Hacking your network from an IP camera

[korin]

What solutions have you found to secure your network from unauthorized access through the LAN connection on an IP camera? I'm considering an IP doorbell camera, but one thing that concerns me is that ability of a technically savvy intruder to access the LAN connection in the back of the camera. I imagine it's a fairly remote possibility right now, since most intruders are most likely opportunistic burglars looking for a quick and easy score, but as network connected security devices become more popular, the frequency and sophistication of attacks is sure to increase. This may sound like something from a Hollywood movie, but I assure you that these are all completely plausible scenarios that could be performed by any determined attacker with common network intrusion skills.

Consider the implications if an intruder is able to access the LAN connection of an IP security camera. With direct access to the network switch he could perform several forms of attack. If the camera is POE, he could just short the power pins to fry the switch. High-end switches have short protection to prevent one port from shorting out others, but a lower end switch won't have this protection and a short could potentially take out all of your cameras, or even your whole network. Alternatively, he could send a high voltage current through the cable to short out the switch. See this Slashdot thread about a security researcher who built an ethernet "deathray" device to kill networks https://tech.slashdot.org/story/15/...ethernet-to-kill-computer-infrastructure-dead

Alternatively, if he's a bit more sophisticated, he could use the LAN connection to access your network directly. MAC filtering is of little help, since he could easily spoof the MAC address of the camera that he has just removed. At the very least, he may have direct access to your NVR. At worst, he could also access to all of your camera feeds, or even every device on your network. Imagine what he could do with this. He could directly access your video storage to download or delete footage. Not only can he view the live feeds from your cameras, but he could even install a small wireless access point of his own and then replace the camera to allow himself to remotely monitor your cameras. Now, with remote access to your network, he could take his time attempting to hack into any computers and other networked devices to install malware or steal data. He could even simply use your internet connection for illegal activities that would be traced back to you.

I can think of some basic measures you can take to help protect yourself, roughly in order of complexity/expense:

• Use a secure password on your NVR - Never use the default password! Assume that anyone can access the login prompt and attempt to guess the password or use a computer to brute-force it. Make sure that you keep the firmware or software up to date and apply any security fixes. If available, enable security features to lock out access after a number of unsuccessful attempts.
• If you are running a software NVR rather than a hardware one, you are at an advantage because you have control over the hardware and OS. Add a second NIC to the machine, put your cameras on a dedicated switch and connect this switch directly to the NVR through the secondary NIC. Configure the OS to not block any logins or other access from the camera network. Only allow the protocols needed to control and monitor the cameras. Connect to your main network through the primary NIC. This will at least limit the attacker's access to just the camera network. They would have to hack into the NVR to access your storage, computers and other network devices.
• Consider the devices on your camera network to be untrusted. Add a stateful firewall between the cameras and the NVR and only allow outbound traffic from the NVR that is necessary to monitor and control the cameras. Don't allow any unsolicited inbound traffic from the camera network.
• If you can afford it, use a managed switch for your camera network. Enable security features to prevent Layer 2 attacks that could be used to access other devices on the switch. See https://howdoesinternetwork.com/2011/switch-security-attacks
• Use cameras with tamper switches. Configure the tamper switch to execute a script on activation that will immediately down the network port that the camera is connected to and trigger an alarm (you'll need to allow this trigger to pass through your firewall). If an attacker removes the camera from the wall, the script should completely disable that LAN port on the switch and alert you to the intrusion. This alone could prevent most attacks, but it requires a managed switch and some programming ability. This is only theoretical, since I don't have any cameras with tamper switches, and don't know how configurable they are. Also, if the attacker knows the location of the tamper switch and is able to prevent it from tripping during removal, he can circumvent the protection, so the other security measures are still important.
• Put surge protectors on your most vulnerable LAN connections, to prevent high-voltage surges from damaging the switch or other downstream devices. This will impact the performance of the connection, and could get expensive for more than a few ports, but might be worth it if you really want to protect against destructive power spike attacks, like the "deathray" device mentioned above. Something like this might help: https://smile.amazon.com/dp/B00805VUD8

Any thoughts or other suggestions?

 

[nayr]

only had time to read your first paragraph, but the answer is multifaceted:

1. VPN Server for Remote Access, x509 certs for each device with remote access is the most secure.
2. Isolated LAN Segment for Cameras/NVR on another subnet, aka Walled Garden.
3. Router/Firewall routing traffic from NVR to LAN, with very restrictive rules on what the NVR can access.
4. Blackhole all internet traffic too/from Walled Garden, run a local NTP Service for time and a local Mail server for mail.
5. Optional but extra hardening, Radius Authenticated Network ports.. if someone unplugs a camera and tries to use the network cable it will be dead.

there are backdoor passwords and security holes that allow remote code execution, secure passwords alone will not protect you.

