Able to view all live cameras/groups on Roku!

This works well. I was confused over the app's settings, as it allows you to configure a variety of cameras, AmCrest, Axis, and BlueIris was there, too, by navigating through the Next/Previous buttons.
 
Yep! That worked too. Great and thanks for the help. Do you have any relationship to the developer? Give them a thumbs up if you do!

No, have no clue who the dev is, but he did respond to my initial request for help (on the roku forums) within minutes of me sending him a PM. Very responsive, and once you've got the syntax figured out, it's pretty nice.

One thing I did notice... After several rounds of changing the paths in the roku app, at some point nothing would work anymore - even when it was all correct. A restart of the roku stick solved it. I think at some point it just gets confused and a restart is the appropriate thing to do. It only happened once, and it's worked like a top ever since. I particularly like the full-screen screen saver that comes up showing me all of my cameras. It turns all of my Roku TVs into live camera monitors when they sit idle.
 
I had to shut off the web server on my BI after a hacker was able to log into the same user account which I used for this Roku app. When I wrote to BI about this hacking incident, they had suggested not unchecking the "Secure Only" option in the web server, which the Roku app requires one to do.
 

That's EXTREMELY concerning. How did you determine your BI server was hacked?
 
I discovered the hacks by looking at the BI logs. There were a number of connections from an IP in Ho Chi Minh City, which first alerted me. After looking more closely at the logs and earlier, I counted 3 successful logins from the Near and Middle East, using one of the BI user accounts, the same one which I used on the cell phone apps and on the Roku app. The access to the BI web server was my public IP address and a port number. The BI user account had a mixture of case and special characters.

The initial connections started coming within a day of placing the web server online, and it took the first hacker less than a day to log in.
 
@actran: No, I don't believe so, but I'll double-check later.
 
I found several logins and connecteds using the credentials I specified in the Roku app starting not long after my post here. From Turkey and China. Man does that piss me off.
 
I had the same events, and had to shut down my web server. BI Support wrote to me saying to not uncheck the "Secure Only" option in the web server, which this Roku app required. My question is concerning the damage from these events. The BI account I had used in Roku which the hackers also used was a user account, and not an admin one. I am hoping that all these hackers got to see were my live feed and clips, and that my IP cameras are safe from any malware. But as a precaution I'll probably factory-reset the cameras.
 
I was giving this some real thought as well. I think the webserver (apache) runs as a separate process from the server dashboard/console. That is, if a user has access to the webserver, all they can do is what you can do through either the default.htm or UI2.htm web pages. I may be totally off base, but I just don't see how someone can elevate their privileges, or create other users from the webserver. If they had access to the BI console (by way of RDP or something like VNC/Teamviewer) absolutely. Likewise, I don't think they can see each camera's properties such as username/password - or even IP address (unless you're using the IP address as the name of the camera).

In my case, I have all of my cameras on a separate subnet which is blocked from any (in or out) internet access - so they cannot be accessed from the WAN.

Still, in an over-abundance of caution, I've changed all my user passwords, enabled SSL (secure) on the server, and disabled the ROKU app.

I've also sent an email to Ken asking him if there is any auto-ban and IP whitelisting routine that he could add to the webserver. My FileZilla FTP server has a fantastic IP validation process. I can block ALL incoming IP addresses, except those I've specifically allowed. And whitelisting a range is just as easy. For example, I can allow 24.*.*.* and 172.*.*.* - which are blocks assigned to specific geo-locations and ISPs. It makes attacks by users outside the US much more difficult. I currently have about 20 octets in my whitelist, and have not had any problems getting to my FTP from anywhere I might be logging in.

The auto-ban is great for eliminating brute-force attacks. If the same IP has a failed log attempt more than X times, block that IP for X hours (or indefinitely).

I'm hoping that Ken can incorporate such firewall measures on the webserver.
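
The allowlist and auto-ban described in the post above, as an added Python example that is not part of the thread and is not Blue Iris or FileZilla code. The names `LoginGuard` and `replay`, the thresholds and the sample events are assumptions constructed for illustration; the wildcards 24.*.*.* and 172.*.*.* from the post are written as /8 networks.

```python
import ipaddress
from collections import defaultdict, deque

class LoginGuard:
    """Hypothetical allowlist + auto-ban gate placed in front of a login check."""
    def __init__(self, allowed_cidrs, max_failures=3, window_s=600, ban_s=3600):
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.max_failures, self.window_s, self.ban_s = max_failures, window_s, ban_s
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> second at which the ban ends

    def check(self, ip, now):
        """Decide, before any password is looked at, whether this source may try."""
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in self.allowed):
            return "deny-not-allowlisted"
        if self.banned_until.get(ip, 0) > now:
            return "deny-banned"
        return "proceed"

    def record(self, ip, now, success):
        """Track failures in a sliding window; ban on more than max_failures."""
        recent = self.failures[ip]
        if success:
            recent.clear()
            return
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()
        if len(recent) > self.max_failures:
            self.banned_until[ip] = now + self.ban_s
            recent.clear()

def replay(guard, events):
    """Run (time, ip, password_ok) events through the guard; return the verdicts."""
    verdicts = []
    for now, ip, ok in events:
        verdict = guard.check(ip, now)
        if verdict == "proceed":
            guard.record(ip, now, ok)
            verdict = "login-ok" if ok else "login-failed"
        verdicts.append(verdict)
    return verdicts

# Constructed sample events: (seconds, source IP, was the password correct?)
EVENTS = [
    (0, "24.10.20.30", True),    # allowlisted source, correct password
    (10, "203.0.113.7", True),   # correct (leaked) password, source not allowlisted
    (20, "172.16.5.9", False), (30, "172.16.5.9", False),
    (40, "172.16.5.9", False), (50, "172.16.5.9", False),  # 4th failure bans
    (60, "172.16.5.9", True),    # refused while the ban is active
    (3651, "172.16.5.9", True),  # ban expired one hour after the 4th failure
]

if __name__ == "__main__":
    guard = LoginGuard(["24.0.0.0/8", "172.0.0.0/8"])
    for event, verdict in zip(EVENTS, replay(guard, EVENTS)):
        print(event, "->", verdict)
```

The second constructed event is refused even though its password is correct: the allowlist, not the auto-ban, is what stops a login that uses leaked credentials.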
 
Well, this is getting beyond creepy.

I've been two days now using my new credentials (and Roku disabled) with "secure only" turned on. Last night I discovered that the wget LUUP commands on my home automation controller no longer work with that enabled. So I disabled it. By this morning, I had a new IP logging in (from Australia) using my NEW credentials.

Somehow my creds are being revealed. I've turned secure only back on, and once again am changing my creds. Very, very frustrating.
 
Have you contacted the Roku app author? Does the Roku connect to foreign IPs?
 
If the app is sending any data back to the developer it must be intentional...there is no need for any data to be sent to the developers servers.
 
No, I have not yet reached out to the dev. The Roku app had not been updated with the new creds last night, so it would not have had the necessary data to send to anyone (or to be intercepted). While I didn't explicitly 'disable' or remove the app, the Roku app was only pinging on creds that were no longer valid on the server.

The logins I had this morning were using the new creds. Something else is going on. It may (or may not) have anything to do with the Roku app.

Since I was using the same creds on my VERA home automation system, and I actually did update those to the new creds last night, I'm thinking that may be the culprit.

What I've done now is given the VERA and the ROKU their own specific creds - something I should have done initially but was being lazy. If it happens again, it should paint a clearer picture of where to point the finger.
 
Bingo. Just had a hit:

[Attached image: upload_2017-6-22_18-36-10.png]

This tells me it is VERA that is revealing my new credentials. I created the "VERA" creds this morning. And a few hours later, someone is logging into BI with it.
 
I have only the registered iOS apps from BI and the Roku app, which unfortunately used a shared user account, and I was hacked. I wonder if you can create a Roku-only user account in BI, connect it to Roku, un-assign cameras or clips, and see if logins arrive from the other side of the world.

Edit: I re-read your post and see that you had already assigned a Roku-only user account.
 
I did that with the VERA device, but not Roku. I set up a Roku user account, but didn't configure the TV app for the new creds. I will try that now.