NVR4108-4KS Recordings Paused by Thieves

aabs

As per the title of the thread. Today the police knocked on my door to view footage of a robbery which had taken place in a neighbour's property.
However, when I went to view the footage, both the cameras that had that area covered had been paused recording whilst the crime took place.

Went into the events log and saw that my system had been logged into at that time, but HOW?

I have a VPN running and I have changed the NVR default passwords to the admin account and the 88888 account.

Starlight cameras also have no gateway address for not internet facing.
NVR4108-4KS firmware 3.215.000000.3

Eager to find out where my vulnerability is and how this has happened if anyone can help.

A few screenshots attached, hope someone can help me plug my security flaw.
 

What about the details of the logs? And is there anything else? The recordings seem to have stopped around 2:46 AM.
 
Hi Redfive,
Yeah, the robbery took place at 2:46. My system was rebooted at 03:02.
Can't figure out why all cameras paused at 2:46, followed by a reboot.
Maintenance reboot is disabled and I've checked other random dates and there are no pauses in any other night time monitors.
 

I wonder if that could have been automatic maintenance of some kind on the NVR. Since your log doesn't show any events for an hour leading up to the reboot it is hard to say what happened. Does the details button show anything for the shutdown/reboot and later events to suggest what may have triggered it?

You should check on UPnP and port forwarding features as noted here: How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk

I'd also recommend preventing the cameras and NVR from having internet access at all, and when you need remote access use only a VPN.

There's also the possibility that something else simply failed on the NVR at exactly the wrong time and that nothing related to the failure got logged.
 
That does seem like an amazing coincidence - and way too sophisticated for normal smash-and-grab burglars.
But just in case - you can check the extent of external access using a service such as ShieldsUp! GRC | ShieldsUP! — Internet Vulnerability Profiling
Use the 'All service ports' scan, not the UPnP scan, in the first instance.
Yeah, the police did mention that it was a very organised gang taking prestigious vehicles in the area. I have no doubt that they have somehow disabled my system. I'm eager to find out how, as I've followed all advice on here in the past, e.g. VPN, no wifi cameras and no gateways apart from the NVR, which is needed for my remote viewing.

Done the port scan and all Green
 

The shutdown seems to have been at 03:01:33, and then it rebooted (like a power outage). The strange thing is that the recordings were stopped before, without any logs about this ...
 
No, the power being switched off would have triggered my property burglar alarm and would have been obvious, as all the AV equipment/clocks and other gadgets would all be flashing displays.
Also, no further information in the details of who rebooted the system.
 
The shutdown seems to have been at 03:01:33, and then it rebooted (like a power outage). The strange thing is that the recordings were stopped before, without any logs about this ...
Yeah, this completely fits in, as the vehicle was taken at 2:50 and picked up on a police APR camera at 3:10, 2 miles away.
 
Done the port scan and all Green
Yes, looks good.
Though remember it's only service ports.
Maybe also do a custom port scan on the higher ports that the NVR uses.

I have no doubt that they have somehow disabled my system.
That would be pretty stunning.
Can you ask the Police if they are aware of any similar situations where CCTV has been disabled?
That would be very newsworthy, in my view.
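
An added example, not written by anyone in this thread: a TCP connect check for the higher NVR ports that a service-port scan does not cover. The port list is an assumption (commonly documented Dahua defaults; confirm the real values in the NVR's network/port settings), and the host is your own WAN address tested from outside the LAN, e.g. a phone tether.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed ports: commonly documented Dahua defaults, not taken from this thread.
NVR_PORTS = {80: "HTTP", 443: "HTTPS", 554: "RTSP", 37777: "TCP service"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (RST) or 'filtered' (no answer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable errors
        return "filtered"
    finally:
        sock.close()


def exposure_report(host, ports=NVR_PORTS, timeout=2.0):
    """Probe every port in `ports` concurrently; return {port: state}."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=8) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), port_list))
    return dict(zip(port_list, states))


def exposed(report):
    """Ports that accepted a connection, i.e. reachable from where you ran this."""
    return sorted(p for p, state in report.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: nvr_ports.py <your-own-WAN-address>")
    report = exposure_report(sys.argv[1])
    for port, state in sorted(report.items()):
        print(f"{port:>5} {NVR_PORTS.get(port, ''):<12} {state}")
    if exposed(report):
        print("Reachable from outside: check UPnP and port forwarding on the router.")
```

Any port reported `open` from outside means the router is forwarding it despite the VPN being in place.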
 
Do you have a wifi around from which you can access the NVR/cams ?
I have a guest wifi which has no access to LAN and password protected.
I have my wifi which does have access to LAN and is also password protected.
Reason for guest wifi is for visitors so I don't give access to my LAN.
I'm a damn sight more careful than most!!
 
So that's not an NVR with PoE ports (I'm unfamiliar with Dahua kit).
Do the cameras and NVR connect on a switch, ie not through switch ports on your router?
 
I have a guest wifi which has no access to LAN and password protected.
I have my wifi which does have access to LAN and is also password protected.
Reason for guest wifi is for visitors so I don't give access to my LAN.
I'm a damn sight more careful than most!!

How strong are the passwords for your wifi? What encryption are you using for your WiFi?
 
Do the cameras and NVR connect on a switch, ie not through switch ports on your router?
I'm thinking if they are capable enough to be using one of those relays / boosters for breaking into keyless cars, there could also be a WiFi disruptor aimed at the many that use WiFi cameras - that could give the router/AP a hard enough time that it doesn't pay enough attention to the router switch ports, to the detriment of any traffic through them.
If the normal camera traffic passes through them.
Pure unfounded speculation of course.
 
Did you check the logs on your router and/or wifi system ?
Wifi logs on the router don't go back far enough, only 10 hours or so due to the amount of activity.
I have tried a telnet session but get no connection, don't know if it supports SSH.
Totally at a loss how they have got in, but when things emerge such as SHODAN did it might make a little more sense, as the crooks always seem to be a step ahead with tech vulnerabilities.

With reference to the last post, at least and I will now enable DOS attacks.