It finally happened but I'm not sure how it happened because I consider myself somewhat a bit savvy with networking. It took 5 years before a breach occurred. The intruder had four admin accounts created:
"hackedBy", so and so. They also deleted all my 'user' accounts with basic privilege. They left the admin account. The password is strong on that. All cameras are working fine and they did not blank them. I am running V4.00 Build 2019-08-09 firmware.
I always use OpenVPN when I'm outside (hotels, coffee shops) to connect back home.
1. Google Fiber (Google Wifi router/puck)
- No port forwarding enabled other than port 1194 - to a Raspberry Pi for OpenVPN.
2. OpenVPN server (running on Raspberry Pi).
Raspberry Pi requires a SSH private key to login (Otherwise, all login rejected).
3. NVR dual-NIC. One subnet on NIC1 is connected to the same subnet as the Raspberry Pi and the rest of the home network. NIC2 is for the cameras. I specifically forced the NVR's gateway to point the Raspberry Pi. That way all traffic gets routed to the Rasberry Pi instead of the Google Wifi Gatway. But I think that is not safe, as I come to realize.
4. Yes, UPNP is disabled in Google Wifi Router. P2P also disabled in the NVR.
5. The Raspberry Pi then has IP Tables set up like this to drop ALL packets:
sudo iptables -A FORWARD -s 192.168.0.10 -p tcp -o eth0 -j DROP
sudo iptables -A FORWARD -s 192.168.0.10 -p udp -o eth0 -j DROP
sudo iptables -A FORWARD -s 192.168.0.10 -o eth0 -j DROP
So my only guess as to how they got in are the following:
1. Another IoT device connected as the same subnet allowed them to get into the NVR. So maybe my Alexa's are compromised.
2. There is malicious firmware in the NVR that disregards what the gateway IP is set at and regardless attempts to try all ranges within that subnet. When it finds one, it phones home with P2p re-opened.
Another thing I am observing now is my NVR firmware is probably compromised. When I reboot the system, it recalls the old static IP address from which I set it to, and the old gateway, and get this! It enables P2P!! Why???
"hackedBy", so and so. They also deleted all my 'user' accounts with basic privilege. They left the admin account. The password is strong on that. All cameras are working fine and they did not blank them. I am running V4.00 Build 2019-08-09 firmware.
I always use OpenVPN when I'm outside (hotels, coffee shops) to connect back home.
1. Google Fiber (Google Wifi router/puck)
- No port forwarding enabled other than port 1194 - to a Raspberry Pi for OpenVPN.
2. OpenVPN server (running on Raspberry Pi).
Raspberry Pi requires a SSH private key to login (Otherwise, all login rejected).
3. NVR dual-NIC. One subnet on NIC1 is connected to the same subnet as the Raspberry Pi and the rest of the home network. NIC2 is for the cameras. I specifically forced the NVR's gateway to point the Raspberry Pi. That way all traffic gets routed to the Rasberry Pi instead of the Google Wifi Gatway. But I think that is not safe, as I come to realize.
4. Yes, UPNP is disabled in Google Wifi Router. P2P also disabled in the NVR.
5. The Raspberry Pi then has IP Tables set up like this to drop ALL packets:
sudo iptables -A FORWARD -s 192.168.0.10 -p tcp -o eth0 -j DROP
sudo iptables -A FORWARD -s 192.168.0.10 -p udp -o eth0 -j DROP
sudo iptables -A FORWARD -s 192.168.0.10 -o eth0 -j DROP
So my only guess as to how they got in are the following:
1. Another IoT device connected as the same subnet allowed them to get into the NVR. So maybe my Alexa's are compromised.
2. There is malicious firmware in the NVR that disregards what the gateway IP is set at and regardless attempts to try all ranges within that subnet. When it finds one, it phones home with P2p re-opened.
Another thing I am observing now is my NVR firmware is probably compromised. When I reboot the system, it recalls the old static IP address from which I set it to, and the old gateway, and get this! It enables P2P!! Why???
