Nearly 200,000 WiFi Cameras Open to Hacking Right Now

  • #16
    I have my Foscam camera on its own segment with limiting firewall rules such that it cannot go out and only my HS system is able to access it. Pretty much contained. Oh, yeah, and only HS can initiate the communication. In other words, the camera cannot communicate to HS.

    Of course the older Foscam cameras are complete junk. I would not recommend them.
    HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



    • #17
      Nearly 200,000 WiFi Cameras Open to Hacking Right Now

      The inherent problem with any network attached device is vulnerable attack surface area. As devices age this surface area will inevitably increase. Normally, with quality devices a portion of the higher pricing is patches to mitigate this. Many cheap IoT devices forgo that. Worse yet is that in making products even cheaper they appear to be forgoing even standard practices for security when transmitting across the big I.



      "Cloud - The camera provides a "Cloud" feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device's credentials. Kim says this Cloud protocol was found in multiple apps for multiple products, and at least 1,000,000 devices (not just cameras) seem to rely on it to bypass firewalls and access closed networks where devices are located, effectively defeating the protection those private networks provide."



      Don't be fooled either. A compromised device doesn't only mean watching the camera feed. In a worst case scenario the attacker could gain root level access and be able to remote code execute on the device. With that, they can run commands against your NIC, install software on the compromised device and further attempt to gain access to other devices on your network.
      Last edited by Kerat; March 14th, 2017, 11:01 AM.
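      The quoted article describes cameras that open a clear-text UDP tunnel outward to reach a cloud relay. One defender-side check, added here as an example and not part of the original post, is to flag hosts on the camera segment that initiate UDP to addresses outside the internal range on anything other than DNS/NTP. The flow records, the 10.0.3.0/24 camera segment, the 10.0.0.0/16 internal range and the port numbers are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real captures), one per line:
# src_ip,dst_ip,proto,dst_port,bytes_out. Addressing is hypothetical.
SAMPLE_FLOWS = """\
10.0.3.21,10.0.2.10,tcp,554,120000
10.0.3.21,10.0.3.1,udp,53,80
10.0.3.21,203.0.113.45,udp,40000,4200
10.0.3.21,198.51.100.9,udp,40000,3900
10.0.3.22,10.0.2.10,tcp,554,98000
10.0.1.5,203.0.113.45,udp,443,15000
"""

# Hypothetical addressing: the camera segment and the whole internal range.
CAMERA_SEGMENT = ipaddress.ip_network("10.0.3.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
# UDP services a camera may legitimately use (DNS, NTP); anything else
# leaving the segment over UDP is treated as a possible relay/tunnel.
EXPECTED_UDP_PORTS = {53, 123}


def parse_flows(text):
    """Turn the CSV-style records into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_tunnel_candidates(flows):
    """Return {camera_ip: [external peers]} for cameras that initiate UDP
    to addresses outside the internal range on unexpected ports."""
    peers = defaultdict(set)
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src not in CAMERA_SEGMENT:
            continue                      # only the camera/IoT segment is in scope
        if f["proto"] != "udp" or dst in INTERNAL:
            continue                      # TCP and internal traffic are handled elsewhere
        if f["dport"] in EXPECTED_UDP_PORTS:
            continue
        peers[str(src)].add(str(dst))
    return {cam: sorted(p) for cam, p in peers.items()}


if __name__ == "__main__":
    for cam, ext in find_tunnel_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{cam} initiates UDP to external hosts: {', '.join(ext)}")
```

Run against exported firewall or router flow logs, a hit means the camera is reaching something outside the house on its own, which is exactly the behaviour the article's cloud feature relies on.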



      • #18
        The problem with IP cameras, and all of these IoT devices, is not that someone can look at your camera feeds or control your lights or unlock your doors; it is that these are Trojan Horses. We invite (install) these seemingly innocuous devices behind the (fire)walls of our castles where they are free to roam about and do whatever they like on our private network - behind our firewall. Many of these devices, as mentioned above, 'phone home' to servers in foreign countries to let them know they are alive and waiting for something to do (other than the purpose you think they are there for, i.e., a camera), and the 'what to do' can be anything from do nothing, to snoop around your network to find certain devices, to hack into other devices behind your firewall, to becoming part of a bot-net to attack other systems on the internet. Once the device is behind your firewall you no longer have any control over what it is doing!

        Blocking outgoing traffic for the device is a nice thought, but what good is an IP camera if you cannot use it remotely?

        I am certainly no internet security expert, but the best suggestion I have seen to date is to connect all of these IoT devices to their own router that is outside of your internal router and only connected to the internet; something like this:
        Code:
                        ---------------         ---------------
                       | Router 1      |       | Router 2      |
        INTERNET ----- |WAN        LAN1| ----- |WAN        LAN1| ------ ( Protected Devices )
                       |               |       |           LAN2| ------ ( Protected Devices )
                       |               |       |           LAN3| ------ ( Protected Devices )
                       |               |        ---------------
                       |               |        _______________
                       |               |       | Router 3      |
                       |            DMZ| ----- |WAN        LAN1| ----- ( IOT Devices)
                        ---------------        |           LAN2| ----- ( IOT Devices)
                                               |           LAN3| ----- ( IOT Devices)
                                                ---------------
        It's the wild west out there in IoT land and the complete lack of attention to security by the designers of these devices is a hot topic in the embedded systems world right now.
        Best regards,
        -Mark-

        If you're not out on the edge, you're taking up too much room!
        Interested in 3D maps? Check out my company site: Solid Terrain Modeling



        • #19
          Why would someone pass traffic through a firewall unless they know what purpose it serves? Remember that you want to stop traffic outbound for security and data cap reasons.

          This is where people need to take responsibility for their network.

          Now I understand that not everyone has the background to do this. But, it has to stop somewhere.

          I encourage those of us that believe in this concept to keep software developers on their toes and not expect a blank check in terms of connectivity outbound to the internet. I mean, you certainly would never give someone unrestricted access to your checking account would you?




          • #20
            Originally posted by mfisher:
            The problem with IP cameras, and all of these IoT devices, is not that someone can look at your camera feeds or control your lights or unlock your doors; it is that these are Trojan Horses. We invite (install) these seemingly innocuous devices behind the (fire)walls of our castles where they are free to roam about and do whatever they like on our private network - behind our firewall. Many of these devices, as mentioned above, 'phone home' to servers in foreign countries to let them know they are alive and waiting for something to do (other than the purpose you think they are there for, i.e., a camera), and the 'what to do' can be anything from do nothing, to snoop around your network to find certain devices, to hack into other devices behind your firewall, to becoming part of a bot-net to attack other systems on the internet. Once the device is behind your firewall you no longer have any control over what it is doing!

            Blocking outgoing traffic for the device is a nice thought, but what good is an IP camera if you cannot use it remotely?

            I am certainly no internet security expert, but the best suggestion I have seen to date is to connect all of these IoT devices to their own router that is outside of your internal router and only connected to the internet; something like this:
            Code:
                            ---------------         ---------------
                           | Router 1      |       | Router 2      |
            INTERNET ----- |WAN        LAN1| ----- |WAN        LAN1| ------ ( Protected Devices )
                           |               |       |           LAN2| ------ ( Protected Devices )
                           |               |       |           LAN3| ------ ( Protected Devices )
                           |               |        ---------------
                           |               |        _______________
                           |               |       | Router 3      |
                           |            DMZ| ----- |WAN        LAN1| ----- ( IOT Devices)
                            ---------------        |           LAN2| ----- ( IOT Devices)
                                                   |           LAN3| ----- ( IOT Devices)
                                                    ---------------
            It's the wild west out there in IoT land and the complete lack of attention to security by the designers of these devices is a hot topic in the embedded systems world right now.
            That is a pretty simple way to resolve the issue. The only vulnerabilities I can see based on the diagram are:
            1. ensuring that IoT devices connected to Router 3 are not able to shell/telnet/access the web administrator interface of Router 1.
            2. ensuring that IoT devices connected to Router 3 are not able to shell/telnet/access the web administrator interface of Router 2.
            3. ensuring that IoT devices connected to Router 3 are not able to shell/telnet/access the web administrator interface of Router 3.
            4. ensuring that IoT devices on Router 3 are not able to communicate outside of design (i.e., allow only inbound web traffic and the IP camera's response) with devices on Router 2.

            That said, the IoT devices on Router 3 will still be able to communicate with the big "I", so they are still vulnerable to attack and can participate in future big "I" attacks. Additionally, if you are not going to spend the time double-NATing between Router 1 and Router 3 and then creating routing rules to reroute outbound requests from Router 2 to Router 3, you end up having to use whatever cloud hosted service the vendor requires. To me it just seems like a lot of layers of network not to actually protect the network from the risk the IoT camera poses.

            My plan for my home security cameras includes:
            1. PoE network cams, connected to a managed PoE switch.
            2. All cameras will be hosted on a separate VLAN and will have network ACL rules that deny access to the other internal subnets, my guest network, and the Internet.
            3. I will have one NVR (network video recorder) with 2 IP addresses and will have access to the security camera VLAN and the internal infrastructure network.
            A. Communication with the cameras will occur on the security camera VLAN IP address only on appropriate ports.
            B. Communication with the rest of the network will occur on the internal network VLAN IP address.

            Any access to live/recorded videos will have to be done through the NVR's infrastructure IP address. This segregates the cameras from my other network devices and the Internet.



            • #21
              I am running my camera software on a dedicated laptop that is only running a test version of HS3 and the camera software. If I used the laptop wifi to connect to my LAN/WAN, is there a way to have HS3 turn off/on the laptop wifi? When off, my cameras would be isolated from the internet. When on, I could still view them from the web.

              Is this doable?

              Steve Q


              HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
              2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit



              • #22
                There are several options.

                You can control the power of your wifi access point. You may even want to connect the cameras to their own wifi access point. That way you can disable the wifi access point for the camera while keeping your other access point for all your other devices available. This would also add some security benefits as the camera would never be able to "see" the network traffic from all other wireless clients.

                You can control the power of your camera.

                You can control the power of a potential network switch that feeds the network to the wireless router.

                Just depends what you're after. There are so many options. Happy to discuss them with you offline. Maybe we could do a Skype call if interested.



                • #23
                  Originally posted by Steve Q:
                  I am running my camera software on a dedicated laptop that is only running a test version of HS3 and the camera software. If I used the laptop wifi to connect to my LAN/WAN, is there a way to have HS3 turn off/on the laptop wifi? When off, my cameras would be isolated from the internet. When on, I could still view them from the web.

                  Is this doable?

                  Steve Q


                  Just a consideration here. Turning off the laptop doesn't turn off the risk. The cameras would still be on and connected to the network. If you are really that concerned, you need to physically disconnect by turning off the connection to the cameras.



                  • #24
                    Originally posted by Krumpy:
                    There are several options.

                    You can control the power of your wifi access point. You may even want to connect the cameras to their own wifi access point. That way you can disable the wifi access point for the camera while keeping your other access point for all your other devices available. This would also add some security benefits as the camera would never be able to "see" the network traffic from all other wireless clients.

                    You can control the power of your camera.

                    You can control the power of a potential network switch that feeds the network to the wireless router.

                    Just depends what you're after. There are so many options. Happy to discuss them with you offline. Maybe we could do a Skype call if interested.

                    Excellent suggestions. Here is how I would set up my cameras.

                    What do you think!

                    Steve Q


                    • #25
                      Originally posted by waynehead99:
                      Just a consideration here. Turning off the laptop doesn't turn off the risk. The cameras would still be on and connected to the network. If you are really that concerned, you need to physically disconnect by turning off the connection to the cameras.


                      See the diagram in my previous post. I would keep the cameras on a separate LAN.

                      The advantage of this setup is that my camera software would continue recording and storing images/video. When I need to have access from the internet, I can reconnect to my main LAN/WAN.

                      I think this should work.

                      Steve Q


                      • #26
                        Here is what I would do - depending on your budget - and philosophy on how to manage and secure your network. Each of these internal network segments allows you to apply respective firewall rules which should limit traffic to only the devices they require access to. My main point with this example is that you do not want your HomeSeer system and the cameras (or other IoT devices) on the same network segment, as you want to protect your HomeSeer machine from possible illicit tampering.

                        Warning: Some folks here may call this overkill, but it suits my purposes. I am a CISSP and also utilize this concept for training/educational purposes.

                        I can help you set this up.

                        WAN:
                        ------
                        Cable Modem or DSL Modem connect to WAN side of firewall.

                        Internal - Main LAN1:
                        ------------------------------------
                        This internal network segment is designated for all networking clients in the home and could include the access point (wireless router) for the wireless clients. This would include any networking devices which the clients need to connect to as part of a broadcast announcement mechanism. For example, TiVo DVRs periodically send broadcast messages announcing themselves to all clients. Remember that UDP based multicast packets cannot traverse through a router/firewall. Other technologies that use Bonjour or the like network communication technologies fall into this same category.

                        Internal - LAN2:
                        ------------------------------
                        This internal network segment is designated for all sensitive home automation equipment such as HomeSeer, security systems, and the like. This network segment is protected from access from all network segments other than what IP/ports are needed. I would refrain from adding any IoT devices on this segment. You want your HomeSeer system and home security system (for example ELK M1G) protected.

                        Internal - LAN3:
                        ------------------------------
                        This is the internal network segment that is designated for all of your cameras or similar IoT devices.

                        If you hard wire the cameras then you would need a network switch to connect them to. This switch will more than likely require a power adapter (wall wart) which you could power on/off at will via HomeSeer when you did not want them operational. The firewall rules for LAN3 are set such that only limited inbound/outbound network connectivity is available to the cameras on this network segment.

                        This network segment could also host another access point for any respective wireless camera - if you have them. You could combine this functionality with LAN4 if you wanted.

                        Internal - LAN4:
                        ------------------------------
                        This is the internal network segment for guest WiFi clients and could host a captive portal. Captive portals (if you're not familiar) allow you to require a guest to enter a password to gain access to the network for connectivity. I use a captive portal for my son's friends when they come over so that I can limit and monitor activity.
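                        The segmented layouts in #18, #20 and this post all come down to the same allow-list: the NVR/HomeSeer segment may open connections to the cameras on a few ports, the cameras may only answer, and nothing on the camera segment reaches the other segments or the Internet. The following is an added example, not any poster's configuration: it encodes that policy, evaluates sample flows against it, and renders it as an nftables-style forward chain. The four 10.0.x.0/24 subnets, zone names and ports are hypothetical.

```python
import ipaddress
from collections import namedtuple

# Hypothetical addressing for the four segments in the post (not the author's).
ZONES = {
    "lan1_main": ipaddress.ip_network("10.0.1.0/24"),        # PCs, phones, TiVo, AP
    "lan2_automation": ipaddress.ip_network("10.0.2.0/24"),  # HomeSeer, NVR, ELK
    "lan3_cameras": ipaddress.ip_network("10.0.3.0/24"),     # cameras / IoT
    "lan4_guest": ipaddress.ip_network("10.0.4.0/24"),       # guest WiFi
}
INTERNAL = ipaddress.ip_network("10.0.0.0/16")  # supernet of all four segments

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# proto is "tcp", "udp" or "any"; dport None means any port.
Rule = namedtuple("Rule", "src dst proto dport action")

# Allow-list: anything not matched is dropped. Replies to accepted connections
# pass via the stateful check in evaluate(), so lan3 needs no outbound rule:
# the cameras can answer the NVR but never start a connection themselves.
POLICY = [
    Rule("lan2_automation", "lan3_cameras", "tcp", 554, "accept"),  # NVR pulls RTSP
    Rule("lan2_automation", "lan3_cameras", "tcp", 80, "accept"),   # camera web UI
    Rule("lan1_main", "lan2_automation", "tcp", 80, "accept"),      # HomeSeer web UI
    Rule("lan1_main", "internet", "any", None, "accept"),
    Rule("lan2_automation", "internet", "tcp", 443, "accept"),      # updates only
    Rule("lan4_guest", "internet", "any", None, "accept"),
]

def evaluate(src_ip, dst_ip, proto, dport, established=False):
    """Decide a new flow, or (established=True) a reply to an accepted one."""
    if established:
        return "accept"
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src, r.dst) == (s, d) and r.proto in ("any", proto) \
                and r.dport in (None, dport):
            return r.action
    return "drop"

def to_nftables():
    """Render POLICY as an nftables forward chain with a default drop."""
    def net(z):  # zones map to their subnet; "internet" is everything else
        return str(ZONES[z]) if z in ZONES else f"!= {INTERNAL}"
    lines = ["table inet segments {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in POLICY:
        port = f" {r.proto} dport {r.dport}" if r.dport is not None else ""
        lines.append(f"    ip saddr {net(r.src)} ip daddr {net(r.dst)}{port} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The rendered chain is a starting point for a Linux-based router; on a commercial firewall the same six allow rules plus the default drop are what you would enter by hand.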



                        • #27
                          Krumpy, I sent you a PM

                          Steve Q
