Security concerns: Dev back door?

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
There's really no tactful way to ask this question without impugning Ken's character. And that is certainly not my intention. He has provided me with no reason to question his ethics or character.

A couple of years ago I was having some issues which we were unable to resolve using the traditional email correspondence. At the time, Ken used TeamViewer to log into my BI machine to do diagnostics and troubleshooting.

It was interesting to watch from the sidelines as Ken worked his magic. I was able to chat with him about his permissions/rights. He confirmed that he was able to unmask view all camera passwords (and presumably the main BI user/admin passwords). He said not to worry that he wouldn't log in unless there was a need/request for diagnostic support. He even gave me his IP address which so I could verify that he wasn't logging in other than during these coordinated sessions. And if he did, I would see his IP in the connection logs.

Being that he knows the intricacies of the software, wouldn't it be possible for him to leave a back door that doesn't get logged? And if such a back door existed, could it not be exploited by someone with more nefarious purposes?

Again, I have no reason to think that Ken would ever deliberately violate anyone's trust. But given the possibility of such a violation (i.e. imagine someone hacks his machine, or he sells the product to another party, etc), what kind of protection or detection can we implement that would lock down such an exploit?

Short of intrusion detection firmware on a router, is there anything that could be done to lock it down?
 

Tmos

n3wb
Joined
Jul 24, 2018
Messages
7
Reaction score
3
Location
Anaheim
If you are really worried just uninstall team viewer and change passwords in Blue Iris and the system. I doubt developers would lower themselves to such things.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
No, let me clarify. This is not a TeamViewer issue. Ken can see the passwords of any installed system. Given that he knows the IP and port of every installation (by way of software phoning home to verify key) and support emails info. This means he could conceivably remotely access the BI server. I am certain Ken wouldn't do this - or would like to think no developer would - but the world is a twisted place and simply trusting someone not to violate trust is not a good security approach.

Without intentionally challenging Ken's (or any developer's) character, I guess I just want to know how we can eliminate the risk entirely.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,982
Reaction score
3,180
Short of intrusion detection firmware on a router, is there anything that could be done to lock it down?
The same method that prevents unwanted access to cameras/NVRs running firmware that isn't trusted should work here: VPN (and potentially disable the device's ability to access the Internet, to prevent it from trying to reach out through your firewall and connect to some system on the Internet that could be used to reverse-tunnel back into the device through that connection).

When you limit incoming remote access to your network via VPN, unless you give someone VPN credentials, they can't even make a connection to your network (in general), much less connect to the network and try to back-door into a system that's on your network.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
It is like @aristobrat said, you would need to prevent your BI server from having internet access. BI does have an activation mechanism which can be used offline (it comes up if you try to activate without an internet connection) so you don't actually need it to ever have an internet connection.

Remote access is still possible through a VPN.
 

Dramus

Pulling my weight
Joined
May 7, 2019
Messages
323
Reaction score
229
Location
New Jersey
Without intentionally challenging Ken's (or any developer's) character, I guess I just want to know how we can eliminate the risk entirely.
No I.T. professional worth his or her salt will ever suggest it's possible to eliminate risk entirely, short of locking a thing in a sealed vault, immune to RF snooping, with a local/self-contained power supply.

Beyond that the questions become ones of risk assessment and mitigation. That is: Determine your risks and mitigate against them to the extent possible.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
I was hoping there was something in-between a total VPN solution (which would complicate remote access by family members) and the way it is now. For example, entering the router IP/domain:port from the WAN brings up a separate non-BI login page where a separate set of credentials would be required. If entered correctly, then the user would be forwarded to the actual BI login page.

Ultimately, I guess if I want friends and family to have access to the BI server (but not my LAN via VPN) I have to leave it like it is, knowing that Ken (or whoever he entrusts with the keys to the kingdom) won't violate our trust. I trust Ken, but as someone famous once said, "Trust but verify".

