

sbiddle

30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

#204764 16-Oct-2016 12:55

It seems that every month or so somebody starts a new thread here on GZ about port forwards to their CCTV cameras because they want to access them remotely. My stock standard response is to say that this should never under any circumstances be done and that the only secure way to access them is via VPN. Whether people pay any attention to that advice is something I can't answer.

 

It was interesting to read an article about the world's largest DDoS attack a few weeks ago against KrebsOnSecurity. For those who don't know, at its peak the attack was 665Gbps.

 

There is an article on Krebs about this, including the malware responsible for this attack which was specifically looking for known backdoors in common IoT and CCTV hardware to use them for the attack.

 

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

 

There are still "security" people out there installing equipment that's inherently insecure because they have no knowledge of network security and could well be used for DDoS attacks.


mdf

3512 posts

Uber Geek

Trusted

  #1652057 16-Oct-2016 20:58

Two queries:

 

1. Any chance of either making this post a sticky or doing a repeat of your wifi article? When my non-tech friends and family are telling me about looking at their webcams from their phones, this is an issue that needs further publicity.

 

2. Are there any turn-key VPN solutions for this type of view-my-webcams situation? I'm fine with options you have to pay for. After a *lot* of trial and error, I've managed to get OpenVPN working, but it's not something I thought was easy and will definitely not be offering to help said friends and family with it.




kingdragonfly
11190 posts

Uber Geek

Subscriber

  #1652101 17-Oct-2016 08:52

Because the forum post specifically says "CCTV", and "Internet of Things" (IoT) varies a lot more than cameras, I'm not even going to attempt to discuss IoT's security.

I think most people are concerned with a lack of privacy / blackmail, when a hacker can access a camera. This is especially true for family households.

The article discusses several things, but the most important point: CHANGE YOUR DEFAULT PASSWORD!

From the article:

As long as the password can’t be reversed ... that would be a reasonable level of security


In my opinion much easier than a VPN for cameras, a DVR / PVR will at least give you only one device, one IP address, one device to patch.

There's an unspoken rule that most security people live by: block everything, and only open one thing at a time (usually one IP and port combination). This "one open thing" is the DVR of course.

If you've obeyed the previous rule, and cameras are streaming at the DVR, then a camera's security holes are less likely to matter.

For example some dodgy Chinese manufacturers have opened stupid features like P2P, UPnP, Telnet, hidden passwords, ...

A DVR/PVR also makes checking your home / business easier. Who's satisfied with one camera for a location, or even one manufacturer's cameras?

Besides security, an added benefit to a DVR / PVR is it's recording, handy for home deliveries and keeping an eye on tradesmen.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #1652105 17-Oct-2016 08:57

Was showing Shodan.io to someone over the weekend, explaining how that attack was possible etc, selected the webcams section and logged into most of them I tried using default passwords... he couldn't believe it.





       Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

 




1101
3122 posts

Uber Geek


  #1652685 18-Oct-2016 09:06

kingdragonfly:

 


As long as the password can’t be reversed ... that would be a reasonable level of security


 

Sort of, but not really.
Plenty of security holes in these things that may never get patched.

Any cheap device that connects to the internet can have security issues: routers, cameras, NAS have all had mass hacks in the past

 


Have a look at a Krebs article on security issues on cheap routers. Even some expensive, high-end brand devices had horrific holes that weren't always patched quickly.
Cheap devices sometimes just get quickly abandoned by the brand (who may not have even designed & made the thing anyway).
Good example is the famous brand device that had a default pass hard coded in & couldn't be removed (a default login/pass stayed active no matter what).

 

 


sbiddle

30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1652720 18-Oct-2016 10:02

1101:

 

kingdragonfly:

 


As long as the password can’t be reversed ... that would be a reasonable level of security


 

Sort of, but not really.
Plenty of security holes in these things that may never get patched.

Any cheap device that connects to the internet can have security issues: routers, cameras, NAS have all had mass hacks in the past

 


Have a look at a Krebs article on security issues on cheap routers. Even some expensive, high-end brand devices had horrific holes that weren't always patched quickly.
Cheap devices sometimes just get quickly abandoned by the brand (who may not have even designed & made the thing anyway).
Good example is the famous brand device that had a default pass hard coded in & couldn't be removed (a default login/pass stayed active no matter what).

 

 

 

 

This is the exact problem. People think connecting the device to the internet is safe because they've changed the password, but if it's got a backdoor or hard coded root password then it makes no difference whether you've changed your password. Dahua in particular had this problem, and it's safe to say 99% of people don't update their firmware or products.

 

The problem is made worse by companies like Dahua and Hikvision differentiating between Chinese and Western products. If you look on Aliexpress most Dahua products with "English firmware" are Chinese product that's running hacked Chinese firmware to convert it to an English product. You can't upgrade the firmware even if you have newer English firmware (which isn't available from Dahua but is readily available online) simply because it won't support a Chinese product.

 

 


chevrolux
4962 posts

Uber Geek
Inactive user


  #1652847 18-Oct-2016 13:25

Hikvision have finally started doing things to at least slow down these issues.

 

New NVRs require a password change, UPnP isn't enabled by default etc. Then with IP cams, if you are connecting them directly to a network (and not to a Hikvision NVR), you must 'activate' the camera by changing the password first and then it will work on a network.

 

Still doesn't stop people setting easy passwords and creating their own port forwards...


Zeon
3916 posts

Uber Geek

Trusted

  #1652891 18-Oct-2016 14:05

IoT security is going to be a massive issue. I've got some ideas I'm planning to write a blog on ;)





SQLGeek
135 posts

Master Geek


  #1653033 18-Oct-2016 16:04

Steve, can you recommend a good VPN solution for viewing cameras remotely? Happy to pay for a decent solution if need be. 

 

I currently view mine via Sighthound (which uses port forwarding), always looking for a better and more secure connection.  


chevrolux
4962 posts

Uber Geek
Inactive user


  #1653067 18-Oct-2016 16:48

One of the baby Mikrotiks (hAP lite, mAP etc) is probably one of the cheaper ways to do it. Put it on the LAN and just forward the required VPN ports (depending on type of VPN). Not a simple solution I suppose, but no less complex than if you were going to do it on the main router or with a Raspberry Pi or something.


sbiddle

30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1653146 18-Oct-2016 20:22

SQLGeek:

 

Steve, can you recommend a good VPN solution for viewing cameras remotely? Happy to pay for a decent solution if need be. 

 

I currently view mine via Sighthound (which uses port forwarding), always looking for a better and more secure connection.  

 

 

Being its own application Sighthound is going to be a lot more secure than a port forward to a Chinese camera! I am of the belief however that port forwards should be minimised, so something like a hAP lite is a really low cost way to establish a VPN connection into a network.

 

I was actually just having a look at Sighthound as it's not something I've seen before. It's actually quite a cool program for the price.

 

 


cynnicallemon
370 posts

Ultimate Geek


  #1653178 18-Oct-2016 21:34

Remote access to CCTV always reminds me of that "child's toy" with internet camera that highlighted the danger of weirdos hacking into them and looking at your young kids. This was found and demonstrated by a security pro at a Black Hat conference a few years back.

 

Also, home automation systems can be just as insecure too.

 

 

