> Better-quality devices will almost certainly be better protected against this kind of thing, and may for example block all incoming traffic until they’re paired with another device and set up manually. Still, this is a good reminder that it really is a jungle out there.
This seems like a bold claim, unless they define "better quality".
How would the malware even know that the camera was connected in? Especially if you're on a home network (which is firewalled / has NAT on).
I suspect that it must be the central server that this camera reports to that is infected, either directly, or indirectly with some program sitting at a nearby router listening for traffic.
Because the camera requests port forwarding from your firewall using UPnP. Now your mobile app connects directly to port 83785 and streams video from the camera without any firewall hassles. The problem now is that hackers can also connect to port 83785 and exploit unpatched security holes.
If a firmware update exists, its probably too technically challenging for Joe User to find and install. For a lot of these devices, there isn't even a published fix. These manufacturers are just rebranding some generic camera from a larger manufacturer or using the same camera and IoT guts and putting them into different cases. These companies probably don't even have a software developer on staff who has access to these firmwares, just perhaps a binary blob, assuming they have any software people on staff at all.
They're just mass scanning for known IoT ports. UPnP opens up the port for everyone. My port number is an example. This blogger found his camera opening up port 80 via UPnP:
Polling sounds the most likely. Note that previously compromised cameras can be used to perform tasks such as port scanning other IP addresses. They can also be used to compromise other devices in the home network.
If you knew about the risk, you would have secured your router firewall
I suppose there's a follow-up story to be had on routers that come with UPNP enabled by default, because wherever that's the case, your firewall has a hole poked in it as soon as the device powers up and connects to the LAN.
Assuming the router is somehow allowing NAT punctures or port forwarding, or if there is no router, then any easily compromised device will be compromised within 5 minutes of connecting it to the Internet.
Usually much less than 5 minutes. There's just that much Internet scanning.
If NAT is configured properly, then there is no risk.
News flash: If you expose a device web-accessible port to an internet IP with no firewall and leave the default user name and password intact, it will get hacked.
Put your shit behind firewalls and change the default user name and password to something secure. This is common sense stuff, people. Port scanners have existed for ages.
It almost looks like the camera producer/someone from an internal team was responsible for either giving out backdoor or actually infecting the camera...
What is the expected time between port scan for an arbitrary IPv4 address? Is the level of scanning activity so high (or so well-targeted to "promising" address spaces) that one should expect to be scanned in minutes?
I have between 2500 and 40,000 SSH login attempts on a server on my home broadband in Denmark, usually around 30,000. That's one every 90 seconds or so.
Wow.
I don't know about other ports, other than HTTP I don't have any open.
A server on slow home broadband in the UK is only receiving 100-300 attempts per day. It's almost identical to the one in Denmark, except the broadband is terrible.
Several servers in a university's IP space has about 5000-10000 attempts per day.
Are most of these things spread via random IPv4 address probes? Are we going to be a somewhat safer when networks are IPv6-only due to the size of the address space vs the used addresses?
Maybe. Windows had a single company behind it, and as I recall Bill had to issue a company-wide cease and desist order to get people to stop developing and focus on security for a while.
IoT may always be plagued by cheap hardware with buggy software from fly-by-night companies.
Having flashbacks to the 'bad old days' of similar things happening to Windows machines (PCs, ATMs, etc). Microsoft, the gigantic, near-monopoly company in the space with a jillion very smart people working for it, struggled with such issues for many years (though eventually reined it in).
This time, though, I don't see a tenable path to actually fix this. The IoT industry is terribly, terribly fragmented. Few business models incentivize providing ongoing maintenance once they've sold you their gizmo. Few consumers have the ability to detect that this is happening.
I suspect that security and compatibility issues will cripple a large chunk of the IoT industry, with bigger players slowly picking off the profitable/useful chunks with niche products customers will think of as 'safe' (read: Amazon/Google's many IoT products).
In the mean time, I'll continue avoiding smart/IoT devices in my house. The risks seem to far, far, outweigh the rewards.
36 comments
[ 3.1 ms ] story [ 102 ms ] threadThis seems like a bold claim, unless they define "better quality".
I suspect that it must be the central server that this camera reports to that is infected, either directly, or indirectly with some program sitting at a nearby router listening for traffic.
If a firmware update exists, its probably too technically challenging for Joe User to find and install. For a lot of these devices, there isn't even a published fix. These manufacturers are just rebranding some generic camera from a larger manufacturer or using the same camera and IoT guts and putting them into different cases. These companies probably don't even have a software developer on staff who has access to these firmwares, just perhaps a binary blob, assuming they have any software people on staff at all.
https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cct...
Also Brian Krebs examined that Foscam camera and found it enabled a P2P protocol and opened a port on the firewall using UPnP as well:
https://krebsonsecurity.com/2016/02/this-is-why-people-fear-...
If you knew about the risk, you would have secured your router firewall. If you did not know, you wouldn't be rushing to install the firmware.
Once the camera is compromised, it can modify the firmware being transmitted (to compromise it) or prevent its install.
I suppose there's a follow-up story to be had on routers that come with UPNP enabled by default, because wherever that's the case, your firewall has a hole poked in it as soon as the device powers up and connects to the LAN.
Usually much less than 5 minutes. There's just that much Internet scanning.
If NAT is configured properly, then there is no risk.
Put your shit behind firewalls and change the default user name and password to something secure. This is common sense stuff, people. Port scanners have existed for ages.
I haven't been able to find a company who provides a quality POE device that allows me to control the feed into something like Zoneminder.
Do I have to use something more analog to be "safer" from something like this?
https://www.ubnt.com/unifi-video/unifi-video-camera-g3-dome/
I'm going to get some for my new house. I already have some of their other gear and it has been rock solid so far.
Does the camera firmware open a UPNP tunnel in AP to its telnet port?
Does this guy's Wifi router enable anyone one to open tunnels in his AP router?
Wow.
I don't know about other ports, other than HTTP I don't have any open.
A server on slow home broadband in the UK is only receiving 100-300 attempts per day. It's almost identical to the one in Denmark, except the broadband is terrible.
Several servers in a university's IP space has about 5000-10000 attempts per day.
I expect the IoT to go though a similar phase, but eventually get fixed and be secure enough.
IoT may always be plagued by cheap hardware with buggy software from fly-by-night companies.
Question: interesting tweets Rob, is it used Dynamic DNS when it is initially setup? If no , how is it exposed to internet?
Answer: I had to map the external port 23 on the firewall to the device.
This time, though, I don't see a tenable path to actually fix this. The IoT industry is terribly, terribly fragmented. Few business models incentivize providing ongoing maintenance once they've sold you their gizmo. Few consumers have the ability to detect that this is happening.
I suspect that security and compatibility issues will cripple a large chunk of the IoT industry, with bigger players slowly picking off the profitable/useful chunks with niche products customers will think of as 'safe' (read: Amazon/Google's many IoT products).
In the mean time, I'll continue avoiding smart/IoT devices in my house. The risks seem to far, far, outweigh the rewards.