Network Security Primer

[nayr]

Since IP Cameras are network devices, lets have a chat about security and best practices, feel free to ask me anything.. This is my specialty.

Ive got 3 areas I wish to discuss, I will summarize the areas here and we can have a more indepth discussion as the thread goes along.

Part 1 - Remote Access
So you want to view your cameras from anywhere on the internet right? Of course you do, thats a great thing about IP Cameras!

Consideration #1: Do you trust your remote network? Answer is clearly no you should not. If your using a Public WiFi, Work Internet, Hotel Internet, Friends Internet you should assume that not only can your traffic be monitored by others on that network it can be monitored as it traverses the internet and back into your network.. Its a trivial procedure to monitor packets as they travel over WiFi, Across Routers/Switches and anything that is not encrypted (such as your video streams) is fair game to intercept; infact it is often a policy to do this in work and public environments to keep tabs on appropriate network usage and prevent abuse or policy violations, etc.

Consideration #2: Do you trust your camera? Vast majority of IP Cameras have backdoors, hardcoded logins, unnessicary services running on them.. Here is a port scan of one of my cameras:​

# nmap 192.168.42.21


Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-23 18:52 MDT
Nmap scan report for 192.168.42.21
Host is up (0.0023s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
554/tcp   open  rtsp
3800/tcp  open  pwgpsi
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: 90:02:A9:30:18:BC (Zhejiang Dahua Technology Co.)
Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds

We see above its running telnet, which has a hardcoded login, I can tell its a dahua camera and none of these services offer encrypted authentication, so your login credentials are sent in plain text all the way across the internet... NOT GOOD.

Since we cant really trust our firmware to be 100% secure we should take special precautions with it.

Consideration #3: Hackers are constantly scanning every IP on the internet they can reach looking for known vulnerabilities to let them into a network, constantly 24/7 your being scanned and its your firewall's job to block most of these. If you port forward your cameras to expose them directly to the internet scanners can find your camera; dont believe me? Google search has a special token called inurl that lets you search the web for specific strings.. for example do a google search for inurl:"ViewerFrame?Mode=" and look at all the cameras you find, the majority of which the owner has no idea strangers are watching.

Solution: There is really one solution that negates all these issues and that is a Virtual Private Network, aka VPN.. All modern Smart Phones/Tablets/Operating Systems have VPN Clients built in, you just need to setup and configure a VPN Server on your network and forward the ports needed to that.. This will give you full access to your home network while away, from remote desktop, to printers and each and every IP camera's configuration and all the traffic will be encrypted as it traverses the internet so your logins and video streams are considerably more safe from prying eyes.. First place to check is to see if your home router has built in VPN Server support; if so read up on the documentation and get it working.. If not you can turn any reliable machine on your network, such as your BI server to also run a VPN Server.. a google search should yield guides that walk you through this..
TIP: Create a VPN User account for each device, say Ryan-Android for my phone.. if my phone gets lost/stolen I can always just change that password and not have to change everything.
TIP: If your up to the task you cant beat TLS authentication, its more complicated to setup and deploy but it uses Encryption Certificates as authentication tokens, no password to break and its as secure as you can keep your authorized devices from physical access.. (ie put a password on your phone thats not 4 numbers)

​

Part 2 - Local and Physical Security

VLAN: Is there anyone on your local network you dont want to have access to the cameras? Employees? Or is there anything on your network so private you need to keep it as secure as possible? The best strategy to this is to segregate your networks and put the cameras on a different subnet (range of ip addresses). You need a switch and router that supports vlans and you can externally firewall off your IP Cameras from your normal network.. opening up access to only those whom should have it.. all the other machines on the network wont even get a login screen or response from the camera.. I would avoid messing with any onboard firewall settings on your IP Cameras; its an easy way to lock your self out without many choices on getting back in.

​

Port Authentication (802.1x): Higher end switches can actually authenticate network access at the switch port level; this is great if you have alot of cameras in a public area, dorm, etc.. If setup properly someone cannot access the security camera network by simply taping into a ethernet cable or somehow unplugging the camera and hooking in there own device. My Dahua cameras all support it and on my network if you unplug a VoIP Phone or IP camera and try to use that network port it puts you onto the guest vlan by default; my phones and cameras authenticate with the switch when plugged in and this process grants them access to there own network segments... if no auth is attempted it puts them in a special garden with almost no access. This requires a radius authentication server and some network know how so I wont go into too much depth I just want you to be aware what it is and if you need it.


