For those of you who are regulars on Geekzone you’ll know one of my pet peeves is people who don’t understand the huge security risk associated with port forwards. Configuring a port forward on a router or firewall is something people do every day, and the vast majority probably never stop to consider the security risk of something that’s so easily done.
Opening up your network so that traffic from anywhere on the Internet can reach a PC or device behind your router and/or firewall removes an entire layer of security: anybody on the Internet can now talk directly to that PC or device on the port(s) that have been forwarded. If there is an exploitable flaw in the software on your PC or in the device’s firmware, that one forwarded port can easily lead to the compromise of your entire network.
If you’re running a VoIP setup and forward port 5060 (SIP) you’re opening your IP PBX or phone system up to a never-ending stream of bots and scripts probing for holes in your system so they can route illegitimate calls through it. By setting up a port forward to CCTV equipment you run the risk of your security cameras being left wide open for anybody on the Internet to view, whether for entertainment or for malicious purposes.
In recent days we’ve once again seen a mainstream media article on Stuff discussing compromised or poorly configured CCTV cameras in New Zealand that can be openly viewed by anybody on the Internet. While Stuff have chosen not to name where these cameras are linked from, the source is insecam.org, a site that proclaims itself as “the world biggest directory of online surveillance security cameras”. This story is very similar to another run in 2014 in the NZ Herald discussing the very same issue with cameras in New Zealand viewable on the insecam website.
While insecam lists only openly viewable CCTV equipment, the IoT search engine Shodan is the best resource on the Internet for discovering hardware devices (CCTV and otherwise) that are exposed to the Internet. Many of these devices are “compromised” because of one simple mistake: either configuring port forwards to allow remote access, or enabling UPnP so that the devices can create their own port forwards for remote access. It’s worth pointing out here that the insecam website isn’t doing anything illegal; it is simply aggregating content that is already publicly accessible.
If you’ve got CCTV cameras then it’s not an unrealistic requirement to want to view them remotely. Most systems these days offer web access and/or mobile apps allowing you to view your cameras from anywhere in the world, and many even pitch remote access as a key selling point. The simplest way to configure remote access is to set up a port forward allowing direct access to the camera itself, a Network Video Recorder (NVR) or a Digital Video Recorder (DVR).
Some equipment is also UPnP enabled to make this process even easier: if UPnP is enabled on both your router and your CCTV equipment, the equipment can ask the router to open a port forward for it, and you may have your CCTV equipment exposed to the Internet without even knowing it. Whether via a manual port forward or UPnP, you’ve exposed your CCTV system to the entire Internet and it’s now only as secure as the hardware you’re using. And that’s where the problems start.
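The quickest way to find out whether UPnP has quietly opened something is to ask the router the same way the devices do. The following script is an added example, not code from the original post: it sends an SSDP M-SEARCH for a UPnP Internet Gateway Device, reads the WANIPConnection control URL from the device description, then walks the router’s port mapping table with GetGenericPortMappingEntry until the router returns UPnP error 713 (end of table). It assumes the router implements the standard IGD profile; the RISKY_PORTS table and the two sample SOAP documents at the bottom are constructed for this example so the parsing can be exercised offline.

```python
import re
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV = "{urn:schemas-upnp-org:device-1-0}"
# Ports that typically lead to CCTV or VoIP gear. This table is an assumption
# made for the example, not a list the original post gives.
RISKY_PORTS = {80: "HTTP admin UI", 443: "HTTPS admin UI", 554: "RTSP video",
               5060: "SIP signalling", 8080: "HTTP admin UI (alt)"}

def soap_get_mapping(index):
    """SOAP body for the IGD action GetGenericPortMappingEntry at one index."""
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()

def parse_mapping(xml_body):
    """One GetGenericPortMappingEntryResponse as a dict, or None on the SOAP
    fault (UPnP error 713) a router sends once the index passes the last entry."""
    root = ET.fromstring(xml_body)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    assert resp is not None, "not a GetGenericPortMappingEntry response"
    f = {c.tag: (c.text or "").strip() for c in resp}
    return {"remote_host": f.get("NewRemoteHost", ""),  # "" means any source
            "external_port": int(f["NewExternalPort"]),
            "protocol": f["NewProtocol"],
            "internal_port": int(f["NewInternalPort"]),
            "internal_client": f["NewInternalClient"],
            "description": f.get("NewPortMappingDescription", "")}

def assess(mapping):
    """An empty NewRemoteHost means anyone on the Internet can use the mapping."""
    if mapping["remote_host"]:
        return f"restricted to source {mapping['remote_host']}"
    label = RISKY_PORTS.get(mapping["internal_port"])
    return "EXPOSED to the whole Internet" + (f" ({label})" if label else "")

def find_control_url(timeout=2.0):
    """SSDP M-SEARCH for an IGD, then read its device description to get the
    WANIPConnection control URL. Returns None when no router answers."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {WANIP}\r\n\r\n').encode()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(msg, ("239.255.255.250", 1900))
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    location = re.search(rb"(?im)^LOCATION:\s*(\S+)", data).group(1).decode()
    with urllib.request.urlopen(location, timeout=5) as r:
        root = ET.fromstring(r.read())
    for svc in root.iter(f"{DEV}service"):
        if svc.findtext(f"{DEV}serviceType") == WANIP:
            return urllib.parse.urljoin(location, svc.findtext(f"{DEV}controlURL"))
    raise RuntimeError("router advertises no WANIPConnection service")

def list_mappings(ctrl):
    """Walk index 0, 1, 2, ... until the router answers with the 713 fault."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    index = 0
    while True:
        req = urllib.request.Request(ctrl, soap_get_mapping(index), headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                body = r.read()
        except urllib.error.HTTPError as e:
            body = e.read()  # the SOAP fault arrives with HTTP 500
        mapping = parse_mapping(body)
        if mapping is None:
            return
        yield mapping
        index += 1

# Constructed sample answers (not captured from a real router) for offline use.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewPortMappingDescription>NVR web</NewPortMappingDescription>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>""".encode()
SAMPLE_FAULT = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode></UPnPError>
</detail></s:Fault></s:Body></s:Envelope>""".encode()

if __name__ == "__main__":
    ctrl = find_control_url()
    print("no UPnP IGD answered: UPnP is off (good) or SSDP is blocked" if ctrl is None else
          "\n".join(f"{m['protocol']}/{m['external_port']} -> {m['internal_client']}:"
                    f"{m['internal_port']} {m['description']!r}: {assess(m)}"
                    for m in list_mappings(ctrl)))
```

Run it from a machine on the LAN. Every line reported as EXPOSED is a hole a device opened for itself, and the only real fix is to turn UPnP off on the router and delete the mappings; a mapping with a non-empty NewRemoteHost is the UPnP equivalent of the source-IP restriction discussed later in the post, but few routers honour that field, so don’t rely on it.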
A glance at the equipment viewable on the Internet shows that many people clearly never change default passwords. Many brands of cheap Chinese CCTV equipment also run embedded software of dubious quality with very well known exploits and hacks. Many also contain backdoor passwords, meaning that even if you change the password these devices can still be accessed by anybody who knows the backdoor. As many of these systems are never updated by installers or end users, flaws that have long been fixed by the vendor can persist for the life of the system.
The issues also extend beyond somebody snooping on your video feeds: some of these exploits can also be used to turn your hardware into a bot for major DDoS attacks, or even into a tool for mining bitcoins. In September 2016 one of the world’s largest DDoS attacks, against KrebsOnSecurity, was reportedly performed with the assistance of over 145,000 compromised CCTV cameras.
In my day job as a network engineer I’ve had numerous dealings with security companies that lack even the most basic knowledge of networking and security. Networking concepts are something many people fail to grasp, and many rely on the advice of others or a “she’ll be right” mentality rather than seeking proper advice from an expert.
There have been many threads here on Geekzone about CCTV systems with comments posted by people who have been told that “nobody knows your IP address”, “you’re on a dynamic IP address which keeps changing so nobody will find you”, “I’ll change the port to something random so they won’t find you” or “if you make your password secure you’ll be fine”. Statements like this show a fundamental lack of knowledge, and when they’re given by people posing as security experts, should really be raising alarm bells. Having a public IP address that changes regularly or moving a service to a non-standard port offers absolutely nothing in the way of security: Shodan and the botnets behind it scan the entire IPv4 address space continuously, so a new address or an unusual port is simply found again. Likewise a secure password is meaningless if a backdoor master password exists on your device.
If you want remote access to most hardware on an internal network there is only one safe way to do it: a Virtual Private Network (VPN). With an appropriate router with a built-in VPN server you connect your remote PC or phone via VPN and then browse your cameras over the tunnel, with nothing exposed to the entire Internet except the VPN service itself. If access is only required from specific locations you could also restrict the port forward to a locked-down range of public source IP addresses so that your cameras are not unnecessarily exposed.
If you have an IP camera, NVR or DVR that’s exposed to the Internet through port forwards, or you have UPnP enabled, you should be taking immediate steps to secure it. If your knowledge of networking doesn’t extend to configuring a VPN then you should disable remote access and/or UPnP until such time as you are able to implement a VPN or lock down access to specific IP ranges.
If your security or CCTV installer has no issue with port forwards then you should be on the lookout for a new installer. You’re not just compromising your own safety and security; you’re also compromising the safety, security and end user experience of everybody on the Internet if your hardware can be compromised and used as a bot for DDoS attacks.