ETA: Regarding eliminating security risk - bad choice of words. I realize that is virtually impossible. I'm specifically addressing the risk of someone with Ken's tools being able to access the system, without any trace of said access being logged.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
Well you CAN run a reverse proxy server that adds its own authentication layer. It is a bit complicated to set up but I have basic nginx instructions here: bp2008/ui3

And if you run that proxy server on a different device then you could even still prevent the BI machine from having internet access so you would be safe(r) from outgoing connections.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
Well you CAN run a reverse proxy server that adds its own authentication layer. It is a bit complicated to set up but I have basic nginx instructions here: bp2008/ui3

And if you run that proxy server on a different device then you could even still prevent the BI machine from having internet access so you would be safe(r) from outgoing connections.
That sounds intriguing. Unfortunately my nginx/coding experience is zero. I'll start researching it now. Does anyone know of a tutorial or template for how to go from no proxy to proxy specifically with BI/UI3? Not being lazy - just need a starting point, else I'm sure I'll get snowed.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,982
Reaction score
3,180
That sounds intriguing. Unfortunately my nginx/coding experience is zero. I'll start researching it now. Does anyone know of a tutorial or template for how to go from no proxy to proxy specifically with BI/UI3? Not being lazy - just need a starting point, else I'm sure I'll get snowed.
Looks like if you can find a generic tutorial to get Nginx installed, the link BP provided above will get you the rest of the way...
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
Well I tell you what @erkme73 if you want to skip that learning curve I have it on good authority that @Mike has a web proxy server in the works for Blue Iris Tools and he could probably be persuaded to add http basic authentication to it.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
That's a great idea! I know his plate is full getting the latest update out (with the bug fix)... But, if you're listening @Mike :)
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
I doubt he could unmask the passwords without actually being logged in via teamviewer this would create a terrible backdoor and even if he did he would not disclose that. More than likely he could unmask the passwords once logged in via teamviewer. I believe bp2008 has a tool for this as well as they are stored in the registry. Remember that several years ago there was no "peak" feature to view your camera/webserver passwords so he would have to manually unmask them.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,982
Reaction score
3,180
Well I tell you what @erkme73 if you want to skip that learning curve I have it on good authority that @Mike has a web proxy server in the works for Blue Iris Tools and he could probably be persuaded to add http basic authentication to it.
What protection does a reverse-proxy without extra authentication add? Obscuring the BI server one more layer deeper?
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
What protection does a reverse-proxy without extra authentication add? Obscuring the BI server one more layer deeper?
I'm probably not the one to answer that question, but I'll attempt it. I don't want anyone outside my LAN to have direct access to the BI server login page/IP:port. Having a proxy server (with its own set of credentials) forward requests to/from BI would (?) prevent someone with the BI creds from getting to the BI login screen without the proxy's creds. No?

Maybe this isn't the correct approach, or I'm over-simplifying it. But the net effect is that someone would have to credential twice to get to the BI content. Once at the proxy, once at the BI login page.

edit: @aristobrat - I see your logic... Why would @Mike add it without some kind of authentication, as it wouldn't offer any benefit. Though, I suppose if your goal is to load balance you can use the proxy to direct to different apps without providing different ports. At least that's what I've found reading about the benefits of nginx.
 

archedraft

Getting the hang of it
Joined
Sep 11, 2018
Messages
138
Reaction score
91
Location
USA
What protection does a reverse-proxy without extra authentication add? Obscuring the BI server one more layer deeper?
Instead of logging into the BI server with your public IP address and port number, you would log in with a FQDN. Possibly more secure as the only open port would be the reverse proxy and the attacker would than need to figure out the entire FQDN which can be uniquely setup for each application. Still not as secure as a VPN.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
Having a proxy server (with its own set of credentials) forward requests to/from BI would (?) prevent someone with the BI creds from getting to the BI login screen without the proxy's creds.
Correct.

I believe the plan for BITools was to provide an HTTPS endpoint (TLS 1.2) with automated certificate management using LetsEncrypt. The main benefits of this are providing identity verification and encryption of the connection.

In a more general sense, reverse proxy servers are often used for offloading the HTTPS encryption work for a busy web server, and providing load balancing and some amount of DDOS protection. These aren't really major concerns for BI except that of course BI doesn't support HTTPS natively.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,982
Reaction score
3,180
Instead of logging into the BI server with your public IP address and port number, you would log in with a FQDN. Possibly more secure as the only open port would be the reverse proxy and the attacker would than need to figure out the entire FQDN which can be uniquely setup for each application. Still not as secure as a VPN.
Thanks, I was missing that if someone is just port scanning and happens to find the port, the proxy won’t let them through without them specifying the FQDN. That’s pretty cool.

Turns out my Synology has reverse proxy support built in, including auto-fetching LetsEncrypt certificates. I’ve got it all setup with BI now!
 
Top