Secure access to a Dahua PTZ without a VPN

RChadwick

n3wb
Joined
Aug 31, 2015
Messages
16
Reaction score
2
First, I want to get this out of the way. I have a VPN set up. It's too slow, and a less than perfect internet connection becomes unusable with the VPN. So, I'm looking for options OTHER than a VPN.

I've got the EYEsurv ESIP-PTZmicro-1080p. I want to access it remotely. Sending the connection through Blue Iris was a thought, but I don't want to dedicate the computer, and the associated electricity and added complexity/unreliability to only security. I also don't need there to be any more delay while panning. I'd like to just open ports. So:

1) I've accessed my camera through two programs on my phone. One is IP Cam Viewer, which uses port 554, and a Dahua app that uses port 37777. Is one of these ports/methods more secure than the other?
2) What other ports will I need to open?
3) I've heard some Dahua cameras have hard-coded users/passwords. Does this camera have any obvious security vulnerabilities?

The camera doesn't need to be ultra secure, I just want it as secure as possible without impacting convenience. Unless there are hard-coded passwords (and maybe even if there are), I'd choose convenience over security in this case.

Thanks!
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
It is hard to say. I am not familiar with Dahua camera security problems, but it is always best to avoid forwarding ports directly to the camera if you can avoid it. If you use a program like Blue Iris to access the camera, then you do not need to forward ports directly to the camera and you don't have to worry about its security problems. I have a free option here, https://cameraproxy.codeplex.com/ with Dahua PTZ support, but it is very rough around the edges and I do not really support it if people choose to use it.

If you don't want to run camera server software like Blue Iris in your house, then I suggest you open only ports 554 and 37777 and use the Dahua app. I don't know if the Dahua app requires port 80 also, but it might. Also, if you can remap the external ports to something random then it would help avoid automated hack attempts which might only try known port numbers to save time.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
To address your points specifically,

1) If I had to guess I would say the Dahua app is more secure. IP Cam Viewer probably uses http on port 80 to control the PTZ, though I can't say for sure if that is the case. Port 80 http is probably the most often used attack vector because it is so common.
2) None, if all the features are working.
3) Yes, you can find them in the users list in the camera's web interface. You can and should change their passwords if you have those accounts on your camera. I think those user accounts are named 888888 and 666666 (same password as user name)?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
In truth it doesn't make a lot of difference what ports you offer on the internet since when your IP address gets scanned it's a wide range of ports that are tested.
What the port is associated with when it's found to be listening is determined by the response it provides when it's poked in various ways. You have no control over this.
We might consider it not too big a deal if a camera gets compromised, but what's worth some thought is what else is on your internal network that's of value to you, or of value to a potential attacker, should an exploit of a camera vulnerability allow it to be used as a foothold to access your internal network.
So in terms of a bit of extra security, it would help to locate the camera on a DMZ that has firewall rules that block inbound access from the DMZ to your internal network, but still allow outbound access to the DMZ from your internal network.
 

Michelin Man

Getting the hang of it
Joined
Jul 22, 2015
Messages
430
Reaction score
47
Location
Australia
If someone wants to get into your network, as alastairstevenson says, they can scan almost every port on your public IP address. It may take a bit of time, but they can find what ports are open and then try and manipulate them.

That is if someone is targeting you though. There are heaps of unsecured IP cameras you can watch for fun on the interwebs.

Changing them from the usual port numbers may slow someone down if they know you have something they want and know your IP.

Make sure your internal network is secure as well, i.e. a strong Wi-Fi password, and I hope you're using WPA2.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Changing them from the usual port numbers may slow someone down if they know you have something they want and know your IP.
True, however the scanners are automated, and are mostly 'bots' consisting of large numbers of compromised devices such as NAS boxes, PCs etc.
A port scan is pretty fast, listening ports are probed against a set of signatures and any interesting candidates are added to a list for the attacker to go look at and investigate.
These days, with fast domestic internet connections, people may not even realise their NAS box or PC has been compromised and is part of a bot network.
There is a lot of this around after the various high-severity vulnerabilities in the Linux world over the last couple of years.
 

Michelin Man

Getting the hang of it
Joined
Jul 22, 2015
Messages
430
Reaction score
47
Location
Australia
If someone has enough computing power they can do anything. It's like breaking encryption: no encryption is unbreakable, it is just unfeasible to break the encryption within a useful time frame, especially with time-sensitive data. It's just like 'unpickable' locks: any lock can be picked given enough time, although at the same time I don't believe anyone has picked an Abloy Protec, but I won't get into that, just another hobby of mine.

I was thinking more like say a friend of a friend or something similar who wants to get access to your cameras for whatever reason. They might try and find out what your IP address is when they're over, then try and attack it when they are out.

Pretty much, gotta love reading all those events prior where companies were getting attacked with DDoS attacks.
 

RChadwick

n3wb
Joined
Aug 31, 2015
Messages
16
Reaction score
2
Thanks everyone for the responses!

There's two things more I'd like to know.

1) I'm new to IP Cameras. It seems mine can use RTSP (Port 554), or TCP (Port 37777). Which is the preferred protocol? IP Cam Viewer seems to support both.

2) I don't care if someone in the middle can see my video feed, but I don't want passwords sent clear text. There's an option in the camera to enable HTTPS, but how does that work? Would it encrypt TCP? RTSP? Or would I have to give up my Android client, and log in to port 443 with a web browser? Or are RTSP and TCP already encrypted?

Thanks!
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
1) Neither is "preferred" but 554 is only designed for video streaming while 37777 is designed to provide full camera control, so if you have to open one port then I suggest 554.

2) HTTPS would encrypt web communication on port 443. The web interface in a browser would be transmitted with encryption, nothing else. Not even the video stream within the web interface uses http or https to stream. It would not encrypt your video stream. Neither TCP nor RTSP has built-in encryption. I don't know how passwords are transmitted in RTSP, maybe if you are lucky they are salted and hashed so it is safe from snooping, but I wouldn't count on it. If you don't want passwords sent in clear text, the best bet is to not require a password to view the stream, or just use a password you don't care if anyone learns.
 

RChadwick

n3wb
Joined
Aug 31, 2015
Messages
16
Reaction score
2
OK, I did a little more research about RTSP. Does anyone know if this camera supports Digest Authentication?
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
I'm not sure. A few years ago I reverse-engineered Dahua's login procedure for the web interface so my own software could log in. It was exceedingly stupid. They go to all the trouble of encrypting the login information with hashing algorithms but then just before transmitting the login request to the server, they append the password in plain text to the end of the message. So they can't be taking security too seriously.
 
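What the Digest Authentication asked about above actually puts on the wire, as an added example (Python, not code from the thread or from Dahua's firmware): the client answers the camera's challenge with a hash tied to the nonce, the request method and the URL, the camera recomputes that hash from its stored credential, and the password itself is never transmitted. The realm, nonce, stream URL and credentials are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from the thread): a camera's RTSP challenge and a stream URL.
SAMPLE_CHALLENGE = 'Digest realm="Login to CAM-0001", nonce="5f1d0c9a8b7e6d4c"'
SAMPLE_URI = "rtsp://192.0.2.10:554/live"

def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest_params(header: str) -> dict:
    """Split 'Digest k="v", k2="v2"' into a dict; used for both the camera's
    WWW-Authenticate challenge and the client's Authorization reply."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest header: {scheme!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def digest_response(user, password, realm, nonce, method, uri) -> str:
    """RFC 2617 response = MD5(MD5(user:realm:pw) : nonce : MD5(method:uri)).
    Only this hash leaves the client; the password itself never does."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def build_authorization(user, password, challenge, method, uri) -> str:
    """Client side: answer the camera's challenge for one RTSP request (e.g. DESCRIBE)."""
    p = parse_digest_params(challenge)
    resp = digest_response(user, password, p["realm"], p["nonce"], method, uri)
    return (f'Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')

def server_verify(authorization, method, issued_nonce, lookup_password) -> bool:
    """Camera side: recompute the digest from the stored credential and compare in
    constant time. A captured header replays only while the same nonce is valid."""
    p = parse_digest_params(authorization)
    if p.get("nonce") != issued_nonce:
        return False
    password = lookup_password(p.get("username", ""))
    if password is None:
        return False
    expected = digest_response(p["username"], password, p.get("realm", ""),
                               issued_nonce, method, p.get("uri", ""))
    return hmac.compare_digest(expected, p.get("response", ""))

if __name__ == "__main__":
    auth = build_authorization("viewer", "s3cret", SAMPLE_CHALLENGE, "DESCRIBE", SAMPLE_URI)
    print(auth)
    print("password appears on the wire:", "s3cret" in auth)
```

A sniffer on the path sees the username, realm, nonce and response hash, but not the password; whether a given camera offers Digest rather than Basic is something to confirm in its RTSP 401 challenge.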

Zorac

Getting the hang of it
Joined
Apr 17, 2015
Messages
213
Reaction score
26
Change the camera to be on a non-standard port and then use a really long password. If you're always accessing from the same network/device, you could screen the IPs that are allowed to access the camera.
 