My house security and automation systems are all behind a firewall and access to them is proxied, including the video feed concentrator for the security cameras. I've had folks call this overkill but I won't directly expose any IoT-like thing to the Internet these days.
I done more or less exactly the same - IoT devices are on a separate hotspot, they can't talk out to anything (even pings to the gateway are dropped), and the only thing that can talk in is a specific address on my LAN.
No. They can't route out themselves (only through the proxy, which they don't know how to use and won't accept outbound connections from them anyway), and there is no UPnP enabled on that network.
Recently I watched a news segment in Korea about CCTVs connected to the internet without proper security: so many were wide open, and some could even record sound and play it real-time, and their lists were plainly accessible on some websites. The reporter said that the government had responded by blocking these websites from the Korean internet but people still found ways to access them via VPN.
There is or was a subreddit for linking to such potentially unintentionally accessible live feeds. One way to find them was to google certain terms/directory structures/page names that the viewing pages contained. Sometimes they even had panels that let you control the camera's direction.
“It’s unfortunate, but each camera will need to be updated manually by users,”
So most people aren't going to bother unless they get an alarming email from the manufacturer (assuming they even have a list of customer email addresses). Although these appear to be DVR systems for commercial use so it's more likely that a business would have a service contract with someone to manage these things. The service vendor would probably be more inclined to patch the thing than the business owner would.
Ah, security cameras. Never-updated linux boxes, frequently with homegrown http servers, often with secret hardcoded credentials in clear text laying around in the firmware blob.
Calling the second one a bug is ridiculous. “If the file /tmp/moses/ exists on the file system then an unauthenticated remote attacker can list all of the non-admin users and change their passwords“. That functionality is way too intentional.
That would only be a headline if the VPN software were somehow camera-specific, which seems unlikely. That fact alone is a benefit to using general-purpose security tools: more eyes on it, making a zero-day that much less likely (and a fix that much faster).
Another benefit is that updating a single instance of firewall or VPN software is much easier than updating dozens of cameras. Of course, if there are more VPN clients than cameras, that ceases to be true.
Adding such a layer is also just a kind of defense-in-depth. With the instant example, both the cameras and the VPN software (or firewall) would have to have vulnerabilities, at the same time.
Put the cameras behind firewalls, only allow access to them from the NVR, and only on the port(s) the NVR needs. No reason the entire internal network should have direct access to them.
It’s not a bad idea to stick them on their own VLAN as well, with access exclusively to the NVR and/or specific management devices. Their only purpose is to feed video back to specific systems, why let anything else touch them at all?
If you've got more mid-range network gear you might consider setting up a simple RADIUS system and switching to 802.1x auth (with just a basic guest portal or something for visitors) and per-port VLAN control as necessary. Makes it very convenient to segment out and isolate IoT, video, and VoIP into their own independent segments, best practice not just for security but performance and functionality as well. While it takes a bit more setting up it's also interesting and adds safety and versatility over time, plus you don't need any extra gear or cable. Worth a bit of consideration anyway if you have time and/or enjoy that sort of thing, along with a decent local VPN setup. The latter should also become even better over the next few years as WireGuard support spreads.
Agreed, but it has become a holdover catch-all term roughly meaning 'permanantly affixed, security camera' no matter the actual tech. I suspect many built for the purpose still use ccd detectors, but I lack domain knowledge in this case.
Any Internet-connected device is, in fact, a server, and must be seen and managed as one. This means strict control of installed services and, first and foremost, regular updates of all its software components (including firmware). If you acquire and install such a server which either can’t be updated or one which you know, realistically, won’t get any updates six months after installation, that’s asking to lose.
In my experience, keeping software and firmware aggressively up to date is far more likely to randomly break functionality and workflow and require my time and effort to fix than doing nothing and crossing my fingers I'm not subject to a zero-day. I can't even imagine how annoying this would be for someone without technical know-how. I think manufacturers who seem desperate to trick users into installing updates could go a long way by reducing the associated dread.
If you don’t update, you will be subject to an exploit, and you and your devices will then possibly be unwitting members of (possibly multiple) botnets.
Not updating for X days just increases the risk from only zero-day exploits to the risks of X-or-less-days exploits.
I look some more at the mainstream security devices.
I look again at the cheap cameras and Linux boards.
Sadly, security cameras are among the most hackable targets on the Internet, because You™ haven't released that competitive solution you've been thinking about that prioritizes security over unnecessary bells and whistles. When you do, you'll corner that vocal fraction of the community you've always been wanting to meet.
It doesn't have to be a bureaucratic, incoherent, legacy-burdened headache built from clipboard-remixed vendor samples. Linux, no blobs, a couple lightweight services; and you're done. Remote access in the palm of your hand? Too easy. Anything is possible when you design without agendas.
--
Your plaintext passwords (which were also using in two other places - argh) just leaked from a vendor's stolen cloud database.
A HTTP URL hack that dumps the root password into the browser window surfaced seven months ago.
36 comments
[ 4.4 ms ] story [ 80.3 ms ] threadBonus if it has a mobile app/interface, my use case is video monitoring of my kids rooms while they sleep.
https://www.schneier.com/blog/archives/2016/02/eavesdropping...
Recently I watched a news segment in Korea about CCTVs connected to the internet without proper security: so many were wide open, and some could even record sound and play it real-time, and their lists were plainly accessible on some websites. The reporter said that the government had responded by blocking these websites from the Korean internet but people still found ways to access them via VPN.
As if that's the crux of the problem.
The mind boggles.
> Shodan is the world's first search engine for Internet-connected devices
So most people aren't going to bother unless they get an alarming email from the manufacturer (assuming they even have a list of customer email addresses). Although these appear to be DVR systems for commercial use so it's more likely that a business would have a service contract with someone to manage these things. The service vendor would probably be more inclined to patch the thing than the business owner would.
https://www.youtube.com/watch?v=B8DjTcANBx0
Another benefit is that updating a single instance of firewall or VPN software is much easier than updating dozens of cameras. Of course, if there are more VPN clients than cameras, that ceases to be true.
Adding such a layer is also just a kind of defense-in-depth. With the instant example, both the cameras and the VPN software (or firewall) would have to have vulnerabilities, at the same time.
(obligatory https://www.shodan.io/ link ;) )
Not updating for X days just increases the risk from only zero-day exploits to the risks of X-or-less-days exploits.
Network live IP video cameras directory Insecam.com http://www.insecam.org/
I look at cheap camera modules and Linux boards.
I look some more at the mainstream security devices.
I look again at the cheap cameras and Linux boards.
Sadly, security cameras are among the most hackable targets on the Internet, because You™ haven't released that competitive solution you've been thinking about that prioritizes security over unnecessary bells and whistles. When you do, you'll corner that vocal fraction of the community you've always been wanting to meet.
It doesn't have to be a bureaucratic, incoherent, legacy-burdened headache built from clipboard-remixed vendor samples. Linux, no blobs, a couple lightweight services; and you're done. Remote access in the palm of your hand? Too easy. Anything is possible when you design without agendas.
--
Your plaintext passwords (which were also using in two other places - argh) just leaked from a vendor's stolen cloud database.
A HTTP URL hack that dumps the root password into the browser window surfaced seven months ago.