Axis Communications builds cyber wall around popular IoT devices

Securing IoT devices must be a top priority from start to finish these days. Whereas the issue used to be seen mainly as an add-on, it is now a fundamental part of product development and partner policy. According to Fabian de Clippelaar, Engineer at Axis Communications, this shift did not come out of the blue. “The growing computing power of devices offers opportunities for innovation. But if that power is not applied or secured in the right way, it can also cause serious problems.”

Security cameras and other IoT devices have quickly evolved into fully-fledged mini-computers with powerful processors and extensive software functionality. This makes them an attractive target for cybercriminals seeking to build botnets or exploit vulnerabilities to gain access to corporate networks. For Axis, this was reason enough to drastically change course years ago, when it saw the increase coming. From the initial design stage, cybersecurity measures are incorporated into the life cycle of every product. And long after that, the search for optimization continues.

Vulnerabilities better visible than hidden

Axis wants to distinguish itself by openly and transparently addressing vulnerabilities. The company actively registers security breaches with the international CVE database and has set up a bug bounty program to encourage researchers to report vulnerabilities. Pentesters and security experts are also explicitly supported via the Axis website, getting rewards for reporting vulnerabilities. They are asked to report them on time, after which Axis releases a patch within eight weeks.

De Clippelaar emphasizes that this is not a noncommittal choice but a conscious strategy to build trust. “We can’t do it alone. Our devices are not labeled ‘cyber secure’. If the user or system integrator does not configure them properly, there is still a risk.” This underlines that, in Axis’s view, cybersecurity is a shared responsibility, with suppliers, integrators, and end users each having a role to play.

This open attitude should prevent vulnerabilities from being hidden or only coming to light at a late stage. Axis always publishes notifications proactively, so that IT administrators can assess whether immediate action is needed or whether an update can wait until a regular maintenance moment. This transparency aligns with the expectation of a high degree of accountability and documentation, enabling partners and users to respond quickly.

It all comes together in what the company calls the Security Development Model. Here, more than a hundred employees work daily on security by design. The process includes risk analysis, threat modeling, and extensive penetration testing before firmware is released.

Proprietary operating system as a foundation

Axis’ security policy is largely built around its proprietary operating system. While many manufacturers rely on generic platforms, Axis has opted for a Linux-based OS that is developed and maintained entirely in-house. “We make our own operating system and we are in control of what’s in it,” explains De Clippelaar. This means that Axis knows exactly which components are present in each product. To reinforce this insight, the company publishes a software bill of materials (SBOM) for each device, listing the exact software components.

Updates are also distributed exclusively via the company’s own infrastructure. This offers advantages when, for example, vulnerabilities are discovered in standard components such as Apache servers. “Sometimes we don’t use those components at all, so we actually have a false risk,” says De Clippelaar. This control allows Axis to respond more quickly and prevent unnecessary panic.
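As an added example (not Axis code or tooling), the following shows how an administrator could use a published SBOM to separate advisories that actually affect a device from the "false risk" case, where the component is not shipped at all. It assumes a CycloneDX-style JSON SBOM; the component names, versions and advisory ids are constructed placeholders.

```python
import json
import re

# Constructed sample: minimal CycloneDX-style SBOM for a hypothetical device.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "example-tls-lib", "version": "3.0.13"},
    {"name": "example-shell-utils", "version": "1.36.1"},
    {"name": "example-codec"},                      # no version recorded
]})

# Constructed advisories (placeholder ids): component and first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "apache-httpd", "fixed_in": "2.4.99"},
    {"id": "EXAMPLE-0002", "component": "example-tls-lib", "fixed_in": "3.0.14"},
    {"id": "EXAMPLE-0003", "component": "example-shell-utils", "fixed_in": "1.36"},
    {"id": "EXAMPLE-0004", "component": "example-codec", "fixed_in": "2.0"},
]

def parse_version(text):
    """'2.4.59' -> (2, 4, 59). Dotted-numeric only; other schemes need more."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))

def older_than(installed, fixed):
    """Compare two versions after padding the shorter one with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(sbom_json, advisories):
    """Return {advisory id: verdict} for one device SBOM."""
    components = {c["name"].lower(): c.get("version")
                  for c in json.loads(sbom_json).get("components", [])}
    verdicts = {}
    for adv in advisories:
        name = adv["component"].lower()
        if name not in components:
            verdicts[adv["id"]] = "not-present"   # the "false risk" case
        elif not parse_version(components[name]):
            verdicts[adv["id"]] = "review"        # present, version unknown
        elif older_than(components[name], adv["fixed_in"]):
            verdicts[adv["id"]] = "affected"
        else:
            verdicts[adv["id"]] = "fixed"
    return verdicts

if __name__ == "__main__":
    for adv_id, verdict in triage(SAMPLE_SBOM, SAMPLE_ADVISORIES).items():
        print(adv_id, verdict)
```

Only the "affected" and "review" verdicts need follow-up; "not-present" results can be closed with the SBOM as evidence.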

Image: A security camera monitors a modern factory with conveyor belts; digital binary code and an overlay with a shield icon suggest cybersecurity measures.

Hardening from day one

On that basis, Axis adds additional layers of security so devices are better protected right out of the box. For example, new cameras are only visible on the network for one hour after installation, after which they become invisible to scanners. A vulnerable protocol such as UPnP is disabled by default, and the traditional admin account has been removed.

Users are required to set strong passwords: six to ten characters with special characters, or 128 characters if only letters are used. De Clippelaar acknowledges that this sometimes meets with resistance in the market, but it does contribute directly to the hardening of products. “The market does not always appreciate this, but we are taking steps to implement product hardening from the outset.”

For developers, this sometimes means extra work, because standard users no longer have admin rights. For cybercriminals, however, it becomes considerably more difficult to take over or misuse devices.

Secure boot keeps the chain clean

Another key focus of Axis’ strategy is protecting the supply chain. To this end, the company previously introduced Edge Vault. This protection is designed to guarantee the integrity of IoT devices. Through secure boot and signed operating systems, the company prevents cameras from being modified during transport or installation. Keys are also stored securely.

De Clippelaar outlines a scenario: “Suppose we have 300 cameras going to a Dutch distributor. On the way, the truck driver is robbed, and someone installs a different operating system on the cameras. Secure boot will prevent the camera from starting up if the operating system has been changed.”

Firmware updates also include digital signatures. If a camera detects an unsigned update, it refuses to start up. This ensures that only official software runs, regardless of the circumstances during delivery or installation.

Zero Trust right from the factory

Due to the threat posed by IoT devices and the fact that organizations operate across multiple locations, Zero Trust is also becoming increasingly important in the business world. Axis responds to this using the 802.1X protocol. This allows companies to securely onboard devices without relying on simple MAC addresses, which are relatively easy to forge.

De Clippelaar shares an example of a Dutch company with hundreds of remote locations that recently opted for a secure approach. By using the built-in Device ID certificates, the organization was able to securely connect new devices without the risk of spoofing.

For Dutch customers, the device’s origin is also crucial. Axis solves this with hardware Device IDs, which are signed by an Axis Root certificate physically secured in Sweden. The principle is similar to the SSL certificates used by banks to secure their websites. This allows customers to verify that a device actually comes from Axis and prevents malicious hardware from entering the network unnoticed.

Authenticity of video images: signed video

In recent years, the authenticity of images has also become a topic of discussion. This is partly due to the rise of AI and deepfake technology. As a result, it is becoming increasingly difficult to distinguish authentic from manipulated images. Axis responds to this with Edge Vault, which includes the signed video feature. This technology adds digital signatures between video frames, which proves that the recorded material has not been manipulated.

“Suppose something happened and you recorded a video. Then you go to court and someone asks, ‘Is that a real piece of film or has something been manipulated?’” says De Clippelaar. With a signed video, any attempt at editing can be detected because the digital signature will no longer be correct. For courts and investigative services, this is an important step in preserving the evidential value of video material.

Image: A security camera is mounted on the ceiling of a modern store, with blurred customers and staff visible in the background.

Foundation for trust

Axis uses clear firmware cycles for its own operating system, Axis OS. A new Active Track version is released every two years, with five years of active support and another four years of extended support. In total, devices can expect updates for 9 years. However, De Clippelaar acknowledges that hardware often lasts much longer than that set period. Cameras from 2010 usually still function perfectly, but cybersecurity requirements now determine their lifespan. For organizations, this means that security considerations drive replacement more often than functional needs do.

Another advantage is Axis’ platform strategy. All devices, from cameras to intercoms and access control systems, run on the same Axis OS. This allows patches and updates to be rolled out widely at once, making management easier for IT departments.

Academy prepares partners

As we mentioned at the beginning, Axis also sees it as a shared responsibility to achieve a high level of cybersecurity. To get partners on board, Axis has developed various training programs. Through the Axis Academy, installers can take two-day courses that include cybersecurity as a fixed component. Larger Solution Partners are subject to stricter requirements, including certification through the Axis Certified Professional program.

Nevertheless, De Clippelaar emphasizes that communication remains just as important as training. “As Axis, we must continue to communicate clearly about our role, but also about what customers themselves can do.”

Customization versus standard solutions

Sometimes customers ask for specific functionality, such as built-in VPN software on cameras. Axis can develop such customized applications, but warns that this is expensive and can complicate future updates. “It’s custom work, so there are costs involved. But what are we going to do when we move from OS 12 to OS 13? That application written for 12 won’t work as standard for 13.”

That is why Axis prefers standard solutions that are widely supported. This simplifies maintenance and prevents long-term dependencies that cause problems.

Everyone is in transition

De Clippelaar has noticed that end customers, including municipalities, are increasingly asking specific cybersecurity questions. For example, they are asking specifically about the IEC 62443 standard for securing OT systems. For system integrators, this means they must quickly familiarize themselves with topics that were previously hardly on the agenda. De Clippelaar notes that this is causing uncertainty among integrators. “With many integrators, you notice that awareness is growing, but that they are still looking for ways to implement cybersecurity in their projects.” Nevertheless, it is forcing the entire chain to include cybersecurity in tenders and installation processes.

For organizations that are struggling to get to grips with the complexity of cybersecurity, certifications offer additional guidance. Axis regularly refers customers to standards and frameworks that provide a certain degree of certainty. “I often try to refer back to certifications,” says De Clippelaar. By setting certification requirements, customers know that products comply with specific security guidelines. This clarifies the selection process and contributes to the market’s professionalization.

Image: A security camera with digital graphic overlays monitors the lobby of a modern building where people interact with a reception desk.

Catalyst for threats

The increasing role of AI makes the playing field even more complex. Whereas cyberattacks used to consist of simple DDoS actions, the security industry now sees much more sophisticated methods. “The attacks have become much more sophisticated, and we have to deal with that,” says De Clippelaar. Criminals use AI to automate attacks and circumvent traditional detection systems. At the same time, security companies are using the same technology to identify and mitigate threats more quickly. It’s becoming a cat-and-mouse game that is constantly changing.

Cameras and other IoT devices are a popular target. They contain powerful hardware, run 24/7, and are often connected to corporate networks. “Our cameras have become three times smarter in the last few years,” says De Clippelaar. “We have more CPU and Deep Learning Processing Unit power; everything is much more extensive, so they are basically all mini-computers available on the network.”

A recent attack, which did not involve Axis equipment, illustrated how sophisticated criminals are becoming. Malicious code was spread unnoticed to thousands of devices worldwide for months. At a predetermined moment, all infected devices were simultaneously deployed for a massive attack. Scenarios like this show how important it is for IoT devices to be secure from the ground up.

Cybersecurity as the foundation of IoT

The development of IoT devices has transformed security cameras from passive sensors into powerful computers that, if not properly secured, pose a risk. Axis is responding by embedding cybersecurity into its strategy. From its own operating system and secure boot to signed video and certification programs, the company wants to show that security is not an afterthought, but the basis of trust.

For organizations, this means cybersecurity cannot be postponed or pushed aside. It is part of every step, from procurement and installation to daily management and replacement. Only by taking joint responsibility can IoT devices play a secure role in a world where cyberattacks are becoming increasingly sophisticated.