 

[xman111]

I think you are too worried, i know that isn't very constructive but I think you have thieves that steal your shit around the house and thieves that steal your shit on the Internet.

 

[korin]

only had time to read your first paragraph, but the answer is multifaceted:

1. VPN Server for Remote Access, x509 certs for each device with remote access is the most secure.
2. Isolated LAN Segment for Cameras/NVR on another subnet, aka Walled Garden.
3. Router/Firewall routing traffic from NVR to LAN, with very restrictive rules on what the NVR can access.
4. Blackhole all internet traffic too/from Walled Garden, run a local NTP Service for time and a local Mail server for mail.
5. Optional but extra hardening, Radius Authenticated Network ports.. if someone unplugs a camera and tries to use the network cable it will be dead.

there are backdoor passwords and security holes that allow remote code execution, secure passwords alone will not protect you.

Thanks, nayr, those are all great suggestions. I currently have my cameras on an isolated switch, but haven't yet implemented a VPN for accessing the NVR (I'm running BlueIris).
Do IP cameras frequently support RADIUS authentication? I'm pretty sure that mine don't, since I initially just needed to get something up and running on the cheap, but I'm looking towards upgrading in the future. I haven't seen a doorbell cam that lists RADIUS a feature. Without some sort of protection on the individual switch ports, even with the cameras and NVR isolated from the internet and primary network, an attacker with access to one camera could gain access to the switch and potentially to the feeds from other cameras on the same switch, as well as the NVR itself. This is what I hope to address with a managed switch and a tamper detection alarm on the camera as described in my original post, but I don't yet have a camera with tamper detection to test it on and even a small POE switch with management capabilities is pretty pricey.

I think you are too worried, i know that isn't very constructive but I think you have thieves that steal your shit around the house and thieves that steal your shit on the Internet.

Xman111, if you're suggesting that the thieves who rob your house and the ones who steal information over the internet aren't the same people, then I think that is just naive. Perhaps it's relatively uncommon right now, but I have been working in computer and network security for almost 20 years, and I can guarantee that these types of attack are practical right now, and that within a very short time they will become commonplace. I'm sure you've already read news stories of people installing malware on laptops and hacking cloud-connected webcam feeds to collect material for blackmail. It's not much of a stretch to see how an unsecured IP camera installed outside your house could provide full access to your whole network just by plugging in a laptop.

 

[nayr]

My dahua's do, dunno i guess it'd depend on cameras, cheap consumer cameras are unlikely to support it..

You need a switch that supports port based auth, then the radius server.. it is a bit overkill for most residental uses, this is more for commercial and public spaces where its a real concern.. I dont even have it enabled, because well they are pretty damn isolated and getting on the network does not grant you access to my LAN or anything else other than camera feeds.

 

[xman111]

Xman111, if you're suggesting that the thieves who rob your house and the ones who steal information over the internet aren't the same people, then I think that is just naive.

I guess I really didn't think about it. I was more worried about my cameras phoning home to China or something. I always just thought about people casing the house for a tv, jewelry, or a mountain bike. Guess I will have to give it a little more thought.

I also have my cameras on a separate VLAN with no internet access or no access to other computers on my LAN.

 

[fenderman]

I guess I really didn't think about it. I was more worried about my cameras phoning home to China or something. I always just thought about people casing the house for a tv, jewelry, or a mountain bike. Guess I will have to give it a little more thought.

Dont worry about it...this type of attack does not happen in the real world. Do you think a criminal with that skill set will sit outside your house with a laptop trying to steal your data?
Furthermore, they would need to get close to you camera and disable it, if you have alerts setup for no signal you would watch the video and call the cops.

 

[nayr]

most hackers want your cameras, not for what they can see.. but the havoc they can wreak on the internet, most internet connected cameras have some pretty decent internet throughput backing them up.

https://twitter.com/olesovhcom/status/779297257199964160

but yeah, people also hack cameras for fun and games.. all sorts of internet videos of people getting harassed by there own hijacked cameras.. ex-wives/husbands/boyfriends/girlfriends, all sorts of shit

 

[tangent]

Perhaps it's relatively uncommon right now, but I have been working in computer and network security for almost 20 years, and I can guarantee that these types of attack are practical right now, and that within a very short time they will become commonplace. I'm sure you've already read news stories of people installing malware on laptops and hacking cloud-connected webcam feeds to collect material for blackmail. It's not much of a stretch to see how an unsecured IP camera installed outside your house could provide full access to your whole network just by plugging in a laptop.

Their are easier things to target in your typical residence. Like WPS PIN enabled routers or brute forcing a weak WPA password.

