Able to view all live cameras/groups on Roku!

It's now been nearly 20 hours since configuring the Roku with the Roku-specific account on BI. Not a single attempt on those creds. Meanwhile, the ones for the VERA account are too numerous to count.

I added about 10 or so IP octets (-113.*.*.*, -85.*.*.*, -175.*.*.*, etc) to the webserver IP list. That has all but stopped the logins. I still see the connections, but logins are over.

I then changed the forwarded port on the router, and turned on secure only. For the last two hours, there have been zero connects or logins that weren't legit. I'm sure it's just a matter of time before they port-scan and find the new port.
 
I have a Vera too. How are you integrating Vera with Blue Iris? How are you specifying Blue Iris creds in Vera?

I am concerned about unauthorized access now.

If you figure out how BI creds are leaking in Vera, let us know.
 
I'm using the PLEG plugin on VERA to fire off LUUP script on certain triggers. Say someone opens my mailbox. PLEG, using this LUUP command:

luup.inet.wget("http://[BLUEIRIS_SERVER_IP]/admin?camera=[CAMERA_NAME_TO_START_RECORDING]&trigger&user=&user=[BI_USER_WITH_ADMIN_STATUS]&pw=[PASSWORD_FOR_BI_USER]",10)

My BI will then record the camera facing the mailbox for 10 seconds. Works great. Except the command is sent in clear text between the VERA box and the BI server. Even though I was using a local IP address, the UN/PW in the string was somehow compromised, and showed up in the BI logs with IP addresses from all over the world.

The problem is, I don't know where the compromise is occurring. It could be something on my network that is capturing packets and sending them somewhere. It could be that the VERA cloud servers are compromised (possible, but less likely). Ultimately, whatever credentials I put in that string end up in the hackers' hands. If I was even moderately network savvy, I could probably figure this out. But, alas, I am not, and unless someone here (or at the VERA forums) can provide assistance, the only option I have is to no longer use the bridge between VERA and BI.

I did reach out to VERA and they suggested that I 'secure' the VERA. That means it would require cloud-access 100% to log onto the controller - even when I'm on the same LAN. That's hardly a fix, since doing so will mean long delays each time I want to access the VERA GUI.

For now, I've added the offending IP ranges (just the first three numbers of each IP) to the block list on the BI server, moved my external port, and turned on secure only in the webserver settings. Those three things have, so far, cleaned up the attacks.

It's unfortunate that I can't use wget anymore, as a number of things in my home automation system were tied to the recording and alert push notifications from BI (i.e. mailbox, front door IR beam, garage IR beam, etc). It still works with VERA alerts sending push notifications, but it just won't trigger BI to record.
 
Thanks for info. I am doing the same type of Vera/BI integration. Scary about BI cred leakage.
 

Just keep it in perspective. I'm coming down hard on Vera, but that's only because I'm too inept to figure out what the real cause is. I fully suspect that if Vera had an issue, I wouldn't be the only one to complain.
 

Obviously an issue somewhere. From your description, it sounds like the information is being pushed out somewhere. Doubtful that you'd be getting hit so hard just based on random scanning. Likely not even humans behind it but some automated bot-type process that it's being pushed to. You could test that by changing your IP, dropping your blocks, putting the Vera user back up (with limited access) again with new credentials. If you're getting logins again within a relatively short time on a new IP with new credentials, then no way that's just by chance. Something must be capturing it and forwarding out or you have some type of beacon/trojan within your network that's flashing "here I am, come get me."

Do you have Wireshark or something similar that you could use to monitor traffic on your network?
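
The test suggested above (fresh credentials, then see where they turn up) can be run against a capture without reading packets by hand. This is an added example, not part of the original thread: it assumes the capture's HTTP requests were exported as tab-separated source, destination, Host header and URI, and every address, hostname and credential in it is constructed.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample export: src, dst, Host header, request URI (tab-separated).
# Row 1 is the Vera trigger call from the thread, using a fresh "canary" login.
SAMPLE = """\
192.168.1.50\t192.168.1.20\t192.168.1.20\t/admin?camera=mailbox&trigger&user=&user=canary_vera&pw=Xq7-canary
192.168.1.77\t203.0.113.9\tcollector.example\t/c?d=canary_vera%3AXq7-canary
198.51.100.23\t192.168.1.20\tmyhome.example:8443\t/admin?user=canary_vera&pw=Xq7-canary
192.168.1.50\t192.168.1.20\t192.168.1.20\t/image/mailbox?q=40
"""

def classify(src, dst, uri, canary, vera_ip, bi_ip, lan):
    """Return a verdict for one request, or None if the canary is absent."""
    if canary not in unquote(uri):        # decode %xx so encoded copies match
        return None
    if src == vera_ip and dst == bi_ip:
        return "expected"                 # the legitimate trigger call
    if dst == bi_ip:
        # Something other than the Vera is presenting the canary to BI.
        inside = ipaddress.ip_address(src) in lan
        return "replayed-from-lan" if inside else "replayed-from-internet"
    return "forwarded-elsewhere"          # canary sent to a third host

def trace_canary(text, canary, vera_ip, bi_ip, lan_cidr):
    """List every request carrying the canary that is not the Vera->BI call."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, host, uri = line.split("\t")
        verdict = classify(src, dst, uri, canary, vera_ip, bi_ip, lan)
        if verdict and verdict != "expected":
            findings.append((verdict, src, dst, host))
    return findings

if __name__ == "__main__":
    for finding in trace_canary(SAMPLE, "canary_vera", "192.168.1.50",
                                "192.168.1.20", "192.168.1.0/24"):
        print(*finding, sep="  ")
```

Only cleartext HTTP shows up in an export like this, so a canary that appears in the BI log with no matching row here left by a path the capture did not cover.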
 
I do. I installed Wireshark and played with it for a bit but it is so overwhelming that I quickly gave up.

Now that I've gone 30+ hours without a single hit, the urgency has been muted a bit, leaving time for my more mundane daily routines. I have simply not updated the Vera creds and will live without that feature set. At least until I have a verified step-by-step way of tracking down the culprit that even I can follow properly.

I have run various virus scanners on my PCs. But with so many IoT devices on my network (heck, even my washer and dryer are internet aware), there are just so many possible points of attack I don't know where to start.
 
Wondering about the use of the "Limit IP Access" feature in BI. It would be ideal if the presence of PLUS addresses would then provide some other HTML page for all other unwanted IPs (no login page presented).
 
I do this in my firewall. I basically got a few IPs from where I could use the mobile app (work, home, friend's house), and then found the range for Verizon Wireless so I can use it from my phone. While allowing all of Verizon wireless is a big group of IPs, it definitely limits my attack surface compared to keeping it wide open.

EDIT: Just wanted to add I would recommend doing this in your firewall instead of relying on software to implement it. No offense to Blue Iris - he's a great camera DVR guy - let him focus on that. Most of the enterprise software I deal with is the same way - handle the security in the firewall or another security device. If you have a home firewall with limited options, the Windows Firewall can be very powerful as well if configured properly.
 
Hi tommyboy. Thanks for the suggestion. Can the IP firewall rule be applied just to the BI port number?
 
I have too many family and friends and other off-site BI servers that log in to my server. Never mind that the VPN experiences I've had in the past were slow, cumbersome, and had to be established each time prior to connecting to the remote site. In an ideal world, I'd have an always-on VPN connection between all remote sites and the BI server, but the reality of that implementation is just not practical.
 
I could be off base about this, but why are you using a forwarded port instead of a VPN?
Sorry, if I missed something.
Port forwarding is definitely a security risk in comparison to VPN, but I never found a great always-on VPN on my iPhone, so I took convenience over security. Enabling the IPSec tunnel manually before being able to check alerts was a pain.
That was a year ago when I first started, since then I've given up on checking alerts as they come in and I'm lucky to look at them once a day - I just rely on the 24/7 recording. I have my BI server in a DMZ so I'll prob just keep the port forwarding and rely on packet inspection in the firewall if someone tries to get in.
 
Please don't use this Roku app, unless you don't mind allowing people from all over the world to view your cameras.
 
I like the app... it works rather well for me
I would like to know if anyone got the ptz calls working to Blue Iris. That is one trick I am still trying to figure out.
 
After some prompting at this thread, I realized I have not provided a final update into the use of this app on my Roku TVs. Rather than post it here, I will update the original post.
 

I use the Roku service and I am very happy with your hard work. What I still need to figure out is the PTZ settings for Blue Iris so I can control my PTZ cams via the Roku. Unless I missed it somewhere, I do not see it referenced in either thread.
 
You're right @Abbell, I don't think anyone has discussed the PTZ control string on the app. I have only two PTZ cameras, and they're on preset schedules or triggered by sensors - so having the ability to control them from the Roku app isn't of much use for me. But, if you manage to figure it out, please share it here so others can learn!
 
First of all, thanks for the guide! I have set this up but my cameras play back very poorly via the ROKU app. All my cameras display a different time and skip multiple seconds at a time. If I watch one camera it is fine but if I try all 4 of my cameras I have very poor performance. Is this due to my ROKU being on wifi? I do not have this issue on my computer even though it is on wifi. I even turned each camera down to 65% JPEG quality and 40% JPEG scale and still it skips a few seconds each refresh and all the cameras are a couple of seconds apart. Almost impossible to see motion. Any ideas?