I have a camera under attack. How are they doing this?

dtm

n3wb
Jun 25, 2017
I have a camera at a remote location that is being attacked. This is an ICSEE type cheap Chinese camera. I have an open port on the router and since it is remote I can't easily change the port number. I did change the password on the camera but that had no effect on the attacker. I don't really mind someone viewing the camera but the problem is that whatever this bot is trying to do causes the camera to reboot every few minutes. The camera worked fine up until a few weeks ago when it started doing all the rebooting. When I looked at the camera's log I noticed the repeating attack. A screenshot of the log with one cycle of the attack is below.
[screenshot: camhacker.jpg]
The IP address 45.95.146.118 is from the Netherlands. This changes frequently but is mostly Netherlands and Russia. I would like to know what password they are using to log in! It appears the bot is trying to upgrade the firmware which fails and causes the camera to restart. It is a PITA and since I don't have access to the router right now there isn't much I can do. Has anyone ever encountered something like this?
 
It has been proven time and again that most of these devices have backdoor vulnerabilities, so changing the password is useless. Changing the port number is useless.

And a no-name device....forget about it....

It is why most of us here isolate the cameras from the internet and don't let them have access to the internet.

And it isn't the video feed they want. This is basically a way for them to get into your network and use it for DDoS attacks or to get into another device and steal your bank info.
 
The attackers also want to be able to take over this device and potentially install other firmware that will allow them to use the device as a "bot" for future attacks on other networks. So even if you don't have anything of importance on this network, it's still something that you should try to shut down because it could be used to attack other networks.
 
The attackers also want to be able to take over this device and potentially install other firmware that will allow them to use the device as a "bot" for future attacks on other networks. So even if you don't have anything of importance on this network, it's still something that you should try to shut down because it could be used to attack other networks.
I agree. This morning I was looking into what was happening and testing a few things. As the camera is remote, I was being careful so as not to lose it completely. I found that it had an IP Filter setting that allowed me to whitelist my IP which is also my Blue Iris server IP. That worked and stopped the hackers cold. The log still shows login attempts from the various European addresses, but none were allowed, and the camera hasn't restarted since I made the change. Interestingly enough the ICSEE app still works even when my cell isn't on the whitelisted IP address.

I find it interesting and a bit scary that there obviously is a back door into this thing. I would love to know what password they were using!
 
If you can get a legitimate copy of the firmware from the manufacturer, I would suggest reinstalling the firmware (even if you use the same version). There is no telling what the attackers did while they did have access. Just because you stopped them from accessing the camera doesn't prevent the camera from reaching out. If there were firmware changes made, there is no telling what the camera might be capable of. Your whitelist only prevents access one way (into the camera) and the camera can still reach the internet on its own.
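The two checks the thread arrives at, the inbound IP Filter and the point that a whitelist does nothing about the camera calling out, as an added example that is not from this thread or from any camera vendor. It runs over constructed camera-log and router-egress lines in an assumed key=value layout; the Blue Iris server address, the camera's LAN address and the expected destinations are assumptions.

```python
import re
from collections import Counter

# Constructed sample data (not the thread's screenshot): a camera event log and
# a router egress log in an assumed key=value layout. Addresses are assumed.
CAMERA_LOG = """\
2017-06-25 10:01:02 LOGIN fail src=45.95.146.118
2017-06-25 10:01:03 LOGIN fail src=45.95.146.118
2017-06-25 10:01:04 LOGIN ok src=45.95.146.118
2017-06-25 10:01:05 UPGRADE start src=45.95.146.118
2017-06-25 10:01:40 UPGRADE fail src=45.95.146.118
2017-06-25 10:01:41 SYSTEM reboot src=-
2017-06-25 10:05:10 LOGIN ok src=203.0.113.10
"""
EGRESS_LOG = """\
2017-06-25 10:02:00 allow src=192.168.1.50 dst=198.51.100.7:443
2017-06-25 10:02:05 allow src=192.168.1.50 dst=203.0.113.10:8000
2017-06-25 10:02:09 allow src=192.168.1.20 dst=198.51.100.7:443
"""
ALLOWLIST = {"203.0.113.10"}     # assumed Blue Iris server address
CAMERA_IP = "192.168.1.50"       # assumed LAN address of the camera
EXPECTED_DST = {"203.0.113.10"}  # hosts the camera is expected to reach

CAM_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) src=(\S+)$")

def parse_camera_log(text):
    """One dict per parseable line: time, event, status, src."""
    rows = [CAM_RE.match(l) for l in text.splitlines()]
    return [dict(zip(("time", "event", "status", "src"), m.groups())) for m in rows if m]

def inbound_report(events, allowlist=ALLOWLIST):
    """Count login/upgrade outcomes per source not on the camera's IP Filter list.
    Sources showing login_ok followed by upgrade_* entries are the ones to exclude."""
    rep = {}
    for e in events:
        if e["src"] in allowlist or e["src"] == "-":
            continue
        rep.setdefault(e["src"], Counter())[f'{e["event"].lower()}_{e["status"]}'] += 1
    return rep

def egress_report(text, camera_ip=CAMERA_IP, expected=EXPECTED_DST):
    """Destinations the camera itself contacted that are not expected: the
    IP Filter stops inbound logins, not the camera calling out."""
    hits = re.findall(r"src=(\S+) dst=([^:\s]+)", text)
    return sorted({dst for src, dst in hits if src == camera_ip and dst not in expected})

if __name__ == "__main__":
    print(inbound_report(parse_camera_log(CAMERA_LOG)))
    print(egress_report(EGRESS_LOG))
```

The egress check is the one worth automating on the router, since a reflashed camera that phones home will only show up there, not in the camera's own log.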
 
If you can get a legitimate copy of the firmware from the manufacturer, I would suggest reinstalling the firmware (even if you use the same version). There is no telling what the attackers did while they did have access. Just because you stopped them from accessing the camera doesn't prevent the camera from reaching out. If there were firmware changes made, there is no telling what the camera might be capable of. Your whitelist only prevents access one way (into the camera) and the camera can still reach the internet on its own.
I do have a copy of the firmware that I have installed on some other cameras I have of the same manufacturer. Since this one is 300 miles away at another home, I am not going to attempt to do a firmware update right now. I don't think they ever succeeded at updating the firmware to whatever they were trying to do but like you say, one never knows!
 
Again, ditch the port forwarding and use a VPN. There are lots of options, and it eliminates this from happening again.
 
Just did a quick check of how many different sellers of these cams there are. Nothing would stop me from buying a lot of these, reworking the firmware and reselling 100 of them; most likely 90 of them would go unnoticed. That goes for all used IT equipment you find on eBay: tons of vulnerable EOL Cisco and HP switches, routers, firewalls, and the list goes on. I have tested a few eBay cams in my sandbox with pretty much the same results you are seeing. This is how they are doing it. A few years back, I had a large Toshiba copier/printer/scanner malfunction, installed on one network I was managing; it was calling out to South America, Canada and a few countries in Europe according to the SonicWall log. I called the vendor who installed it and they were clueless. They finally sent a techie over and he saw what was going on and installed updated firmware. It was like "hey, thanks for bringing this to our attention"; I never got a real answer as to why it was calling out, but it stopped after the new firmware was installed.
 
I found that it had an IP Filter setting that allowed me to whitelist my IP which is also my Blue Iris server IP. That worked and stopped the hackers cold.
I hope that is correct. But it also could be that they had installed what they needed, on cam and possibly on your network, and the timing looked right to you. Good luck either way.
 
It has been proven time and again that most of these devices have backdoor vulnerabilities, so changing the password is useless. Changing the port number is useless.

And a no-name device....forget about it....

It is why most of us here isolate the cameras from the internet and don't let them have access to the internet.

And it isn't the video feed they want. This is basically a way for them to get into your network and use it for DDoS attacks or to get into another device and steal your bank info.
This needs to be stickied. The plethora of cheap no-name IP cameras out there is crazy. 99% of the buyers have no clue and readily (and perpetually) give them access to the net.
 