Anyone catch traffic from this?

[fenderman]

Under what law?


Are you sure? They have exploits (wanted or unwanted, hard to tell) for over.. 4+ years. Myself and my company has been reporting them from the first start, when we discovered a path traversal vulnerability back in 2008, if I do remember well.


That raises the costs of the installer... Race to bottom?
On this, I do agree... maybe at least explain what is a firmware and what is an update.


My simple question is: in a market like this, who should be hold accountable and who should pay the losses?

There is no law. Its common sense. Now if you want to get technical, all sorts of consumer fraud laws would apply here. They fail to disclose inherent serious security risks. They intentionally add backdoors and accounts that cannot be deleted. This would need to be certified a class since individual losses are minimal.

Most other exploits were not as widely reported in the mainstream press. The ones that have been had some positive effect. When foscams were reported exploited, the US distributor began notifying everyone by email and posting a notification to update firmware on its main page (until they screwed their customers and reopened as amcrest)
There is often no cost to add vpn, and when there is its minimal.
No one will likely pay the losses.
Regardless, this highlights the point that you cannot rely on firmware to stop attacks, the manufactures will always be behind the hackers.

 

[tangent]

It's simple until enough consumers demand better of electronics manufactures this isn't going to change. This applies to cell phones (<24 months of support for something that can cost > $600), cars, cameras, tvs, dvd players, thermostats, etc. It is a bit of a race to the bottom/minimum viable product, manufactures choose not to support the old devices so you're more likely to buy the new ones. Sometimes longer term support comes with a subscription model or advertising data about you being sold (eg. roku). Cars are probably one of the worst given how long they tend to stay on the road, but in many cases they are more isolated.

On CCTV cams, Dahua isn't the only one with issues. It's also possible that random sellers could bless an english fw hack with some additions like phoning home to a C&C server to check for commands. I think this would be relatively rare on hikvision/dahua cams but i have much less confidence of some of the other cheap stuff.

 

[CaliGirl]

So if the consumer (i.e. me) wants to check on the dog in the garage via ip camera, they should log into a VPN client, using two step authentication and a long password that uses upper, lower case, numbers and symbols that they have stored in their head. That isn't easy!

I think I finally understood VPN vs. Ports from this thread.

VPN is like giving a person a unique key to open the door to your house. Don't hand out the key or send it through email and no one should be getting in to the house to look at the art on the wall. Bc the data that is encrypted in an underground protected tunnel as it is being sent across the internet.

Port forwarding is saying you can not come in the front door, but you CAN go through the side door if you know the basic password to get to the IP camera interface and then you can look at the art on the wall. And the basic passwords for these interfaces appear to be much easier to hack. Maybe even a given since so many are left at default. And the data transmitted across the internet is not in a protected underground tunnel and can be intercepted?

Is that correct?

 

[fenderman]

It's simple until enough consumers demand better of electronics manufactures this isn't going to change. This applies to cell phones (<24 months of support for something that can cost > $600),

I switched to nexus phones for this reason. Its not just the lack of security updates after 18 months but how slow they roll them out. With nexus i get them instantly. I loved my moto phone, and the new z line looks great but no way im going back to that. They should all be running stock android.

 

[nayr]

iirc didn't the cheap Mini Top IP Cameras come with some malware in the firmware?

Dahua has made efforts to tighten up security, those default logins are no longer present in latest firmware.. and they force you to set a new password on first login, much more secure by default.. However all of that is brandable and its all to easy for a vendor to insert there own backdoors or disable these features.. plus any bugs and other issues that can expose security weaknesses.

In reality, its the idiot whom exposes devices to the internet w/out considering the risk whom's to blame.. The internet is a force of its own.. if you dont put on sunscreen and you get a sunburn, its your fault.. not the sun's.

 

[dexterash]

So if the consumer (i.e. me) wants to check on the dog in the garage via ip camera, they should log into a VPN client, using two step authentication and a long password that uses upper, lower case, numbers and symbols that they have stored in their head. That isn't easy!

From your consumer point of view, you are right.

From my solutions' provider point of view: I would deliver you something integrated, secured and managed. As in, I know you can't update weekly your router, cameras, NAS, TV, fridge etc, but I could take care of those. Of course, you would share with me 50% of your gain (as in time/work or agenda filling), but we both could win.

In this case, unfortunately, it's not you - the consumer - the "problem".Or, at least, not directly.

 

[dexterash]

Dahua has made efforts to tighten up security, those default logins are no longer present in latest firmware..

Efforts? Really?

Honestly... nope, no efforts. The static + dynamic pass [currently used] is somehow an adapt of a recipe we've provided 3...4 years ago...

 

[fenderman]

So if the consumer (i.e. me) wants to check on the dog in the garage via ip camera, they should log into a VPN client, using two step authentication and a long password that uses upper, lower case, numbers and symbols that they have stored in their head. That isn't easy!

