J Sigmo
Known around here
- Joined
- Feb 5, 2018
- Messages
- 997
- Reaction score
- 1,335
NVR4108-4KS Recordings Paused by Thieves
- Thread starter aabs
- Start date
hotwheels498
Young grasshopper
What if the OP is in on this car heist plan, he turned off his system and then stole the car. Then come on this form to make a post to show the cops as a distraction.
DLONG2
Known around here
- Joined
- May 17, 2017
- Messages
- 763
- Reaction score
- 455
Good idea, but I thought I had read the cops already examined the interior camera recordings, and the last motion event showed the OP watching Netflix in the living room, rather than pulling the power plug in the office.
LOL I was also thinking the same thing.
tangent
IPCT Contributor
- Joined
- May 12, 2016
- Messages
- 4,416
- Reaction score
- 3,649
The OP's been absent enough from this thread, I wonder if the cops already came to that conclusion.
Im going for government agency using NVR manufacturers backdoor (they exist) so they can covertly ''steal" their targets vehicle and then bug it. "Hey we found your vehicle Mr Target you can have it back now".
Government agency forgot to delete/edit logs. OP uncovered the truth and has now mysteriously disappeared along with his neighbour.
Government agency forgot to delete/edit logs. OP uncovered the truth and has now mysteriously disappeared along with his neighbour.
IAmATeaf
Known around here
Most car thieves in the uk don’t seem perturbed by cameras and if they want the car will simply break in and take it. Seem plenty of cctv footage of thefts and they couldn’t care less and don’t even seem bothered by the cameras.
Jimbo7
n3wb
Fascinating thread.
If I had to (wildly) guess at the most likely attack vector:
1. OP's main (not guest) wifi network hacked (WPA2/PSK has known vulnerabilities)
2. Packet sniff the network traffic looking for NVR login events with a view to some sort of key replay attack or similar.
3. At the time of the theft, log in to the OP's Wifi and disable the recording/reboot essentially using the OP's own credentials.
(2) is 100% supposition of a suitable mechanism and vulnerability existing. I don't even own any Dahua kit (yet - package from empire tek en-route).
It is odd to think that anyone would go to such measures to avoid identification when a balaclava would do, but perhaps the aim was more focused on ensuring they weren't disturbed, and increase the chances that the theft would go unnoticed for the duration of time it takes to render a (presumably tracked) stolen car untraceable...
J
If I had to (wildly) guess at the most likely attack vector:
1. OP's main (not guest) wifi network hacked (WPA2/PSK has known vulnerabilities)
2. Packet sniff the network traffic looking for NVR login events with a view to some sort of key replay attack or similar.
3. At the time of the theft, log in to the OP's Wifi and disable the recording/reboot essentially using the OP's own credentials.
(2) is 100% supposition of a suitable mechanism and vulnerability existing. I don't even own any Dahua kit (yet - package from empire tek en-route).
It is odd to think that anyone would go to such measures to avoid identification when a balaclava would do, but perhaps the aim was more focused on ensuring they weren't disturbed, and increase the chances that the theft would go unnoticed for the duration of time it takes to render a (presumably tracked) stolen car untraceable...
J
Panopticon
Young grasshopper
- Joined
- Dec 13, 2017
- Messages
- 50
- Reaction score
- 17
My comments:-
Does that type of NVR by any chance have an IR Receiver that could have been accessed/operated from outside through a window?
Some NVR's have come with TV style IR remote controls.
The Wi-Fi network will be vulnerable to KRACK KRACK - Wikipedia it is a vulnerability in the WPA2 protocol itself so it no longer really matters how good your WPA2 password and username (used as a P/W salt) are - easy especially with the repetitive network traffic coming from video cameras showing images that mostly have nothing moving on the video.
AFAIK RADIUS uses MD5 encryption for one of its initial handshakes - MD5 is known to be insecure - there is an extension to use with RADIUS to mitigate the MD5 problem - try Diameter (protocol) - Wikipedia OR Kerberos (protocol) - Wikipedia it is all a question of picking a style of security vulnerability you can work around.
Was it possible to access the Wired LAN by unplugging a camera to access its Ethernet cable?(or other LAN device - some Printers have an Ethernet LAN Port + built in Wi-Fi module + built in Bluetooth module and if the two Radio modules are not secure OR totally switched off you can access the LAN via the printers Wi-Fi - networked printers have always been a security issue) - is there any access control running on the hardwired LAN to prevent any device just being plugged in temporarily instead of a camera?
