Ensuring device security with Axis Edge Vault cyber security platform

Axis Edge Vault provides a hardware-based cyber security platform that safeguards the Axis device.

---

In modern zero trust security networks (never trust, always verify), the ability to verify the origin of the device, its authenticity and its connections is a foundational need. A network device can verify its integrity and authenticity similar to how you provide verification of your identity to the authorities by showing your passport at the airport.

Axis Edge Vault provides a hardware-based cyber security platform that safeguards the Axis device. It relies on a strong foundation of cryptographic computing modules (secure element and TPM) and SOC security (TEE and secure boot), combined with expertise in edge device security. Axis Edge Vault has its anchor point in the strong root of trust, established by secure boot together with signed firmware. These features enable an unbroken chain of cryptographically validated software for the chain of trust that all secure operations depend on.

Axis devices with Axis Edge Vault minimise customer exposure to cyber security risks by preventing eavesdropping and malicious extraction of sensitive information. Axis Edge Vault also enables the Axis device to be a trusted and reliable unit within the customer’s network.

The hardware-based cyber security platform safeguards Axis devices by providing:

• Trusted device identity
• Secure key storage
• Video tampering detection
• Supply chain protection

To comply with IEEE 802.1AR, Axis manufactures most of its devices with device-unique and factory-provisioned Axis device ID certificate (IEEE 802.1AR Initial device identifier, IDevID). The Axis device ID is securely stored in the tamper-protected secure keystore, provided through a cryptographic computing module on the device itself. This identity is unique for each Axis device and is designed to prove the origin of the device.

By using the Axis device ID, the overall security can be increased and time for deployment of devices can be reduced, since more automated and cost-efficient controls can be used for device installation and configuration.

Apart from providing an additional, built-in source of trust, Axis device ID also provides a means to keep track of devices and allows for periodic verification and authentication according to zero trust networking principles.

From a security aspect, the secure keystore is critical for storing and protecting cryptographic information. Not only is the sensitive cryptographic information (included in the Axis device ID and signed video) stored in the secure keystore, but customer-loaded information can also be protected in the same manner.

The secure keystore is provided through a hardware-based cryptographic computing module. Depending on security requirements, an Axis device can have either one or multiple such modules, like a TPM 2.0 (Trusted Platform Module) or a secure element, and/or a TEE (Trusted Execution Environment).

An Axis device in operation carries customer-specific configuration and information. The same is true for when the Axis device is in transit to the customer from a distributor or system integrator that provided pre-configuration services. When physical access to the Axis device is achieved, a malicious adversary could try to extract information from the file system by demounting the flash memory and accessing it through a flash reader device. Therefore, protecting the read-writeable file system against extraction of sensitive information or configuration tampering is an important protection for when the Axis device has been stolen or intrusion is achieved.

The secure keystore prevents the malicious exfiltration of information and prevents configuration tampering by enforcing strong encryption on the file system.

A basic premise in the security industry is that video recorded by surveillance cameras is authentic and can be trusted. Signed video is a feature developed to maintain and further strengthen the confidence in video as evidence. By verifying video authenticity, the feature provides a means to ensure that video has not been edited or tampered with after it left the camera.

With the Axis-developed signed video feature, which was proactively open sourced, a signature in the video stream can be used to safeguard that the video is intact and verify its origin by tracing it back to the camera that produced it. This makes it possible to prove the video authenticity without having to prove the chain of custody of the video file.

Each camera uses its unique video signing key, which is stored in the secure keystore, to add a signature into the video stream. This is done by computing a hash of each video frame, including metadata, and signing the combined hash. The signature is then stored in the stream in dedicated metadata fields (the SEI header).

Axis Edge Vault requires a secure foundation that acts as the root of trust. Establishing the root of trust starts at the device’s boot process. In Axis devices, the hardware-based mechanism secure boot verifies the operating system (AXIS OS) that the device is booting from. AXIS OS, in turn, is cryptographically signed (signed firmware) during the build process.

Secure boot and signed firmware tie into each other. They ensure that the firmware has not been tampered with (by anyone with physical access to the device) before the device is deployed and that, after deployment, the device cannot install compromised firmware updates. Together, secure boot and signed firmware create an unbroken chain of cryptographically validated software for the chain of trust that all secure operations depend on.

Clifton Greeff, National Surveillance Business Manager at Duxbury Networking, local distributor of AXIS technology, says: “Our customers can rest assured that everything is done to minimise their exposure to cyber security risks and that the Axis device is a trusted unit on the customer’s network.”

For more information, contact Duxbury Networking, (+27) 011 351 9800, info@duxnet.co.za, www.duxbury.co.za.