​

Part 3 - Wireless Security

In my PROFESSIONAL opinion Wireless and Security are two technologies that oppose each-other dramatically; like hitlers WW2 enigma devices tought the world that you can never be sure if your BROADCASTING your communications to anyone in listening range, despite technology advancements.. Its like trying to keep a conversation private between two people with mega-phones a block apart.

The only acceptable place for a WiFi security device is a portable monitoring device such as your phones/tablets, since your security will not be compromised if those loose connectivity.

Lets go over our wireless security options:
WEP = Cracked quite quickly with enough captured packets; and IP Cams generate a constant stream of them.
WPA = Easily brute forced, if WPS is enabled its basically wide open... Can be hijacked with ease, I can run an access point with same Name/ID and your devices will gladly connect and tell me the password to your network.
WPA-TLS = Only one left standing hasn't been broken; you cant hijack or man in the middle it because of certificate authentication.. needlessly complex for individual users and few WiFi devices even support this.

Did you know anyone can send a deauth packet to knock your cameras off the wireless network? despite encryption? Within 30mins I could make a small hand held device that knocks everything off there wifi networks with parts I have laying about.. check this out:

http://danmcinerney.org/how-to-kick-everyone-around-you-off-wifi-with-python/

What good is your security camera when anyone could just make a universal remote to "turn it off" when they approach to steal some shit?

same can be said for wireless security sensors, I have a 5w handheld walkie talkie that can broadcast on the same frequencies most GE wireless sensors work on.. If I broadcast noise with that transmitter I am basically jamming out all the little 100mW security sensors for a mile or so.. not to mention my 50w HAM radio that if used nefariously could jam out all wireless sensors to the horizon.
​

Links:

Open Source Router Firmware has support to run a VPN Server, checkout:
​

• 
  [*=1]OpenWRT
  [*=1]DD-WRT
  [*=1]pFSense

 

[icerabbit]

Fantastic topic. Double repped!

Understanding the concept of VPN and protecting traffic the user initiates from a computer to a router and/or individual computer, or network. Computers are a bit more versatile when it comes to network traffic.

My router can do VPN but of course barely mentions it beyond being a feature and where to find it.

In light of surv cameras, and network devices, how can one integrate this protection / make this work when it comes to mobile devices and gaining access to:

- wifi thermostat + iphone/ipad app (check & set home temp,while away)
- ethernet home automation controller + iphone/ipad app (check & turn on/off some lights)
- still accessing individual cameras ... don't need to see all of them, just want to tap into the PTZ and check on the cats, or read the clips,from the driveway cam ...

Does it hinge on vpn user name/pw? And can apps transparently accept those? (just as if it were the device's user/pw)
Do you create multiple dedicated tunnels?
Or can everything squeeze through one tunnel? Maybe multiple user names? Then based on user/pw and maybe port or app (?) things get routed transparently to the right device in the lan?

example: one tunnel + user wantstat -----> tstat, user wanauto ------> home automation box, wannvr -----> nvr, wanptz -----> ptz cam, wannas ----> nas

Or how would one make it work?
As these devices just say use port forwarding with username, password. Known not to be safe.

 

[icerabbit]

>> Looks like the topic is not lost! <<

But I guess we lost a day and a half.

 

[icerabbit]

In essence, to recap, my content from the thread, that was lost in the crash.

VPN was a lot easier to implement than I assumed. You can use one tunnel for all traffic you need. It solves the headache of using a mobile device at home and while away; in that most mobile apps for surveillance, automation, etc allow you to spec one IP address. Each time you switch places, it has the wrong IP. To circumvent this home and away problem, I'd use two apps to do the same thing. One with WAN IP and port forwarding. One with LAN IP. Or a browser bookmark for each.

With the VPN tunnel in place, the app can keep the LAN IP because it considers traffic through the tunnel local, as if at home.

One hurdle in getting it setup was vague instructions and a on my iPhone there was the "secret" box for L2TP, which had no matching equivalent in my router. I consider it a shortcoming in my router firmware.

I was able to set it up with PPTP. Once established. The iphone puts a VPN text icon to the left of the bluetooth and battery icon.