Its really easy. If I could train my computer illiterate staff to login to the office via vpn anyone can. They dont need to know anything about the authentication or passwords. All they gotta do is turn the vpn on/off.

 

[nayr]

they may just be token efforts but they are efforts.. none have any form of CERT response and disclosure team, they do not backport security fixes or any of the stuff thats a requirement for services running openly on the internet.

removing hardcoded logins and forcing a password change on first login may be a token gesture for security; but I'll take it.. I argued once that any device that does not force you to change credentials from default clearly was not designed for internet exposure, thats still true but there's nothing Dahua could do to make me trust there software enough to open up ports to em.

millions of people use VPN every day (corporate/government) w/whom have a fraction of the tech capabilities you do CaliGirl, with a good sysadmin you open a file they provide, type in your credentials and your connected.

 

[dexterash]

There is no law. Its common sense. Now if you want to get technical, all sorts of consumer fraud laws would apply here. They fail to disclose inherent serious security risks. They intentionally add backdoors and accounts that cannot be deleted. This would need to be certified a class since individual losses are minimal.

Common sense doesn't drive businesses. And we all know this. Or, at least, I think we do.

Most other exploits were not as widely reported in the mainstream press. The ones that have been had some positive effect.

From my point of view: it's not a very bright way to rely on "researchers" to disclose... You'll never know when one paid with 1000 USD/month can expose videos&other data from 200.000 devices.

When foscams were reported exploited, the US distributor began notifying everyone by email and posting a notification to update firmware on its main page (until they screwed their customers and reopened as amcrest)

Oups... didn't know that. So FosCam is out of USA?

There is often no cost to add vpn, and when there is its minimal.
No one will likely pay the losses.

Hummm...

Regardless, this highlights the point that you cannot rely on firmware to stop attacks, the manufactures will always be behind the hackers.

If you develop a product and take care of it, how can a X ousider be ahead of you/your development?

 

[CaliGirl]

Its really easy. If I could train my computer illiterate staff to login to the office via vpn anyone can. They dont need to know anything about the authentication or passwords. All they gotta do is turn the vpn on/off.

Once it is setup, it is pretty easy I have to admit.

How about on an IPhone? I guess it takes an extra app, openVPN and a few clicks, but it takes a ton of setup for the consumer to know how to set this up and make it work. Took me 12+ hrs. to get a vpn to work.

I work for a large company and we can't hardly get IT to walk us through how to do this. The IT people at our company don't have the people skills to explain it to us end users on the phone. I can hardly understand them and I feel like I am pretty tech savvy. And they don't post videos to walk us through it. So we just don't use VPN. We email everything and skirt around it using personal dropbox and whatever it takes to get the job done. But most of our work is not to sensitive mind you.

 

[nayr]

Thats because you used OpenVPN, most corporate VPN's will use L2TP+IPSec and it's built into your device..

Apple provides a tool that you create profile files and distribute them to users, they just load it up and the VPN is ready to go using the built in VPN Client in iOS

http://www.howtogeek.com/216137/create-a-configuration-profile-to-simplify-vpn-setup-on-iphones-and-ipads/

I have to use a security token and our infosec teams provide vpn profiles.

 

[CaliGirl]

Reading your article as we speak. Interesting stuff.

The current VPN at work makes you log in, load an applet that only works on firefox (but doesn't tell you that) and then you log in again and it send a code to your phone, then you enter that code and wait and it connects if you got it all right. Then once you are on it, the hard drive works sooooo slow, it is like going back to 2001 So a few of us just DropBox everything to each other much quicker

 

[c hris527]

I suspect that a lot of people have been caught by surprise byhow soon” the attacks, said Akamai’s Mr. Ellis. His company said it was blindsided by one of last week’s attacks.-<<<<<<< Quote from the article.....

I hope nobody who has been reading this form for some time was caught by surprise. The security side of the cameras has been hammered, hashed over and has been talked about a zillion times here on this form. If you knew about this and did nothing, you are part of the problem. If you are a installer and your client got hacked and you did not notify them of the risks of their crappy router setup, then YOU are lazy and part of the problem. The hackers are depending on you to be lazy and take the attitude as described by smoothie. I take my work VERY seriously and will go out of way to inform my customers about the risks of wanting to view video over the internet. They usually shake their heads and agree with me and then have their 14 yr old nephew port forward anyway. I have also dealt with seasoned network managers who have been explained the risks and do the same thing because of lack of knowledge or just plain laziness. My first exposure to a dvr was coming in behind a camera Installer to let my client view video from his home computer, I remember port forwarding a sonic wall and not thinking twice about it, that was 5 years ago and I know better now and hopefully this article and thread is a wake up call.

