Slashdot Mirror


58,000 Security Camera Systems Critically Vulnerable To Attackers

Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."

30 of 157 comments

  1. No Surprise by hduff · · Score: 4, Funny

    "As Seen On TV"

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  2. Re:well ... by fyngyrz · · Score: 2

    it's not like you should have this unprotected by a firewall.

    it's not like you should have anything unprotected by a firewall.

    --
    I've fallen off your lawn, and I can't get up.
  3. Re:Made in China. by Anonymous Coward · · Score: 5, Funny

    Damn! and i was just looking for a system for my house and my mom's house.

    Is your mom hot?

    Well, I guess we'll find out soon enough...

  4. Re:well ... by green1 · · Score: 4, Informative

    Of course the point was that with most standard firewalls in their default setting, this automatically punches its own holes through the firewall, it's a feature....

    So it's more like "it's not like you should have this unprotected by a firewall that you have carefully set up yourself without any autoconfiguration options"

  5. Remarkable technical prowess! by mpoulton · · Score: 3, Funny

    I can't even get my Swann DVR to work right WITH the login credentials!

    --
    I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
  6. Re:well ... by fluffy99 · · Score: 4, Informative

    That these systems will punch holes in a UPnP-capable router is part of the problem. Many people may not realize their DVR is even accessible from outside. Step number one on any home router I set up is to disable UPnP because malicious software also likes to punch holes.

  7. Closed up a hole on our DVR by baobrien · · Score: 4, Interesting

    We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.

    1. Re:Closed up a hole on our DVR by fuzzyfuzzyfungus · · Score: 2

      The soul-crushing thing about your story is that it suggests that somebody deliberately went to additional effort to build/install a telnet daemon while hacking the firmware together. That's just sick and wrong.

  8. Port knocking by Okian+Warrior · · Score: 5, Informative

    Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".

    For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)

    It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.

    If China were putting back-doors in hardware systems, they could make them virtually impossible to find.

    That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.
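
The knock gate described above, as an added example that is not part of the original comment or of any real knock daemon: a state machine that tracks each source's progress through the sequence, opens port 9000 for that source only after the full sequence arrives in order and within a time window, and resets on any wrong port. The window and open-duration values, the sample source addresses and the event timings are assumptions constructed for the demo; a real deployment (knockd or an iptables `recent`-module chain) watches packets at the firewall, whereas this feeds constructed (time, source, port) events to the same decision logic. The ascending port scan in the demo passes every knock port in the right order, yet never opens the gate, which is why a scan does not trip it.

```python
"""Port-knocking gate (added example, not from the thread or any real knock daemon)."""
import time

KNOCK_SEQUENCE = (1010, 1050, 3042, 4725)  # the sequence used in the comment
GUARDED_PORT = 9000
KNOCK_WINDOW = 10.0  # assumption: max seconds between consecutive knocks
OPEN_FOR = 30.0      # assumption: seconds the guarded port stays open per source


class KnockGate:
    """Decides, per inbound (source, port) attempt, whether to accept it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, guarded=GUARDED_PORT,
                 window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.guarded = guarded
        self.window = window
        self.open_for = open_for
        self._progress = {}  # src_ip -> (index of next expected knock, time of last knock)
        self._opened = {}    # src_ip -> time the grant expires

    def observe(self, src_ip, dst_port, now=None):
        """Feed one connection attempt; True = accept, False = drop."""
        now = time.monotonic() if now is None else now
        if dst_port == self.guarded:
            # Guarded port: accept only sources holding an unexpired grant.
            expiry = self._opened.get(src_ip)
            if expiry is not None and now < expiry:
                return True
            self._progress.pop(src_ip, None)  # probing the port directly resets the knock
            return False
        idx, last = self._progress.get(src_ip, (0, now))
        if idx > 0 and now - last > self.window:
            idx = 0  # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._opened[src_ip] = now + self.open_for  # full sequence: grant
                self._progress.pop(src_ip, None)
            else:
                self._progress[src_ip] = (idx, now)
        else:
            self._progress.pop(src_ip, None)  # wrong port: reset ...
            if dst_port == self.sequence[0]:  # ... unless it restarts the sequence
                self._progress[src_ip] = (1, now)
        return False  # knock ports themselves are always closed


def demo():
    """Four constructed sources against one gate; returns who got into port 9000."""
    gate = KnockGate()
    results = {}
    # (a) direct connect to 9000 without knocking
    results["direct"] = gate.observe("198.51.100.1", GUARDED_PORT, now=0.0)
    # (b) the correct sequence, one second apart
    for t, port in enumerate(KNOCK_SEQUENCE, start=1):
        gate.observe("198.51.100.2", port, now=float(t))
    results["knocker"] = gate.observe("198.51.100.2", GUARDED_PORT, now=5.0)
    # (c) ascending scan 1000-5000: hits every knock port in order, but each
    #     wrong port in between resets the state
    for i, port in enumerate(range(1000, 5001)):
        gate.observe("203.0.113.5", port, now=i * 0.01)
    results["scanner"] = gate.observe("203.0.113.5", GUARDED_PORT, now=100.0)
    # (d) right sequence, but the third knock arrives after the window
    gate.observe("198.51.100.3", 1010, now=0.0)
    gate.observe("198.51.100.3", 1050, now=1.0)
    gate.observe("198.51.100.3", 3042, now=1.0 + KNOCK_WINDOW + 1)
    gate.observe("198.51.100.3", 4725, now=1.0 + KNOCK_WINDOW + 2)
    results["slow"] = gate.observe("198.51.100.3", GUARDED_PORT, now=1.0 + KNOCK_WINDOW + 3)
    return results


if __name__ == "__main__":
    print(demo())
```

The grant is keyed on source address, so a knocker behind NAT shares it with everyone at the same public address for the open window; the knock ports answer nothing either way, which is what makes the sequence invisible to a port scan.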

    1. Re:Port knocking by GNUALMAFUERTE · · Score: 5, Interesting

      Port knocking is insane. It's the worst nightmare the security-through-obscurity mindset brought us, and it's so fucking annoying.

      My company develops a CCTV DVR/NVR. It's GNU/Linux based, we keep it up to date by offering free updates for life. Upgrades are not a huge firmware blob you need to download and then install (something customers won't do), it's a simple package (we use our own pkg management, and it's slackware-like), usually a few MB of download, but to the customer it's transparent. They just get a warning when they log in, and the system lets them know via e-mail there are available updates, they can install them with a single click. The whole system is web-based, HTML5, and works out of the box on anything Gecko or Webkit based plus Opera (IE not supported). We don't require additional ports, everything works through a single HTTP port. Everything is session-based. We force the customer to use secure passwords, and to change them frequently. We use uPNP to open that single port, but that's when the customer runs the setup wizard, and we explain what we are going to do, and request customer authorization.

      It's easy to do the right thing, and if the manufacturer does the right thing, you don't need any additional security (for example, you don't really need to firewall the damn DVR). Sadly, most manufacturers don't do the right thing. They don't even bother providing upgrades. And the customers don't usually care, even when you offer a better solution, most will go with the generic chinese crap just because it's a few dollars cheaper. That's why more secure and functional solutions such as ours are usually only found in corporations (95% of our customer base).

      This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag. That's a deadly combination for the technology used by 90% of the population.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    2. Re:Port knocking by k8to · · Score: 2

      Sure hope you:

      * Make it possible to disable or alter password expiry policies. This sort of thing just pushes people to put them on paper.
      * Do not use UPnP without customer authorization.

      Otherwise, I wouldn't really trust you / want to use your things.

      --
      -josh
  9. The Chinese or Uncle Sam ?? by Taco+Cowboy · · Score: 4, Insightful

    The Chinese are out to get us

    If I were you, I'll be more worried about Uncle Sam

    --
    Muchas Gracias, Señor Edward Snowden !
  10. This is EXACTLY what I've been afraid of! by storkus · · Score: 2

    The previous owner of the motel I work at got ripped off by a company that installed one of these 16 camera systems. The cameras never work right, and I knew something funny was up with the DVR when it said that you need IE and Active-X to watch it!

    My current boss occasionally asks me to connect it up like the system his uncle (his boss) has, and I keep blowing him off, not because it would be hard, but because I'd both have to open a hole in the firewall to the outside world AND it would be fully accessible to anyone on the motel wi-fi system.

    Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

    1. Re:This is EXACTLY what I've been afraid of! by julesh · · Score: 2

      Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

      Just WHERE in a casino can you WORK and not be under constant surveillance?

      In the surveillance room?

  11. Re:well ... by adolf · · Score: 4, Interesting

    Step number one on any home router I set up is to disable UPnP because malicious software also likes to punch holes.

    UPNP can trivially allow incoming ports on the firewall. And so what? You allow outbound connections, don't you?

    There is very little difference between a malicious program being able to create its own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

    Why would I trust a program to create connections but not enough accept them?

    In practice, I leave UPNP turned on. If I were paranoid enough to disable it, I'd also be sufficiently paranoid to never, ever execute any code that I'd not written or reviewed myself, with a firewall that denies everything by default in both directions...and I just don't have time for that.

    UPNP makes things work better: From BT to software updates to gaming on a PS3, UPNP helps keep the clusterfuck of NAT from being absolutely horrible.

    So the score, so far, for UPNP seems to be this:

    Problems that UPNP solves for me: Several.
    Problems that UPNP creates for me: None.

    Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let alone worry about UPNP.

  12. Re:Never attribute to malice... by fuzzyfuzzyfungus · · Score: 5, Insightful

    What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

    I'm inclined to keep "Never attribute to malice something much stupider than malice would have implemented" in mind as a variant on the usual phrase.

    Given the hordes of profit-driven, variously political, and simply lulz-oriented attackers on the internet, relatively blatant backdooring(when you are in the privileged position of being the guys shipping the firmware, no less, hard to ask for more insider access than that) amounts to squandering an advantage. Had the units shipped with, say, a bugged sshd that is hardcoded to always allow access via keypair auth with a specific private key, it is both much more likely that nobody would ever have noticed, and that nobody but the intended attacker would ever have been able to make use of the vulnerability. A wholly unauthenticated hole, on the other hand, is an open invitation to every bot-herder and na'er-do-well on the planet to come and have a rummage through the systems, leading to much greater competition for the creator of the backdoor.

  13. Re:well ... by Frojack123 · · Score: 2

    There is very little difference between a malicious program being able to create its own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

    Bullshit. If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent). So your clothes dryer can send you an email telling you it's on fire, or your tablet can fetch your email, and stuff like that. However, as pointed out in the present article, even a disbeliever like you should see that opening an inbound port is an entirely different affair. An inbound port is open to the entire world, anyone can connect, and, (barring any on-device security), they can do pretty much anything the device is capable of doing.

    --
    F. Robert Jack
  14. Re:well ... by fluffy99 · · Score: 2

    Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let alone worry about UPNP.

    The connection to UPNP is that these devices are needlessly exposing themselves to attack by automatically opening inbound ports through the router using UPNP.

  15. Re:well ... by LordLimecat · · Score: 2

    Alternative headline: 58,000 networks needlessly vulnerable because of UPnP usage.

  16. Re:"The Chinese" are Uncle Sam by ub3r+n3u7r4l1st · · Score: 2

    Of course the Chinese can't afford to see the U.S. banking system collapse. Just turn around almost everything you can touch. Can you see where it is being manufactured? Who's going to buy the stuff if no one has any money left?

  17. Re:Never attribute to malice... by shitzu · · Score: 2

    Well... If you plug your random DVR (or print server, or any device for that matter) tcp port through your router, you deserve what you get. If you leave upnp on, you deserve what you get. Openvpn costs nothing.

  18. Re:well ... by shitzu · · Score: 4, Informative

    The difference is simple (but huge). To allow a program or device to make an outgoing NAT connection, I have to assume that it is not malicious. To allow programs and devices to map incoming ports via UPnP I have to assume that it is not malicious AND it is not buggy enough to allow a gazillion script kiddies access to my network. So thanks, but no thanks on the UPnP front - I keep my open TCP ports to a minimum.
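
The UPnP hole-punching argued over in comments 4, 6, 11, 14, 15 and 18 (and in the summary's note that the DVRs map themselves through any UPnP-enabled router) is visible from the LAN side: an Internet Gateway Device answers the WANIPConnection action GetGenericPortMappingEntry with one table row per mapping, and walking the index from 0 until the router returns UPnP error 713 (SpecifiedArrayIndexInvalid) lists every port anything on the LAN has asked it to forward. The following is an added example, not code from the thread or from any vendor: it builds those SOAP requests, parses the replies, and flags mappings onto a watch-list of internal ports. The transport is injectable so it runs offline against a constructed router (`fake_router`, `FAKE_TABLE`); `http_transport` is the live variant and assumes you already have the service's control URL from the router's device description (not shown here). The watch-list contents, the sample hosts and the mapping table are assumptions.

```python
"""Enumerate a router's UPnP IGD port mappings (added example, not from the thread)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
# Assumed watch-list of internal ports; 9000 is the port named in the summary.
WATCHLIST = {23: "telnet", 9000: "DVR control port (from the summary)"}
Transport = Callable[[dict, str], str]  # post(headers, body) -> reply XML


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool


def build_request(index: int):
    """HTTP headers and SOAP body for one GetGenericPortMappingEntry call."""
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{ACTION} xmlns:u="{SERVICE_TYPE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE_TYPE}#{ACTION}"'}
    return headers, body


def parse_response(xml_text: str) -> Optional[PortMapping]:
    """One mapping, or None when the router reports end of table (error 713)."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CTRL_NS}}}errorCode")
        if code == "713":
            return None
        raise RuntimeError(f"UPnP error {code}")
    resp = root.find(f".//{{{SERVICE_TYPE}}}{ACTION}Response")
    if resp is None:
        raise RuntimeError("not a GetGenericPortMappingEntry response")
    # UPnP argument elements are unqualified children of the response element.
    return PortMapping(external_port=int(resp.findtext("NewExternalPort", "0")),
                       protocol=resp.findtext("NewProtocol", ""),
                       internal_client=resp.findtext("NewInternalClient", ""),
                       internal_port=int(resp.findtext("NewInternalPort", "0")),
                       description=resp.findtext("NewPortMappingDescription", ""),
                       enabled=resp.findtext("NewEnabled") == "1")


def enumerate_mappings(post: Transport, limit: int = 256) -> List[PortMapping]:
    """Walk indices 0.. until the router says the index is out of range."""
    found = []
    for index in range(limit):
        mapping = parse_response(post(*build_request(index)))
        if mapping is None:
            break
        found.append(mapping)
    return found


def watchlist_hits(mappings):
    """(external port, LAN host, reason) for enabled mappings to watched services."""
    return [(m.external_port, m.internal_client, WATCHLIST[m.internal_port])
            for m in mappings if m.enabled and m.internal_port in WATCHLIST]


def http_transport(control_url: str) -> Transport:
    """Live transport; control_url is the service's controlURL from the device description."""
    def post(headers, body):
        req = urllib.request.Request(control_url, data=body.encode(), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return r.read().decode()
        except urllib.error.HTTPError as e:  # SOAP faults arrive as HTTP 500 with a body
            return e.read().decode()
    return post


# Constructed table: a DVR that mapped two ports, plus a torrent client.
FAKE_TABLE = [("9000", "TCP", "192.168.1.50", "9000", "DVR"),
              ("8080", "TCP", "192.168.1.50", "80", "DVR web"),
              ("6881", "TCP", "192.168.1.20", "6881", "bittorrent")]


def fake_router(headers: dict, body: str) -> str:
    """Stand-in IGD answering GetGenericPortMappingEntry from FAKE_TABLE."""
    index = int(ET.fromstring(body).findtext(".//NewPortMappingIndex"))
    if index >= len(FAKE_TABLE):
        return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                f'<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="{CTRL_NS}">'
                f'<errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>')
    ext, proto, host, internal, desc = FAKE_TABLE[index]
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:{ACTION}Response xmlns:u="{SERVICE_TYPE}">'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{internal}</NewInternalPort><NewInternalClient>{host}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'</u:{ACTION}Response></s:Body></s:Envelope>')


if __name__ == "__main__":
    for hit in watchlist_hits(enumerate_mappings(fake_router)):
        print("exposed:", hit)
```

Against a real router, swap `fake_router` for `http_transport(control_url)`; `upnpc -l` from miniupnpc prints the same table if you would rather not write the SOAP yourself. Disabling UPnP on the router, as several commenters do, empties this table but also removes the self-configuration that games and torrent clients rely on, which is the trade-off the thread is arguing about.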

  19. Re:well ... by Miamicanes · · Score: 2

    > An inbound port is open to the entire world, anyone can connect, and, (baring any on-device security),
    > they can do pretty much anything the device is capable of doing.

    And 9 times out of 10, unless the homeowner couldn't figure out how to do it, any device that accepts incoming connections on a port probably has a port from the router's public IP address forwarded to its internal IP address *anyway*.

    Yes, barring device security, they can do whatever they'd like. That's why the device HAS security. So they can't.

    The biggest problem with internet cameras and DVRs isn't the fact that they can use UPnP to "punch holes" -- it's the fact that 99.9% of the damn cameras don't allow you to authenticate via SSL (valid certificate or not), and instead send your login credentials in the clear over the wi-fi network at Starbucks. I wish to ${deity} that routers had a "reverse https proxy" function that would accept inbound https connections, strip the ssl, and transparently forward the traffic to the same port of an internal IP address where there's a device that's too stupid to know how to do SSL.

    I won't be losing sleep tonight worrying about my cameras' ability to coax the router into forwarding arbitrary ports to them. I'd lose quite a bit of sleep if I didn't have the internet-connected camera in my bedroom wired up to the burglar alarm through a relay that cuts the power to it whenever the alarm isn't in "away" mode, and a similar relay that cuts power to the switch connecting those cameras to the router. Technically, I could have gotten away with just one relay on the switch, but I couldn't sleep with the camera's red light blinking at me regardless of whether or not it was connected to the router at the time.

  20. Q-See vulnerable too by kamaaina · · Score: 3, Informative

    I have the QC444 and you can telnet to it as root with no password.

    Also when you access the camera, your creds go out via cleartext and you can easily see what your password is.

    ActiveX is used to log in and manage the box remotely, also if you use a password longer than 6 characters, you cannot use the PSS software that they put out on their web site.

    There was also some weirdness with it trying to talk to IP address 70.151.24.203

  21. Re:well ... by advocate_one · · Score: 2

    This is why I have two routers... one is the cable company's router and I've set that to no remote admin, the other is hung off that router and is the real router for my network

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  22. Re:shunky by Anachragnome · · Score: 4, Funny

    I really don't care about cameras watching rock crushers...

    Can someone please post a short-list of the ones covering strip clubs? 58,000 is a lot to sort through. Thanks in advance.

  23. Re:"The Chinese" are Uncle Sam by Gordonjcp · · Score: 3, Insightful

    Who's going to buy the stuff if no one has any money left?

    The entire rest of the world. China isn't particularly dependent on one country with no money.

  24. "Attack" assumes barrier to entry by funkboy · · Score: 2

    A local electronics/computer chain (now bankrupt) had all their security webcams on an open wifi network, and all the webcams had the default administrator password ("admin" of course). From a bench outside I was able to see everything going on in the store without even guessing the admin password.

  25. Re:"The Chinese" are Uncle Sam by hotcut · · Score: 2

    they are when that one country represents nearly their entire customer base.

    Sure, the US is important to China, but "nearly their entire customer base"? Ahh... EU is larger than the US to China (see http://www.stanlib.com/EconomicFocus/Documents/Global/ChinaexportstoEUvsUS.pdf). But agreed - letting US go bankrupt would definitely be a hit to the Chinese economy.

  26. Re:Gasp by MrLizard · · Score: 2

    Or edit the timestamp so that the ATM camera shows you there at the time the cops know that the suspect in the "Chainsaw Castrator" case made a withdrawal. (No hackers involved, that I know of, but back in the early 1990s, the Daily News ran a front-page photo of the suspect in a serial rape case, based on ATM footage. Except, oops, the time stamp was wrong and the poor shmuck was completely innocent.) (http://www.nytimes.com/1991/08/16/nyregion/man-in-photo-is-not-a-suspect.html) Now, consider what could be done today with actual malice, by crooks or by the cops who just want to arrest *someone*.