Change BI Profile via Webcommand

bedpan

Hey Folks,

I have never had a lot of luck with the BI Geofences. Now my daughter and son have phones and I am not too keen on installing the BI App and thought I may as well look for another solution to control my Geofence.

I found this thread: Profile Change via URL w/ Authentication

Using the command http://192.168.0.50:10001/admin?user=user&pw=password&profile=x I am getting directed to the web login screen. If I log in and run it, it does work, but it is not accepting the Username and Password in the URL. Just so we are clear, I am using my admin user/pass in the URL and setting profile number 1 or 2.

Any thoughts?

In the end I would like to use Life360 for my geofencing which I have installed on the family phones. Via IFTTT and webhooks I can send the URL above to change my profile.

Cheers!

Mike
 

bedpan

Found it.. Have to disable secure only in the webserver settings.

Security concerns if I do this with the webserver being internet connected?
 

awsum140

If you're port forwarding to gain access, yes. If you're using VPN, not so much.
 

bedpan

VPN would not be an option as the request will be coming from IFTTT....

Security thoughts here?
 

awsum140

It doesn't matter how the request, access, occurs, IFTTT command or URL to the console, the security concerns remain the same.
 

bedpan

That's the question.... What are the security concerns? I understand it's a hole in the firewall.. What are the realistic risks in allowing access to the HTTP requests from the internet?
 

awsum140

Assuming you are using port forwarding, you're wide open to anyone that routinely scans the web looking for open ports to exploit. My original router didn't offer VPN and I was getting hammered daily. Have a look at your BI log and BI connections log. Since changing routers and setting up VPN, nada, nothing, zip. It's a balancing act. Do you want real security or do you want the convenience of IFTTT? I don't use IFTTT, or know anything about configuring it, but maybe you can set it up to use a VPN connection, but I have no ideas for you.
 

bedpan

Ok... I guess I need to be more specific...

Is the Blue Iris webserver known to be fairly secure? Are they using another project's web server code? Are there any known exploits? Are they patching the web server on a regular basis? Have there been any previous exploits?

I understand the worst case ramifications of opening a port on my pfSense box and what can happen. I am looking for more specifics to help measure the specific threat.
 

awsum140

Maybe Fenderman or BP can answer that. I would assume, and we know what that does, that there is a reason for "secure connections only" being selectable in the first place.
 

bedpan

Found a little bit.. Disabling secure connections means the password is passed in plain text. Not too worried about that as long as we don't use public wifi. Still risk.. I will need to look at Stunnel to see if it will work with IFTTT. I have not looked at it at all.

Still curious though if Admins can chime in on their efforts around security and the web server portion.

Thanks

Mike
 

bp2008

I'm sure IFTTT would work with https. Probably even without a verifiable certificate. Lots of stuff only uses self-signed certificates and they'd want to be compatible. However using https/stunnel for Blue Iris mostly just protects you from network administrators that might be snooping on traffic passing through their router. It does not protect you from any vulnerabilities in Blue Iris itself. This is why people who are really concerned with their cybersecurity should do all their Blue Iris remote access through a VPN. This would prevent you from changing profiles with IFTTT of course.
 

bedpan

Thanks BP...

Have there been any major security issues with your HTTP server code? Are you using another project's server or in house?

Looking for now to create an account with limited access that can only change profiles. Would this fall under Administrator access? Any chance of adding that as a separate security item?

thanks!

Mike

 

bp2008

I think you misunderstand who we are. IPCamTalk is not affiliated with Blue Iris at all. I don't know what Blue Iris uses for a web server.

I don't think you can have a limited account with permission to change profiles. In Blue Iris that permission is just one of many controlled by the Administrator flag.
 

bedpan

You are right.. I saw staff and had it in my head associated with BI. My apologies!

I have created an account with Admin access and removed all other abilities.. It still works for changing profile.. Unfortunately the account can still view the cameras.. For me they are just outside cameras around my house so not really concerned... Again thanks for the reply.

Mike
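
Added example, not part of any post above and not Blue Iris or IPCamTalk code: since the thread concludes that profile changes need an Administrator account, one way to narrow what the internet can reach is a small relay that accepts only a token and an allow-listed profile number and then calls the URL from the first post on the LAN. The relay token, port 8099, the form-encoded POST body and the `upstream_url` helper are assumptions of this sketch; the address and `user`/`pw`/`profile` parameters are the placeholders from the thread, and the relay is meant to sit behind a TLS terminator so the token is not sent in plain text.

```python
import hmac
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# All values below are placeholders/assumptions for this example.
BI_BASE = "http://192.168.0.50:10001/admin"   # LAN address from the first post
BI_USER, BI_PW = "user", "password"           # BI admin login; never leaves the LAN
RELAY_TOKEN = "replace-with-long-random-secret"
ALLOWED_PROFILES = {"1", "2"}                 # the only profiles the poster switches between


def upstream_url(form_body: str, expected_token: str = RELAY_TOKEN) -> str:
    """Validate a form-encoded webhook body; return the LAN URL to call."""
    fields = urllib.parse.parse_qs(form_body)
    token = fields.get("token", [""])[0]
    profile = fields.get("profile", [""])[0]
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        raise PermissionError("bad token")
    if profile not in ALLOWED_PROFILES:
        raise ValueError("profile not allowed")
    query = urllib.parse.urlencode({"user": BI_USER, "pw": BI_PW, "profile": profile})
    return f"{BI_BASE}?{query}"


class Relay(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = min(int(self.headers.get("Content-Length") or 0), 256)
            body = self.rfile.read(length).decode("utf-8", "replace")
            urllib.request.urlopen(upstream_url(body), timeout=5).close()
            status = 204
        except PermissionError:
            status = 403
        except (ValueError, OSError):
            status = 400
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep request details out of stderr logs


if __name__ == "__main__":
    # Bind to loopback; the TLS terminator (e.g. stunnel) forwards here.
    HTTPServer(("127.0.0.1", 8099), Relay).serve_forever()
```

With this in front, only the relay port is forwarded; the Blue Iris web server and its admin credentials stay on the LAN, and a caller holding the token can do nothing except select profile 1 or 2.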
 