58,000 Security Camera Systems Critically Vulnerable To Attackers
Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug and Play (UPnP), which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."
What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.
Learn to love Alaska
"As Seen On TV"
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
it's not like you should have this unprotected by a firewall.
Damn! and i was just looking for a system for my house and my mom's house.
No network issue here, I never connected the system to the network.
One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.
At least its not the tyrannical US that has the backdoor into all your bases >_>
I can't even get my Swann DVR to work right WITH the login credentials!
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.
Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".
For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)
It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.
If China were putting back-doors in hardware systems, they could make them virtually impossible to find.
That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.
The Chinese are out to get us
If I were you, I'd be more worried about Uncle Sam
Muchas Gracias, Señor Edward Snowden !
I do 'need to know' that ! :)
Is there really anyone in the world who hasn't turned this monstrous security hole off yet?
Turn off UPNP and run this behind a firewall. Want to watch your cameras remotely, use OpenVPN and connect into your network. Problem solved.
And some places just leave their camera control panels COMPLETELY open to the public!
store48.viewnetcam.com
The previous owner of the motel I work at got ripped off by a company that installed one of these 16 camera systems. The cameras never work right, and I knew something funny was up with the DVR when it said that you need IE and ActiveX to watch it!
My current boss occasionally asks me to connect it up like the system his uncle (his boss) has, and I keep blowing him off, not because it would be hard, but because I'd both have to open a hole in the firewall to the outside world AND it would be fully accessible to anyone on the motel wi-fi system.
Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...
I been exploiting this for months!!!
WTF?
On another note, "from the your-curtains-are-ugly dept.", my curtains are lovely, thank you.
ON TOPIC, mods, read the headline AND the subtitle!
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
I have a QSEE QC model DVR. It does not appear to be one of the companies affected by this bug, but it has its own problems.
The unit comes with the user "admin" that cannot be disabled and cannot be blocked from remote access. Any users you add and the built-in default users, including the admin account, are limited to 6-character alphanumeric passwords. The device has default passwords that can and should be changed, but there is no process that reminds you or forces you to do so other than a text blurb in the setup instructions. Connecting to the device from a web browser is regular HTTP and not encrypted. My cameras are only outside, the DVR is in my DMZ, and although I'm not too worried about someone trashing the device config or watching my cameras, I still limit access to the device from my firewall to only a few select source IP addresses (my work IP, for example) for most of the day.
I don't know if you recall that 'bailout of 2008' but the Chinese Government is the only reason that the entire banking system didn't collapse. They own something like a trillion dollars worth of things like Treasury Bonds as well as Mortgage Securities.
According to Hank Paulson's book, Russia wanted to team up with China, call the debt, and make us go bankrupt and the banks die. China refused.
Partly because Hank Paulson, when he worked for Goldman Sachs, had spent several years in China getting to know the higher ups.
Now pull some bills out of your wallet. See the signature? Henry "Hank" Paulson. Treasury Secretary.
The reason we have such a thing going on is because of stuff like this... this is why I like OSS, because if there is a problem I know that it will be fixed immediately instead of waiting for a patch to be released 6 months later. I'm not worried about China spying on us; however, I would worry about it if our government allowed something to be imported from another country without going through some sort of software test before being sold...
Yeah, I know. I should have been more explicit in my post.
I'm not saying that port knocking should be the product API. Port knocking is a terrible security measure.
I'm saying that a backdoor could be hidden in such a way that it would be impossible to find - and port knocking is one of those methods. It's simple and effective - even if it's "security by obscurity".
Since this exploit is not well hidden, chances are it isn't a purpose-built backdoor, but more likely an oversight of some kind.
Everything shall be crackable.
Awesome! So will we have a remake of Rising Sun with China as the antagonist instead of Japan?
Let's see, we can work in say a Chinese router manufacturer, and a major U.S. database manufacturer, which buys the tech for a major software platform like say Java, and tie in purchases of real estate by Chinese cartels under assumed names, and uh, the Chinese military of course, and we can have some hot Chinese or maybe Taiwanese-American engineer at some corporate lab or maybe U.S. university.. it all seems to be pretty realistic. But who will play Sean Connery's role?
But if history is any indicator, there's a pretty good chance that someone will get arrested for disclosing this
I have the QC444 and you can telnet to it as root with no password.
Also when you access the camera, your creds go out via cleartext and you can easily see what your password is.
ActiveX is used to log in and manage the box remotely; also, if you use a password longer than 6 characters, you cannot use the PSS software that they put out on their web site.
There was also some weirdness with it trying to talk to IP address 70.151.24.203
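The previous comment says the login credentials go out in cleartext and that you can "easily see what your password is". Below is an added example (not code from the thread, the DVR vendor, or any product mentioned here) showing what "easily" means in practice: a few lines of Python that pull credentials out of captured plain-HTTP requests. The three sample requests are constructed for the example; the URL and form parameter names, and the target address 192.0.2.50, are assumptions rather than the real Q-See request format.

```python
"""Pull login credentials out of unencrypted HTTP requests, as an eavesdropper
on the same network would. Handles the three places a DVR web UI typically
puts them: an Authorization: Basic header, a POST form body, and URL query
parameters. The sample requests are constructed, not captured from a device."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Parameter names to look for (assumed; real firmware may use others).
USER_KEYS = ("username", "user", "login", "uid")
PASS_KEYS = ("password", "pass", "pwd", "passwd")


def _creds_from_query(qs: str, source: str):
    """Return [(source, user, password)] if qs carries a password parameter."""
    params = {k.lower(): v for k, v in parse_qs(qs, keep_blank_values=True).items()}
    user = next((params[k][0] for k in USER_KEYS if k in params), None)
    pw = next((params[k][0] for k in PASS_KEYS if k in params), None)
    return [(source, user or "", pw)] if pw is not None else []


def extract_credentials(raw: bytes):
    """Scan one raw HTTP request and return every credential pair found."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, headers = lines[0], lines[1:]
    found = []

    # 1. Credentials in the URL query string (GET /view?user=..&pwd=..)
    parts = request_line.split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    found += _creds_from_query(urlsplit(path).query, "url")

    # 2. HTTP Basic auth: base64("user:password"), no encryption at all
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, blob = value.strip().partition(" ")
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(blob, validate=True).decode("latin-1")
            except (binascii.Error, ValueError):
                continue
            user, _, pw = decoded.partition(":")
            found.append(("basic-auth", user, pw))

    # 3. Form-encoded POST body (username=..&password=..)
    if body:
        found += _creds_from_query(body.decode("latin-1"), "form")
    return found


# Constructed sample requests (RFC 5737 address), labelled as such.
SAMPLE_REQUESTS = [
    b"GET /cgi-bin/snapshot.cgi?channel=1 HTTP/1.1\r\nHost: 192.0.2.50\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    b"POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.50\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    b"username=admin&password=123456",
    b"GET /view?user=guest&pwd=guest1 HTTP/1.1\r\nHost: 192.0.2.50\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for source, user, pw in extract_credentials(req):
            print(f"{source:10s} user={user!r} password={pw!r}")
```

Feed it reassembled TCP streams from a capture (for example the output of a packet capture tool's "follow stream" feature) and every login to a plain-HTTP DVR panel on the segment falls out. The same one-liner decode of the Basic header is why "the password is obscured" is never an argument: base64 is an encoding, not encryption, and the only fix is TLS or keeping the panel off any network you do not control.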
Well, considering the number of security cams that I can control simply by Googling for them, I can't say that this impresses me a hell of a lot.
Get rid of the cams directly on the Internet with no changes from the factory defaults and I'll be a bit more impressed.
Microsoft leads to Bluescreen; Bluescreen leads to downtime; downtime leads to suffering.
... but a feature. How else are the cops supposed to erase footage that condemns them and exonerates you?
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
I really don't care about cameras watching rock crushers...
Can someone please post a short-list of the ones covering strip clubs? 58,000 is a lot to sort through. Thanks in advance.
I work for a PSIM company and have personally written integrations for around 100 different CCTV DVR and NVR systems. The vast majority are completely insecure. Most allow anyone to view video if on the same network. Some don't even allow you to configure a username or password. All of them come with a default user and password which, in my experience on production sites, is rarely changed.
I'd never recommend a DVR nowadays. Set up a PC running a flavour of Milestone XProtect, buy IP cameras. Change the default passwords. Don't expose anything to the Internet. Set up a VPN account into the Milestone server if you require remote access.
This is the *first thing* I turn off on a router. UPnP is basically a security hole by design.
Oolite: Elite-like game. For Mac, Linux and Windows
One of the many things that bothers me about Linux is its password obsession. It's difficult to use without typing your password in all the fucking time. So you tend to want to make that password short.
However, Linux uses the same password for remote SSH connections that it uses for local desktop authentication. Thus, if you set your desktop password to "whatever" so that it's something that is easy to type a hundred times a day, then your SSH server now accepts connections with that same easy password. Perhaps there's some way to make the two passwords different, but even if there is, it doesn't change that, by default, Linux does everything it can to encourage you to use a simpler password (by making you type it in for every trivial thing) while doing nothing at all to tell you that you have the option of using a much more secure password for remote connections.
The easiest way to solve this problem is to just not allow SSH connections via your router. Why expose sshd to the internet anyway? With remote exploits appearing in every service from time to time, since apparently even a small task like accepting a password and verifying it is nearly impossible to program without overflowing a buffer, there's no way you can allow any software to accept connections from the internet without opening yourself to a remote exploit anyway. Perhaps your software is secure today, but will it be secure next week? Will you even know right away when the next exploit is discovered, or will it be in the wild for a few weeks first?
So to say that anything that isn't secure enough to talk to the internet isn't secure enough to be on my LAN is to say that I can't SSH from one computer to another, or share files between my computers, or share a printer, or do anything at all between the computers in my house that random people who happen to discover the next exploit in some random piece of software can't do with my computers.
Honestly, I've only once ever allowed remote connections into my LAN from the internet, and for that I wrote my own application to accept connections, read the first 64 bytes, and compare them to a list of one-time-use passwords. If a match was found, it spawned pppd, and removed the password from the list so that it could never be used again. If no match was found, it just closed the connection. The simple fact is that authenticating remote users isn't a difficult task. It's just unfortunate that no one but myself seems to be able to do so without security advisories being released for their software years after everyone's been relying upon it to keep them secure. Once you authenticate a user, the rest of your software can be buggy as fuck and it doesn't matter since you know you're talking to a trusted user, but for some reason, programmers just don't care to put any extra effort into verifying that just that one small piece of code is well-written.
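The gate the previous poster describes (read the first 64 bytes, match against a list of one-time passwords, burn the entry, then hand the connection to the real service) is small enough to write out in full. The following is an added example in Python, not the poster's own program: it keeps only hashes of unissued tokens on the server side, compares in constant time, and rejects short reads and replays. The `socketpair` driver at the bottom and the "hand off to the service" callback are assumptions so it runs offline; a real deployment would bind a listening socket and spawn pppd (or whatever service is being guarded) on success.

```python
"""One-time-token connection gate: a new connection must present exactly
TOKEN_BYTES of an unused token before anything else is allowed to talk to it.
Added example for the gate described in the post above; server stores only
sha256 fingerprints of valid tokens, so a leaked list is not a leaked secret."""
import hashlib
import secrets
import socket

TOKEN_BYTES = 64          # 32 random bytes rendered as hex = 64 ASCII bytes on the wire


def _fingerprint(token: bytes) -> bytes:
    return hashlib.sha256(token).digest()


class OneTimeGate:
    def __init__(self) -> None:
        self._unused = set()          # sha256 of every still-valid token

    def issue(self) -> bytes:
        """Mint a token for the remote user; only its hash is remembered here."""
        token = secrets.token_hex(32).encode("ascii")
        self._unused.add(_fingerprint(token))
        return token

    def redeem(self, presented: bytes) -> bool:
        """True exactly once per issued token; constant-time against each entry."""
        if len(presented) != TOKEN_BYTES:
            return False
        fp = _fingerprint(presented)
        matched = None
        for candidate in self._unused:
            # compare_digest: no early exit on the first differing byte
            if secrets.compare_digest(candidate, fp):
                matched = candidate
        if matched is None:
            return False
        self._unused.discard(matched)  # burn it: replays fail from now on
        return True

    def admit(self, conn: socket.socket, timeout: float = 5.0) -> bool:
        """Read exactly TOKEN_BYTES from conn. True means 'hand conn to the service'."""
        conn.settimeout(timeout)
        buf = b""
        try:
            while len(buf) < TOKEN_BYTES:
                chunk = conn.recv(TOKEN_BYTES - len(buf))
                if not chunk:           # peer closed early: short read, reject
                    return False
                buf += chunk
        except OSError:                 # timeout or reset before the token arrived
            return False
        return self.redeem(buf)


def simulate_client(gate: OneTimeGate, payload: bytes) -> bool:
    """Drive admit() over a socketpair so the example runs without a network."""
    client, server = socket.socketpair()
    try:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        return gate.admit(server)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    gate = OneTimeGate()
    token = gate.issue()
    print("first use :", simulate_client(gate, token))   # True
    print("replay    :", simulate_client(gate, token))   # False
    print("short read:", simulate_client(gate, token[:10]))  # False
```

Two details worth keeping if you build something like this: the token list is consumed under a constant-time comparison so an attacker cannot learn byte-by-byte which candidate they are closest to, and the gate reads a fixed length and nothing more, so the parser an attacker can reach before authentication is a single bounded `recv` loop. That bounded surface is the whole point of the design; what sits behind the gate still has to be run with the least privilege it needs, because a token holder is not necessarily the person you issued it to.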
Yahoo group was created in 2009 for some hacking into these.
http://tech.groups.yahoo.com/group/q_see_hack
Because if it isn't security by obscurity, then it isn't any more secure than asking for a password.
The obvious thing to do would be no port knocking, but instead ask for a password, and disconnect anyone who doesn't supply the correct password. However, it's a well-known fact that programmers cannot achieve even this simple task without risk of a buffer overflow or some other security vulnerability that will be discovered some day and used in the wild for days or months before it is discovered and patched. Therefore, it is necessary to paste your own security method on top of anything provided by the software you're using.
This is why the security must be obscure. If it's popular and well-known, like a standard service that implements port-knocking, then it is inevitable that we'll then be forced to add "monitoring attempted connections to random ports for a specific sequence" to the list of things that programmers cannot do without risk of a buffer overflow or some other security vulnerability. After all, just asking for a password and testing its validity isn't a lot of code. If programmers can't do that without error, then what makes you think they can do something more complex like monitor connection attempts from potentially hundreds of computers at once?
Thus, the port knocking must remain obscure in order to be secure, because if it isn't obscure, then we'll inevitably one day learn that we can get into any computer simply by connecting to ports 4729, 12993, 3188, 23552 and 19993, which then triggers a buffer overflow, and allows our computer to connect to any service on the remote computer.
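Port knocking comes up twice in this thread: once as a description of the mechanism (a system that accepts nothing until the visitor has tried ports 1010, 1050, 3042 and 4725 in order, and then opens 9000) and once, above, as an argument about why it must stay obscure. The block below is an added example that serves both passages; it is not code from either poster. It implements the knock detector as a per-source state machine over firewall DROP log lines, using the thread's own port sequence. The iptables-style log format, the time window and the grant lifetime are assumptions for the example.

```python
"""Port-knocking state machine: a source address that hits the secret sequence
of closed ports in order, within a time window, is granted access to the
guarded port for a short time. Wrong or stale knocks reset the sequence.
Added example; constructed iptables-style DROP log lines stand in for the
real firewall log and are fed in one second apart."""
import re
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1010, 1050, 3042, 4725)   # the sequence quoted in the thread
GUARDED_PORT = 9000
KNOCK_WINDOW = 10.0    # seconds allowed to complete the whole sequence (assumed)
GRANT_TTL = 30.0       # seconds the guarded port stays open after a good knock (assumed)

# Only the two fields the detector needs from an iptables LOG line.
_LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_drop_line(line: str):
    """Return (src_ip, dst_port) from a firewall DROP log line, or None."""
    m = _LOG_RE.search(line)
    return (m.group("src"), int(m.group("dpt"))) if m else None


@dataclass
class KnockGuard:
    sequence: tuple = KNOCK_SEQUENCE
    guarded_port: int = GUARDED_PORT
    window: float = KNOCK_WINDOW
    grant_ttl: float = GRANT_TTL
    _progress: dict = field(default_factory=dict)  # src -> (next_index, first_knock_time)
    _grants: dict = field(default_factory=dict)    # src -> expiry time

    def knock(self, src: str, port: int, now: float) -> None:
        """Feed one rejected connection attempt from src to port at time now."""
        idx, started = self._progress.get(src, (0, now))
        if idx and now - started > self.window:
            idx, started = 0, now             # took too long: start over
        if port == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
        else:
            # A wrong knock resets; a correct first knock restarts the sequence.
            idx, started = (1, now) if port == self.sequence[0] else (0, now)
        if idx == len(self.sequence):
            self._grants[src] = now + self.grant_ttl
            self._progress.pop(src, None)
        else:
            self._progress[src] = (idx, started)

    def allowed(self, src: str, port: int, now: float) -> bool:
        """Would a connection from src to port be accepted at time now?"""
        if port != self.guarded_port:
            return False                      # everything else stays closed
        expiry = self._grants.get(src)
        return expiry is not None and now < expiry


def replay(lines, start: float = 0.0, step: float = 1.0) -> KnockGuard:
    """Drive a KnockGuard with log lines; timestamps are synthetic, step apart."""
    guard = KnockGuard()
    now = start
    for line in lines:
        parsed = parse_drop_line(line)
        if parsed:
            guard.knock(parsed[0], parsed[1], now)
        now += step
    return guard


# Constructed sample log: 203.0.113.5 knocks correctly; 198.51.100.9 gets one port wrong.
SAMPLE_LOG = [
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=1010",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=1010",
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=1050",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=1050",
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=3042",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=3043",
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=4725",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=4725",
]

if __name__ == "__main__":
    g = replay(SAMPLE_LOG)
    print("203.0.113.5  -> 9000:", g.allowed("203.0.113.5", 9000, 8.0))    # True
    print("198.51.100.9 -> 9000:", g.allowed("198.51.100.9", 9000, 8.0))   # False
```

Seen this way, the security argument above becomes concrete: the whole detector is a regex, a dictionary and a few comparisons, with no attacker-controlled data ever copied into a fixed-size buffer. That is exactly why the sequence itself is the only secret; anyone who can observe the knocker's traffic once (the knocks are plain SYNs to closed ports) has it, which is the "security by obscurity" caveat the thread is arguing about. It is also the reason an audit of the device alone cannot find such a gate: until the sequence arrives, the guarded port is indistinguishable from a closed one.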
shadowrun anyone...?
Onvif commands for any at port 9988 on Dahua and its re-branders (Q-See, among others). Also, telnet is wide open.
http://www.cctvforum.com/viewtopic.php?f=19&t=33275&hilit=onvif+security
A local electronics/computer chain (now bankrupt) had all their security webcams on an open wifi network, and all the webcams had the default administrator password ("admin" of course). From a bench outside I was able to see everything going on in the store without even guessing the admin password.
Are you kidding me? Is this not Slashdot, where supposedly technically inclined individuals congregate?
UPNP is an epic disaster in terms of network security. Even a half-wit can see the difference between allowing a single program out to a single or few sites versus allowing everyone on the planet in to all of your services. What is the point of having a firewall at all if you are going to allow every device on your network to open ports to it?
The number of embedded devices installed on home networks these days is really quite amazing. Cameras, DVRs, security systems, TVs, game consoles, printers, computers, tablets, phones, routers, switches, refrigerators, it's really quite amazing. Most, if not all, of these devices have known and unknown vulnerabilities. Some of them, as described in this article, are epic gaping holes that would make goatse feel inadequate. What utter moron would think that it is even remotely acceptable to allow all of these devices to open access to themselves for the entire world to take a crack at them.
That you lack the knowledge or forethought to understand the implications of an open network or how to get simple NAT working is yet another clear case against the clueless use of UPNP. I sincerely hope that people reading this thread do not mistake your vociferous and argumentative nature as authority on the subject matter because you are a network security disaster, just like UPNP.
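The previous comment's complaint, that UPnP lets every device on the LAN punch its own hole through the firewall, is something you can check on your own router rather than argue about. The block below is an added example (not code from the thread or from any UPnP library): it builds the SSDP discovery datagram, parses the gateway's reply, builds the `GetGenericPortMappingEntry` SOAP request that walks the IGD's port-mapping table, parses each response and flags enabled forwards into sensitive internal ports. The SSDP reply, the four mapping responses, the 192.168.1.x addresses and the "sensitive ports" table are constructed for the example; the control URL for the WANIPConnection service must be read from the device description at the LOCATION URL, which is the one step left to the caller.

```python
"""Audit UPnP IGD port mappings: discover the gateway over SSDP, walk its
port-mapping table with GetGenericPortMappingEntry, flag forwards into
services that should never face the Internet. Network I/O is expressed as
message builders and parsers so it runs offline on constructed responses."""
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Internal ports that must not be reachable from outside (23 and 9000 from the thread).
SENSITIVE_PORTS = {21: "ftp", 23: "telnet", 80: "http-admin", 9000: "dvr-control"}


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP M-SEARCH datagram; send it by UDP to SSDP_ADDR and collect replies."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Lower-cased header map from an SSDP 'HTTP/1.1 200 OK' reply ({} if not one)."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_get_mapping(index: int) -> tuple:
    """(HTTP headers, SOAP body) to POST to the WANIPConnection controlURL.
    Walk index 0, 1, 2, ... until the gateway returns a SOAP fault (end of table)."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode("utf-8")
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    return headers, body


def parse_mapping_response(xml_text: str) -> dict:
    """Pull the New* fields out of a GetGenericPortMappingEntryResponse."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]            # strip any namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    fields["ExternalPort"] = int(fields.get("ExternalPort", 0))
    fields["InternalPort"] = int(fields.get("InternalPort", 0))
    fields["Enabled"] = fields.get("Enabled") == "1"
    return fields


def audit(mappings) -> list:
    """One finding string per enabled mapping that lands on a sensitive port."""
    findings = []
    for m in mappings:
        if m["Enabled"] and m["InternalPort"] in SENSITIVE_PORTS:
            findings.append(f"{m['Protocol']} {m['ExternalPort']} -> "
                            f"{m['InternalClient']}:{m['InternalPort']} "
                            f"({SENSITIVE_PORTS[m['InternalPort']]}) "
                            f"desc={m.get('PortMappingDescription', '')!r}")
    return findings


# Constructed samples (private/RFC 5737 addresses), not captured from a real gateway.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
               b"LOCATION: http://192.168.1.1:49152/igd.xml\r\n"
               b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
               b"USN: uuid:00000000-0000-0000-0000-000000000001::"
               b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")


def _mapping_xml(ext, proto, intport, client, enabled, desc) -> str:
    """Constructed GetGenericPortMappingEntryResponse used only for the samples."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{intport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_MAPPINGS = [
    _mapping_xml(9000, "TCP", 9000, "192.168.1.50", "1", "DVR"),        # the port from the article
    _mapping_xml(23, "TCP", 23, "192.168.1.50", "1", "DVR"),            # telnet, root, no password
    _mapping_xml(51413, "TCP", 51413, "192.168.1.20", "1", "torrent"),  # not in the sensitive set
    _mapping_xml(8080, "TCP", 80, "192.168.1.50", "0", "DVR web"),      # disabled: not flagged
]

if __name__ == "__main__":
    print("gateway at", parse_ssdp_response(SAMPLE_SSDP).get("location"))
    for finding in audit(parse_mapping_response(x) for x in SAMPLE_MAPPINGS):
        print("FINDING:", finding)
```

Run the real thing by sending `build_msearch()` to 239.255.255.250:1900, fetching the LOCATION document from the reply to find the WANIPConnection `controlURL`, then POSTing `build_get_mapping(i)` for increasing `i` until the gateway answers with a SOAP fault. Anything `audit()` reports is a hole a device opened for itself; the fix the thread keeps repeating (disable UPnP on the router, reach cameras over a VPN) makes the table empty.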
Incoming connections don't matter any more than outgoing connections. (And if you think they do, you're lying to yourself. Go back to the first sentence in this paragraph and re-read it until you understand.)
Are you high?
1. A malicious application might get out to its command and control server
2. Every person on the planet has open access to your known vulnerable systems.
Do you truly not see any difference between 1 and 2? You really think that these are equal risks? Are you high?
Real network security professionals see option 2 as utterly insane and completely unacceptable. They see option 1 as a lower risk that must be mitigated against. The two are not the same!
Oh no! Now those insidious hackers can see me walking down a street, or *gasp* even stopping to say hi to someone! I must shut myself inside and never go outside. I'm as concerned about my privacy as the next guy, but I really don't get why people get their knickers in such a twist about cameras in public areas, as long as they stay in public areas.
...it's over 9000?
(Really, has no one made this joke yet? Monday's over already! Time to get back in the game!)
....is a documentary, then. Who knew?
I just edit /etc/passwd and change my user id to 0. It has the advantage that the auto-login still works (since otherwise Linux Mint doesn't allow "administrators" to log in to the GUI) and many programs that would normally bitch at me for running as root fail to notice what I've done. The only downsides are that a lot of programs ignore the HOME environment variable and so half of my configuration files end up in /root/ and occasionally a file open/save dialog defaults to /root/ instead of my home directory. It's by far the simplest solution I've found to the never-ending requests for authentication.
I'll be just as able to hack security cameras once i get my nano augs IRL as i was able to hack them in Deus Ex 10 years ago.
http://i.cubeupload.com/T6cyLu.png