For the time being, I think mounting something like a low camera or intercom station with security torx screws is about as far as you really need to take it.

 

[copex]

Dont worry about it...this type of attack does not happen in the real world. Do you think a criminal with that skill set will sit outside your house with a laptop trying to steal your data?
Furthermore, they would need to get close to you camera and disable it, if you have alerts setup for no signal you would watch the video and call the cops.

Oh i wish this was true, i have used it many times to gain access to a network even where the network is vlan'd though domestic networks it normally easier to hack the router its fun telling the IT manager how you accessed the network via the CCTV network i mean who is going to walk up to a building go up a set of ladders pop the lid off the junction box and connect a device to allow wifi access i mean that would be crazy right?

 

[fenderman]

Oh i wish this was true, i have used it many times to gain access to a network even where the network is vlan'd though domestic networks it normally easier to hack the router its fun telling the IT manager how you accessed the network via the CCTV network i mean who is going to walk up to a building go up a set of ladders pop the lid off the junction box and connect a device to allow wifi access i mean that would be crazy right?

You've used it to gain access to home networks to steal Info? Stop being silly... there is zero risk of this...this is a private home...

 

[fenderman]

Get a decent router?

On my router I can simply click on any device that is connected and "block internet access" for that device

That won't prevent network access by another device connected to the lan cable...

 

[nayr]

I run a OpenWireless.org access point, why hack my networks when I'm already giving you free internets..

 

[bike_rider]

I can't imagine anyone who works in network security allowing open ports into their home network through anything other than a VPN (or similar) device. The line "it is only a home network" is naive. So much network attacking is done in an automated or semi automated way that the "why would anyone care about my stuff" line is not relevant.

And, the internet of things is, in its current state, a public menace.

 

[korin]

Get a decent router?

On my router I can simply click on any device that is connected and "block internet access" for that device

Your router most likely performs this function by blocking the MAC or IP of the device. Plugging in a device with a different MAC or IP would easily bypass this restriction, not to mention that blocking internet access doesn't prevent the rogue device from accessing anything on your local network.

 

[korin]

I can't imagine anyone who works in network security allowing open ports into their home network through anything other than a VPN (or similar) device. The line "it is only a home network" is naive. So much network attacking is done in an automated or semi automated way that the "why would anyone care about my stuff" line is not relevant.

And, the internet of things is, in its current state, a public menace.

I completely agree with you, but securing inbound access from the internet is a completely different matter and one that is fairly well understood by security conscious users. I'm talking about unauthorized network access over existing physical LAN connections attached to accessible IP cameras, such as those mounted on the exterior of a home or business. These are of course much less exposed, since they require an intruder to physically access the cable, but I think its precisely the "I don't need to secure it because who would care enough to break into my stuff" attitude that will ultimately make them a very tempting and soft target.

 

[bike_rider]

I completely agree with you, but securing inbound access from the internet is a completely different matter and one that is fairly well understood by security conscious users. I'm talking about unauthorized network access over existing physical LAN connections attached to accessible IP cameras, such as those mounted on the exterior of a home or business. These are of course much less exposed, since they require an intruder to physically access the cable, but I think its precisely the "I don't need to secure it because who would care enough to break into my stuff" attitude that will ultimately make them a very tempting and soft target.

It's an interesting attack vector. For most people on this forum, they are not protecting a high value target, so the risk is residual. On a forum like IPVM, the topic might gain more traction.

 

[Redemption]

Interesting topic. Cheap quick solution. two routers, one for the home network and one for the camera network. If they fry the camera router, problem will not spread to the home network. If they connect to port they can only try hack access to your other cameras, they would have to hack your other router just like anyone else on the internet to get access to your home network. Now if that sounds expensive then you have nothing worth protecting and in that case I would remove both routers and give everyone access to the network

 

[copex]

You've used it to gain access to home networks to steal Info? Stop being silly... there is zero risk of this...this is a private home...

Yes but with permission

 

[vmsguy]

I blocked all of my cameras and the NVR from accessing the Internet at the cable modem.

I then bought a cheap linksys E1200 refurbished on Amazon and flashed it with DD-WRT and configured OpenVPN.
I used Ubuntu to generate my certs and I can access my NVR and/or cameras using OpenVPN from my work PC or my iPhone.

All devices in my home network are on the 192.168.1.x subnet, and when using OpenVPN from outside, I come in on 192.168.3.x, and the DD-WRT based router routes me to the 192.168.1.x subnet.

It took me a few days of reading blogs/tutorials but I was able to get it working. It works quite well, and is stable. I have an 8Mbits uplink service from suddenlink and I can easily stream video without too much lag.