27270 posts

Uber Geek
+1 received by user: 6699

Moderator
Trusted
Biddle Corp
Lifetime subscriber

Topic # 204764 16-Oct-2016 12:55

It seems that every month or so somebody starts a new thread here on GZ about port forwards to their CCTV cameras because they want to access them remotely. My stock standard response is to say that this should never under any circumstances be done and that the only secure way to access them is via VPN. Whether people pay any attention to that advice is something I can't answer.

 

It was interesting to read an article about the world's largest DDoS attack a few weeks ago against KrebsOnSecurity. For those who don't know, at its peak the attack was 665Gbps.

 

There is an article on Krebs about this, including the malware responsible for this attack which was specifically looking for known backdoors in common IoT and CCTV hardware to use them for the attack.

 

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

 

There are still "security" people out there installing equipment that's inherently insecure because they have no knowledge of network security and could well be used for DDoS attacks.


mdf

2029 posts

Uber Geek
+1 received by user: 599

Trusted
Subscriber

  Reply # 1652057 16-Oct-2016 20:58

Two queries:

 

1. Any chance of either making this post a sticky or doing a repeat of your wifi article? When my non-tech friends and family are telling me about looking at their webcams from their phones, this is an issue that needs further publicity.

 

2. Are there any turn-key VPN solutions for this type of view-my-webcams situation? I'm fine with options you have to pay for. After a *lot* of trial and error, I've managed to get OpenVPN working, but it's not something I thought was easy and will definitely not be offering to help said friends and family with it.


1580 posts

Uber Geek
+1 received by user: 825


  Reply # 1652101 17-Oct-2016 08:52

Because the forum post specifically says "CCTV", and "internet of Things", IoT, varies a lot more than cameras, I'm not even going to attempt to discuss IoT's security.

I think most people are concerned with a lack of privacy / blackmail, when a hacker can access a camera. This is especially true for family households.

The article discusses several things, but the most important point: CHANGE YOUR DEFAULT PASSWORD!

From the article:

As long as the password can’t be reversed ... that would be a reasonable level of security


In my opinion much easier than a VPN for cameras, a DVR / PVR will at least give you only one device, one IP address, one device to patch.

There's an unspoken rule that most security people live by: block everything, and only open one thing at a time (usually one IP and port combination). This "one open thing" is the DVR of course.

If you've obeyed the previous rule, and cameras are streaming at the DVR, then a camera's security holes are less likely to matter.

For example some dodgy Chinese manufacturers have opened stupid features like P2P, UPnP, Telnet, hidden passwords, ...

A DVR/PVR also makes checking your home / business easier. For a location, who's satisfied with one camera for a location, or even one manufacturer's cameras.

Besides security, an added benefit to a DVR / PVR is its recording, handy for home deliveries and keeping an eye on tradesmen.
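
An added example, not part of the original post or thread: one way to check a router's port-forward list against the "block everything, open one thing" rule described above. The rule export format, the IP addresses, the ports and the single approved DVR target are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample export; the column layout is an assumption, not any
# real router's format: origin proto wan_port lan_ip lan_port
SAMPLE_RULES = """\
manual tcp 8000 192.168.1.50 8000
manual tcp 8081 192.168.1.61 80
upnp   tcp 2323 192.168.1.62 23
upnp   udp 32100 192.168.1.62 32100
manual tcp 554  192.168.1.61 554
"""

# Policy (assumed addresses): the DVR is the single permitted target.
ALLOWED = {("192.168.1.50", 8000)}
RISKY_PORTS = {23: "Telnet", 80: "HTTP admin", 554: "RTSP video"}

@dataclass(frozen=True)
class Forward:
    origin: str      # "manual" or "upnp" (who created the mapping)
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        origin, proto, wan, ip, lan = parts
        rules.append(Forward(origin, proto, int(wan), ip, int(lan)))
    return rules

def audit(rules):
    """Return (wan_port, lan_ip, reasons) for every forward that breaks policy."""
    findings = []
    for r in rules:
        reasons = []
        if (r.lan_ip, r.lan_port) not in ALLOWED:
            reasons.append("target is not the approved DVR")
        if r.origin == "upnp":
            reasons.append("opened by the device itself via UPnP")
        if r.lan_port in RISKY_PORTS:
            reasons.append(f"exposes {RISKY_PORTS[r.lan_port]}")
        if reasons:
            findings.append((r.wan_port, r.lan_ip, reasons))
    return findings

if __name__ == "__main__":
    for wan_port, lan_ip, reasons in audit(parse_rules(SAMPLE_RULES)):
        print(f"WAN {wan_port} -> {lan_ip}: " + "; ".join(reasons))
```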

 
 
 
 


xpd

Chief Trash Bandit
9146 posts

Uber Geek
+1 received by user: 1443

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 1652105 17-Oct-2016 08:57
One person supports this post

Was showing Shodan.io to someone over the weekend, explaining how that attack was possible etc, selected the webcams section and logged into most of them I tried using default passwords........  he couldn't believe it.





XPD / Gavin / DemiseNZ

 

Server : i3-3240 @ 3.40GHz  16GB RAM  Win 10 Pro    Workstation : i5-xxxx @ x.xxGHz  16GB RAM  Win 10 pro    Console : Xbox One

 

https://www.xpd.co.nz - Games, geeks, and more.    


1597 posts

Uber Geek
+1 received by user: 369


  Reply # 1652685 18-Oct-2016 09:06

kingdragonfly:

 


As long as the password can’t be reversed ... that would be a reasonable level of security


 

Sort of, but not really.
Plenty of security holes in these things, that may never get patched

Any cheap device that connects to the internet can have security issues: routers, cameras, NAS have all had mass hacks in the past

 


Have a look at a Krebs article on security issues on cheap routers. Even some expensive, high end brand devices had horrific holes, that weren't always patched quickly.
Cheap devices sometimes just get quickly abandoned by the Brand (who may not have even designed & made the thing anyway)
Good example is the famous brand device that had a default pass hard coded in & couldn't be removed (a default login/pass stayed active no matter what)

 

 




27270 posts

Uber Geek
+1 received by user: 6699

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1652720 18-Oct-2016 10:02

1101:

 

kingdragonfly:

 


As long as the password can’t be reversed ... that would be a reasonable level of security


 

Sort of, but not really.
Plenty of security holes in these things, that may never get patched

Any cheap device that connects to the internet can have security issues: routers, cameras, NAS have all had mass hacks in the past

 


Have a look at a Krebs article on security issues on cheap routers. Even some expensive, high end brand devices had horrific holes, that weren't always patched quickly.
Cheap devices sometimes just get quickly abandoned by the Brand (who may not have even designed & made the thing anyway)
Good example is the famous brand device that had a default pass hard coded in & couldn't be removed (a default login/pass stayed active no matter what)

 

 

 

 

This is the exact problem. People think connecting the device to the internet is safe because they've changed the password, but if it's got a backdoor or hard coded root password then it makes no difference whether you've changed your password. Dahua in particular had this problem, and it's safe to say 99% of people don't update their firmware or products.

 

The problem is made worse by companies like Dahua and Hikvision differentiating between Chinese and Western products. If you look on Aliexpress most Dahua products with "English firmware" are Chinese product that's running hacked Chinese firmware to convert it to an English product. You can't upgrade the firmware even if you have newer English firmware (which isn't available from Dahua but is readily available online) simply because it won't support a Chinese product.

 

 


3680 posts

Uber Geek
+1 received by user: 1389

Subscriber

  Reply # 1652847 18-Oct-2016 13:25

Hikvision have finally started doing things to at least slow down these issues.

 

New NVRs require a password change, UPnP isn't enabled by default etc. Then with IP cams, if you are connecting them directly to a network (and not to a Hikvision NVR), you must 'activate' the camera by changing the password first and then it will work on a network.

 

Still doesn't stop people setting easy passwords and creating their own port forwards...


3422 posts

Uber Geek
+1 received by user: 410

Trusted

  Reply # 1652891 18-Oct-2016 14:05

IoT security is going to be a massive issue. I've got some ideas I'm planning to write a blog on ;)






110 posts

Master Geek
+1 received by user: 16


  Reply # 1653033 18-Oct-2016 16:04

Steve, can you recommend a good VPN solution for viewing cameras remotely? Happy to pay for a decent solution if need be. 

 

I currently view mine via Sighthound (which uses port forwarding), always looking for a better and more secure connection.  


3680 posts

Uber Geek
+1 received by user: 1389

Subscriber

  Reply # 1653067 18-Oct-2016 16:48

One of the baby Mikrotiks (hAP lite, mAP etc) is probably one of the cheaper ways to do it. Put it on the LAN and just forward the required VPN ports (depending on type of VPN). Not a simple solution I suppose, but no less complex than if you were going to do it on the main router or with a Raspberry Pi or something.




27270 posts

Uber Geek
+1 received by user: 6699

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1653146 18-Oct-2016 20:22

SQLGeek:

 

Steve, can you recommend a good VPN solution for viewing cameras remotely? Happy to pay for a decent solution if need be. 

 

I currently view mine via Sighthound (which uses port forwarding), always looking for a better and more secure connection.  

 

 

Being its own application Sighthound is going to be a lot more secure than a port forward to a Chinese camera! I am of the belief however that port forwards should be minimised, so something like a hAP lite is a really low cost way to establish a VPN connection into a network.

 

I was actually just having a look at Sighthound as it's not something I've seen before. It's actually quite a cool program for the price.

 

 


370 posts

Ultimate Geek
+1 received by user: 85


  Reply # 1653178 18-Oct-2016 21:34

Remote access to CCTV always reminds me of that "child's toy" with internet camera that highlighted the danger of weirdos hacking into them and looking at your young kids. This was found and demonstrated by a security pro at a Black Hat conference a few years back.

 

Also, home automation systems can be just as insecure too.

 

 