 

[smoothie]

So if the consumer (i.e. me) wants to check on the dog in the garage via ip camera, they should log into a VPN client, using two step authentication and a long password that uses upper, lower case, numbers and symbols that they have stored in their head. That isn't easy!

I think I finally understood VPN vs. Ports from this thread.

VPN is like giving a person a unique key to open the door to your house. Don't hand out the key or send it through email and no one should be getting in to the house to look at the art on the wall. Bc the data that is encrypted in an underground protected tunnel as it is being sent across the internet.

Port forwarding is saying you can not come in the front door, but you CAN go through the side door if you know the basic password to get to the IP camera interface and then you can look at the art on the wall. And the basic passwords for these interfaces appear to be much easier to hack. Maybe even a given since so many are left at default. And the data transmitted across the internet is not in a protected underground tunnel and can be intercepted?

Is that correct?

In short...yes

Using the VPN with two-factor authentication and long passwords with complexity is ideal. There are certain things you can do to help mitigate the chore of it all. If you have security features enabled on your iPhone such as; a non-obvious unlock code on your iPhone, erase the phone after 10 failed unlock attempts and enable auto-lock after as few minutes as possible. Some of the things you could do include; storing passwords for the viewing software, adding your mobile device to a "trusted device" list if your VPN supports this which allows the bypass of the two-factor authentication, and store the password for the VPN app which is best paired with an x.509 certificate for increased security.

The obvious risk to doing these things is if someone knows your iPhone unlock code or gains access to the device while it is unlocked they would have access to the security details. Personally I think the risk is minimal in return for the significant gain in convenience. The easy rule to remember is: the harder it is for you, the exponentially harder it is for a stranger.

The rest of your assertions are largely correct.

A VPN (without x.509 certificates) is more like a top quality high security deadbolt like The ASSA Abloy Protec 2 and giving people copies of the key as you see fit. If one of those keys were to fall into the wrong hands you would have to replace or rekey that lock. Using a VPN with x.509 certificates is more like what you were describing. Each device can have its own unique x.509 certificate which can be singularly revoked or removed from the VPN. So if your iPad was lost/stolen you could revoke just that device's x.509 certificate with no change or interruption to the functionality of your iPhone. Not all VPN servers can use x.509 certificates so they may not be available for all situations. Honestly a VPN alone is very secure and perfectly capable, if you can use x.509 all the better.

Port Forwarding is much as you said.

Data transmitted across the open Internet is able to be intercepted, but a surprising number of websites are encrypted these days which is akin to a VPN between you and the website you are visiting. This is only in broad strokes since even if you are talking to an encrypted site that site could have embedded ads which are from external sources and may not be encrypted...its complicated.

So long story short, yes you are mostly correct.

 

[logbuilder]

I have an outbound rule on the FW to prevent the BI server and cameras from talking outside the network. VPN in to view cameras, and anything on LAN can access BI. You would not believe how much a win10 box talks outbound EVEN THOUGH I turned off all the BS phone home crap. Now it won't even install a patch unless I allow it to.

You might want to explore metered connections. In windows 10, this is an option on wifi connections. This causes windows 10 to not download updates, or rather stage updates. You control the update process. With a reg change, you can also make wired Ethernet connections operate the same. Google it.

I suggest this only as a way to reduce chatter outbound.

 

[notagto]

Every machine in my house runs through VPN, needed or not its a good practice.

I hadnt thought about the cameras being on the network so this is making me research my options even more!

So much to learn and keep finding things i didnt know that i didnt know until i know i didnt know them lol

 

[Lance]

Does anyone have links to a good "how to" on setting up dahua stuff for Vpn? Also idmss and gdmss?

 

[nayr]

VPN is agnostic to vendor or application.. you turn it on and open the apps like you were at home on the wifi.

First thing to do is determine if your router already has built in VPN Server, if it does use google to find a vpn server howto for your router.

If it doesn't, determine if you can simply flash an open source firmware such as dd-wrt, tomato, etc.

 

[CaliGirl]

Does anyone have links to a good "how to" on setting up dahua stuff for Vpn? Also idmss and gdmss?

I can help you out to the extent of my knowledge Lance. I just set one up. It is basically a way to access your network (cameras, etc.) remotely and securely.

What wifi router model do you have?

I simply purchased a router that has the ability to do it out of the box $100, but like nayr said, you can also flash new firmware to routers that don't have it and add the feature. Although I feel like that is jailbreaking a device that may not be intended to do this. And subject to varying results. For the guys that have done this, how do the routers handle the tomato firmware and other hacks? Do they have enough CPU to handle the VPN? I was told to be careful about running VPN on my router and luckily the CPU floats around 60% of max while running it.

I can help you with iDMSS setup since I just did it. There are not great youtube tutorials online for some reason. They are a lot but not one can walk your through step 1-20. They also serve a purpose just not complete.