Encryption, security, replay attacks, paranoia...
    This has been somewhat covered in other threads, but I've never seen any definitive answer. I'm currently publishing HSTouch externally for Internet access.

    While I don't particularly care today if someone can turn lights on and off remotely, apart from power usage and plunging me into darkness, I *DO* care now that I'm integrating BlueIris (through an excellent new plugin) and cameras into the system, and even more when I get round to DSC alarm integration soon.

    A netmon trace with an iPhone on AT&T hitting HSTouch clearly shows that after authentication, all information is clear-text. For example, I'm looking at "COMMAND|33|GETALLDEVICES|" right now. The response alone is enough to make this interesting to some eavesdropper, especially when they see security related stuff - door locks, alarm systems, cameras.

    For authentication, I can see some form of encryption there: "COMMAND|32|Authenticationenc|<long string of what looks to be base64 encoded stuff>". Un-base64 encoding doesn't yield much, so I suspect the "enc" in the command indicates that it's using some proprietary HS method to encode.

    So my questions
    - Does HSTouch Server respond to a command for authentication without encrypted authentication as well? If so, can this be turned off?
    - Is HSTouch traffic subject to replay? Let's say I capture a whole stream of me unlocking my front door. Could I replay that stream to achieve the same? Looking at it, I think I could, but have yet to prove it.
    - Can I use my own cert (I have a CA) to encrypt at least the creds? I don't like the idea of trusting something when I have no idea what the basis for the encryption is.
    - Can I have the entire HSTouch traffic encrypted with my own cert? Same as for SSL? (Note that BlueIris recently gave this option which is the reason I now publish that externally). This way even if captured, it's meaningless to onlookers.

    Please don't give the answer "Use an L2TP VPN". Sure, I can and do have one, but it limits usability.

    And please don't give the answer that it's unlikely to be attacked. Cyber-criminals are smart and only getting smarter. It wouldn't be terribly hard to track down the address of where the system is knowing just what's in the trace. And how hard would it be to look for open port 10200s out there and try default creds (encrypted through a local capture and subsequent replay)? I bet there's a bunch..... IMO, (user-defined, non-proprietary) encryption is a first line of defence here and should be a no-brainer when publishing something like this externally.

    Thanks,
    John.
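The replay question above can be made concrete. The following is an added example, not HSTouch code and not anything the HomeSeer project publishes: it borrows only the pipe-delimited frame shape quoted in the post (`COMMAND|<id>|<verb>|<arg>`) and builds two hypothetical servers around it. The first accepts a credential blob that is a fixed function of the secret, which is what a captured "Authenticationenc" frame would be if it carried no per-session state; the second issues a random nonce and accepts only an HMAC over that nonce, once. The secret, salt, username and the `Challenge` verb are all constructed for the example; how the real server derives or checks its blob is unknown.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential and salt; the real server's storage is unknown.
PASSWORD = b"default"
SALT = b"constructed-salt"
KEY = hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, 100_000)  # shared secret


def frame(cmd_id: int, verb: str, arg: str = "") -> str:
    """Build a pipe-delimited frame in the style of the captured trace."""
    return f"COMMAND|{cmd_id}|{verb}|{arg}"


def parse_frame(line: str) -> tuple[int, str, str]:
    """Split 'COMMAND|<id>|<verb>|<arg>' into its fields."""
    parts = line.split("|")
    if len(parts) != 4 or parts[0] != "COMMAND":
        raise ValueError(f"malformed frame: {line!r}")
    return int(parts[1]), parts[2], parts[3]


class StaticBlobServer:
    """Hypothetical server whose credential blob is a fixed function of the
    secret. The same blob is valid in every session, so one captured
    Authenticationenc frame logs the eavesdropper in."""

    def __init__(self) -> None:
        self.authenticated = False

    def handle(self, line: str) -> str:
        _, verb, arg = parse_frame(line)
        if verb == "Authenticationenc":
            expected = hmac.new(KEY, b"user", "sha256").hexdigest()
            self.authenticated = hmac.compare_digest(arg, expected)
            return "OK" if self.authenticated else "FAIL"
        return "OK" if self.authenticated else "AUTH_REQUIRED"


class NonceServer:
    """Hypothetical server that issues a fresh random nonce per connection and
    accepts only HMAC(KEY, nonce), once. A captured response carries the old
    nonce's MAC and fails against any new connection."""

    def __init__(self) -> None:
        self.nonce = secrets.token_hex(16)
        self.consumed = False
        self.authenticated = False

    def challenge(self) -> str:
        return frame(31, "Challenge", self.nonce)

    def handle(self, line: str) -> str:
        _, verb, arg = parse_frame(line)
        if verb == "Authenticationenc":
            if self.consumed:  # one proof per nonce, even if it was correct
                return "FAIL"
            self.consumed = True
            expected = hmac.new(KEY, self.nonce.encode(), "sha256").hexdigest()
            self.authenticated = hmac.compare_digest(arg, expected)
            return "OK" if self.authenticated else "FAIL"
        return "OK" if self.authenticated else "AUTH_REQUIRED"


def static_login(server: StaticBlobServer) -> tuple[str, str]:
    """Legitimate client; returns the frame an eavesdropper would capture."""
    blob = hmac.new(KEY, b"user", "sha256").hexdigest()
    line = frame(32, "Authenticationenc", blob)
    return line, server.handle(line)


def nonce_login(server: NonceServer) -> tuple[str, str]:
    """Legitimate client answering the server's challenge."""
    _, _, nonce = parse_frame(server.challenge())
    proof = hmac.new(KEY, nonce.encode(), "sha256").hexdigest()
    line = frame(32, "Authenticationenc", proof)
    return line, server.handle(line)


def replay_demo() -> dict[str, str]:
    """Capture one legitimate login under each scheme, then replay it
    verbatim against a fresh connection, as the post proposes."""
    captured, legit = static_login(StaticBlobServer())
    replayed = StaticBlobServer().handle(captured)

    captured_n, legit_n = nonce_login(NonceServer())
    replayed_n = NonceServer().handle(captured_n)

    return {
        "static_legit": legit,       # OK
        "static_replay": replayed,   # OK: the captured blob logs in again
        "nonce_legit": legit_n,      # OK
        "nonce_replay": replayed_n,  # FAIL: MAC is over a nonce that is gone
    }


if __name__ == "__main__":
    for name, result in replay_demo().items():
        print(f"{name:14} {result}")
```

The nonce only closes the login replay. It does nothing for the clear-text frames that follow, and an attacker who is on the path of a live, already-authenticated session can still read or inject frames such as the GETALLDEVICES one quoted above; that is the part only a transport wrapper such as TLS under your own CA addresses.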

    #2
    Crickets...

    I have also asked for an improved security framework (and that should include over the wire data as well), but have not had a lot of luck...
