Switching from VPN to Port Forwarding.

wittaj (IPCT Contributor, joined Apr 28, 2019, USA) wrote:

Hackers don't care about your camera feed. Hackers use a vulnerable device (NVR or camera) that has ZERO protection on it to get into your LAN and either scrape it for bank info or use your ISP as a bot for DDoS attacks. Your antivirus software and router firewall do not block this crap because you gave an open door directly to your system to bypass these measures.

The P2P/QR code/port forwarding/allowing the camera internet access is how they are gaining access.

There are lots of examples where the security devices (ironic isn't it) are not very secure from the internet and pass information unencrypted before the P2P handshake begins...

Millions of people around the world want the simplicity of Internet of Things (IoTs) to be easy to connect to their system and work. They do not want to deal with security. They wrongfully assume that because they bought it and all they have to do is scan a QR code, that all is good. A manufacturer also doesn't want to deal with endless phone calls from consumers asking how to set something up, so they make it easy.

So these companies create these QR codes/P2P and magically the new device can be seen on the consumer's app. The consumer is happy. But this device has opened up the system to give easy access to your entire network.

I have a friend that falls under this "I just want to plug it in and scan a code and it works" mindset. Many years ago she bought a Foscam camera to monitor her front door. She plugged it in and pointed it out a 2nd story window and downloaded the Foscam app and scanned the QR code and magically she could see her camera through the magic of P2P. No plug-ins were needed.

A few years later she bought a printer and again, simply downloaded the app from the manufacturer and scanned the QR code and she could start printing.

One time in the middle of the night, she hears her printer printing a page. She thinks maybe she is dreaming or hearing things, so she thinks nothing of it and goes back to sleep. Next morning she gets up and indeed her printer did print something in the middle of the night and the printed page says I SEE YOU and a picture of her from her Foscam camera was below the text.

She changes her wifi password in case it was the peeping perv next door, whom she has caught looking at her through her window, and he guessed her password.

Problem still persists. She goes into Foscam app and changes the password to the camera. Problem still persists. She gets a new router and sets up a stronger password for wifi and changed the passwords of all of her devices. Problem still persists. She gets rid of camera and printer.

At some point Foscam disclosed a security vulnerability and issued a firmware update. Basically the vulnerability was something like this: when logging into the camera with a web browser over HTTPS, the initial login to the P2P site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and password are being sent unencrypted. While this was a security vulnerability found in Foscam, I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her printer that she set up using P2P.

Many articles on this site and out on the internet show how vulnerable these devices can be. I remember seeing an article about a webpage showing something like 75,000 video streams around the world that were hacked into because of these vulnerabilities. I know there is an article somewhere on this forum where someone posted that many of these cameras do send passwords totally unencrypted and wide open, easy to see for anyone knowing what they are doing.

Do not assume that because it is a name brand they actually have good security on these cameras, or any device for that matter. Think about the typical end-user that just wants simplicity to connect. And then think how a company would go about providing that simplicity. The end result is that providing that simplicity comes at a cost, and that cost is security vulnerabilities, which is ironic for security cameras. But if it can happen to Amazon/Ring (which is a fairly large company) and high end Axis and their P2P, it can happen to anyone, especially all the no-name brands being sold on Amazon.

For that reason, most of us here prevent our systems from having access to the internet.
 

wittaj (IPCT Contributor, joined Apr 28, 2019, USA) wrote:

There are vulnerabilities within P2P itself and the device whether it is a camera or NVR.

Flat out these devices are not secure, which is ironic LOL.

It comes down to your level of convenience and amount of risk you want to take. Everything in life has a risk. At the very least you should VLAN it so it can't access the rest of your LAN, but it doesn't mean they can't use your ISP for bot attacks.

But we have lots of threads here of people being hacked and P2P or port-forwarding are the causes.

Do a google search on Dahua vulnerability and Dahua P2P and watch all the exploits found. Further, these devices are rarely provided updates. If you see 3 in the device lifetime that is a lot. Here is just a sampling:

Trust Center - Dahua DACH: Dahua fully recognizes the importance of cybersecurity. Here you can find the latest cybersecurity notices/announcements, how to report a vulnerability, and recommended prevention methods.

Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices: Researchers discovered a new vulnerability (CVE-2022-30563) in Dahua IP cameras that can be exploited by remote attackers to compromise the cameras.

New research: P2P vulnerabilities show IoT security camera risks: Nozomi Networks published research about vulnerabilities found in the Peer-to-Peer (P2P) feature of a commonly used line of security cameras - Reolink. The most critical vulnerability, assigned a CVSS score of 9.1, allows attackers to access sensitive information such as audio/video streams...

Nozomi probes deeper into security vulnerability that hackers can exploit to compromise Dahua IP cameras - Industrial Cyber: Nozomi detects critical vulnerability that hackers could exploit to compromise Dahua IP cameras by replaying credentials.

A flaw in Dahua IP Cameras allows full take over of the devices (securityaffairs.com): A vulnerability, tracked as CVE-2022-30563, impacting Dahua IP Camera can allow attackers to seize control of IP cameras.

Dahua, Hikvision IoT Devices Under Siege – Krebs on Security

Port 37777 vulnerability - Amcrest Forum

Is your camera hacked? | easypsim™: Hikvision and Dahua surveillance cameras or cameras produced by Xiongmai can pose a significant security risk. Some security vulnerabilities ...

"Dahua Generation 2/3 - Backdoor Access"

Over two million IoT devices vulnerable because of P2P component flaws (www.zdnet.com): Devices like IP cameras, smart doorbells, and baby monitors sold under hundreds of brands are impacted.

Heck even Dahua in their wiki says one should disable P2P LOL

DahuaWiki

And the threat is the same for any camera using P2P. Don't think this is only a Dahua issue.
 

Revo2Maxx (n3wb, joined Jan 1, 2024, USA) wrote:

OK I have over 40 cameras and DVR/NVRs, please tell me how you will access my P2P device. If you have no clue what the SN is then you have no way to even start! By the way my first post here stated that it was plain text when you connect P2P if you are logging in somewhere where they have internet access.. Yet I was told WTF does that have to do with P2P lol

Number 1 way that a Security system is insecure is to let someone add some software to a Dahua Camera lol.. Or let a person set up your camera and you don't take steps to remove the provided password, make sure there were no extra passwords added, and that person that you trusted to set up your system then uses that info against the end user...

As I said before and I will say again.. 2 things needed to gain access to P2P. First is Serial Number of the Device or a UUID, or SID or whatever some company wants to call it...

Didn't find them saying turn it off

But yeah sure I agree.. Use a DVR for 1 password and 1 device.. or a POE NVR with all cameras connected on POE. Don't mean using Bridge Mode in my 5232E-16P NVR that just opens all devices and is less secure...

Anywhere you have to log into your device, 1 more space your device is open for attack again one reason I said no Cloud based cameras.. or using 3rd party software to access your IP cameras it opens so many different cans of worms..
 

Revo2Maxx (n3wb, joined Jan 1, 2024, USA) wrote:

In the end, off topic.. DON'T set up Port Forwarding, Period... There are enough people that are already connected using Hikvision and Dahua devices that if I had to guess 60% of them have no clue they are even connected... Then some of them don't even know how to set up Log in Lock out.. If I had to guess it would take less than 3 days before someone tries to attack your device if you were to connect with open ports.. What is worse is when there are some people out there that turn off security on the DVR/NVR and then make it look like a connected device from a more secure company is at fault when really it is the Recorder. All IP cameras are only as secure as the recorder they are connected to..
 

TonyR (IPCT Contributor, joined Jul 15, 2014, Alabama) wrote:

WTF does that have to do with P2P? Really Dude Read it.. Lets see, DMSS, or some other desktop management on your laptop or tablet and you connect it is called Shoulder Surfing, FFS you hang with your Troll friends. Leave you all to giving people BS..
I read it and since you started the name calling I'm not going to stoop to your level. However, anyone can see, based on the majority of your content, that some of the words in other paragraphs are a copy & paste...and some of those words consist of more than 2 syllables, which is way out of your wheelhouse.

Here's your most notable statement, in your post #12:

" Don't think some have a good understanding how normal P2P works... Please note this info is for Normal DVR/NVR and IP Cameras connection using P2P and not some Cloud based system that isn't the same as a Normal P2P setup."

and in your post #15, a close second statement:

"In a normal P2P there is no Middle man while stream is connectd only your phone and IP camera or DVR/NVR."

OK....please name ONE consumer-level camera company that manufactures and sells such a "normal" IP camera and/or "normal" NVR system that will connect by employing your dreamland "normal P2P" schema........no cloud, no QR code scanning, no UID or serial number use. Maybe on Amazon? or eBay?

^^^^^ You seem to be infatuated with "normal" so just name one such "normal P2P" setup that any one of us could purchase online and install soon after delivery and be able to access our cam at home from our smartphone 10 miles away from home with no cloud server.....I want one.
 

Revo2Maxx (n3wb, joined Jan 1, 2024, USA) wrote:

LOL copy and paste, Nope sorry.. I type the way I type and at times I press keys and I don't fix. Why would I.. if I am in a hurry then it is or can even be worse lol.. Name calling, I am well saying it as I see it.. I make a statement about P2P and I get jumped by 3 High Volume users.. Yeah seems coordinated.. NORM P2P user level IP cameras? Really you have to ask, I already answered lol.. Dahua, Amcrest, Annke as long as you're using Annke Vision.. The Server in the Middle has no data storage. No Data flows through the server in the Middle.. Why is it so hard to understand...

I buy camera, I turn on and install camera on App using P2P method. When I do this a UUID, SID, GID or some form of ID is made. This ID is then sent to a Server. This server then waits for a Ping of the Client and if client ID and Server *AKA CAMERA/DVR/NVR* has the right ID then it hands off the P2P connection and only 2 devices are connected, just the same way as you would be able to using IP addresses within your LAN... Only difference is that it is OVER many different formats being IP4 and IP6, even if you are not using IP6 it is part of the path.. UDP and TCP and isn't something that leaves crumbs where someone can do a something in the middle attack..

Know why no one likes it? Because they don't understand it.

Sorry I am old, Sorry if I was name calling as it may have been..

So Where is the confusion?
Decentralization?
Data Exposure?
Privacy Concerns?
Authentication Issues?
Anonymity and Traceability?
Device Vulnerabilities?
Poor Implementation?
OR maybe is just Lack of Central Control?

Out of the names I have used, I have tested and personally trust Dahua, Amcrest and for the most part Annke. Personally wish they would do more Updates but it is what it is. Oh maybe that is why you think I am copy and pasting lol.. I don't use ( this ( I use these*)) so maybe that is why you thought some of my text was copy and pasted lol OH OK... Nice.. Just the way it is...

Anyway back to what I was saying.. Using a camera system from someone that does updates and supports the hardware is best. While maybe to some Dahua and or Amcrest isn't giving High Quality cameras that you want. Seeing I have no clue what you use so I can't say.. But budget camera at budget dollars one gets what they pay for... I personally feel that I have some really good cameras for the money spent.. I have paid more and got less in the past so I am happy with what I use..

By the way there are so many insecure systems out there free to creep on, why would someone want to worry about trying to get into mine lol.. There are better things to watch.. Plus it is against the law.. Why chance it.. I mean TRENDnet and Alibi have the ability to turn off secure RTSP and HTTP.. Have both camera types and both stay behind Vlan unless I let them out to play.. Then track the traffic and report the abuse to the IP owners. In cases I find that some take care and will stop the attacks where others ignore the report emails..
 

TonyR (IPCT Contributor, joined Jul 15, 2014, Alabama) wrote:

Why is it so hard to understand...
I don't know...you tell me. You still have not replied specifically to my question but instead just type more and more, blah blah blah, yada yada like I'm supposed to get convinced and impressed by all the words and terms....and if you think that you HAVE answered it then no point in me repeating it a third time.

However, I am thankful to know that there is someone out there that can be more verbose than me, so thanks for that. :rolleyes:
 

Revo2Maxx (n3wb, joined Jan 1, 2024, USA) wrote:

LOL didn't answer your question? WTF?

You asked I answered..

Verbose? Then what, you don't read? I mean do I have to keep it to Yes and No kind of answers lol. How does anyone learn anything in that.. Sure I go on at times.. I had much more to say the last time. Each of the listed items I could have added more context to lol..
 

Revo2Maxx (n3wb, joined Jan 1, 2024, USA) wrote:

Oh, I see,, This time it was me that didn't read lol... Ok. So your question is without Blah Blah Blah and the truth is that was just a plain dumb question as there is no such P2P device that one would set up without some form of scanning or UUID being added.. That is the HOLE MAKER... Without that there is no way for SERVER 1, being your Camera or DVR/NVR, and server 2 to even have any idea of what the App AKA Client Requester is asking for... SO I read to the point of what I took as Who.. So Who uses normal P2P as I am calling it would be Amcrest or Dahua, Using normal P2P again NOT CLOUD P2P, NORMAL IP LINE ONLY... Hardware First server talks to Server AKA Second Server and keeps an "I am ready". They chat back and forth over time to make sure the First Server is still active.. Then once a Ping comes in the Second Server hands off the connection to the First Server, YOUR DEVICE, and the Connection is between your Phone or Desktop app and your DEVICE. There is nothing in the Middle PERIOD, that is how a Normal P2P works...
 

looktall (Getting comfortable, joined Sep 3, 2022, Australia) wrote:

If I could make a comment here that might clarify the above.

If any of you have used bit torrent you might like to think of it that way.
There is a camera/NVR (the seed) and there is a mobile app (the leech).
In order for the leech to find the seed they both talk to the vendor server (the tracker).
Once they have located each other the app talks directly to the camera/NVR and the data streams directly without going via the server.

Alternatively if you've ever used terminal services that could also be a good analogy.
In this case the camera/NVR is the terminal server and the mobile app is the remote desktop client (eg thin client).
To find each other they speak to the connection broker and once the connection is established between them all traffic flows directly between them and not via the broker.
 

Teken (Known around here, joined Aug 11, 2020, Canada) wrote:

I’ve honestly resisted commenting on this specific thread because there is clearly a lack of understanding of how things work. :facepalm:

I think it’s fair to say a few senior members have chimed in with solid advice and factual information as to the pros & cons of using any P2P service.

At a high level it’s really up to each person or company to decide (IF) another business service (P2P) is trustworthy. One would think the proper due diligence and pen testing would have been undertaken.

Along with reviewing and challenging all supporting documentation as to how their service is secure. Calling out (How) their network systems & topology is managed, protected, secured, isolated, and what PI information is stored etc.

How they comply with the various countries' privacy and data retention laws.

Having said that how does @Revo2Maxx explain push notifications?!?

How does Dahua / Hikvision / Other know when there is a change in state from motion detection, illegal logins, failed Micro SD card, etc??

Lastly, the reference to a Thin Client connection is nothing remotely the same as it is today.
 

looktall (Getting comfortable, joined Sep 3, 2022, Australia) wrote:

How does Dahua / Hikvision / Other know when there is a change in state from motion detection, illegal logins, failed Micro SD card, etc??

Lastly, the reference to a Thin Client connection is nothing remotely the same as it is today.
For push notifications I would say the process is the same but in the reverse direction.

As for thin clients, how they work today may or may not be the same as how I described (I know the 400 or so where I work still work exactly as I described), the point was to provide a description of something analogous to the way a connection might be made between a camera/NVR and a mobile client that people might be familiar with.
 

Teken (Known around here, joined Aug 11, 2020, Canada) wrote:

For push notifications I would say the process is the same but in the reverse direction.

As for thin clients, how they work today may or may not be the same as how I described (I know the 400 or so where I work still work exactly as I described), the point was to provide a description of something analogous to the way a connection might be made between a camera/NVR and a mobile client that people might be familiar with.
I think for the benefit of others who may stumble upon this thread and have similar questions and concerns some basics need to be expanded and called out.

As it relates to so called thin clients there are three industry recognized types: Thick, Thin, Zero Client.

Thick: Is a standard computer system with operating system, storage, and applications with the ability to work off line and use all the applications and resources without the need for a connection or external server access.

Thin: Is typically a stripped down, low power, low processor system that has an OS and storage, with no applications loaded.

All of the resources are provided by another offsite server or local computer system to provide the needed data / applications.

These devices rely on connectivity to access the information or application to view / perform work. These devices do not provide the end user any function without a hard line / wireless connection.

Zero: These devices have no storage, operating system, applications. They rely on the built in firmware in the hardware to turn on. Once on, they connect to an external server via hardline to load the OS, Application into memory to operate.

Once the terminal is powered down or connection severed there is nothing on the zero client hardware.

Both zero and thin clients (back in the day) were used extensively in business / government as it helped deploy vast amounts of computer systems at low cost and speed for deployment to sites with very little IT Support.

The obvious advantages of both Zero / Thin client is security & privacy. The next important area is zero maintenance as it relates to updates, patching, and configurations. As all of the above are done server side with no maintenance on the client side.

Generally speaking, both zero & thin clients in the past were driven by need, costs, and volume. There wasn’t a lot of compute power around and thick clients were very expensive to deploy especially with tens of thousands to million seat counts.

In 2024 compute power, storage, and bandwidth aren’t a problem. Given we are all inundated with all manner of threats, Thin / Zero clients are used even more today.

The biggest difference is nobody is just dialling into a mainframe / server making a true P2P connection. Every so called Thin / Zero Client (P2P connection) goes through a VPN to secure both the client / server.

Almost every Enterprise / Government network that utilizes a Thin / Zero client infrastructure has authentication servers before, during, and after the initial connection.

It doesn’t matter if it’s an AD, SSO, or OTP. These all go through another server to authenticate a person / system to access the resources required.

Given the very common use of 2FA never mind any other biometrics in place such as voice, face, iris, bone, finger, key cards, USB, etc.

All of these security measures go to another server to verify and grant access.

As it relates to Dahua / Hikvision P2P: people are kidding themselves if they think it’s truly a 1:1 connection from a person's smart application to a camera / NVR! :facepalm:

A simple Wireshark / network tool that provides hop counts and their destination will affirm you’re NOT connecting to just the smart application and target device, whether it be camera / NVR, while using Dahua / Hikvision P2P Services.

If the question and discussion was about using your own computer hardware, network management infrastructure, VPN, and applicable 3rd party remote software to access the camera / NVR.

There’s no question it’s (more) secure, and doesn’t include Dahua / Hikvision in a direct way.

But, this too isn’t the be all end all.

Because outside of having a hardline, wifi, or PtP Wireless connection, you’re on someone else’s infrastructure and network!

It doesn’t matter if it’s dial up, DSL, Fibre, Cable, Cellular, Satellite.

You’re literally using someone else’s network to pass your data through. Which they (Government / ISP) can see, track, disseminate.

Lastly, Push Notifications in the context of Dahua / Hikvision is provided and processed by an external server.

I’ll finish this long ass reply with another question. How do you or anyone receive a push notification of a camera / NVR being offline?!?

Is this magic??? Is this what the other member coined (Normal) P2P?!?

What is the magic / secret sauce that allows a no connection message via Push Notification to anyone that identifies a piece of hardware is off line or has no connectivity???

How does the smart application know you must sign in and it’s you? How does the smart application know you can’t use it until you update the application before use?

How does the smart application know there’s a firmware update available and able to download and install the same???
 
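As an added illustration of the check Teken describes (this is example code, not from the forum or any camera vendor): given outbound flow records for the recorder as seen at the home router, it groups bytes per external peer and reports whether the bulk of the session went to the viewing phone's public address or to a third-party host. All addresses, ports and byte counts are constructed sample data, and NVR_LAN_IP / CLIENT_WAN_IP are assumed values.

```python
"""Does a camera/NVR P2P session really go "direct"?

Reads flow records for the recorder (conntrack / NetFlow style, as a home
router would export them), sums bytes per external peer, and classifies the
session.  Every address and byte count here is constructed sample data.
"""
from collections import defaultdict

NVR_LAN_IP = "192.168.1.50"     # assumption: the recorder's LAN address
CLIENT_WAN_IP = "203.0.113.10"  # assumption: the phone's public address

# Constructed records, one flow per line:  proto src:port -> dst:port bytes
# 198.51.100.5 plays the vendor rendezvous/keepalive host, 198.51.100.9 a relay.
SESSION_DIRECT = """\
udp 192.168.1.50:37810 -> 198.51.100.5:8800 4200
udp 192.168.1.50:37810 -> 198.51.100.5:8800 3900
udp 192.168.1.50:37810 -> 203.0.113.10:51234 18400000
udp 192.168.1.50:37810 -> 198.51.100.5:8800 1100
"""

SESSION_RELAYED = """\
udp 192.168.1.50:37810 -> 198.51.100.5:8800 4200
tcp 192.168.1.50:48812 -> 198.51.100.9:443 19100000
udp 192.168.1.50:37810 -> 198.51.100.5:8800 1100
"""


def parse_flows(text):
    """Parse the constructed flow lines into (proto, src_ip, dst_ip, dst_port, nbytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, _, dst, nbytes = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append((proto, src_ip, dst_ip, int(dst_port), int(nbytes)))
    return flows


def classify_session(flows, nvr_ip=NVR_LAN_IP, client_ip=CLIENT_WAN_IP,
                     direct_share=0.9):
    """Sum outbound bytes per peer and say where the stream actually went.

    'direct'  : >= direct_share of bytes went to the viewing client itself.
    'relayed' : the biggest peer is not the client (a vendor relay or similar).
    'mixed'   : the client is the biggest peer but a lot still went elsewhere.
    Even a 'direct' verdict lists the rendezvous host under third_parties: the
    device checks in with it whether or not anyone is watching.
    """
    per_peer = defaultdict(int)
    for _proto, src_ip, dst_ip, _dst_port, nbytes in flows:
        if src_ip == nvr_ip:
            per_peer[dst_ip] += nbytes
    total = sum(per_peer.values())
    if total == 0:
        return {"verdict": "no-traffic", "peers": {}, "bulk_peer": None,
                "bulk_share": 0.0, "third_parties": []}
    bulk_peer = max(per_peer, key=per_peer.get)
    share = per_peer[bulk_peer] / total
    if bulk_peer == client_ip and share >= direct_share:
        verdict = "direct"
    elif bulk_peer != client_ip:
        verdict = "relayed"
    else:
        verdict = "mixed"
    return {"verdict": verdict, "peers": dict(per_peer), "bulk_peer": bulk_peer,
            "bulk_share": round(share, 3),
            "third_parties": sorted(p for p in per_peer if p != client_ip)}


if __name__ == "__main__":
    for name, text in (("direct", SESSION_DIRECT), ("relayed", SESSION_RELAYED)):
        print(name, classify_session(parse_flows(text)))
```

On a real router the same grouping can be run over conntrack or NetFlow output, which is what turns "it is direct" from a belief into a measurement.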

bigredfish (Known around here, joined Sep 5, 2016, Floriduh) wrote:

FWIW, we took a 10 day road trip last week and I turned on P2P on my Dahua NVR as well as Wireguard VPN via my firewall appliance for backup
(for me, Wireguard is MUCH faster than OpenVPN)

I never ended up connecting via Wireguard as the P2P connection was solid, reliable and seamless. I also got alerts based on my IVS rules.

Having done a few scans and gone over router and firewall appliance logs, it appears no Russian or Bulgarian hackers were able to infiltrate my network. (There were some suspicious attempts by some Org named FBICIANSA but otherwise all good.)
 

Teken (Known around here, joined Aug 11, 2020, Canada) wrote:

FWIW, we took a 10 day road trip last week and I turned on P2P on my Dahua NVR as well as Wireguard VPN via my firewall appliance for backup
(for me, Wireguard is MUCH faster than OpenVPN)

I never ended up connecting via Wireguard as the P2P connection was solid, reliable and seamless. I also got alerts based on my IVS rules.

Having done a few scans and gone over router and firewall appliance logs, it appears no Russian or Bulgarian hackers were able to infiltrate my network. (There were some suspicious attempts by some Org named FBICIANSA but otherwise all good.)
Pretty sure you missed the fact it’s not from the orgs you mentioned but from Castro in Cuba!

Then again it could be from those beaver loving Canadians!
 

bigredfish (Known around here, joined Sep 5, 2016, Floriduh) wrote:

I'm FAR more concerned with the US Govt hacking me than any other actor.

Though, I'm not sure about my physical security, now that you mention it there WAS an empty bottle of Moosehead in the garbage can ..:oops:
 