36 comments

[ 4.4 ms ] story [ 80.3 ms ] thread
My house security and automation systems are all behind a firewall and access to them is proxied, including the video feed concentrator for the security cameras. I've had folks call this overkill but I won't directly expose any IoT-like thing to the Internet these days.
Unless you left upnp enabled, in which case all precations are useless.
Tell me, Mr. Anderson: what good is UPnP, if the firewall blocks it?
I done more or less exactly the same - IoT devices are on a separate hotspot, they can't talk out to anything (even pings to the gateway are dropped), and the only thing that can talk in is a specific address on my LAN.
Are they able to initiate outbound connections?
No. They can't route out themselves (only through the proxy, which they don't know how to use and won't accept outbound connections from them anyway), and there is no UPnP enabled on that network.
Do you mind if I ask what cameras / software you use? or a good site to read up on this topic?

Bonus if it has a mobile app/interface, my use case is video monitoring of my kids rooms while they sleep.

Having a CCTV on public IPs is calling for trouble.
Somewhat off-topic:

Recently I watched a news segment in Korea about CCTVs connected to the internet without proper security: so many were wide open, and some could even record sound and play it real-time, and their lists were plainly accessible on some websites. The reporter said that the government had responded by blocking these websites from the Korean internet but people still found ways to access them via VPN.

As if that's the crux of the problem.

The mind boggles.

There is or was a subreddit for linking to such potentially unintentionally accessible live feeds. One way to find them was to google certain terms/directory structures/page names that the viewing pages contained. Sometimes they even had panels that let you control the camera's direction.
That is also what shodan is about.

> Shodan is the world's first search engine for Internet-connected devices

“It’s unfortunate, but each camera will need to be updated manually by users,”

So most people aren't going to bother unless they get an alarming email from the manufacturer (assuming they even have a list of customer email addresses). Although these appear to be DVR systems for commercial use so it's more likely that a business would have a service contract with someone to manage these things. The service vendor would probably be more inclined to patch the thing than the business owner would.

Calling the second one a bug is ridiculous. “If the file /tmp/moses/ exists on the file system then an unauthenticated remote attacker can list all of the non-admin users and change their passwords“. That functionality is way too intentional.
Not to mention the name "moses". Definitely intentional.
Seriously folks... put all those cameras behind firewalls, and only grant access to them over a VPN.
Next: "Zero-Day Bug in VPN Software Allows Hackers to Access CCTV Surveillance Cameras"
That would only be a headline if the VPN software were somehow camera-specific, which seems unlikely. That fact alone is a benefit to using general-purpose security tools: more eyes on it, making a zero-day that much less likely (and a fix that much faster).

Another benefit is that updating a single instance of firewall or VPN software is much easier than updating dozens of cameras. Of course, if there are more VPN clients than cameras, that ceases to be true.

Adding such a layer is also just a kind of defense-in-depth. With the instant example, both the cameras and the VPN software (or firewall) would have to have vulnerabilities, at the same time.

Put the cameras behind firewalls, only allow access to them from the NVR, and only on the port(s) the NVR needs. No reason the entire internal network should have direct access to them.
It’s not a bad idea to stick them on their own VLAN as well, with access exclusively to the NVR and/or specific management devices. Their only purpose is to feed video back to specific systems, why let anything else touch them at all?
Agreed, all my IoT stuff has its own separate network with its own access point.
If you've got more mid-range network gear you might consider setting up a simple RADIUS system and switching to 802.1x auth (with just a basic guest portal or something for visitors) and per-port VLAN control as necessary. Makes it very convenient to segment out and isolate IoT, video, and VoIP into their own independent segments, best practice not just for security but performance and functionality as well. While it takes a bit more setting up it's also interesting and adds safety and versatility over time, plus you don't need any extra gear or cable. Worth a bit of consideration anyway if you have time and/or enjoy that sort of thing, along with a decent local VPN setup. The latter should also become even better over the next few years as WireGuard support spreads.
As opposed to all other days, where simple misconfiguration allows hackers to access CCTV surveillance cameras.

(obligatory https://www.shodan.io/ link ;) )

Doesn't CCTV stand for close circuit television? It shouldn't be applied when these are rather obviously not closed at all.
Agreed, but it has become a holdover catch-all term roughly meaning 'permanantly affixed, security camera' no matter the actual tech. I suspect many built for the purpose still use ccd detectors, but I lack domain knowledge in this case.
(comment deleted)
Any Internet-connected device is, in fact, a server, and must be seen and managed as one. This means strict control of installed services and, first and foremost, regular updates of all its software components (including firmware). If you acquire and install such a server which either can’t be updated or one which you know, realistically, won’t get any updates six months after installation, that’s asking to lose.
In my experience, keeping software and firmware aggressively up to date is far more likely to randomly break functionality and workflow and require my time and effort to fix than doing nothing and crossing my fingers I'm not subject to a zero-day. I can't even imagine how annoying this would be for someone without technical know-how. I think manufacturers who seem desperate to trick users into installing updates could go a long way by reducing the associated dread.
If you don’t update, you will be subject to an exploit, and you and your devices will then possibly be unwitting members of (possibly multiple) botnets.

Not updating for X days just increases the risk from only zero-day exploits to the risks of X-or-less-days exploits.

Is there anyone selling CCTV cameras with good software?
Come on, who hasn't penetrated a poorly-guarded CCTV system in their time? That's like hacker 101
I look at mainstream security devices.

I look at cheap camera modules and Linux boards.

I look some more at the mainstream security devices.

I look again at the cheap cameras and Linux boards.

Sadly, security cameras are among the most hackable targets on the Internet, because You™ haven't released that competitive solution you've been thinking about that prioritizes security over unnecessary bells and whistles. When you do, you'll corner that vocal fraction of the community you've always been wanting to meet.

It doesn't have to be a bureaucratic, incoherent, legacy-burdened headache built from clipboard-remixed vendor samples. Linux, no blobs, a couple lightweight services; and you're done. Remote access in the palm of your hand? Too easy. Anything is possible when you design without agendas.

--

Your plaintext passwords (which were also using in two other places - argh) just leaked from a vendor's stolen cloud database.

A HTTP URL hack that dumps the root password into the browser window surfaced seven months ago.