Possible causes and solution(s)
-
Symptoms
Maintaining the highest level of data security requires continuous improvements in all the system components - including software and device firmware. Recent changes in the camera firmware are focused on improving the security level overall.
However, it might cause some troubles when such cameras are connected to the previous BVMS releases. The potential symptoms are:
-
no possibility to add the camera to BVMS
-
no communication with the camera with unsecure connection (using HTTP or RCP+)
-
no communication with the camera using secured, HTTPS connection
Those symptoms might be caused by various changes in the firmware, explained below.
-
Causes
1) Legacy RCP+ commands received a higher authentication level in the camera firmware
Within the camera firmware changes were implemented, so that legacy RCP+ commands received a higher authentication level to further reduce the attack surface and improve security by default. Those changes might make it impossible to add a new camera to the BVMS.
Changes introduced with:
|
Platform |
Firmware version |
|---|---|
|
CPP6 / CPP7 / CPP7.3 |
7.87.0029 |
|
CPP13 |
8.90.0037 |
|
CPP14 |
9.00.0210 |
2) Unsecured ports and services disabled in the camera
As best practice to reduce potential attack surfaces and limit the exposure of sensitive services the following ports are disabled in the camera by default:
RCP+: CONF_RCP_SERVER_PORT
HTTP: CONF_LOCAL_HTTP_PORT
RTSP: CONF_RTSP_PORT
iSCSI: CONF_ISCSI_PORT
Closed RCP+ port in the camera might not allow adding this camera to the BVMS, as it was used in the earlier versions
If camera is added to the system with Secured connection option disabled in the BVMS configuration (so it's using unsecured ports for the communication),
Changes introduced with:
|
Platform |
Firmware version |
Comments |
|---|---|---|
|
CPP6 / CPP7 / CPP7.3 |
- |
Changes considered in the future firmware released - to be determined later |
|
CPP13 |
8.90.0037 |
iSCSI - closed* (see below)
|
|
CPP14.1 CPP14.2 CPP14.3 |
9.00.0210 |
iSCSI - closed* (see below)
|
|
CPP14.3 |
9.00.0190
|
iSCSI - closed* (see below)
Important note: Intermediate fw version, replaced by 9.00.0210 - see the row above. |
*An unsecured connection is required for local storage replay, such as e.g. SD card, ANR. Communication over the RCP+ and iSCSI port is required in such a scenario. While communicating to the device on a secure connection, these ports can be re-enabled. A reboot of the device is required after re-enabling these ports, and then one can switch back to using an unsecure connection.
3) New firmware libraries with the limited backwards compatibility
The new libraries in the firmware, used for secured (HTTPS) communication are not compatible anymore with BVMS 11.1.1 or older. As a result, if secured communication is configured, camera will not function properly in BVMS anymore.
Changes introduced in:
|
Platform |
Firmware version |
Comments |
|---|---|---|
|
CPP6 / CPP7 / CPP7.3 |
- |
|
|
CPP13 |
- |
|
|
CPP14 |
9.00.0210 |
|
-
Solution
Please find the overview of applicable BVMS patches for supported BVMS versions
|
Platform |
Firmware version |
BVMS 11.1.1 |
BVMS 12.0.1 |
BVMS 12.1 |
Resolved compatibility challenge |
|---|---|---|---|---|---|
|
Fix / patch |
Fix / patch |
Fix / patch |
|||
|
CPP6 / CPP7 / CPP7.3 |
7.87.0029 |
BVMS111165 Patch CantAddCamSpecFW 424238 |
Included - no additional patch required |
Included - no additional patch required |
1) Legacy RCP+ commands |
|
CPP13 |
8.90.0037 |
BVMS111165 Patch CantAddCamSpecFW 424238 |
Included - no additional patch required |
Included - no additional patch required |
1) Legacy RCP+ commands |
|
Please consider workaround as described HERE |
BVMS1201375 Patch FW8_90 Cap 429121,418648,425002 |
Included - no additional patch required |
2) Unsecured ports closed in the camera |
||
|
CPP14 |
9.00.0210 |
BVMS111165 Patch CantAddCamSpecFW 424238 |
Included - no additional patch required |
Included - no additional patch required |
1) Legacy RCP+ commands |
|
Please update the fw to 9.00.0210 |
BVMS1201375 Patch FW8_90 Cap 429121,418648,425002 |
Included - no additional patch required |
2) Unsecured ports closed in the camera |
||
|
BVMS111165 Patch FW90improve 434923,428521 |
Included - no additional patch required |
Included - no additional patch required |
3) Libraries compatibility (for the secured connection) |
BVMS 11.0 or previous versions
Since the mentioned FW versions were released more than 2 years after BVMS 11.0 release, compatibility cannot be guaranteed. In order to use the latest camera FW versions with BVMS, please consider upgrading BVMS to one of the versions mentioned above.
