58,000 Security Camera Systems Critically Vulnerable To Attackers
Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug and Play (UPnP), which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."
What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.
Learn to love Alaska
"As Seen On TV"
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Damn! And I was just looking for a system for my house and my mom's house.
It's not like you should have anything unprotected by a firewall.
I've fallen off your lawn, and I can't get up.
No network issue here, I never connected the system to the network.
One of the last things the system recorded was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.
Of course the point was that with most standard firewalls in their default setting, this automatically punches its own holes through the firewall, it's a feature....
So it's more like "it's not like you should have this unprotected by a firewall that you have carefully set up yourself without any autoconfiguration options"
I can't even get my Swann DVR to work right WITH the login credentials!
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
That these systems will punch holes in a UPnP-capable router is part of the problem. Many people may not realize their DVR is even accessible from outside. Step number one on any home routers I set up is to disable UPnP because malicious software also likes to punch holes.
We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.
Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".
For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)
It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.
If China were putting back-doors in hardware systems, they could make them virtually impossible to find.
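The knock sequence described in the post above, turned into the kind of firewall-log check a defender can run. This is an added example, not code from the thread or from any vendor; it assumes iptables/netfilter-style syslog lines with a DROP or ACCEPT prefix and SRC=/DPT= fields, and the log lines, addresses and year are constructed. Beyond the specific sequence quoted above, the second function generalises to the case where the sequence is unknown and simply flags a source that is refused on several distinct closed ports and then accepted shortly afterwards.

```python
"""Detect port-knock style sequences in firewall log lines.

Added example, not from the thread. Assumes iptables/netfilter-style
syslog lines (constructed sample below). find_knock_sequences() looks
for a known sequence; find_drop_then_accept() needs no knowledge of the
sequence at all.
"""
import re
from datetime import datetime, timedelta

KNOCK_SEQUENCE = (1010, 1050, 3042, 4725)   # knock ports from the post above
OPENED_PORT = 9000                           # port that opens afterwards
WINDOW = timedelta(seconds=30)               # the whole knock must fit in here
LOG_YEAR = 2013                              # syslog lines carry no year (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: 203.0.113.7 knocks in order and is then accepted on
# 9000; 198.51.100.77 hits two closed ports out of order and nothing else.
SAMPLE_LOG = """\
Jan 29 10:00:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=1010
Jan 29 10:00:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=1050
Jan 29 10:00:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=1010
Jan 29 10:00:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=3042
Jan 29 10:00:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=4725
Jan 29 10:00:05 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=9000
Jan 29 10:00:09 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=3042
"""


def parse_line(line, year=LOG_YEAR):
    """Return (timestamp, action, src, dst_port), or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["action"], m["src"], int(m["dpt"])


def find_knock_sequences(lines, sequence=KNOCK_SEQUENCE, opened_port=OPENED_PORT, window=WINDOW):
    """Sources that hit `sequence` in order within `window` and were then ACCEPTed
    on `opened_port`. Returns a list of (src, first_knock_ts, accept_ts)."""
    progress = {}  # src -> (next index into sequence, time of first knock)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, src, dpt = parsed
        idx, first = progress.get(src, (0, None))
        if first is not None and ts - first > window:  # stale partial knock
            idx, first = 0, None
        if action == "DROP":
            if idx < len(sequence) and dpt == sequence[idx]:
                progress[src] = (idx + 1, first or ts)
            else:                                      # wrong port: start over
                progress.pop(src, None)
        elif dpt == opened_port and idx == len(sequence):
            hits.append((src, first, ts))
            progress.pop(src, None)
    return hits


def find_drop_then_accept(lines, min_ports=3, window=WINDOW):
    """Generalisation: any source dropped on >= min_ports distinct ports and then
    ACCEPTed within `window`. Returns (src, sorted_dropped_ports, accepted_port)."""
    recent = {}  # src -> [(ts, dpt), ...] drops still inside the window
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, src, dpt = parsed
        drops = [(t, p) for t, p in recent.get(src, []) if ts - t <= window]
        if action == "DROP":
            drops.append((ts, dpt))
        else:
            ports = sorted({p for _, p in drops})
            if len(ports) >= min_ports:
                hits.append((src, ports, dpt))
        recent[src] = drops
    return hits


if __name__ == "__main__":
    for src, start, end in find_knock_sequences(SAMPLE_LOG.splitlines()):
        print(f"knock sequence from {src}: {start:%H:%M:%S} -> accepted {end:%H:%M:%S}")
    for src, ports, port in find_drop_then_accept(SAMPLE_LOG.splitlines()):
        print(f"{src} refused on {ports} then accepted on {port}")
```

The second function is the one worth running over a real log, since the point of a knock is that the auditor does not know the sequence; a handful of refusals on distinct closed ports from one source followed within seconds by an accept is unusual enough to be worth a look, and the window and port threshold are the knobs to tune against your own background scan noise.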
That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.
> The Chinese are out to get us
If I were you, I'd be more worried about Uncle Sam
Muchas Gracias, Señor Edward Snowden!
Is there really anyone in the world who hasn't turned this monstrous security hole off yet?
The previous owner of the motel I work at got ripped off by a company that installed one of these 16 camera systems. The cameras never work right, and I knew something funny was up with the DVR when it said that you need IE and Active-X to watch it!
My current boss occasionally asks me to connect it up like the system his uncle (his boss) has, and I keep blowing him off, not because it would be hard, but because I'd both have to open a hole in the firewall to the outside world AND it would be fully accessible to anyone on the motel wi-fi system.
Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...
UPNP can trivially allow incoming ports on the firewall. And so what? You allow outbound connections, don't you?
There is very little difference between malicious programs being able to create their own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.
Why would I trust a program to create connections but not enough to accept them?
In practice, I leave UPNP turned on. If I were paranoid enough to disable it, I'd also be sufficiently paranoid to never, ever execute any code that I'd not written or reviewed myself, with a firewall that denies everything by default in both directions...and I just don't have time for that.
UPNP makes things work better: From BT to software updates to gaming on a PS3, UPNP helps keep the clusterfuck of NAT from being absolutely horrible.
So the score, so far, for UPNP seems to be this:
Problems that UPNP solves for me: Several.
Problems that UPNP creates for me: None.
Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let alone worry about UPNP.
Kid-proof tablet..
WTF?
On another note, "from the your-curtains-are-ugly dept.", my curtains are lovely, thank you.
ON TOPIC, mods, read the headline AND the subtitle!
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
> There is very little difference between malicious programs being able to create their own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.
Bullshit. If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent). So your clothes dryer can send you an email telling you it's on fire, or your tablet can fetch your email, and stuff like that. However, as pointed out in the present article, even a disbeliever like you should see that opening an inbound port is an entirely different affair. An inbound port is open to the entire world, anyone can connect, and, (barring any on-device security), they can do pretty much anything the device is capable of doing.
F. Robert Jack
> Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let alone worry about UPNP.
The connection to UPNP is that these devices are needlessly exposing themselves to attack by automatically opening inbound ports through the router using UPNP.
Alternative headline: 58,000 networks needlessly vulnerable because of UPnP usage.
Of course the Chinese can't afford to see the U.S. banking system collapse. Just turn around almost everything you can touch. Can you see where it is being manufactured? Who's going to buy the stuff if no one has any money left?
New Economic Perspectives
The reason we have such a thing going on is because of stuff like this... this is why I like OSS because if there is a problem I know that it will be fixed immediately instead of waiting for a patch to be released 6 months later. I'm not worried about China spying on us however I would worry about it if our government allowed something to be imported from another country without going through some sort of software test before being sold...
Yeah, I know. I should have been more explicit in my post.
I'm not saying that port knocking should be the product API. Port knocking is a terrible security measure.
I'm saying that a backdoor could be hidden in such a way that it would be impossible to find - and port knocking is one of those methods. It's simple and effective - even if it's "security by obscurity".
Since this exploit is not well hidden, chances are it isn't a purpose-built backdoor, but more likely an oversight of some kind.
The difference is simple (but huge). To allow a program or device to make an outgoing NAT connection, I have to assume that it is not malicious. To allow programs and devices to map incoming ports via UPnP I have to assume that it is not malicious AND it is not buggy enough to allow a gazillion script kiddies access to my network. So thanks, but no thanks on the UPnP front - I keep my open TCP ports to a minimum.
Awesome! So will we have a remake of Rising Sun with China as the antagonist instead of Japan?
Let's see, we can work in say a Chinese router manufacturer, and a major U.S. database manufacturer, which buys the tech for a major software platform like say Java, and tie in purchases of real estate by Chinese cartels under assumed names, and uh, the Chinese military of course, and we can have some hot Chinese or maybe Taiwanese-American engineer at some corporate lab or maybe U.S. university.. it all seems to be pretty realistic. But who will play Sean Connery's role?
> An inbound port is open to the entire world, anyone can connect, and, (barring any on-device security),
> they can do pretty much anything the device is capable of doing.
And 9 times out of 10, unless the homeowner couldn't figure out how to do it, any device that accepts incoming connections on a port probably has a port from the router's public IP address forwarded to its internal IP address *anyway*.
Yes, barring device security, they can do whatever they'd like. That's why the device HAS security. So they can't.
The biggest problem with internet cameras and DVRs isn't the fact that they can use UPnP to "punch holes" -- it's the fact that 99.9% of the damn cameras don't allow you to authenticate via SSL (valid certificate or not), and instead send your login credentials in the clear over the wi-fi network at Starbucks. I wish to ${deity} that routers had a "reverse https proxy" function that would accept inbound https connections, strip the ssl, and transparently forward the traffic to the same port of an internal IP address where there's a device that's too stupid to know how to do SSL.
I won't be losing sleep tonight worrying about my cameras' ability to coax the router into forwarding arbitrary ports to them. I'd lose quite a bit of sleep if I didn't have the internet-connected camera in my bedroom wired up to the burglar alarm through a relay that cuts the power to it whenever the alarm isn't in "away" mode, and a similar relay that cuts power to the switch connecting those cameras to the router. Technically, I could have gotten away with just one relay on the switch, but I couldn't sleep with the camera's red light blinking at me regardless of whether or not it was connected to the router at the time.
But if history is any indicator, there's a pretty good chance that someone will get arrested for disclosing this
I have the QC444 and you can telnet to it as root with no password.
Also when you access the camera, your creds go out via cleartext and you can easily see what your password is.
ActiveX is used to log in and manage the box remotely, also if you use a password longer than 6 characters, you cannot use the PSS software that they put out on their web site.
There was also some weirdness with it trying to talk to IP address 70.151.24.203
> Bullshit. If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent).
You're disregarding exactly the situation the GGP post was describing as the reason he turned UPNP off. GP's reply was a reasonable response: if you're assuming that software inside your network is malicious, it doesn't need UPNP to cause mischief... it'll probably hook up to an IRC server or similar in order to accept incoming commands, so that isn't a good reason to disable UPNP.
Now, this situation is (presumably) not malicious, but that doesn't make GP's response invalid. OTOH, I have to query how rare situations like this are. Very few devices automatically create firewall holes for themselves without user confirmation. Most UPNP routers make it very easy to monitor what holes you do have. The proportion of such devices that have massive security flaws like this is also likely to be low. I'm not therefore convinced that this situation is, on balance, enough to make me want to turn UPNP off.
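The post above says most UPnP routers make it easy to see which holes you have; the router's own UPnP service can be asked the same question directly. The following is an added example, not code from the thread, from any router vendor or from the article, that uses the standard UPnP Internet Gateway Device (IGD) protocol: an SSDP M-SEARCH to find the gateway, a fetch of its device description to locate the WANIPConnection/WANPPPConnection control URL, then GetGenericPortMappingEntry SOAP calls by index until the table runs out. The device-description and SOAP-response XML below, the 192.168.1.x addresses and the "DVR" mapping are constructed so the parsing can be exercised offline; only `discover_and_list()` touches the network.

```python
"""List the port mappings a UPnP (IGD) router currently has open.

Added example, not from the thread. Uses the standard IGD protocol:
SSDP discovery, device description, GetGenericPortMappingEntry.
The XML samples and addresses below are constructed for offline use.
"""
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
SSDP_ADDR = ("239.255.255.250", 1900)

# Constructed device description: one WANIPConnection service at /ctl/IPConn.
SAMPLE_DESCRIPTION = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
    <controlURL>/ctl/IPConn</controlURL><eventSubURL>/evt/IPConn</eventSubURL>
    <SCPDURL>/WANIPCn.xml</SCPDURL>
   </service></serviceList></device></deviceList></device></deviceList>
</device></root>"""

# Constructed SOAP reply: a mapping punched for an internal host on 9000.
SAMPLE_MAPPING_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>9000</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>9000</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>DVR</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery datagram asking for Internet Gateway Devices."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n' f"MX: {mx}\r\nST: {st}\r\n\r\n").encode()


def parse_ssdp_location(response_text):
    """URL of the device description from an SSDP reply (header is case-insensitive)."""
    m = re.search(r"^LOCATION:\s*(\S+)", response_text, re.I | re.M)
    return m.group(1) if m else None


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace


def find_wan_control_url(description_xml, base_url):
    """(absolute controlURL, serviceType) of the first WAN*Connection service, or None."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) != "service":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in svc}
        if any(k in f.get("serviceType", "") for k in ("WANIPConnection", "WANPPPConnection")):
            return urljoin(base_url, f["controlURL"]), f["serviceType"]
    return None


def build_mapping_request(service_type, index):
    """SOAP body and headers for GetGenericPortMappingEntry(index)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'}
    return body.encode(), headers


def parse_mapping_response(xml_bytes):
    """Dict for one mapping, or None if the reply is an error / not a mapping."""
    f = {_local(e.tag): (e.text or "").strip() for e in ET.fromstring(xml_bytes).iter()}
    if "NewInternalClient" not in f:
        return None
    return {"ext_port": int(f["NewExternalPort"]), "proto": f["NewProtocol"],
            "int_host": f["NewInternalClient"], "int_port": int(f["NewInternalPort"]),
            "enabled": f.get("NewEnabled") == "1", "desc": f.get("NewPortMappingDescription", "")}


def list_port_mappings(control_url, service_type, limit=256):
    """Walk the mapping table by index; routers answer HTTP 500 past the last entry."""
    mappings = []
    for index in range(limit):
        body, headers = build_mapping_request(service_type, index)
        req = urllib.request.Request(control_url, data=body, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping_response(resp.read())
        except urllib.error.URLError:      # SpecifiedArrayIndexInvalid or no answer
            break
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def discover_and_list(timeout=3):
    """Network path: find the gateway on the LAN and dump its mappings."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return []
    location = parse_ssdp_location(data.decode(errors="replace"))
    if not location:
        return []
    with urllib.request.urlopen(location, timeout=5) as resp:
        found = find_wan_control_url(resp.read(), location)
    return list_port_mappings(*found) if found else []


if __name__ == "__main__":
    for m in discover_and_list():
        print(f"{m['proto']} {m['ext_port']} -> {m['int_host']}:{m['int_port']} "
              f"{'on' if m['enabled'] else 'off'} {m['desc']!r}")
```

Run from a machine on the LAN with UPnP still enabled on the router; every line printed is a hole some device on the inside asked for, which is exactly the list to compare against what you knowingly set up. If the router's firmware has no control URL for WAN*Connection the function returns an empty list rather than guessing, and the same parsing functions work on a description fetched by hand with a browser.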
... but a feature. How else are the cops supposed to erase footage that condemns them and exonerates you?
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
> I wish to ${deity} that routers had a "reverse https proxy" function that would accept inbound https connections, strip the ssl, and transparently forward the traffic to the same port of an internal IP address where there's a device that's too stupid to know how to do SSL.
Have you considered setting up a VPN? Routers with integrated VPN functions are affordable these days (e.g. http://www.google.co.uk/products/catalog?q=dsl+router+vpn&sugexp=chrome,mod%3D11&um=1&ie=UTF-8&cid=11302817784067722053&sa=X&ei=Z3UHUfSWJrGp0AWNzYCwAw&ved=0CGMQ8wIwAw ). Alternatively, it wouldn't be too hard to set up the system you describe on a server inside your network and just forward your ports on the router to that system.
This is why I have two routers... one is the cable company's router and I've set that to no remote admin, the other is hung off that router and is the real router for my network
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
An outbound port is also open to the entire world: Hence, how your clothes drier can send you an email to tell you that it is on fire (and get a buffer overflow from a compromised SMTP server in exchange, possibly with the help of a poisoned DNS server, MITM attack, etc).
*shrug*
If a device can't be trusted to behave itself on the Big, Bad Internet, it probably shouldn't be trusted in a common LAN environment either (what, with WEP being trivially broken and WPA attackable with surprisingly small effort).
Indeed, if people kept their networks tidy (even Windows does a good-enough job of this these days by itself, let alone the secure-by-default BSDs and their ilk), we wouldn't need to care much if one wayward appliance got hacked because even with local access from a compromised box the rest of the stuff on the network is still secure.
I really don't care about cameras watching rock crushers...
Can someone please post a short-list of the ones covering strip clubs? 58,000 is a lot to sort through. Thanks in advance.
And the root problem there is that the device itself is not secure, not that UPNP allowed the device to be attacked. That a device is going to be attacked should always be assumed as a given, whether or not it is exposed to the Internet as a whole.
If a device is intended to operate securely on a network, it had better actually do so securely. The devices in TFA don't. This is a device problem, not a network problem.
If I can't trust my DVR to be secure on the Internet, I sure as fuck can't trust it on a large LAN (or a small LAN with a Wifi connection).
Blaming UPNP is a red herring.
Easily fixed with tape or a pen.
It's how I fix the issue I have with 99% of all electronic equipment these days, as they seem to insist on being able to illuminate a room with their "LOOK AT ME!!!" lights. And I think that's the first time in pretty much forever, I've ever wanted to use the blink-tag.
The best feature of my NEC 2090UXi monitor (other than its beautiful IPS LCD panel) is that the power indicator can be adjusted from a glaring eye-burning blue to either amber or green, and then dimmed to such an extent that it ceases to be bothersome and becomes a useful status indicator. (These functions are part of its on-screen menus.)
The worst feature of the Asus monitor on my desk beside it is the strip of red vinyl electrical tape that covers the eye-burning blue LED. (I find that red tape lets enough blue light through to be useful, without blacking it out completely. Yellow, green, white, and blue vinyl tapes were less than satisfactory.)
> Who's going to buy the stuff if no one has any money left?
The entire rest of the world. China isn't particularly dependent on one country with no money.
The single worst offender I can remember, was a mouse with an LED behind the company nameplate so intense, that you could read the name (mirrored) on the ceiling in daylight.
I did not say that closed TCP ports are an end to all security woes - I do not know where you took that from. I did not quote any probability of different attack vectors. I merely compared the UPnP on vs. UPnP off situation and said that UPnP off on the router is more secure than UPnP on.
What you are saying is essentially - "I have my front door key under the mat - and the only three people who used this key are people who I would have let in anyway. And that key under the mat is just common sense as the crooks can come in by breaking the window and through the chimney or con the cleaning lady anyway."
Your words, not mine.
The only sane approach (if there is a sane approach) is to mistrust every program, because a buggy program with network access is still buggy whether it can accept external connections or not: If it uses data from other places, it is potentially exploitable.
The longer you avoid this concept, the longer that you'll willfully fail to have secure systems. Good luck!
No, that's not it at all.
Either you have good, secure stuff on your network, or you're a vulnerable target. End of story. Incoming connections don't matter any more than outgoing connections. (And if you think they do, you're lying to yourself. Go back to the first sentence in this paragraph and re-read it until you understand.)
This is the *first thing* I turn off on a router. UPnP is basically a security hole by design.
Oolite: Elite-like game. For Mac, Linux and Windows
A Yahoo group was created in 2009 for some hacking into these.
http://tech.groups.yahoo.com/group/q_see_hack
Again - all I said is that having UPnP off is preferable to having it on. I also hinted that the amount of buggy programs (PC software as well as software in devices like printers, DVRs, etc) is much larger than the amount of malicious programs.
I have not talked about any other security measures that are or are not, should or should not be in place. Instead of arguing my point - how and why is UPnP on preferred to manually opening a minimum number of ports - you attribute to me a lot of things I have NOT SAID and argue with them. Keep up the good work.
Sounds like bullshit. The USA owes its creditors mostly in US dollars.
Say the USA owes you 2 trillion and you're stupid enough to try forcing them to pay up right now. If you're _unlucky_, instead of saying "Fuck off, we'll pay you when it's due" the US Gov will tell the Federal Reserve to create the 2 trillion or so to pay you back now.
The Chinese Gov isn't that stupid. They haven't converted enough of their US dollars to tangible stuff yet.
Russia might not care so much - the USA doesn't owe Russia as much and the oil and gas prices going up against the USD due to its inflation might be neutral to even positive for Russia.
shadowrun anyone...?
A local electronics/computer chain (now bankrupt) had all their security webcams on an open wifi network, and all the webcams had the default administrator password ("admin" of course). From a bench outside I was able to see everything going on in the store without even guessing the admin password.
They are when that one country represents nearly their entire customer base.
They are when that one country represents nearly all of the manufacturing contracts for products "made in china".
If the US goes down, China goes with it. China is trying to grow their economy, not kill it and cause another revolution.
The guy who said the election was rigged won the presidency with the second-most votes.
> They are when that one country represents nearly their entire customer base.
Sure, the US is important to China, but "nearly their entire customer base"? Ahh... the EU is larger than the US to China (see http://www.stanlib.com/EconomicFocus/Documents/Global/ChinaexportstoEUvsUS.pdf). But agreed - letting the US go bankrupt would definitely be a hit to the Chinese economy.
Paulson is just trying to make himself out to be some sort of savior when in reality only if the Chinese were seriously fucking retarded would they even consider such a frankly ignorant move and I can't picture the Russians being that fucking stupid either.
One thing that should be as plain as the nose on your face is that kind of collapse NEVER stays local, it ALWAYS spreads. One need only look at the crash of 29 which even at the much slower pace of communications had spread across the globe in less than a year and by 32 had the entire planet in a full blown depression to see letting a large economy collapse like a house of cards is NEVER a good idea. Sure China has room for internal growth but nowhere near what it would take to replace their exports which would dry up and blow away like a fart in the breeze, as a collapsing America would probably drag a good chunk of the west with it, everything is just too interconnected.
As for TFA this just in....Cheap shitty code for cheap shitty cameras has holes you can drive a truck through. Oh and water is wet, the sky is blue, and night follows the day. Frankly if the code on ANY of that Cheapo Chinese Crap was anything but piss poor I'd be amazed. As somebody who has to install a bunch of that shit for customers I can tell you that you are lucky if you can even get through the installation without the installer crapping on itself, it's obvious that it's all about how cheaply they can crank these things out NOT about having decent software to go with the thing.
ACs don't waste your time replying, your posts are never seen by me.
There are several solutions to your problem.
One is to disallow password authentication via SSH. Then you can have weak passwords locally on the machine, and use public key authentication for remote access.
A second one is to only allow remote access to a special account with a long password, and then, when logging in remotely, su to the main account with the short password. This is a bit brittle, but would work.
A third is to re-examine how you're using your system -- you probably don't actually need to supply passwords all the time. There are other distros besides Ubuntu, and, contrary to what you might have heard, logging in as root to do system maintenance is both reasonable and allowed.
2*3*3*3*3*11*251
This problem has been solved with key based authentication. You should look into it.
Cheap storage VM.
It's all about cost benefit. What is the cost to prevent outbound connections? It creates a lot of work for me and something nasty is probably going to sneak out through a commonly allowed port.
What is the cost to prevent inbound connections, practically nil. If something wants in, I can make a judgement and allow it. I can limit the type of traffic or source of inbound traffic on a specific port. I don't have to trust random developer to use tight restrictions.
Allowing upnp on any sort of "secure" setting is irresponsible and dangerous.
....is a documentary, then. Who knew?
Or edit the timestamp so that the ATM camera shows you there at the time the cops know that the suspect in the "Chainsaw Castrator" case made a withdrawal. (No hackers involved, that I know of, but back in the early 1990s, the Daily News ran a front-page photo of the suspect in a serial rape case, based on ATM footage. Except, oops, the time stamp was wrong and the poor shmuck was completely innocent.) (http://www.nytimes.com/1991/08/16/nyregion/man-in-photo-is-not-a-suspect.html) Now, consider what could be done today with actual malice, by crooks or by the cops who just want to arrest *someone*.
China is 25% of US imports and rising. US is 20% of Chinese exports and falling. We still need them more than they need us.
> And the root problem there is that the device itself is not secure, not that UPNP allowed the device to be attacked.
No, both of those are the problem.
Unix is user friendly, it's just selective about who its friends are.
If you owe the bank a little money and you can't pay, you have a problem. If you owe the bank a lot of money and you can't pay, the bank has a problem.
Of course anyone interested at all in security should have disabled UPnP a long time ago. There's hardly a point to having a firewall if any compromised application can ask for a nice big hole in it whenever it wants.