Some people I have come across even intentionally have outdoor LAN ports - they say they unplug them indoors when they are done using them so they are then dead outdoors - but how long until they forget to unplug?
Did not notice (too lazy to go back and read it again) if Camera passwords had been changed from default.
Did not notice if system is set to record only on motion or continuously - continuous recording is the only way to go (with motion alerts of course).
Using an Internet providers router is almost always a recipe for disaster - they cannot cope with non-stop data traffic.
RF Radio Frequency attack on cameras with Radio Jamming Device (Army Surplus device from a jeep or other vehicle to jam roadside IED's) - do the cameras have metal bodies that have been effectively earthed or are the cameras plastic bodied - the RF would happily travel down that UTP LAN cable and could affect the NVR - that would depend on a thousand variables BUT jamming IED's works and that also depends on thousands of variables.
UPS Uninterruptable Power Supply - you MUST have a UPS & everything vital for operation MUST be plugged into it - get a big name/brand UPS like APC in a decent size / capacity & NOT the APC Home Office/Domestic versions meaning only get the APC Commercial grade.
Have you tested your UPS battery's recently???? Meaning unplug the mains and see if the UPS will actually run and power the connected load for say 80% of the run time the UPS is reporting (via its management interface) that it can manage. Alternatively a calibration test can be triggered on the UPS to test out just how good (or bad!) the batteries are at present.
But as you guys have already said it could just be the perp looking for excuses to give to local law enforcement.
Does that type of NVR by any chance have an IR Receiver that could have been accessed/operated from outside through a window?
Some NVR's have come with TV style IR remote controls.
The Wi-Fi network will be vulnerable to KRACK KRACK - Wikipedia it is a vulnerability in the WPA2 protocol itself so it no longer really matters how good your WPA2 password and username (used as a P/W salt) are - easy especially with the repetitive network traffic coming from video cameras showing images that mostly have nothing moving on the video.
AFAIK RADIUS uses MD5 encryption for one of its initial handshakes - MD5 is known to be insecure - there is an extension to use with RADIUS to mitigate the MD5 problem - try Diameter (protocol) - Wikipedia OR Kerberos (protocol) - Wikipedia it is all a question of picking a style of security vulnerability you can work around.
Was it possible to access the Wired LAN by unplugging a camera to access its Ethernet cable?(or other LAN device - some Printers have an Ethernet LAN Port + built in Wi-Fi module + built in Bluetooth module and if the two Radio modules are not secure OR totally switched off you can access the LAN via the printers Wi-Fi - networked printers have always been a security issue) - is there any access control running on the hardwired LAN to prevent any device just being plugged in temporarily instead of a camera?
Some people I have come across even intentionally have outdoor LAN ports - they say they unplug them indoors when they are done using them so they are then dead outdoors - but how long until they forget to unplug?
Did not notice (too lazy to go back and read it again) if Camera passwords had been changed from default.
Did not notice if system is set to record only on motion or continuously - continuous recording is the only way to go (with motion alerts of course).
Using an Internet providers router is almost always a recipe for disaster - they cannot cope with non-stop data traffic.
RF Radio Frequency attack on cameras with Radio Jamming Device (Army Surplus device from a jeep or other vehicle to jam roadside IED's) - do the cameras have metal bodies that have been effectively earthed or are the cameras plastic bodied - the RF would happily travel down that UTP LAN cable and could affect the NVR - that would depend on a thousand variables BUT jamming IED's works and that also depends on thousands of variables.
UPS Uninterruptable Power Supply - you MUST have a UPS & everything vital for operation MUST be plugged into it - get a big name/brand UPS like APC in a decent size / capacity & NOT the APC Home Office/Domestic versions meaning only get the APC Commercial grade.
Have you tested your UPS battery's recently???? Meaning unplug the mains and see if the UPS will actually run and power the connected load for say 80% of the run time the UPS is reporting (via its management interface) that it can manage. Alternatively a calibration test can be triggered on the UPS to test out just how good (or bad!) the batteries are at present.
But as you guys have already said it could just be the perp looking for excuses to give to local law enforcement.
Last edited:
fenderman
Staff member
- Joined
- Mar 9, 2014
- Messages
- 36,901
- Reaction score
- 21,269
Nonsense again. Krack has been repaired. Any modern update router is not vulnerable. Please dont mislead.
You really think these car theives unplugged a camera did their thing and plugged it back in all nice? really?
All this is nonsense. Nothing happens.
Panopticon
Young grasshopper
- Joined
- Dec 13, 2017
- Messages
- 50
- Reaction score
- 17
As I already said it could just be a Perp looking for excuses to give local Law Enforcement.