All in all. On the router side, it was like configuring a wireless network with a specific user & pw; and on the mobile side just adding the same.

 

[catseyenu]

Speaking of VPN... since the Shellshock post disappeared it may be appropriate to drop this here.
Shellshocking OpenVPN servers
https://news.ycombinator.com/item?id=8385332

 

[bp2008]

Hooray. I use openvpn on my router...

 

[nayr]

Peeping into 73,000 unsecured security cameras thanks to default passwords

Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries …unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia, is further broken down into insecure security cameras by the manufacturers Foscam, Linksys, Panasonic, some listed only as “IP cameras,” as well as AvTech and Hikvision DVRs. 11,046 of the links were to U.S. locations, more than any other country; one link could have up to 8 or 16 channels, meaning that’s how many different security camera views were displayed on one page.

Told you guys, Always use a VPN!

 

[bp2008]

Whats really fun is the cams that open a port all on their own or connect to a cloud service you did not sign up for.

I don't think I have any of those

And not everybody has the gear and expertise to put cameras on a different vlan without internet access

 

[nayr]

I have encountered many IP Cameras with hardcoded backdoor logins; the devices them selves simply are not safe enough for being exposed directly to the internet.. this is just one website that shows what some very simple bots scanning the internet for IP Cameras found, nobody was targeted directly.. Security holes in specific software cameras run (Web Server/SSL/Bash/etc) can lead to further problems because those are easy to scan for also.

Anyone reading my primer is urged to block the internet to/from ANY IP camera and remotely monitor it with a VPN solution, anything less is not really secure.. Setting up a VPN is not that difficult, if you can forward ports you can setup a VPN.. just follow instructions online carefully, every Operating System and SmartPhone has VPN capabilities now days.. there is little excuse other than being ignorant.

An IP Security Camera without any IP Security isint much of a Camera

 

[nayr]

I also want to point out I technically can get any of your guy's IP address very easy, all I would have to do is embed an image to this thread loaded off my webserver... and then when someone replies I can check the logs for that time and correlate what requests for that image came in at that time, and then direct a targeted attack at you.. infact im sure I could find all sorts of cameras targeting these forums <wink>

people can do this anywhere, forums, facebook, twitter, etc.. the internet is full of vindictive asshats so you could become targeted for your opinion very quickly if you havent been already.. a bunch of security cameras could give them the information they need to know where you live, just GeoLocate IP to city, then search for streets/addresses on google streetview, then next thing you know swat teams are busting down your door because you pissed some lil prat on the internet off.

thats a scenario that plays out across the internet all the time..

 

[nayr]

Whats really fun is the cams that open a port all on their own or connect to a cloud service you did not sign up for.

If you have a decent router/firewall you can define a host group and input all your cameras IP's into that group, then create an outbound firewall rule saying reject all packets to/from that group.. it wont filter access to/from cameras locally like you can get w/VLAN's. It will prevent them from calling home or exposing them selves without your knowledge. You'll want to run a local NTP service because if it works they wont timesync over internet.

expanding on firewall rules, I like to do 2 rules for a blackhole group like this, reject tcp/udp for all hosts and then lower than that a drop all for those hosts.. some packet types cant be rejected, but if you drop tcp/udp you can end up making your cameras boot times really slow as it tries an external connection (dns lookup) only to wait for a timeout.

You can add more and more rules and allow only what you want if you do allow your cameras some internet, give it access to only a specific mail server, time server, etc.. but keep it simple, you'll vpn into the network and bypass the rules so it wont effect remote access.

 

[nayr]

Your beloved Foscrap: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2560

2013:

[COLOR=#000154][FONT=Verdana][B]Access Vector:[/B] Network exploitable[/FONT][/COLOR]
[COLOR=#000154][FONT=Verdana][B]Access Complexity:[/B] Low[/FONT][/COLOR]
[COLOR=#000154][FONT=Verdana][B]Authentication:[/B] Not required to exploit

[/FONT][/COLOR]
[COLOR=#000154][FONT=Verdana]Directory traversal vulnerability in the web interface on Foscam devices with firmware before 11.37.2.49 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) Wi-Fi credentials.[/FONT][/COLOR]

add to the fact that foscam hardcodes dynamic dns settings into there firmware it was stupid easy to scan *.myfoscam.org and find all these damn cameras.

