Foscam Calling Home

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
I've been saying for a long time not to trust your cameras, and today this article hit the mainstream news:

source: http://thenewstack.io/snooping-webcam-reveals-security-dangers-internet-things/

“I had cut off anything that should have caused the camera to ‘phone home’, but it still insisted on sending out UDP 10001 to several different IPs,” posted another user a few days later. “My router blocked the incoming responses, so no conversation was actually created, but my firewall was reporting about 16,000 attempted connections (4,000 to each of four different IPs).” First, this behavior is activated by default, until the user proactively disables it. And second: disabling it doesn’t really work. “Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online…”
It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network. Given the seemingly cavalier attitude and the almost certain lack of automatic updates, it is almost certain that these devices are remotely exploitable.
Not only should we all take steps to avoid exposing our cameras to the internet, we also should take steps to prevent our cameras from even accessing the internet. And Foscam is not the only one; everything is doing this crap.
 

ruppmeister

Getting the hang of it
Joined
Apr 15, 2015
Messages
668
Reaction score
98
@nayr, can you recommend a good firewall to install to prevent the "phone home" from the IoT devices a lot of us have installed these days? I have a router that does NATing, but it really leaves a lot to be desired for packet inspection and reporting in the logs. Thanks.
 

mcorzine

Young grasshopper
Joined
Feb 29, 2016
Messages
40
Reaction score
13
Location
Illinois
I'm sure @nayr has some good ideas; I've read some of his prison implementations. However, I chose to put my cameras on an air-gapped network (a physically separate network that does not route to the internet). To access the cameras remotely I use a second NIC in my PC running Blue Iris. Then I can access my Blue Iris server from the internet.
 

nayr

@mcorzine has probably the simplest solution for the majority of people, especially BI users.

These guys have lots of ways to phone home; some may seem innocuous enough that you might not even pick up on them. The only way you can be sure is to set up explicit firewall rules that forbid the IP cameras from talking to anything on the internet; however, you may need to run your own mail/NTP server locally with the blackhole-them-entirely approach.

Alternatively, you could go for a static IP setup with no configured gateway; they will only talk to the local subnet and nothing else. It's still a good idea to put some firewall rules in, just in case.
 

nayr

VPN is for getting remote access securely; you still should firewall your cameras off to ensure they are incapable of bypassing your VPN and poking their own holes.
 

ruppmeister

Are we talking a true firewall or is a simple home router going to work to block these cameras?


 

nayr

I'm not sure what you are trying to imply by "true firewall", but if your simple home router is capable of defining firewall rules then it's a true firewall in the sense that it's external from the cameras and outside their influence.

Depends on the router, but many good ones let you define host groups, where you can put all your IPCs' IP addresses. Then you can set up a few simple rules in this order:

1. Reject All outbound TCP/UDP Connections in Group
2. Drop All outbound ANY Connections in Group

And that should do it. The first reject is kindly telling the device it can't access it; this can help prevent it from hanging while it's trying to make an internet connection. Instead of waiting for the drop to time out, it instantly knows that it does not have access and won't just keep waiting, which could chew up resources. But that won't stop other protocols such as ICMP, so the second rule catches anything that slips by the reject.

You should be able to verify by trying to NTP/FTP/email off your camera to something online; it should just throw an error about not being able to connect, or simply do nothing at all if it's really stupid.
 
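An added example, not from nayr's post or any router vendor: a small Python model of the two-rule ordering above (with an explicit local-allow in front of it, so the cameras can still reach an NVR or a LAN-side NTP/mail server), and the same policy rendered as an nftables forward chain. The camera addresses, local subnets and destination addresses are constructed, and the nftables rendering is one assumed target; an EdgeRouter or Untangle box expresses the same three rules in its own UI. The evaluator shows the point of rule 2: with only the TCP/UDP reject in place, a camera ping to the internet goes straight through.

```python
"""Added example (not from the thread): first-match firewall rules that wall
off an IP-camera host group, with a tiny evaluator showing why the TCP/UDP
reject rule on its own still lets ICMP out.  All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed host group: the cameras' static addresses (assumed values).
CAMERAS = frozenset({"192.168.254.10", "192.168.254.11"})
# Constructed: local networks the cameras may still reach (NVR, LAN-side NTP/mail).
LOCAL = [ipaddress.ip_network("192.168.1.0/24"),
         ipaddress.ip_network("192.168.254.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept", "reject" or "drop"
    protos: Optional[frozenset]     # None matches any protocol
    dst_local: Optional[bool]       # True: local dst, False: non-local, None: any

    def matches(self, p: Packet) -> bool:
        if p.src not in CAMERAS:
            return False
        if self.protos is not None and p.proto not in self.protos:
            return False
        if self.dst_local is not None:
            is_local = any(ipaddress.ip_address(p.dst) in n for n in LOCAL)
            if is_local != self.dst_local:
                return False
        return True


# The ordering from the post: (1) reject TCP/UDP so the camera fails fast,
# (2) drop anything else so ICMP and other protocols do not slip through.
# An explicit accept for local destinations sits in front of both.
RULES: List[Rule] = [
    Rule("accept", None, True),
    Rule("reject", frozenset({"tcp", "udp"}), False),
    Rule("drop", None, False),
]
REJECT_ONLY = RULES[:2]             # what you get if you stop after rule (1)


def verdict(rules: Iterable[Rule], p: Packet, policy: str = "accept") -> str:
    """First matching rule wins; unmatched traffic gets the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy


def nft_ruleset() -> str:
    """Render the same policy as an nftables forward chain (an assumed target;
    an EdgeRouter or Untangle box expresses the same three rules in its own UI)."""
    cams = ", ".join(sorted(CAMERAS))
    nets = ", ".join(str(n) for n in LOCAL)
    return (
        "table inet camwall {\n"
        f"    set cameras {{ type ipv4_addr; elements = {{ {cams} }} }}\n"
        f"    set local {{ type ipv4_addr; flags interval; elements = {{ {nets} }} }}\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        "        ip saddr @cameras ip daddr @local accept\n"
        "        ip saddr @cameras meta l4proto { tcp, udp } counter reject\n"
        "        ip saddr @cameras counter drop\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    cam, outside, nvr = "192.168.254.10", "203.0.113.5", "192.168.1.5"
    for pkt in (Packet(cam, outside, "udp", 10001),   # P2P probe to the internet
                Packet(cam, outside, "icmp"),         # ping to the internet
                Packet(cam, nvr, "tcp", 554)):        # RTSP to the local NVR
        print(f"{pkt.proto:4} -> {pkt.dst:14} full: {verdict(RULES, pkt):6} "
              f"reject-only: {verdict(REJECT_ONLY, pkt)}")
    print(nft_ruleset())
```

The `counter` keywords on the reject and drop rules are what make the verification step cheap: after a day, non-zero counters on a camera that supposedly has P2P and DDNS disabled tell you it is still trying.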

ruppmeister

I was implying a stateful inspecting firewall vs. a firewall that is simply trying to follow NAT tables when packets start flying. Your article suggested these IoT devices are able to open up the firewall ports and allow themselves out of your network. I guess I was thinking that these devices were either fooling the NAT table to allow access or creating a new rule allowing them to traverse out of the network. I just want to be certain that my firewall is actually blocking the outgoing attempts, since I don't have a way to ensure it with logs from my device (too basic of a router, being an AirPort Extreme with zero logging of packets).


 

nayr

If you can create an outbound connection you can reverse a tunnel through that connection; that's how all this cloud P2P crap works through your firewall.

Blocking outbound connections prevents this from occurring, but only if you block everything.
 

atom

Getting the hang of it
Joined
Feb 3, 2015
Messages
323
Reaction score
97
Location
Australia
I have a box running the Untangle firewall between my modem/router and the main switch. Out of interest, I just added firewall rules to block and flag any attempts by the one no-name cam I have on my network to connect to anything outside the LAN. This is a cam that, when I set it up, I went through all of the network options and disabled them except for RTSP.

Turns out, this thing is attempting to make about 18 connections/minute. They include connections to various IPs (mostly belonging to AWS, so could be running anything) on ports such as 7999, which has some really comforting known vulnerabilities (worms, backdoors, etc.)!

Thanks for the heads-up @nayr. I shouldn't have been so slack for so long ( I really should know better...)! Time to add some of the other cams and see out of interest if they're trying anything questionable too.
 
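An added example (not atom's or nayr's code) for the verification step nayr describes and the blocked-connection counts atom and ruppmeister report: it parses syslog-style firewall log lines of the kind a reject/drop rule with logging enabled writes, and summarises, per camera, how many outbound attempts were blocked, at what rate, and to which destination/port. The `CAMWALL-` log prefix, interface names, addresses and ports are all constructed for the example; unrelated syslog lines are skipped.

```python
"""Added example (not from the thread): summarise blocked phone-home attempts
from firewall log lines so a camera that keeps trying after "P2P" is disabled
stands out.  The log format, prefix and addresses are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: syslog lines in the style a Linux/EdgeOS box writes for
# firewall rules with logging enabled (prefix CAMWALL-*, interfaces, addresses
# and ports are all assumed for the example).
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [CAMWALL-REJECT] IN=eth2 OUT=eth0 SRC=192.168.254.10 DST=203.0.113.5 PROTO=UDP SPT=10001 DPT=10001 LEN=48
Mar  3 10:15:01 gw kernel: [CAMWALL-REJECT] IN=eth2 OUT=eth0 SRC=192.168.254.10 DST=203.0.113.6 PROTO=UDP SPT=10001 DPT=10001 LEN=48
Mar  3 10:15:04 gw kernel: [CAMWALL-REJECT] IN=eth2 OUT=eth0 SRC=192.168.254.10 DST=198.51.100.20 PROTO=TCP SPT=40112 DPT=7999 LEN=60
Mar  3 10:15:31 gw kernel: [CAMWALL-REJECT] IN=eth2 OUT=eth0 SRC=192.168.254.10 DST=203.0.113.5 PROTO=UDP SPT=10001 DPT=10001 LEN=48
Mar  3 10:16:01 gw kernel: [CAMWALL-DROP] IN=eth2 OUT=eth0 SRC=192.168.254.10 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:16:01 gw kernel: [CAMWALL-REJECT] IN=eth2 OUT=eth0 SRC=192.168.254.11 DST=192.0.2.9 PROTO=UDP SPT=123 DPT=123 LEN=76
Mar  3 10:16:01 gw sshd[1201]: Accepted publickey for admin from 192.168.1.20 port 51522
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[CAMWALL-(?P<rule>REJECT|DROP)\] "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dport>\d+))?"
)


def parse(log: str) -> List[dict]:
    """Keep only CAMWALL lines; unrelated syslog entries are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year; fine for computing a span within a day.
        ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
        ev["dport"] = int(ev["dport"]) if ev["dport"] else None   # ICMP has no port
        events.append(ev)
    return events


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Per source address: blocked attempts, rate per minute, destinations by count."""
    by_cam = defaultdict(list)
    for ev in events:
        by_cam[ev["src"]].append(ev)
    report = {}
    for cam, evs in by_cam.items():
        first = min(ev["ts"] for ev in evs)
        last = max(ev["ts"] for ev in evs)
        span_min = max((last - first).total_seconds() / 60.0, 1.0)   # floor: one minute
        dests = Counter((ev["dst"], ev["proto"], ev["dport"]) for ev in evs)
        report[cam] = {
            "attempts": len(evs),
            "per_minute": round(len(evs) / span_min, 2),
            "by_rule": dict(Counter(ev["rule"] for ev in evs)),
            "destinations": dests.most_common(),
        }
    return report


if __name__ == "__main__":
    for cam, info in summarize(parse(SAMPLE_LOG)).items():
        print(f"{cam}: {info['attempts']} blocked ({info['per_minute']}/min) {info['by_rule']}")
        for (dst, proto, dport), n in info["destinations"]:
            print(f"    {n:3} x {proto} {dst}:{dport}")
```

Feed it a day of real logs and the per-destination counts are what tell you whether a camera is merely looking for a local NTP server (one address, port 123) or walking a list of cloud relays; a router with no packet logging at all, like the AirPort Extreme mentioned above, gives you nothing to feed it, which is the practical argument for putting a loggable firewall in front of the cameras.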

nayr

I was serious when I said they all do it; that's why I have mine on a walled-off VLAN. I don't even trust them to talk to my main network, let alone the internet.

If you're going to get a bunch of IoT devices, cameras, or things you don't trust to have access to your LAN, then buy a router like the Ubiquiti EdgeRouter Lite with 3 separate interfaces: one is for your internet, and set up the other two as separate subnets, one for trusted devices and one for untrusted. You don't need to do VLANs; just use separate switches and simply put anything you don't trust into the walled-garden switch, then anything you do trust put on your normal LAN, so all your apps/games/sites work without giving you grief.

Trusted: 192.168.1.0/32
Untrusted: 192.168.254.0/32

Anything not on the same network (subnet) will have to connect to the router and will encounter the firewall rules. You can put your NAS on your trusted network, then open up only the ports your cameras need to connect to your NAS, or put your NVR on the untrusted network and open up just the ports so your LAN can access streams off the NVR. The Ubiquiti EdgeRouter will transmit gigabit wire speeds across subnets without an issue while filtering the traffic; it'll never be a bottleneck, and they'll perform like one big happy network with a guard in the middle. You really can't find a better-performing router for the price.

Then you run a VPN to connect you to your trusted network. It's not really all that difficult to do; most people simply don't know how. So here you go, that's how you do it.

I use the Ubiquiti EdgeRouter PoE; it's worth the extra money for 3 gigabit PoE ports and plugging 3 of their dual-band AC access points into it. That's how I get 100 Mbit internet on WiFi anywhere in the house; I can push 300 Mbps+ through easily on any device from anywhere. The access points are on their own subnets/VLANs, so you have secure guest WiFi you can put firewall filters on, different firewall filters for wireless devices, etc. I run an openwireless.org network with a ton of rules and no crypto; I figure nobody really wants to hack your secure WiFi if you give 'em an open one, and I don't have to give guests a password.
 

atom

Great stuff, thanks nayr. I have a few IoT devices (such as a Ninja Block, and others waiting to be played with...), so I'll look into doing as you suggest. I like the idea of 'physically' separating my work machines from the non-work devices.
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
I've been saying for a long time not to trust your cameras,....
Not only should we all take steps to avoid exposing our cameras to the internet, we also should take steps to prevent our cameras from even accessing the internet. And Foscam is not the only one; everything is doing this crap.
Geez, just saw your post... Funny, just the other day I'm streaming my Foscam through my phone at the office and it starts PTZ'ing all around on its own... I move it back to where I want it (looking at my driveway out a spare bedroom window), and a few seconds later it zooms back around into the bedroom, again and again for a few minutes, then stops!

I just assumed it was lag response and I was hitting the PTZ buttons wrong but it happened too many times in a row...so who knows?

I need to look more into what you are talking about in this thread to separate stuff from my network.
Unfortunately, like a lot of us out here, I'm tech savvy to an extent but this will be a learning curve to set up properly.

Also, if you block it all off from the internet, does that mean I sacrifice my own ability to view/control my cameras remotely myself from my phone, tablet, etc.?
 

LeeH

Getting the hang of it
Joined
Jul 28, 2015
Messages
276
Reaction score
98
Location
United Kingdom.
I'm trying to set up a VPN with my ASUS router but I think it hates me.
 

mcorzine

I'm not sure about stunnel, it appears to be a proxy server that has some access control features. I would be concerned that it may open other possibilities for an attacker to gain access. I'll admit I'm not familiar with it though.

I agree with Nayr's method of using firewall and routing rules, this is definitely the most effective without sacrificing functionality.

You could set up a rule to only allow traffic from your Cellular provider's network or utilize a VPN that sits on your network and only allow traffic to/from devices on your local subnet. This method is known as whitelisting, it means to only grant access to the devices that need it and drop the packets of anyone else.

IMO, routing and firewall statements are easy ONCE you figure them out. Routers and firewalls are also cheap and easy to install. Understanding the statements, interfaces to use them on, and subnets to permit/deny is the difficult task.

I've dabbled with m0n0wall and pfsense (free Linux based firewalls) but I've not gotten very far due to the huge task of learning the user interfaces and understanding how the software components relate to my hardware. From what I hear, they are fantastic products.

 

nayr

@nayr, what is your opinion on using Stunnel to provide a https connection for remote viewing with Blue Iris instead of going through a VPN?
Unless that stunnel is doing x509 auth or something, it's not doing anything but providing crypto. You also need secure and external authentication, which that strategy does not provide.

Now if you set up something like Nginx and do an x509 TLS proxy to BI, that would be fine; you can't brute-force x509 certs, and that's how I access my home automation system. I wrote the entire thing up; you should be able to apply it to BI instead of Domoticz, it'd be much the same: https://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,952
Reaction score
6,786
Location
Scotland
I chose to put my cameras on an air-gapped network (A physically separate network that does not route to the internet). To access the cameras remotely I use a second NIC in my PC running Blue Iris. Then I can access my Blue Iris server from the internet.
Admittedly being a little picky here, an air-gapped network is just that - no connections whatsoever to any other network, not even via a firewall.
It's what is supposed to happen in utilities environments, but doesn't always.

To access the cameras remotely I use a second NIC in my PC running Blue Iris. Then I can access my Blue Iris server from the internet.
Is this the Blue Iris client, or the Blue Iris server here?
Either way, it sounds like you are exposing a PC on the network to the internet via some unspecified method. That PC, it seems, has full access to your network.
That's not actually a secure method - it simply adds a bit more obscurity.
If the PC that's accessible from the internet was compromised, you have to assume that the whole network is also.
 