But Wi-Fi WPA3 is on the way because WPA2 alone is no longer enough (just like WPA1 & WEP are nowadays considered security jokes but back in the day they were thought of as perfectly secure - looking back a ludicrous conceit) and Plain Vanilla style RADIUS is getting rickety - it has been a long week so instead of me having to explain it all here is an article that just covers the tip of the WPA2/3 iceberg What Is WPA3, and When Will I Get It On My Wi-Fi?
Last edited:
tangent
IPCT Contributor
- Joined
- May 12, 2016
- Messages
- 4,416
- Reaction score
- 3,649
There are a fair number of android devices that never got a KRACK patch. Also plenty of IoT devices and printers that were never updated.
Plenty of routers in the world are sadly still vulnerable to a WPS pin attack.
Plenty of routers in the world are sadly still vulnerable to a WPS pin attack.
fenderman
Staff member
- Joined
- Mar 9, 2014
- Messages
- 36,901
- Reaction score
- 21,269
Please stop misleading. There is no known hack for WPA2 on an updated router. It's also important to think a bit when coming to these silly conclusions about what car thieves might be doing.
Negative and negative.... RADIUS is just accounting/auth, the transport is selectable (tunnel), you don't have to use MD5 and in fact, it is only used these days within an existent TLS tunnel between the client and the server.... so it's moot, because you have to break the encapsulation (TLS). MD5 hashed passwords are only then a risk at the storage level of the RADIUS backend, if it is compromised, as MD5 is pretty much dead since the beginning of rainbow tables, and even more now with GPU assisted cracking (hashcat and co).
As for "RF jamming" of cable devices: that ain't happening. There is a balun at every ethernet phy/port which pretty much renders that impossible as far as radiated EMI/RF goes. Twisted pair is also a factor, it does not just reduce cross talk.... and then there's FTP cable. IED triggers also usually operate under microwave frequencies, nowhere near 2.4 or 5Ghz. Educate yourself before making these grandiose claims... it's middle America, not Ch-Iraq. RF does not just "radiate into cables and arrive at the NVR" (or anything else). For coupling to happen there's a heck load of factors involved (impedance mismatch, shielding, length of the wires, twisted pair bringing its own issues, RF field strength, filtering stages at the target, including the balun mentioned earlier.....) , but long story short: not a chance, though it makes for an intriguing tale.
source: I have the equivalent of an Extra hamradio license (in Europe there is a similar breakdown of licenses, but we don't have the lowest level the ARRL has, you get General or Extra, or nothing, exams are quite similar), and got a whole shelf of equipment behind me right now (spectrum analyzers, RF generators, programmable attenuator...). I work with RF engineers regularly....
CCTV Guy
n3wb
OMG! That is so freaking great. The other professionals I work with will appreciate this, as we've all dealt with the customer who thinks this is reality.
CCTV Guy
n3wb
You know, sometimes sh- er, stuff just happens at an inopportune time. I had a bank that was a customer that had an early DVR. It was checked by the branch every day and by their Corporate Security Department weekly. They had a hostile takeover, in which the thieves held everyone at gunpoint. Upon exiting the bank, there was running gun battle with the local police department (which the thieves lost). When I arrived to pull video for law enforcement, the DVR had no power. I determined the power supply was bad and replaced it. It was then that we discovered the DVR, that had been in continuous service for more than three years, blew the power supply less that 20 minutes prior to the robbery. While I was on site, I actually received a dispatch to check the unit, as it was not communicating with their Corporate Security Department. The FBI actually interviewed me, as they thought the coincidence was too convenient.
I was cleared. Just in case anyone was wondering <grin>.
I was cleared. Just in case anyone was wondering <grin>.
OMG I can't believe how much activity this thread has created since my last visit.
As suspected by fenderman and many others,it appears to be a hardware fault.
I have monitored the performance of my NVR since the event and had another reboot take place last night which indicates a hardware issue.
I have now set a maintenance reboot to take place during the day on my NVR but I think I'm now going to replace it to a NVR5208-8P-4ks2 to be on the safe side.
Thanks for all the attention input/advise and theories which this thread has attracted. It has certainly made some entertaining reading.
As suspected by fenderman and many others,it appears to be a hardware fault.
I have monitored the performance of my NVR since the event and had another reboot take place last night which indicates a hardware issue.
I have now set a maintenance reboot to take place during the day on my NVR but I think I'm now going to replace it to a NVR5208-8P-4ks2 to be on the safe side.
Thanks for all the attention input/advise and theories which this thread has attracted. It has certainly made some entertaining reading.