Dahua/Hikvision all have hardcoded telnet logins, and that is a fact.. My dahua cameras by default come with 3 backdoor logins that cant be removed but you can change the password.

there are billions of network capable devcies out there; and almost none of them should be exposed directly to the internet.. almost all of them were designed for local network access only and were never hardened or default to secure enough for internet exposure.. I am not saying you have to use VLAN's im saying got to use a fucking firewall and VPN instead of forwarding ports to insecure and hard to update hardware devcies.. go ahead and do it, i dont give a crap what you do..

Firmware updates are inherently riskey; camera makers are not pushing out new firmware to fix security issues and nor are people applying firmware updates to fix security issues.. im sure there are thousands of people with pre 2013 firmware on there foscams... Nor should they have to, if they keep the device off the internet (you can still access with VPN) its not a problem.

I recommend anyone who gives a shit, to setup a VPN, Firewall off your cameras from all internet access.. If you dont give a shit; well then so beit... listen to that asshat if you can get your head arround his ramblings.

If your camera (or any network device you own) was designed to be plugged directly into the internet securely the very first thing it would force you to do is set a new password before doing anything else; I have yet to find such a camera.

attached is a screenshot from my dahua camera; its impossible to delete admin, 888888 or 666666.. so you have to change 3 passwords and everyone knows the username so all they have to guess is a password thats probably easy to type into a phone/tablet.. This right here tells me this device was never intended to be exposed to the internet and maintain any level of security.

 

[bp2008]

nayr, lets not forget about Dahua's onvif support which lets you, at the very least, pull video streams without authentication. There is probably much more possible that I am not aware of.

 

[nayr]

Good point @bp2008

many decent IP cameras are designed for Professional Installers in mind, us DIY'ers are a nice side effect.. but professional installers are not typically network savvy, having to only learn basic networking recently as IPcameras have taken over the analogue market.. They put backdoor logins so the installer can get into the camera and fix it when the end customer ends up messing it up or locking them out and telnet logins that allow the resellers in to rebrand the camera to there name, or preconfigure settings with a few quick changes..

The 888888 login saved my ass once when I locked my self out on a password update; I guessed the password would be 888888 on first try.

 

[icerabbit]

There is nothing wrong ...

I can assure you that if ...

... Being primarily proactive in your network security and knowing what's being received and being sent from your Router/AP's from/to the Internet by activating your Router/AP's logging abilities and reviewing those logs ...

... I dare you to prove otherwise. I know you won't, because you can't. Because it's a truthful statement. Based on facts, that are impossible to dispute. ...

I respect that you have done a lot for the foscam owners / community, but really, the more you type, the less reassuring you are.

Without going into further details - as I really don't have the energy and time nor do I want to get into some web tit for tat on certain details that you're trying to raise - I just want to say that your attitude in your posting with false analogies, exaggerations etc looks to be non-constructive, is becoming hostile and then becomes a personal attack.

You even start highlighting things in bold and pulling in unrelated photos.

What's next? ALL CAPS? Alternating colors? ASCII ART? Animated GIFs.

You feel a need to go above and beyond, explaining and defending certain known insecure things manufacturers do ... for what?
You are tripping over yourself, running in circles, hijacking this thread, wanting nayr to prove certain things ... for what?
All you do is really prove that you somehow have an axe to grind against what nayr posted or him personally.

Longer and louder talk doesn't necessarily make one look better in public nor in a forum.

So, you may want to give that a moment of thought ...

( Back on topic )

Personally, I think closing all forwarding ports on a router and implementing VPN is 1000% solid advice and easy to implement. The rest may be too complex and over people's head; but I don't take issue with nayr's opinion as a whole. He's on the front lines of security, and, you have to highlight the bad to prove a point. Whether that's a bit alarmist, maybe, but there's no "dare to prove it" evidence required. This is not some prove it or lose it competition. This a friendly posting on a forum for fellow members. We all know stuff is exploitable and as time has proven so many times, networked electronics are inherently insecure / vulnerable. Manufacturers focus on getting the product out and selling. More features than the competition = more sales. Off the shelf security is fine. Build. Sell. Ship. Repeat.

I most narrowly escaped a major hacking headache a number of months ago after opening a port for some quick remote access. Something I did last minute before a trip. I didn't think much of opening a specific port for a manufacturers device, as directed. Boy, would it have cost me very very very dearly on many fronts if I was one of the victims.

