Shitty Chinese WIFICAM cameras 0day root exploit alert
-
So I'm simple when it comes to IT, I read through this but most of it doesn't make much sense to me.
One of the main things I took away was this:
It’s useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet)
I certainly don't understand how the tunnel just "bypasses a firewall"? Either way it sounds like so long as the device doesn't have internet access then this is a non-issue?
I have a cheap IP Cam, I believe that my configuration for it is secure but having seen this I'd like to ask here to get some feedback from those who know what they are talking about.
-
My IP Camera is on my LAN
-
My LAN rules are whitelist & IPv4 only
-
The only remote access to the Camera is over my OpenVPN server
-
The first three rules (after pfBlockerNG) are for the IP Camera(192.168.30.13):
Pass/IPv4/UDP/192.168.30.13/any/192.168.30.1/123/any Block/IPv4/any/192.168.30.13/any/any/any/any Block/IPv4/any/any/any/192.168.30.13/any/any
Is this secure?
-
-
Since my IPCAM use also ipv6, I choose to put them all on a dedicated vlan with no internet gateway at all.
My first solution has been put them on a blacklist alias. -
Good lord after looking at that list is there ANYONE that makes a decent IP camera?
Bosch and Dallmeier probably
-
Also the dummy plastic ones should be pretty safe.
-
Good lord after looking at that list is there ANYONE that makes a decent IP camera?
I believe foscam are originally made from Canada. Not just sure about its video quality.
-
Company Profile
ShenZhen Foscam Intelligent Technology Co.,limited is a leading professional high-tech company which provides IP video camera and solutions in China.Foscams are well known for their awful security. I wrote the above firewall rules to try to secure my Foscam.
Still interested in any feedback on if I can consider my Camera secure or not? -
"Block/IPv4/any/any/any/192.168.30.13/any/any"
That is on your lan interface tab, and your lan network is 192.168.30 and your camera is .13??
That rule is useless on the lan interface.. Nothing on the lan would be talking to pfsense to talk to your camera. And if the traffic was coming from the internet or another vlan the rules on the lan interface are not evaluated.
If you would like your rules exampled - them post them.. not this ascii art..
""bypasses a firewall""
You don't understand how tunnel through a firewall outbound can be used to talk to the client behind the firewall without the firewall doing anything about that traffic??
-
I don't have access for screenshot right now, but is the attached screenshot clearer for the rules?
I'm not trying to block the IP Camera from the LAN, I access it with devices on the LAN. I'm trying to block it from the web.
-
The third rule is entirely non-functional assuming you have correct WAN rules that are not allowing incoming connections to the camera.
And yes, pfSense does stateful filtering and that means you'll never need the kind of rules the the third rule is now. Return traffic for connections is automatically handled by the state mechanism and you don't have to take it into account either when writing block rules, block only on the side where the connections are coming from.
-
Yeah that's what I thought, I put them on there while jsut starting out pfSense, deleting that rule.
-
Company Profile
ShenZhen Foscam Intelligent Technology Co.,limited is a leading professional high-tech company which provides IP video camera and solutions in China.Foscams are well known for their awful security. I wrote the above firewall rules to try to secure my Foscam.
Still interested in any feedback on if I can consider my Camera secure or not?Thanks for the heads up about foscam poor security features.
-
Has anyone tried the brand Net gear? How is it?
-
a lot of these cheaper cameras use the same software, and pcb boards inside varying shaped and branded housings ive noticed, amazon is a good place to look and see identical cameras listed under 10 different brand names.
-
I bought a Go pro 3 black edition and a couple of truck accessories at 4WheelOnline. In the box it stated it has an IP Camera function/capabilities. Anyone tried it yet?
I found a link how to have it done; http://www.instructables.com/id/Gopro-Hero-3-Black-Edition-IP-camera/
-
Many cameras are made by hikvision though they have their own firmware versions. I generally recommend going with hikvision since they put out new firmware versions on a regular basis.
-
Heh, where I live a hick vision camera would be very appropriate. ;D
-
Is it possible to securely access the cameras via the vpn server, blocking outbound over the normal wan gateway or is that still to much of a risk?
-
What do much of a risk - a vpn to access your iot devices. That would be fine. If your worried about them phoning home or some bad place then block their outbound access. This has nothing to do with your accessing them via a vpn connection.
-
If your worried about them phoning home or some bad place then block their outbound access.
Fully agree - 99% of the connection risk with any of the current IP cameras (good or bad) comes from the network design (or rather lack of).
The notion that you can attach these things willy nilly to your LAN, give them a random IP address via DHCP and let uPNP setup all your router's external port forwarding is Not Going to End Well.Give the cameras and NVR their own network isolated from other traffic.
Add internal access only as necessary.
Allow external access through some means of VPN (NOT port forwarding!).In other words apply some best network practices for potentially insecure devices that might have valuable information
-
The notion that you can attach these things willy nilly to your LAN, give them a random IP address via DHCP and let uPNP setup all your router's external port forwarding is Not Going to End Well.
lol