Nearly 200,000 WiFi Cameras Open to Hacking Right Now


  • Nearly 200,000 WiFi Cameras Open to Hacking Right Now

    Doesn't look good. If you check out the list there are so many Foscams that it must be most if not all of them. List

    What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.
    The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors
    https://www.bleepingcomputer.com/new...ing-right-now/
    Originally posted by rprade
    There is no rhyme or reason to the anarchy a defective Z-Wave device can cause

  • #2
    Very worrisome. I have many Foscams. However, all of my indoor cams are plugged into z-wave power switches so they are off if we are home.

    - Robert



    • #3
      Just make sure that they are not directly accessible from the internet and you should be fine. Supposedly some of the newer Foscams/Amcrests and other brands of cameras send some data to servers on the other side of the world, so you may want to block outbound traffic too.


      Sent from my Phone using Tapatalk
      HS 3.0.0.548: 1990 Devices 1172 Events
      Z-Wave 3.0.1.262: 126 Nodes on one Z-Net



      • #4
        Originally posted by RJS
        Very worrisome. I have many Foscams. However, all of my indoor cams are plugged into z-wave power switches so they are off if we are home.

        - Robert


        Rather than switching off the individual cameras, if I used a dedicated router only for the cameras, could I simply use a z-wave module to switch off the power to the router? I have an older Linksys router that I am not using. How would I set it up?

        Steve Q


        Sent from my iPad using Tapatalk
        HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
        2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit



        • #5
          You can set up the dedicated router as an access point. Are you sure that all your cams will get a decent signal from that router's wifi?
          FYI - some Foscams (like the FI9831P V2) continually speak that the wifi is unavailable when they lose wifi connection. That gets irritating pretty quick.

          - Robert



          • #6
            Killing power or Wi-Fi to cameras sounds like a hack at best. Why not just not have any internet-facing cameras to begin with? Who wants people hacking their cameras when they're not home? At best this only lets people know when you are and are not home. $30 (or however much a Z-Wave outlet costs) per camera sounds like a lot to fork out for inconvenience and compromised functionality when you can use your router to keep them all on the inside for peanuts. It still seems as though BI is secure, though I wouldn't be surprised in any way, shape or form if it has been cracked wide open since day one, so you could use it for all remote viewing. Better yet, use HSTouch. I imagine that MyHS is such a small target with a secure enough infrastructure that it should be safe. Though I still wouldn't be shocked to hear that the NSA or some such have "the keys" so to speak.

            Remote viewing of cameras is certainly useful and cool but I'm really thinking that there should be an airgap between every camera that isn't high profile and the internet.
            Originally posted by rprade
            There is no rhyme or reason to the anarchy a defective Z-Wave device can cause



            • #7
              Originally posted by S-F

              Remote viewing of cameras is certainly useful and cool but I'm really thinking that there should be an airgap between every camera that isn't high profile and the internet.


              What is an "airgap"?

              Steve Q


              Sent from my iPad using Tapatalk
              HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
              2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit



              • #8
                Not connected to the internet.
                Originally posted by rprade
                There is no rhyme or reason to the anarchy a defective Z-Wave device can cause



                • #9
                  Originally posted by S-F
                  Killing power or Wi-Fi to cameras sounds like a hack at best. Why not just not have any internet-facing cameras to begin with? Who wants people hacking their cameras when they're not home? At best this only lets people know when you are and are not home. $30 (or however much a Z-Wave outlet costs) per camera sounds like a lot to fork out for inconvenience and compromised functionality when you can use your router to keep them all on the inside for peanuts. It still seems as though BI is secure, though I wouldn't be surprised in any way, shape or form if it has been cracked wide open since day one, so you could use it for all remote viewing. Better yet, use HSTouch. I imagine that MyHS is such a small target with a secure enough infrastructure that it should be safe. Though I still wouldn't be shocked to hear that the NSA or some such have "the keys" so to speak.

                  Remote viewing of cameras is certainly useful and cool but I'm really thinking that there should be an airgap between every camera that isn't high profile and the internet.
                  You have valid points. The main reason all my indoor cams are connected to z-wave outlets is to appease the wife. No matter what I say, she still thinks that there is someone out there watching her. So $30/cam is a cheap investment to keep my wife and keep funding for future HS purchases.

                  - Robert



                  • #10
                    "Not connected to the internet"

                    I don't think I am in the minority here: One of the main reasons I have security cameras is to be able to check the house while I am away. To do this, they must be connected to the internet! And that makes them vulnerable! Not connecting to the internet is not an option. But disconnecting from the internet when they are not needed makes perfect sense to me!

                    Years ago, my modem had a button on top. Press it and everything was disconnected from the internet. A simple and effective approach.

                    I think everyone on this forum could benefit from knowing how to minimize all hacking threats to their HA stuff. I for one am very interested in having HS3 automate a connect/disconnect method. I like the idea of z-wave modules on the cameras, but for me, this is not a viable solution. A single z-wave module (maybe on the modem) might be viable but that seems like overkill to me.

                    What are some other alternatives?

                    Steve Q


                    Sent from my iPad using Tapatalk
                    HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
                    2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit



                    • #11
                      That's the catch, isn't it? How secure are our networks? Like I said before, Blue Iris still seems fairly secure so you can access all of your cameras through it. I'm sure ZoneMinder is similar in this respect. The truth though is that anything on the internet is theoretically vulnerable.
                      Originally posted by rprade
                      There is no rhyme or reason to the anarchy a defective Z-Wave device can cause



                      • #12
                        I have a pfSense router/firewall I built from a mini PC with dual NICs built in. I also have a layer 3 managed switch to control network connectivity. pfSense's product is literally the network equivalent of Batman's utility belt. Snort and pfblocker (recommended by @Pete) are cornerstones of my network's security.
                        In this instance you could configure a second VLAN and separate subnet. A good wireless access point (I use Ubiquiti) would host a separate wifi connected to the new VLAN. The wifi cameras would then be connected to this subnet. You would then apply ACL rules on the new subnet and VLAN to segregate the camera network from the rest of your network and the Internet. The first ACL rule would allow network connectivity to the NVR. The second ACL would disallow communication between the camera subnet and the rest of the network equipment. The last rule would block the cameras' access to the Internet.
                        In this configuration the only way to see the video feeds would be to access the recordings or live feeds from the NVR.


                        Sent from my iPhone using Tapatalk
                        Last edited by Kerat; March 13th, 2017, 01:46 PM.
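The three-rule layout described in the post above, modeled as an added example that is not part of the original post or of pfSense itself. It assumes the rules are evaluated first-match on traffic entering the camera VLAN interface; the subnet, NVR address and function names are constructed for illustration.

```python
"""First-match evaluation of the three camera-VLAN rules.
All addresses below are constructed sample values."""
from ipaddress import ip_address, ip_network

CAMERA_NET = ip_network("192.168.50.0/24")   # assumed camera VLAN subnet
NVR = ip_network("192.168.1.20/32")          # assumed NVR address on the main LAN
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# (action, destination networks, label), checked top to bottom;
# the first rule whose destination matches decides the flow.
RULES = [
    ("pass",  [NVR],   "cameras -> NVR"),
    ("block", PRIVATE, "cameras -> rest of the internal network"),
    ("block", ANY,     "cameras -> Internet"),
]

def evaluate(src, dst, rules=RULES):
    """Return (action, label) for a flow that originates on the camera VLAN."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in CAMERA_NET:
        raise ValueError("rules apply only to traffic entering from the camera VLAN")
    for action, nets, label in rules:
        if any(dst in net for net in nets):
            return action, label
    return "block", "implicit default deny"

def audit(rules=RULES):
    """Return the destinations whose outcome differs from what the design needs."""
    cam = "192.168.50.11"              # constructed camera address
    expected = {
        "192.168.1.20": "pass",        # the NVR
        "192.168.1.5": "block",        # a PC on the main LAN
        "203.0.113.9": "block",        # Internet host (documentation range)
    }
    return [dst for dst, want in expected.items()
            if evaluate(cam, dst, rules)[0] != want]

if __name__ == "__main__":
    print("correct order, failures:", audit())
    # Allow rule moved below the blocks: the NVR is cut off from the cameras.
    print("allow rule last, failures:", audit(RULES[1:] + RULES[:1]))
```

Rule order is the part that is easy to get wrong: with the NVR allow rule placed below the internal-network block, the cameras stay isolated but recording stops.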



                        • #13
                          Originally posted by Kerat
                          I have a pfSense router/firewall I built from a mini PC with dual NICs built in. I also have a layer 3 managed switch to control network connectivity. pfSense's product is literally the network equivalent of Batman's utility belt. Snort and pfblocker (recommended by @Pete) are cornerstones of my network's security.
                          In this instance you could configure a second VLAN and separate subnet. A good wireless access point (I use Ubiquiti) would host a separate wifi connected to the new VLAN. The wifi cameras would then be connected to this subnet. You would then apply ACL rules on the new subnet and VLAN to segregate the camera network from the rest of your network and the Internet. The first ACL rule would allow network connectivity to the NVR. The second ACL would disallow communication between the camera subnet and the rest of the network equipment. The last rule would block the cameras' access to the Internet.
                          In this configuration the only way to see the video feeds would be to access the recordings or live feeds from the NVR.


                          Sent from my iPhone using Tapatalk


                          This seems incredibly complicated for me. IMHO, it is not worth this much effort to prevent someone from hacking into my cameras. I really don't care if someone wants to look at my front porch or driveway.

                          Is there some way that HS3 could turn off/on the port forwarding configuration in my firewall? If the camera ports are closed, I think they would be inaccessible, right?

                          Steve Q


                          Sent from my iPad using Tapatalk
                          HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
                          2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit



                          • #14
                            Seriously... The only secure computing device is one that is not connected to the Internet, locked up in a room, and not accessible to any person or machine.

                            From there it is all about risk assessment and risk mitigation.

                            How much risk are you willing to live with, and how much do you want to spend to mitigate that risk?
                            HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



                            • #15
                              ahhh... the ol sneaker net security

                              I agree with a lot being said from all fronts on this thread. It does come down to how much risk are you willing to accept, and the effort needed to minimize that risk.

                              I think for 90 percent of us, keeping the cameras behind a NAT'd router (all customer based routers) will be the most effective for the ease of effort/cost. Can it still be hacked? Of course... but takes some effort and most hacks are there to catch opportunity.

                              And if it's made outta China, expect that it's not secure at all and has a backdoor in it. There are ways around this too (blocking outgoing traffic completely and go thru a proxy of sorts).

                              My setup for cameras is as follows and I do plan to do something with PFSense down the road as a precaution, but not because I have had issues... yet

                              I just use cameras outside, I figure if I catch you on the camera outside going into my house and something is missing, I didn't catch the actual act, but I know who you are... I don't trust the sickos that hack cameras and get off in watching me walk around in my tighty whiteys (nor do I want to subject that to the internet).

                              I have no port forwarding anymore, I use a proxy to view the cameras (currently HSTouch) and use their servers to give me my camera feed. I do agree that HS is probably low on the threat risk of getting hacked in comparison to other companies like trendnet and foscam.

                              Is my setup completely secure? No, but I have always looked at security as a whole as to level of effort to get whatever it is the bad guy wants. It's just like the lock on my door... with the window right next to it. Are they going to take the time to hack my zwave lock, or just toss a rock thru the window? Is the hacker going to take the time to dissect my low level security, vs my neighbor just opening the ports and not changing the default passwords?

                              It comes down to how paranoid are you, and what are you wanting to do about it.
