates prove that every device is an original Bosch-manufactured and untampered unit.

Escrypt is a Bosch-owned company, providing the Bosch certificate authority (CA).

Enrollment of the certificates in production is asynchronous to this firmware release.

All devices can house “Certificates” for:

TLS/SSL: SSL Certificates facilitate an encrypted connection between a browser and a web server while also authenticating the identity of the website.

EAP-TLS: Certificate used for 802.1x networking.

TLS Date: Utilizes the TLS handshake with a designated server to establish and sync time.

ADFS CA: Active Directory Federation Services

Crypto Co-Processor

CPP ≤ 7.3
Cameras with security co-processor version 3 with an externally applied certificate will fail HTTPS connections requesting SHA256. The restriction applies to all functions using the private key from the certificate, including:

EAP-TLS with client authentication

TLS-Time with client authentication

TLS-Syslog with client authentication

With a self-signed certificate, HTTPS is fully functional.
Lesson 6 of 8

Secure Disposal and Decommissioning

Arnaud Vanwolleghem

At a certain point in the life cycle of a product or a system, it might be necessary to replace or to take out of order a device or a component. As the device or the component may hold sensitive data, like credentials or certificates, make sure to delete these data completely and securely.

You can set most devices to factory default.

For most IP cameras and encoders, you can use the reset button for this.

For the ones that do not have a reset button, use the factory default function via the web interface before dismounting them from the network.
All users and their respective passwords will be deleted, and the settings will be set back to the factory default settings. All certificates and the respective keys that were stored in the TPM or secure element will also be deleted.

Other devices may have different options to set them to factory default. Refer to the instructions in the respective user documentation for correct disposal procedures.
Lesson 7 of 8

Exam
Arnaud Vanwolleghem

Dear Learner, congratulations, you have gone through the full content of the training. A quiz follows on the next page. You will be asked 10 questions about the content of the training. You must get 80% correct to pass the exam. Do you think you have absorbed all the information thoroughly? Then click on 'Start Exam'.
Question

01/01

10 questions drawn randomly from Bosch Camera Data Security Training Exam
Lesson 8 of 8

Additional information & links

Arnaud Vanwolleghem

Welcome to this section, where you can access whitepapers for a deeper
understanding of the related subjects. Additionally, feel free to explore our YouTube
channel, where you can tune in to Cyber Bytes—concise educational videos covering
various aspects of Cyber Security.

Whitepapers
Please click the provided links below to access in-depth whitepapers on the
associated subjects.

Bosch_CertificateManagement_TechNote.pdf
832.5 KB
Bosch_ConfigSealing_TechNote.pdf
432.1 KB

bosch_hardening_windows_2K22_en_v1.1.pdf
1.1 MB

Bosch_IP_Camera_Hardening_and_Cybersecurity_Guide_TechNote.pdf
552.5 KB

Bosch_Secure_by_default_TechNote.pdf
435.9 KB

EmbeddedLoginFirewall_TechNote.pdf
421.1 KB
IP_video_products_Cybersecurity_guidebook_enUS_99078607755.pdf
2.6 MB

CPP14 with firmware 9.00.0178 -defaulted camera.pdf
143.3 KB

CPP14 with firmware 9.00.0178 -defaulted camera extended details.pdf
2.7 MB

Configuration_Manage_Operation_Manual_enUS_9007200472721035.pdf
2.1 MB

Bosch_Releaseletter_ConfigManager_7.71.0169.pdf
343.7 KB
Network Authentication 802.1x_TechWP.pdf
1019.4 KB

Cyber Bytes
Click the link to view the Cyber Bytes YouTube series. As part of our Cyber Bytes
series, we aim to help you gain a better understanding of the key aspects of cyber and
data security, demonstrating Bosch's end-to-end approach to security.

YouTube: Bosch Video Systems Cyber Bytes - #1: States of Data and… (Video Systems - Cyber Bytes)
Bosch Camera Data Security Training Exam
Question

01/15

Which signature of a certificate provides the lowest security level?

Certification Authority signed certificate

Self-signed certificate

Micro-CA signed certificate by Bosch Configuration Manager


Question

02/15

What is the Bosch cameras minimum number of characters for initial password
setup?

12
Question

03/15

What is a Vulnerability?

Flaws in a computer system weakening overall security.

A piece of software exploiting a system flaw.

Methods of bypassing system authentication.


Question

04/15

What is a Backdoor?

Software designed to cause device disruption.

A covert method bypassing normal authentication.

Measures to ensure secure communication.


Question

05/15

Bosch leading measures to ensure data security: Which transport layer security
(TLS) version is used in Bosch devices to ensure secure communication?

Minimum version 1.1 or higher

Minimum version 1.2 or higher

Minimum version 1.3 or higher


Question

06/15

What is Secure Element in Bosch devices?

Standard implementation with TPM functionality.

An intelligent implementation blocking threats.

Security measures without assignment to the camera.


Question

07/15

What is Software Sealing in Bosch devices?

Protection against unauthorized changes triggering alarms.

Regular checks for updates from Bosch Download Area.

Simplifying cybersecurity by managing certificates on cameras.


Question

08/15

What does the abbreviation CVSS mean?

Common Vulnerability Scoring System

Common Versatilely Scoring System

Common Velocity Scoring System


Question

09/15

What is the purpose of Camera Hardening?

Capturing principal characteristics of vulnerabilities.

Process of reducing a camera's surface of vulnerability.

Ranking the severity score based on risk.


Question

10/15

What is recommended regarding the HTTP port on the camera?

Disable and use HTTPS instead.

Disable and use RTSPS instead.

Disable (impacts playback from SD-Card).


Question

11/15

What does Asymmetric encryption utilize?

A two-key system (Public and Private Key Pair).

Only one key used for both encryption and decryption.

Issuance by a Certificate Authority (CA).


Question

12/15

What is the MicroCA functionality in the Bosch Configuration Manager program?

An easy-to-use tiny certificate authority for system management.

A request signed by an official CA or MicroCA feature.

Usage assigned to a certificate for camera connection to Bosch Cloud.
Question

13/15

What does EAP-TLS certificate involve?

Facilitating encrypted connection between browser and camera web server.

Utilized for 802.1x networking.

Utilizes TLS handshake with designated server for time synchronization.
Question

14/15

How does Bosch recommend securing network access on their IP cameras?

Enabling MAC address filtering

Implementing VLAN segmentation

Using default factory settings for network setup


Question

15/15

What security measures are implemented in Bosch IP cameras to prevent unauthorized access?

Two-factor authentication

Encryption of stored footage

Regular firmware updates from the Bosch Download Area