You can knock on my IP since then. Unless you get into the router itself or can bypass it, there's nothing to see.

One of my next purchases is a more secure router with VPN. Have done some comparison shopping on a few features. Still on the fence a bit, but a better router swapped in is imminent.

 

[nayr]

its me personally; I keep calling him out on his bullshit and am not the least bit impressed with his signature like he thinks I should be..

every once and a while he has some pretty sound advice, I do admit; but by default I would suggest you seriously question anything he states given the behavior I have seen out of him.

But this goes to prove my earlier point about targeted attacks; he is harmless.. there are people out there whom arent and if you hurt there internet ego the'll hack your IPCam just to fuck you up.. Welcome to the internet, enjoy your stay.. Lesson #1, people will be asshats to just coax an emotional response from you, then attack you further upon submitting to that.. we like to call them Trolls.

 

[icerabbit]

I know. I've got a bit of technical experience and pretty good set of eyes and ears.

I just felt compelled to speak up a little in the hopes it may help him in some way to stop shouting from the other end of the spectrum.

 

[nayr]

That forum does not promote open and honest discussions so I am not a member and will not participate in there community... I require the ability to use four letter words every once and a while and post links to anything relevant; regardless of the commercial interests of the staff and advertisers.

When you moderate out any opposing lines of thought you end up with a bunch of mindless dolts; much like a religion... They say there open but when you find the statment: Please do not try to defeat the forum's word censors - words/urls are censored/masked for a reason... that kinda implies the opposite.

Fuck, i stubbed my toe.. ouch.. oah look at that were all grown ups, well most of us.

 

[nayr]

I love you, your my UberOverlord

 

[icerabbit]

I have been working with networks for over 40 years. Please see the "About Me" link in my signature if needed. Only three of those years involve Foscam cameras.

If you feel my response is somehow incorrect. Please feel free to post text like this:

Over here: http://www.cctvforum.com/viewforum.php?f=19

While I could respond to your post there. I won't, but I will watch and have some good laughs, as others there respond.

At least that would help you see, without any bias from me. That the above, is a false statement and I am more than positive that others at the above link will also say same.

A good title for the post there to better match the statement above would be:

"If Your Don't Monitor Your Cameras Remotely Using a VPN Then Anything Less is Not Really Secure"

Don

Have your laugh.

You really want me to go to another forum and ask the members there? And say hello, I'm new here, I just got a few cameras, but am worried about security, I hear they can be accessed remotely and exploited.
Between
(a) uberlord's method of just opening up router ports and monitoring web traffic
and
(b) nayr's advice of keeping the router ports plugged and using a vpn tunnel
Which is more or less secure? More hack proof? Easier to implement?

You have got to be kidding me.

Anyone who opens up a port, even changes port settings, edits the device password to be "safe", and maybe even goes as far as removing the factory admin account after creating a custom user, is not safer as you state, than when those cameras are simply not directly accessible from the internet.

Whatever factory back door / secret logins that are baked in are still wide-open, if the device is visible online. Maybe we don't have to worry about 99% of factory trained personnel and engineers, but word gets out, things get discovered. Whether motivated by fun or financial gain, one can bet it will get abused and at some point gets out.

Whatever vulnerability that can be exploited without even touching the default admin/user account is right there waiting to be built and exploited, if the device is visible online. As I tried to say, I just narrowly escaped this very exact thing with a networked appliance from one of the world's top vendors; where an attack was built specifically targeting their hardware around the globe. Tons of people got duped. Eye opening to someone who's not on the front lines of internet security, how you can seemingly do the right thing per the manual but come up losing it all. This exact exploit hinged on the open a port method you say is secure. Really makes one think. Oh and the monitor traffic thing didn't work because it took mere moments to be compromised. People have to work, sleep, go on a trip, ... aka have a life and don't sit there monitoring their router logs.

Since you're into proving things and challenging people. Maybe this example will raise a spark. We could do a test. We'll give you and nayr and any forum member who feels like jumping in, an hour or two hour to pull some stills from a camera of choice, change a camera setting, password, whatever, just something to prove it was found. Nayr's challenge would be to poke one behind a router with open ports. You try the same except with a router with all ports closed. Doesn't have to be for the fastest time or anything.

I just know which challenge I'd prefer.