Improving security

Cooldood

n3wb
I am a little freaked to see that my PTZ wifi cameras will re-orient themselves back to facing the room and occupants if I aim them at the wall or ceiling.
Pretty sure there are no pre-programmed routes in the cameras, and if I rotate the body, they will still turn the camera around to face the room. It really feels like someone is manipulating them to watch us.

I am using Blue Iris, with a variety of Hikvision, Foscam, Vescam, etc. cameras.

The router is a Netgear Orbi and I have used "Block Services", set to always on and set it for the IP range that the cameras are in, along with "service type" of any and ports 1-65535. Surely this ensures the cameras are not reachable outside the LAN?
I have also enabled the router's built-in VPN service, although I am not convinced that is doing much.
I have tried reading/following posts on security, but they are all kind of general and I am not an expert in this area.
BI runs on a server, and I set the firewall within Windows to block inbound and outbound from those IP addresses too; does that even work if done from a Windows PC, not the router?

Using a web-based port checker, most ports are returned as "timed out".
How do I know if the cameras are compromised? How do I sort this?
 

tangent

IPCT Contributor
Turn off UPnP on your router and P2P type services on the cameras. You can also use parental controls to prevent the cameras from connecting to the internet.
 

Cooldood

n3wb
UPnP is off in the router, and in the cameras, as are all other obvious leaky connections.
Noticed that the cameras were moving while I was in BI, almost as if someone was there hopping from one to the next and using the PTZ controls.

Interestingly, found an "anonymous" username setup in BI users page, along with "local console". Deleted them both and they popped back a few minutes later. Set them both to "LAN Only" and added cryptic passwords, then disabled them.

Let's see if the cameras keep pointing at the ceiling as they are now or someone changes them again.
 

fenderman

Staff member
Interestingly, found an "anonymous" username setup in BI users page, along with "local console". Deleted them both and they popped back a few minutes later. Set them both to "LAN Only" and added cryptic passwords, then disabled them.
This is normal.
Blue iris keeps a log of all logins in the status page - ensure "log to file" is checked.
If your camera supports P2P, ensure that is disabled in the camera.
 

Cooldood

n3wb
So this is not good then, right? None of these are my IP, all are now permanently blocked, and I will watch for new ones arriving here.
[attached screenshot: upload_2019-5-9_13-27-29.png]

Other ones then start popping up as connections. I deactivated the web server, I can live without access on my cell phone for a bit while I research this.
 

catcamstar

Known around here
Woah, that's for me the ultimate reason to isolate all (possibly compromised) cams into a separate VLAN, not let them even talk to the "windows" of the BI pc, and only let BI connect to these cams (and not the other way round).

If I was you, I'd scratch the BI pc, reinstall windows and all software. If you can't make VLANs with your existing networking gear, I'd add an additional network card in your BI pc so your cams are not able to talk to anything else. Never ever.

And only use the BI pc for BI, not for generic browsing (or letting the kids play games on it).

Hope this helps!
CC
 

fenderman

Staff member
So this is not good then, right? None of these are my IP, all are now permanently blocked, and I will watch for new ones arriving here.
[attachment 42290: screenshot]
That is meaningless. If you port forward, you will get hit with landings on the page, that does NOT mean that someone had access to the server. You have to look at the connection time and frames sent. They are likely zero.
 

fenderman

Staff member
Woah, that's for me the ultimate reason to isolate all (possibly compromised) cams into a separate VLAN, not let them even talk to the "windows" of the BI pc, and only let BI connect to these cams (and not the other way round).

If I was you, I'd scratch the BI pc, reinstall windows and all software. If you can't make VLANs with your existing networking gear, I'd add an additional network card in your BI pc so your cams are not able to talk to anything else. Never ever.

And only use the BI pc for BI, not for generic browsing (or letting the kids play games on it).

Hope this helps!
CC
This is an overreaction because you don't understand the blue iris status page. There is zero indication of any access to the blue iris server.
 

catcamstar

Known around here
This is an overreaction because you don't understand the blue iris status page. There is zero indication of any access to the blue iris server.
You are right, I might not know BI that well, but if I interpret the starting post correctly (eg blocked internet access, VPN service and appropriate routing rules engaged), then I expect ZERO packets arriving at ANY service on the BI pc, especially not from "infuturo.it" domains. Statements like "these connection times and frames are likely zero" are very dangerous, but BI did see them, because they arrived at the landing page! Especially when TS wrote: "although I am not convinced that [the vpn service] is doing much."

That's why my suggestion may be harsh (start over again), but when doing correctly (start from Router, setup firewall, configure OpenVPN, isolate BI pc, isolate cams, make sure no compromised devices (eg factory reset, latest firmware), apply fix packs/windows update/ ... ) only then one can be sure that ZERO strange packets are being sent out or received.

Hope this clarifies!
CC
 

fenderman

Staff member
You are right, I might not know BI that well, but if I interpret the starting post correctly (eg blocked internet access, VPN service and appropriate routing rules engaged), then I expect ZERO packets arriving at ANY service on the BI pc, especially not from "infuturo.it" domains. Statements like "these connection times and frames are likely zero" are very dangerous, but BI did see them, because they arrived at the landing page! Especially when TS wrote: "although I am not convinced that [the vpn service] is doing much."

That's why my suggestion may be harsh (start over again), but when doing correctly (start from Router, setup firewall, configure OpenVPN, isolate BI pc, isolate cams, make sure no compromised devices (eg factory reset, latest firmware), apply fix packs/windows update/ ... ) only then one can be sure that ZERO strange packets are being sent out or received.

Hope this clarifies!
CC
Your suggestion assumes that VPN was properly implemented and it was in fact hacked, which I assure you is 100% not the case. And even if it was the case, wiping the PC will do nothing to remedy it. What happened here is that the user Port forwarded /upnp, despite having turned on the VPN server on his router. That is the only way to explain multiple hits on the blue iris web page.
I assure you that no frames were passed.
 

tangent

IPCT Contributor
Possible scenarios:
  1. Something about your network settings is allowing the cameras to connect directly to the internet and get hacked even though you thought you prevented this
  2. The cameras or blue iris are set to automatically return to a particular preset
  3. Your computer has malware or a virus
  4. You're port forwarding to blue iris and likely using a weak password and someone is actually connecting to blue iris (likelihood varies with quality of password).

Just because an ip shows up as attempting to connect it doesn't mean it was successful. I don't currently use blue iris so I'm not sure exactly what the log shows.
Your suggestion assumes that VPN was properly implemented and it was in fact hacked, which I assure you is 100% not the case. And even if it was the case, wiping the PC will do nothing to remedy it. What happened here is that the user Port forwarded /upnp, despite having turned on the VPN server on his router. That is the only way to explain multiple hits on the blue iris web page.
I assure you that no frames were passed.
I agree
 
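fenderman's point (look at the connection time and frames sent, not at the fact that an IP landed on the page) and tangent's note that an attempted connection is not a successful one both come down to the same triage rule: a hit with zero frames and a near-zero duration is a scanner or crawler landing, while a remote address that was actually served frames is a session worth investigating. The script below is an added example, not Blue Iris code and not its real log layout; the line format, the addresses and the trusted LAN range are constructed for illustration, so the regex would need adapting to the columns your Blue Iris version actually writes.

```python
"""Triage of a Blue Iris-style web-server connection log.

Added example, not Blue Iris code or output. The log layout, sample
addresses and the LAN range below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp, remote IP, user, connection seconds, frames sent.
SAMPLE_LOG = """\
2019-05-09 13:20:01 198.51.100.7   anonymous   0s     0 frames
2019-05-09 13:21:14 203.0.113.22   anonymous   0s     0 frames
2019-05-09 13:22:30 192.168.1.50   admin       840s   12034 frames
2019-05-09 13:25:02 203.0.113.99   admin       312s   4410 frames
2019-05-09 13:26:11 198.51.100.7   anonymous   1s     0 frames
"""

# One line of the constructed layout: "<date> <time> <ip> <user> <N>s <M> frames"
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\d+)s\s+(\d+) frames$")

# Assumption: the local LAN where legitimate viewers sit.
TRUSTED_NETS = [ip_network("192.168.1.0/24")]

# A hit that served no frames and lasted at most this long is treated as a landing.
LANDING_MAX_SECONDS = 5


@dataclass
class Conn:
    when: str
    ip: str
    user: str
    seconds: int
    frames: int


def parse_log(text):
    """Parse the constructed log layout; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, ip, user, secs, frames = m.groups()
        conns.append(Conn(when, ip, user, int(secs), int(frames)))
    return conns


def is_trusted(ip):
    """True when the address falls inside one of the trusted LAN ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify(conn):
    """'landing'        = page hit with nothing served (scanner/crawler noise)
       'session-lan'    = frames delivered to a trusted LAN address
       'session-remote' = frames delivered to an address outside the LAN"""
    if conn.frames == 0 and conn.seconds <= LANDING_MAX_SECONDS:
        return "landing"
    if is_trusted(conn.ip):
        return "session-lan"
    return "session-remote"


def triage(text):
    """Return (count per class, list of remote sessions that actually received frames)."""
    counts = {}
    suspicious = []
    for c in parse_log(text):
        label = classify(c)
        counts[label] = counts.get(label, 0) + 1
        if label == "session-remote":
            suspicious.append(c)
    return counts, suspicious


if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_LOG)
    print("per class:", counts)
    for c in suspicious:
        print(f"INVESTIGATE {c.when} {c.ip} user={c.user} "
              f"{c.seconds}s {c.frames} frames")
```

Run against the constructed sample, three of the five entries are landings with nothing served, one is a normal LAN session, and only the 203.0.113.99 entry (frames actually delivered to an address outside the LAN) is flagged. Only that last class says anything about real access; the landings are the port-forwarding noise the thread is describing.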

MachAF

Young grasshopper
99% chance you are forwarding port 80 or 443 to your BI Machine. People port scanning are reasons for the connections. Either use the VPN and disable the port forward. Or use Stunnel and choose a random higher port above 10000 for the web server.
 