Axon Cameras (Axon Body 2, Axon Flex 2, and Axon Body 3) are designed and built to meet the needs of the public safety community. Outlined below are security safeguards, considerations, and recommendations for Axon Cameras.
Axon Camera Security Safeguards
All Axon products undergo rigorous security analysis and assessments during development. Axon's hardware and software engineering teams are trained on developing secure products and Axon Cameras regularly undergo security and penetration testing to ensure an ongoing defense against threats. All identified vulnerabilities are evaluated by the Axon Information Security team, assigned risk and remediation time frames, and tracked through remediation.
Axon Cameras, including interfaces, firmware, and operating systems, are hardened to reduce potential attack surface and only allow necessary device functionality. Security considerations have been implemented in Axon Cameras' wireless interfaces to safeguard the device against threats.
Firmware updates, enhancements, and security improvements for Axon Cameras are developed and deployed by Axon. Updates are retrieved, installed, and validated during the normal device charging and data transfer process. Firmware updates to Axon Cameras are systematically rolled out to customers in waves to minimize any negative impacts that may occur in update processes.
INTUITIVE OFFLOAD PROCESS
Axon Cameras can quickly and securely offload captured data to Axon Evidence or Axon Commander. Axon understands that inefficient solutions oftentimes incentivize workarounds which bypass necessary security measures. Axon products are designed to promote intuitive user experiences while ensuring security is integrated by design.
AXON BODY 3 SECURITY ENHANCEMENTS
Axon Body 3 introduces additional security safeguards including:
- Enhanced Video Authenticity & Integrity Validation between Camera and Axon Evidence
- Signed Commands - Cryptographic validation of commands sent to Camera from Axon Evidence
- Secure Boot - Only trusted, cryptographically signed firmware will run on Camera
- Hash Tree implementation to facilitate multiple layers of forensic integrity
- Disk Encryption - AES-XTS 128-bit
Axon Camera Interfaces & Radios
Axon Cameras are equipped with Bluetooth and Wi-Fi radios and a Near Field Communications (NFC) tag to facilitate communications and interactions between Axon Products. Axon Body 3 additionally has an embedded Long-Term Evolution (LTE) radio and a Global Navigation Satellite System (GNSS) receiver. All Axon Cameras have a physical port for data transfer and device charging.
The Axon Camera Bluetooth radio is used for Camera communications with the Axon client applications, Axon View and Axon View XL, and to facilitate Axon Signal and Axon Slate technologies. On Axon Body 3, Bluetooth can also be used to facilitate Camera registration. Axon Body 3 uses Bluetooth LE (v4.2). Axon Body 2 and Flex 2 use Bluetooth LE (v4.0)*.
Axon View & View XL
Axon View and View XL, leveraging an Axon Camera's Bluetooth radio, allow a user to wirelessly interact with an Axon Camera to manage customer-permitted user-level Camera configuration, apply metadata to video files (including GPS coordinates provided from a host system), and initiate viewing of recorded videos or preview live video capture. Axon View and View XL functionality is limited as further explained on the Axon View Security webpage and within the Axon View User Guide and View XL Body Worn Cameras Guide.
Pairing Axon View to an Axon Camera
Pairing of the Axon View application to an Axon Camera is performed over Bluetooth. Both Axon View and the Axon Camera must be set into pairing mode.
Pairing View XL to an Axon Camera
Pairing of the Axon View XL application to an Axon Camera is performed over Bluetooth. When a user signs into View XL, View XL will communicate to Axon Evidence to see which Axon Cameras are assigned to the current user. Current user assigned Axon Cameras will appear as available to pair in the View XL settings page. Initiating Camera pairing from View XL will trigger a scan from the View XL host system over Bluetooth for the Axon Camera. The Axon Camera must be placed into pairing mode to be available for pairing and to complete the pairing process with Axon View XL.
Pairing mode on an Axon Camera requires the simultaneous pressing of physical Event and Function buttons as further described in the Axon Help Center. Requiring physical interactions on the Camera for pairing mitigates the risk of unintended pairing. Axon View and View XL pairing to an Axon Body 2 or Flex camera does not require the use of a PIN or other authenticators beyond the physical button combination. On Axon Body 3, users must be authenticated using Axon Evidence credentials and have permissions that authorize them to pair with the Axon Body 3 camera.
An Axon Camera can only be paired with a single instance of Axon View XL or Axon View at a time. If an Axon Camera is paired with Axon View XL, it must be re-paired with Axon View for functionality. Similarly, if an Axon Camera is paired with Axon View, it must be re-paired with Axon View XL for functionality.
Leveraging Bluetooth, Axon Cameras can accept activation advertisement messages from other Axon Products. On Axon Cameras, Axon Signal technology can only activate recording on a Camera that (1) has Bluetooth enabled, (2) is in BUFFERING mode, and (3) has Axon Signal enabled.
Axon Signal technologies do not transmit sensitive information or rely on device pairing mechanisms. Thus, the aforementioned Bluetooth LE pairing safeguards do not apply to Axon Signal.
Leveraging Bluetooth, Axon Cameras advertise and, when in EVENT mode (recording), capture advertised information from other Axon Cameras to associate and synchronize videos within Axon Evidence for Multicam Playback. Captured advertised information is stored within the Axon Camera and is uploaded to Axon Evidence during device charging and data transfer processes.
Axon Slate technologies do not transmit sensitive information or rely on device pairing mechanisms. Thus, the aforementioned Bluetooth LE pairing safeguards do not apply to Axon Slate.
Customer administrators with appropriate permissions in Axon Evidence can manage Bluetooth on Axon Cameras registered to their Axon Evidence tenant. The Bluetooth functionality can be enabled or disabled holistically. Alternatively, a specific configuration can be made to enable or disable Axon View and View XL pairing and Axon Signal Activation functionality.
*Axon Body 2 and Flex 2 cameras utilize Bluetooth LE (v4.0). Due to known limitations in Bluetooth LE (v4.0) pairing security, all Axon Cameras (including Axon Body 3) and Axon View have implemented additional application-level security pairing to protect against eavesdropping attacks. On initial connection over Bluetooth LE, the Axon Camera and Axon View or View XL utilize the Elliptic-curve Diffie-Hellman key exchange protocol to exchange cryptographic keys. These keys are used as a basis to derive AES-256 bit session keys unique to each session to ensure an encrypted session for subsequent communications over Bluetooth.
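The application-level exchange described above, sketched as an added example (this is not Axon's code). The P-256 curve, HKDF-SHA256, the per-session nonces and every identifier below are assumptions, since the page names only ECDH and AES-256 session keys.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Peer is one side of the link (camera or View app); the type is illustrative.
type Peer struct{ priv *ecdh.PrivateKey }

// NewPeer generates a P-256 key pair (assumed curve; the page names none).
func NewPeer() (*Peer, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	return &Peer{priv: k}, err
}

// PublicBytes is the only value sent over Bluetooth LE during the exchange.
func (p *Peer) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// PairingSecret validates the received public key and runs ECDH against it.
func (p *Peer) PairingSecret(remote []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(remote) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(pub)
}

// SessionKey derives a 32-byte AES-256 key with HKDF-SHA256 (RFC 5869, assumed KDF).
func SessionKey(secret, camNonce, appNonce []byte) []byte {
	salt := append(append([]byte{}, camNonce...), appNonce...) // fresh per session
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("example-session-key\x01")) // info || counter 0x01 = T(1)
	return expand.Sum(nil)
}

func main() {
	cam, _ := NewPeer()
	app, _ := NewPeer()
	s1, _ := cam.PairingSecret(app.PublicBytes())
	s2, _ := app.PairingSecret(cam.PublicBytes())
	cn, an := []byte("constructed-cam-nonce"), []byte("constructed-app-nonce")
	fmt.Printf("camera %x\napp    %x\n", SessionKey(s1, cn, an), SessionKey(s2, cn, an))
}
```

An observer who captures both public keys and both nonces still cannot compute the session key, which is the eavesdropping case named above. The sketch does not authenticate the exchanged public keys.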
The Axon Camera Wi-Fi radio is used to facilitate the viewing of live and recorded video using Axon View. Upon request over an authenticated Bluetooth session from Axon View, the Axon Camera will create a secure Wi-Fi network with a unique, non-broadcasted service set identifier (SSID). The Axon Camera acts as an Access Point in Infrastructure Mode. The Wi-Fi network created by the Axon Camera is secured via Wi-Fi Protected Access version 2 with a Pre Shared Key (WPA2-PSK). Client connectivity requires a secret key (a passphrase) which is generated on the Axon Camera during the initial pairing process between Axon View and the Axon Camera. Once an Axon Camera is paired with Axon View, subsequent data communications and streaming occur over HTTP (port 80) and RTSP (port 554), respectively.
For Axon View, the mechanism by which the Axon Camera transmits the network SSID and passphrase to Axon View for connectivity is dependent on the mobile operating system.
Axon View XL
The Axon Camera Wi-Fi radio is used to facilitate the viewing of live and recorded video or to prioritize upload of videos recorded on the Axon Camera.
Cameras connected to View XL operate in Wi-Fi station (client) mode and communications are secured using WPA2-PSK. Axon Cameras receive the in-car Wi-Fi network SSID and passphrase over Bluetooth from View XL to join the network. During the Vehicle Creation process within Axon Evidence or Commander the in-car Wi-Fi network SSID and passphrase are submitted into and stored by Axon Evidence or Commander. View XL securely retrieves these stored credentials from Axon Evidence or Commander to relay to the Cameras for connectivity.
View XL will only enable Wi-Fi on an Axon Camera when the connectivity is required for functionality, such as reviewing or uploading recorded video. Once those tasks are completed Wi-Fi is disabled to optimize Axon Camera battery life.
Wi-Fi configuration is dependent on a Camera's Bluetooth configuration. If Bluetooth functionality is disabled on the Camera, Wi-Fi functionality is also disabled due to the need for Bluetooth communications to enable a Camera's Wi-Fi functions.
RADIO OPERATIONAL SECURITY CONSIDERATIONS
Like any radio signal, Axon Cameras' Bluetooth and Wi-Fi radio signals can be generally detected. The nature and purpose of Wi-Fi and Bluetooth signals is for them to be found and used by devices. Axon Cameras are Class 2 Bluetooth devices with operational signals rated at 8m, but could be observed or amplified at greater distances.
Axon recommends that operational security considerations be made prior to deploying Axon Cameras in operations where Axon Camera detection may result in unintended outcomes. Stealth Mode does not disable the emission of radio signals on Axon Cameras.
Additionally, Axon recommends that usage and configuration of Axon Signal activation technologies are considered in the context of the customer's operational policies, such as body worn camera policies. Specifically, 'Assigned Officer Activation' and 'Mute Mode' functionality exists to mitigate unintended Axon Camera activations. See 'Mute Mode' options for Signal Sidearm, Signal Performance Power Magazine, and Taser 7.
Axon Cameras have an embedded Near Field Communications (NFC) tag to facilitate device identification. Axon Device Manager leverages these tags to enable quick and accurate assignment of Axon Cameras.
Axon Cameras have the device serial number and model written in cleartext to their NFC tag during manufacturing. The device serial is the same data that is available externally on the Camera body through visual inspection. The NFC tag is configured to be read-only, preventing data from being written to the tag after manufacturing.
The NFC tag does not pair or actively communicate with the Axon Camera. Axon Device Manager acts as a standard NFC reader leveraging a mobile phone's NFC capabilities to read data from the Axon Camera tag.
PHYSICAL PORT AND STORAGE
The physical port available on Axon Cameras is used as a data port and charging port. Axon Body 2 and Axon Flex 2 use either the Axon Dock or Evidence Sync over the 2.5mm port. Axon Body 3 has a USB-C port which supports data transfer and charging over the Axon Body 3 Dock or supported USB-C interfaces. The only method of communication with the Camera through this port is via a proprietary communication protocol. The local storage on Axon Cameras is not accessible via common protocols used by operating systems to access storage devices, such as those used by the USB mass storage device class. The local storage is a solid-state, non-removable, embedded MultiMediaCard (eMMC) integrated circuit soldered onto the main board; easily removable media is not used. For Axon Body 2 and Axon Flex 2, the local storage is not encrypted at rest. Axon Body 3 uses full disk encryption (AES-XTS 128-bit).
PHYSICAL DESIGN AND SAFEGUARDS
Axon Cameras are physically hardened to the US Military Standard MIL-STD-810G, are IEC 60529 rated (IP67 for Axon Body 2 & 3, and IP54 for Axon Flex 2), and are suitable for many public safety operations. However, Axon Cameras are still subject to destruction. Additionally, if an Axon Camera is lost or stolen, any data on the device that has not been offloaded should be considered unrecoverable unless the Camera is recovered.
Axon Camera Security Recommendations
Axon recommends that customers consider the following when using Axon Cameras:
- Establish Inventory Management - Customers should deploy inventory management policies and processes. Processes should include periodic, physical inspection of Axon Cameras to identify damage or tampering.
- Secure Axon Cameras when not being worn - If using an Axon Dock for unattended camera storage, maintain the Axon Dock in a physically secure location and follow the Axon Dock Agency Requirements: Dock Security. Avoid leaving Axon Cameras in publicly accessible areas.
- Return (RMA) Axon Body 2 or Flex 2 cameras if physically controlled by an untrusted party - If a user's Axon Body 2 or Flex 2 is stolen or lost, meaning that the camera is expected to be under the physical control of an untrusted party, Axon recommends that the Axon Camera be returned to Axon. If such Camera is believed to hold video data that is needed by the customer, Axon can assist in video retrieval and evaluate capabilities to provide assurances to support the integrity or authenticity of any recoverable videos.
- Manage Configuration of Axon Cameras - Customers must ensure the configuration of their Axon Cameras, and all Axon products, adheres to their organizational policies.