Hacked? My cameras had access to the internet

Cold-Lemonade

Apr 1, 2021
While doing some maintenance on my network, I had forgotten to disconnect my cameras from the switch and, as a result, my ip cameras had access to the internet for about 30 minutes. When I checked the firewall logs after discovering this error, I could see that the private ip addresses associated with the ip cameras were communicating with a public ip address associated with Amazon Web Services and that this ip address was trying to connect to various ports on my router.

How bad do you think the situation is? When I realized the cameras could access the internet, I immediately disconnected the switch to them. I have since rebooted my router to get a new public ip address. These cameras are branded Amcrest, Marquis, and Anpviz (I think the latter two are Hikvision clones). I had changed the passwords to the cameras. I haven't checked the logs inside the cameras yet. Going to do that after I post this thread.

Unfortunately I was working right in front of several of these cameras so if they were sending video out to that Amazon Web Services machine they would have that video.

Any suggestions for other actions to take?
 
Here are the two ip addresses that my cameras contacted and were trying to connect to my router afterwards:

3.236.167.184 (This one is associated with Amazon Web Services) trying to connect from port 443 to port 39359.
208.67.75.242 (This one is associated with OpenDNS) trying to connect on port 123 so probably an NTP server of some sort and not much to worry about.
 
The cameras probably have P2P type NAT traversal enabled for easy remote access. They could also be checking an update server. Typically these options can be disabled in the camera settings. Disable those and then see how chatty the camera is.
 
Most camera manufacturers use Amazon etc. data centers as points of contact for their cameras when they check for updates or for communications to P2P servers etc.
They're not connecting directly into a server in the factory in China.

I think in this case that is what you're seeing.
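
One way to check whether the "inbound" packets described in the opening post are replies to flows the cameras opened themselves, as an added example that is not part of the original thread. The log lines are constructed in iptables LOG style; the camera range, interface names and WAN address are assumptions, and only the two remote addresses come from the thread.

```python
import ipaddress
import re

# Constructed sample lines in iptables LOG style. The camera addresses,
# the WAN address 198.51.100.7 and the host 203.0.113.9 are made up.
SAMPLE_LOG = """\
IN=br0 OUT=eth0 SRC=192.168.1.64 DST=3.236.167.184 PROTO=TCP SPT=39359 DPT=443
IN=br0 OUT=eth0 SRC=192.168.1.65 DST=208.67.75.242 PROTO=UDP SPT=123 DPT=123
IN=eth0 OUT= SRC=3.236.167.184 DST=198.51.100.7 PROTO=TCP SPT=443 DPT=39359
IN=eth0 OUT= SRC=208.67.75.242 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123
IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51515 DPT=23
"""

CAMERA_NET = ipaddress.ip_network("192.168.1.64/27")  # assumed camera range
WAN_IF = "eth0"                                       # assumed WAN interface
FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Turn one KEY=VALUE log line into a dict."""
    return dict(FIELD.findall(line))


def classify(log_text):
    """Label each WAN-side inbound packet as a reply or as unsolicited.

    An inbound packet counts as a reply when a camera earlier opened a flow
    to the same remote address and port with the same protocol.
    """
    contacted = {}   # (proto, remote_ip, remote_port) -> camera IP
    findings = []
    for line in log_text.splitlines():
        f = parse(line)
        if not f.get("SRC"):
            continue
        if ipaddress.ip_address(f["SRC"]) in CAMERA_NET:
            contacted[(f["PROTO"], f["DST"], f["DPT"])] = f["SRC"]
        elif f.get("IN") == WAN_IF:
            camera = contacted.get((f["PROTO"], f["SRC"], f["SPT"]))
            verdict = "reply-to-camera" if camera else "unsolicited"
            findings.append((f["SRC"], f["SPT"], f["DPT"], verdict, camera))
    return findings


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```

Packets labelled "unsolicited" are the ones with no matching camera-initiated flow and deserve a closer look; the others point back at a camera feature such as P2P, update checks or NTP that can be disabled in the camera settings.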


Before u go on this wild goosechase, if the cams are not showing anything sensitive just forget about it and move on.
Are you familiar with the term "Lateral Movement" in regards to cyber security?
 
Before u go on this wild goosechase, if the cams are not showing anything sensitive just forget about it and move on.


Paranoia can send u crazy
Whether or not the camera is pointed toward "anything sensitive" is not the issue.......a camera that has been hacked can be used to access your LAN and install a bot that can provide DoS (Denial of Service) and take down your entire network and/or attack outwardly from your LAN.

Being concerned about and providing network security is not being paranoid, it's being wise. :cool:
 
Tonyr, the op claimed himself the issue that he was working directly in front of the camera for 30 mins.

He also said he corrected the original vulnerability.

After checking firewall logs to match the ips how far do you expect him to go?

If the attacker was proficient they could deploy their payload from an aws, therefore ip matching may not yield anything useable.

A sophisticated botnet isn't easily detectable and you could spend hours looking for something that potentially isn't there

If you're that concerned re-flash your NVR firmware and wipe your connected host machines.
 
He also said he corrected the original vulnerability.

What, changing the camera password?

After checking firewall logs to match the ips how far do you expect him to go?
Isolate the cameras from the Internet.

If the attacker was proficient they could deploy their payload from an aws, therefore ip matching may not yield anything useable.

A sophisticated botnet isn't easily detectable and you could spend hours looking for something that potentially isn't there

If you're that concerned re-flash your NVR firmware and wipe your connected host machines.

Hmmmm. That reads like something from the Internet copied and pasted. :wtf:
 
Isolate the cameras from the Internet.

He already did that by disconnecting the switch - it's in his opening post, once again you failed to read and offer nothing new

Hmmmm. That reads like something from the Internet copied and pasted. :wtf:



Hmmmm. Your post reads like a reply somebody would give when they don't have a counter to the valid points raised

Says it all lol

Don't get triggered old man
 
He already did that by disconnecting the switch - it's in his opening post, once again you failed to read and offer nothing new





Hmmmm. Your post reads like a reply somebody would give when they don't have a counter to the valid points raised

Says it all lol

Don't get triggered old man
So in your mind it was practical for him to isolate the cameras by disconnecting the switch....that sounds like how you would do it......then why even have cameras? In case you are wondering, there are other ways you can isolate cameras from the Internet other than by rendering them useless.

Why are you calling me "old man" ? Why such disrespect? In case you didn't notice, "Scottie", I don't get triggered by noobs that joined 2 days ago and whose experience with network security came about by owning a Lorex boxed kit....:lmao:
 
Hey, @Lorex_Sucks ...you said I offer nothing new. How about this?
You better disconnect your switch...we can see you! :lmao:
