someLuser should find more interesting things to do with his time, instead of wasting mine, the twat.
Hackers squeeze through DVR hole, break into CCTV cameras
The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers. The researchers added that unless systems are properly firewalled, security flaws in the the firmware of the DVR platform also create a …
-
-
Tuesday 29th January 2013 22:52 GMT Anonymous Coward
Re: VPN
Funny.
The landlord at a very large building I once worked at just ran his own CAT5 infrastructure for the camera's to standalone PC's with an airgap to anything connected to the internet.
Pretty cheap to do and very secure since the starting point for an attack is literally hacking into the devices with a hacksaw to get to a cable.
-
-
-
This post has been deleted by its author
-
Tuesday 29th January 2013 15:32 GMT adnim
Thanks
I enabled UPnP for some testing a short while ago I got distracted during the testing and and forgot to disable.
I run a web server at home and port 80 has been the only port ever visible from my public IP address. After reading your post I remembered I still had UPnP enabled and did a quick scan. I found port 443 open to the Internet. I connected using https:mydomainname.co.uk and my NAS logon appeared in the browser window!!!
I blocked https in and out over the WAN to both the NAS box and the web server yet my NAS log on still appeared when I connected over the Internet. I disabled UPnP and 443 is no longer open. So UPnP completely ignored my firewall rules.
I have always known UPnP was a security risk, but it was a shock to discover, at least on my router, that it just bypasses the firewall.
-
Tuesday 29th January 2013 17:15 GMT koolholio
Re: Thanks
Depending upon NAT routing and DNS Daemon type (relays/proxies for instance), depends on whether it resolves the DNS resolution internally or externally
Externally, this may not be possible? Else you may need to manually configure the config from the router (in Wordpad, since some formats are incompatible with notepad editing)
-
-
-
Tuesday 29th January 2013 14:09 GMT Anonymous Coward
That's my problem with UPnP port forwarding
That's my biggest problem with UPnP port forwarding: there simply is no control - you enable it, and any device can punch a Christmas Island-sized hole in your firewall, and there's not much you can do about it.
Had UPnP port forwarding been designed by somebody who understood and cared about systems administration, every UPnP device would have been required to have some shared secret assigned by the administrator, and the firewall would present a list of entities that requested forwarding and allow the administrator to say yeah or nay. You could even have made it more stupid-user friendly by having dedicated firewalls and and devices have a button (like the WiFi paring button) that could allow for this to be done automatically: Press the gizmo's button, press the firewall's button at the same time, done.
But that would have required the makers of UPnP port forwarding to understand the concepts of "security", "administrator", and "responsibility".
-
Tuesday 29th January 2013 21:31 GMT Gordon Fecyk
That's my problem with UPnP detractors
you enable it, and any device can punch a Christmas Island-sized hole in your firewall, and there's not much you can do about it.
Isn't that a problem with the device that requests the open ports?
Have we banned raw sockets yet? Should we petition MS to ban IP support? Oh wait... this is The Register I'm posting to here...
-
Wednesday 30th January 2013 16:30 GMT Oddb0d
Re: That's my problem with UPnP port forwarding
You could even have made it more stupid-user friendly by having dedicated firewalls and and devices have a button (like the WiFi paring button) that could allow for this to be done automatically: Press the gizmo's button, press the firewall's button at the same time, done.
WiFi Protected Setup probably isn't the best example as many implementations have a nasty PIN flaw that is easily exploited, further reading: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
-
-
Tuesday 29th January 2013 15:16 GMT Bernard M. Orwell
How about....
...my spy-happy friends, you save yourself the cost of upgrading your firmware or hiring staff that know what they are doing when it comes to security, and remove some of those obnoxious cameras that surveil us every day? After all, they don't work, and are now very obviously vulnerable to those that would....ahem....repurpose them.
-
Tuesday 29th January 2013 15:33 GMT Anonymous Coward
See, the problem with increased security standards in general is that in a world where I can't sign up to post on a forum without a 25 character password containing at least one high ASCII character, you still get crap like this:
To make matters worse, the DVRs support Universal Plug And Play, making control panels externally visible on the net.
It honestly never occurred to me that UPnP would do something like that. I mean... just... why? Who set that up and thought, "Yeah, this seems like a really good idea!"?
I've never used UPnP just because I didn't understand it precisely and prefer to have a bit more control over things, but I think one could be forgiven for not imagining that it actually hangs a giant billboard on your IP address saying, "COME IN AND FUCK ME UP!"
-
-
Wednesday 30th January 2013 09:07 GMT Peter Gathercole
Re: Don't blame UPnP... @Dom 3
I think that you've misunderstood what a firewall is for. It's there to protect you from devices and services that try to compromise your security regardless of their intent.
My view is that having a mechanism that can override your firewall without your knowledge can never be a good thing regardless of how much easier it may make running your environment. If you need remote access, configure it yourself, and learn in the process. Trying to justify anything else is just lax thinking.
-
Wednesday 30th January 2013 21:44 GMT Old Handle
Re: Don't blame UPnP... @Peter
It's not a firewall, it's a router. The purpose (in a typical use case) is to share an internet connection with all devices on a LAN. Specifically by providing NAT so we can keep using IPv4 forever. And that requires, among other things, forwarding inbound connections to the proper device. The fact that you can tell it not to forward certain connections at all is nice, but that's really a side benefit.
Reasonable people can disagree about whether something like uPnP should be on by default, but to me it looks perfectly consistent with the real primary goal of the device: Letting your other gadgets communicate on the internet.
-
Thursday 31st January 2013 11:24 GMT Peter Gathercole
Re: Don't blame UPnP... @Peter
I'm not sure that I believe you that it is just a router. Most routers now claim to have statefull firewalls in them, and bearing in mind that they are the first line of defence in most peoples home networks, I think that you need to treat them as a firewall.
Indeed, some misguided PC world sales youth tried to persuade me to buy an (expensive) all-singing, all-dancing ADSL router to replace my ADSL modem/router, separate Smoothwall firewall and wireless router, as it would do everything I needed in one box. I don't normally lecture people while in PC world, but he was an exception. I had gone in to try and find a wireless range extender.
But you are right, I should have been more careful in my comment.
Back on topic, you can turn UPnP on if you want, but I am never going to allow a vendor device on my network permission to open up inbound connections without being bloody sure I trust it, and I will offer that advice to anybody who asks me. I believe that it is just asking for your network to get pwned. It only takes one mis-configured or deliberately malicious device or software service/piece of malware (PCs can use UPnP as well) to appear on your network to let in things you do not want. If you do not see the danger, then that is not my concern, apart from having to fend off a future botnet in which your machines are enrolled.
-
-
-
-
-
-
-
Wednesday 30th January 2013 11:59 GMT Intractable Potsherd
Re: How do I do a port scan to see what ports my uPNP router has exposed?
I agree with Peter Gathercole - "Shields Up!" is a good place to go. The site isn't intuitive, but it tests comprehensively. I have just used it, because I changed broadband providers just before Christmas (no cable at the new house, so had to go to DSL) and hadn't thought to check the default security of the router other than a quick run through the setup options. Delighted to find that I am effectively invisible on the internet (except for when I post here!)
-
-
-
Tuesday 29th January 2013 18:09 GMT Steen Hive
Makes a change
"In short - this provides remote, unauthorised access to security camera recording systems," Moore concludes in a blog post that does a good job of summarising the issue"
As opposed to fuckwits behind cameras being provided with unauthorised access to my whereabouts, lack of dress-sense and allegedly suspicious demeanor .
-
Tuesday 29th January 2013 19:12 GMT Anonymous Coward
Alleged firmware flaws?
The hack only works if you first connect a cable to the serial port and run an activeX applet without authentication.
-
Tuesday 29th January 2013 19:54 GMT Anonymous Coward
Re: Alleged firmware flaws?
As far as I can tell, he used the cable etc to *find out* that this was an issue. I can't imagine it's required for the 'vulnerability' to work - if that's the case it's completely pointless. You might as well define every device with a hard drive as insecure because you could take it out and hack the OS at your leisure!
-
-
Tuesday 29th January 2013 21:30 GMT Mark Allen
Horrendous Security
It has always been the way with this kind of kit. I helped one client to get "remote access" to his cameras and found out that the company who supplied his cameras had written a useful document to explain how to install an ActiveX control to let IE access the cameras. The documents were clearly written by the guys installing the cameras as it basically told you to disable ALL security in your web browser to a point that ANY active X control from any untrusted site would be allowed to work.
In that example I at least sent them a copy of their document back updated with details on how to restrict access to just the relevant camera site instead of "the whole world".
This kit is all the same though. Slap dash construction in a cheap country. Then installed by people who don't understand computers. "Look at the pretty pictures".
Biggest joke of course being that these are "Security" cameras.
-
Tuesday 29th January 2013 21:34 GMT Anonymous Coward
Why not start with decent password policies?
Now, I think its good to have some attention for the risk of intrusions and the likes. However, it would sound more impressive if these agencies actually used some sane password policies to begin with.
Generalizing here, I know, but every once in a while you read stories where "hackers" gained access to such devices by merely guessing (!) the password. Because it is the street the device is in, or because no one bothered to change the factory defaults, or because all devices which fall under the supervision of a single police station all use the name of said station as password (a scenario which was discovered in Holland some time ago), etc.
Having some attention for security is a good thing, but I'd say start at the beginning.