Security concerns: Dev back door?

Discussion in 'Blue Iris' started by erkme73, May 22, 2019.

  1. erkme73

    erkme73 Getting comfortable

    There's really no tactful way to ask this question without impugning Ken's character. And that is certainly not my intention. He has provided me with no reason to question his ethics or character.

    A couple of years ago I was having some issues which we were unable to resolve using the traditional email correspondence. At the time, Ken used TeamViewer to log into my BI machine to do diagnostics and troubleshooting.

    It was interesting to watch from the sidelines as Ken worked his magic. I was able to chat with him about his permissions/rights. He confirmed that he was able to unmask and view all camera passwords (and presumably the main BI user/admin passwords). He said not to worry, that he wouldn't log in unless there was a need/request for diagnostic support. He even gave me his IP address so I could verify that he wasn't logging in other than during these coordinated sessions. And if he did, I would see his IP in the connection logs.

    Being that he knows the intricacies of the software, wouldn't it be possible for him to leave a back door that doesn't get logged? And if such a back door existed, could it not be exploited by someone with more nefarious purposes?

    Again, I have no reason to think that Ken would ever deliberately violate anyone's trust. But given the possibility of such a violation (i.e. imagine someone hacks his machine, or he sells the product to another party, etc), what kind of protection or detection can we implement that would lock down such an exploit?

    Short of intrusion detection firmware on a router, is there anything that could be done to lock it down?
     
  2. Tmos

    Tmos n3wb

    If you are really worried, just uninstall TeamViewer and change passwords in Blue Iris and the system. I doubt developers would lower themselves to such things.
     
  3. erkme73

    erkme73 Getting comfortable

    No, let me clarify. This is not a TeamViewer issue. Ken can see the passwords of any installed system. Given that he knows the IP and port of every installation (by way of software phoning home to verify key) and support emails info, this means he could conceivably remotely access the BI server. I am certain Ken wouldn't do this - or would like to think no developer would - but the world is a twisted place and simply trusting someone not to violate trust is not a good security approach.

    Without intentionally challenging Ken's (or any developer's) character, I guess I just want to know how we can eliminate the risk entirely.
     
  4. aristobrat

    aristobrat IPCT Contributor

    The same method that prevents unwanted access to cameras/NVRs running firmware that isn't trusted should work here: VPN (and potentially disable the device's ability to access the Internet, to prevent it from trying to reach out through your firewall and connect to some system on the Internet that could be used to reverse-tunnel back into the device through that connection).

    When you limit incoming remote access to your network via VPN, unless you give someone VPN credentials, they can't even make a connection to your network (in general), much less connect to the network and try to back-door into a system that's on your network.
     
  5. bp2008

    bp2008 Staff Member

    It is like @aristobrat said, you would need to prevent your BI server from having internet access. BI does have an activation mechanism which can be used offline (it comes up if you try to activate without an internet connection) so you don't actually need it to ever have an internet connection.

    Remote access is still possible through a VPN.
     
  6. Dramus

    Dramus Getting the hang of it

    No I.T. professional worth his or her salt will ever suggest it's possible to eliminate risk entirely, short of locking a thing in a sealed vault, immune to RF snooping, with a local/self-contained power supply.

    Beyond that the questions become ones of risk assessment and mitigation. That is: Determine your risks and mitigate against them to the extent possible.
     
    aristobrat and bp2008 like this.
  7. erkme73

    erkme73 Getting comfortable

    I was hoping there was something in-between a total VPN solution (which would complicate remote access by family members) and the way it is now. For example, entering the router IP/domain:port from the WAN brings up a separate non-BI login page where a separate set of credentials would be required. If entered correctly, then the user would be forwarded to the actual BI login page.

    Ultimately, I guess if I want friends and family to have access to the BI server (but not my LAN via VPN) I have to leave it like it is, knowing that Ken (or whoever he entrusts with the keys to the kingdom) won't violate our trust. I trust Ken, but as someone famous once said, "Trust but verify".

    ETA: Regarding eliminating security risk - bad choice of words. I realize that is virtually impossible. I'm specifically addressing the risk of someone with Ken's tools being able to access the system, without any trace of said access being logged.
     
  8. bp2008

    bp2008 Staff Member

    Well you CAN run a reverse proxy server that adds its own authentication layer. It is a bit complicated to set up but I have basic nginx instructions here: bp2008/ui3

    And if you run that proxy server on a different device then you could even still prevent the BI machine from having internet access so you would be safe(r) from outgoing connections.
     
    Xenon54 likes this.
  9. erkme73

    erkme73 Getting comfortable

    That sounds intriguing. Unfortunately my nginx/coding experience is zero. I'll start researching it now. Does anyone know of a tutorial or template for how to go from no proxy to proxy specifically with BI/UI3? Not being lazy - just need a starting point, else I'm sure I'll get snowed.
     
  10. aristobrat

    aristobrat IPCT Contributor

    Looks like if you can find a generic tutorial to get Nginx installed, the link BP provided above will get you the rest of the way...
     
  11. bp2008

    bp2008 Staff Member

    Well I tell you what @erkme73 if you want to skip that learning curve I have it on good authority that @Mike has a web proxy server in the works for Blue Iris Tools and he could probably be persuaded to add http basic authentication to it.
     
    Mike likes this.
  12. erkme73

    erkme73 Getting comfortable

    That's a great idea! I know his plate is full getting the latest update out (with the bug fix)... But, if you're listening @Mike :)
     
    Mike likes this.
  13. fenderman

    fenderman Staff Member

    I doubt he could unmask the passwords without actually being logged in via TeamViewer; this would create a terrible backdoor, and even if he did he would not disclose that. More than likely he could unmask the passwords once logged in via TeamViewer. I believe bp2008 has a tool for this as well, as they are stored in the registry. Remember that several years ago there was no "peek" feature to view your camera/webserver passwords so he would have to manually unmask them.
     
    vidmo likes this.
  14. aristobrat

    aristobrat IPCT Contributor

    What protection does a reverse-proxy without extra authentication add? Obscuring the BI server one more layer deeper?
     
  15. erkme73

    erkme73 Getting comfortable

    I'm probably not the one to answer that question, but I'll attempt it. I don't want anyone outside my LAN to have direct access to the BI server login page/IP:port. Having a proxy server (with its own set of credentials) forward requests to/from BI would (?) prevent someone with the BI creds from getting to the BI login screen without the proxy's creds. No?

    Maybe this isn't the correct approach, or I'm over-simplifying it. But the net effect is that someone would have to credential twice to get to the BI content. Once at the proxy, once at the BI login page.

    edit: @aristobrat - I see your logic... Why would @Mike add it without some kind of authentication, as it wouldn't offer any benefit. Though, I suppose if your goal is to load balance you can use the proxy to direct to different apps without providing different ports. At least that's what I've found reading about the benefits of nginx.
     
  16. archedraft

    archedraft Getting the hang of it

    Instead of logging into the BI server with your public IP address and port number, you would log in with a FQDN. Possibly more secure as the only open port would be the reverse proxy and the attacker would then need to figure out the entire FQDN, which can be uniquely set up for each application. Still not as secure as a VPN.
     
    aristobrat and erkme73 like this.
  17. bp2008

    bp2008 Staff Member

    Correct.

    I believe the plan for BITools was to provide an HTTPS endpoint (TLS 1.2) with automated certificate management using LetsEncrypt. The main benefits of this are providing identity verification and encryption of the connection.

    In a more general sense, reverse proxy servers are often used for offloading the HTTPS encryption work for a busy web server, and providing load balancing and some amount of DDOS protection. These aren't really major concerns for BI except that of course BI doesn't support HTTPS natively.
     
    aristobrat and erkme73 like this.
  18. aristobrat

    aristobrat IPCT Contributor

    Thanks, I was missing that if someone is just port scanning and happens to find the port, the proxy won’t let them through without them specifying the FQDN. That’s pretty cool.

    Turns out my Synology has reverse proxy support built in, including auto-fetching LetsEncrypt certificates. I’ve got it all set up with BI now!
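
The reverse-proxy arrangement discussed in posts 8 and 16 to 18, as an added example that is not part of the thread and is not taken from the bp2008/ui3 instructions: an nginx front end that rejects connections not addressed to the expected FQDN, requires its own credentials, and keeps its own access log. The hostname `cams.example.net`, the backend address `192.168.1.50:81`, and the certificate and htpasswd paths are assumptions.

```nginx
# Added example; hostname, backend address and file paths are assumed values.

# Catch-all: a TLS handshake whose SNI does not match a configured
# server_name (e.g. a scanner connecting by bare IP) is rejected outright.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;          # needs nginx 1.19.4 or later
}

server {
    listen 443 ssl;
    server_name cams.example.net;     # assumed FQDN

    # Assumed certificate locations (Let's Encrypt style layout).
    ssl_certificate     /etc/letsencrypt/live/cams.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cams.example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # First credential check, enforced by the proxy before any request
    # reaches the Blue Iris login page.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/bi.htpasswd;   # assumed path

    # Independent record of client IPs and requests, kept outside the
    # BI machine and separate from BI's own connection log.
    access_log /var/log/nginx/bi_access.log;

    location / {
        proxy_pass         http://192.168.1.50:81; # assumed BI LAN address
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Do not forward the proxy's own credentials to the backend.
        proxy_set_header   Authorization     "";
        proxy_read_timeout 1h;                     # long-lived video streams
    }
}
```

Run `nginx -t` to validate the configuration before reloading. When this runs on a separate device, only that device needs a forwarded port, and the BI machine can be denied internet access at the router as described in post 8.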
     
  19. bp2008

    bp2008 Staff Member

    Cool. Synology has some neat stuff in it.
     
    aristobrat likes this.