Able to view all live cameras/groups on Roku!

Joined
May 21, 2017
Messages
1
Reaction score
0
All these are working on my internet browser just not in the app for some reason
I had the same issue and had to go into the settings under Web server and uncheck Secure only.
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
454
This works well. I was confused over the app's settings, as it allows you to configure a variety of cameras, AmCrest, Axis, and BlueIris was there, too, by navigating through the Next/Previous buttons.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
Yep! That worked too. Great and thanks for the help. Do you have any relationship to the developer? Give them a thumbs up if you do!
No, have no clue who the dev is, but he did respond to my initial request for help (on the roku forums) within minutes of me sending him a PM. Very responsive, and once you've got the syntax figured out, it's pretty nice.

One thing I did notice... After several rounds of changing the paths in the roku app, at some point nothing would work anymore - even when it was all correct. A restart of the roku stick solved it. I think at some point it just gets confused and a restart is the appropriate thing to do. It only happened once, and it's worked like a top ever since. I particularly like the full-screen screen saver that comes up showing me all of my cameras. It turns all of my Roku TVs into live camera monitors when they sit idle.
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
454
I had to shut off the web server on my BI after a hacker was able to log into the same user account which I used for this Roku app. When I wrote to BI about this hacking incidence, they had suggested not unchecking the "Secure Only" option in the web server, which the Roku app requires one to do.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
I had to shut off the web server on my BI after a hacker was able to log into the same user account which I used for this Roku app. When I wrote to BI about this hacking incidence, they had suggested not unchecking the "Secure Only" option in the web server, which the Roku app requires one to do.
That's EXTREMELY concerning. How did you determine your BI server was hacked?
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
454
I discovered the hacks by looking at the BI logs. There were a number of connections from an IP in Ho Chi Minh City, which first alerted me. After looking more closely at the logs and earlier, I counted 3 successful logins from the Near and Middle East, using one of the BI user accounts, the same one which I used on the cell phone apps and on the Roku app. The access to the BI web server was my public IP address and a port number. The BI user account had a mixture of case and special characters.

The initial connections started coming within a day of placing the web server online, and it took the first hacker less than a day to log in.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
I found several logins and connecteds using the credentials I specified in the Roku app starting not long after my post here. From Turkey and China. Man does that piss me off.
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
454
I had the same events, and had to shut down my web server. BI Support wrote to me saying to not uncheck the "Secure Only" option in the web server, which this Roku app required. My question is concerning the damage from these events. The BI account I had used in Roku which the hackers also used was a user account, and not an admin one. I am hoping that all these hackers got to see were my live feed and clips, and that my IP cameras are safe from any malware. But as a precaution I'll probably factory-reset the cameras.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
I was giving this some real thought as well. I think the webserver (apache) runs as a separate process from the server dashboard/console. That is, if a user has access to the webserver, all they can do is what you can do through either the default.htm or UI2.htm web pages. I may be totally off base, but I just don't see the someone can elevate their privileges, or create other users from the webserver. If they had access to the BI console (by way of RDP or something like VNC/Teamviewer) absolutely. Likewise, I don't think they can see each camera's properties such as username/password - or even IP address (unless you're using the IP address as the name of the camera).

In my case, I have all of my cameras on a separate subnet which is blocked from any (in or out) internet access - so they cannot be accessed from the WAN.

Still, in an over-abundance of caution, I've changed all my user passwords, enabled SSL (secure) on the server, and disabled the ROKU app.

I've also sent an email to Ken asking him if there is any auto-ban and IP whitelisting routine that he could add to the webserver. My filezilla FTP server has a fantastic IP validation process. I can block ALL incoming IP addresses, except those I've specifically allowed. And whitelisting a range is just as easy. For example, I can allow 24.*.*.* and 172.*.*.* - which are blocks assigned to specific geo-locations and ISPs. It makes attacks by users outside the US much more difficult. I currently have about 20 octets in my whitelist, and have not had any problems getting to my FTP from anywhere I might be logging in.

The auto-ban is great for eliminating brute-force attacks. If the same IP has a failed log attempt more than X times, block that IP for X hours (or indefinitely).

I'm hoping that Ken can incorporate such firewall measures on the webserver.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
Well, this is getting beyond creepy.

I've been two days now using my new credentials (and Roku disabled) with "secure only" turned on. Last night I discovered that the wget LUUP commands on my home automation controller no longer work with that enabled. So I disabled it. By this morning, I had a new IP logging in (from Australia) using my NEW credentials.

Somehow my creds are being revealed. I've turned secure only back on, and once again am changing my creds. Very, very frustrating.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Well, this is getting beyond creepy.

I've been two days now using my new credentials (and Roku disabled) with "secure only" turned on. Last night I discovered that the wget LUUP commands on my home automation controller no longer work with that enabled. So I disabled it. By this morning, I had a new IP logging in (from Australia) using my NEW credentials.

Somehow my creds are being revealed. I've turned secure only back on, and once again am changing my creds. Very, very frustrating.
have you contacted the ruku app author? does the ruku connect to foreign ip's ?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
If the app is sending any data back to the developer it must be intentional...there is no need for any data to be sent to the developers servers.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
No, I have not yet reached out to the dev. The Roku app had not been updated with the new creds last night, so it would not have had the necessary data to send to anyone (or to be intercepted). While I didn't explicitly 'disable' or remove the app, the Roku app was only pinging on creds that were no longer valid on the server.

The logins I had this morning were using the new creds. Something else is going on. It may (or may not) have anything to do with the Roku app.

Since I was using the same creds on my VERA home automation system, and I actually did update those to the new creds last night, I'm thinking that may be the culprit.

What I've done now is given the VERA and the ROKU their own specific creds - something I should have done initially but was being lazy. If it happens again, it should paint a clearer picture of where to point the finger.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
Bingo. Just had a hit:

upload_2017-6-22_18-36-10.png

This tells me it is VERA that is revealing my new credentials. I created the "VERA" creds this morning. And a few hours later, someone is logging into BI with it.
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
454
I have only the registered iOS apps from BI and the Roku app, which unfortunately used a shared user account, and I was hacked. I wonder if you can create a Roku-only user account in BI, connect it to Roku, un-assign cameras or clips, and see if there arrives logins from the other side of the world.

Edit: I re-read your post and see that you had already assigned a Roku-only user account.
 

erkme73

BIT Beta Team
Joined
Nov 9, 2014
Messages
1,540
Reaction score
1,412
I did that with the VERA device, but not Roku. I set up a Roku user account, but didn't configure the TV app for the new creds. I will try that now.
 
Top