Shitty Chinese WIFICAM cameras 0day root exploit alert


  • Banned

    https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
    http://securityaffairs.co/wordpress/57003/hacking/wi-fi-connected-cameras-flaws.html

    If you have any if these crappy IoT things (see first link above for hundreds of OEM re-brands), kindly dispose of them properly.



  • Iot Crash and Burn. Never bought into the IoT marketing bs myself. Thanks for the laugh ;D
    That list above is insane btw. DefCon or Blackhat has some video's out on more of the same.
    If your camera is not on this list chances are it is on another one.
    IoT, retarded concept. >:(


  • LAYER 8 Global Moderator

    Not sure I agree with IoT being a retarded concept as a whole.  What is retarded is a complete utter lack of any care to security..



  • @johnpoz:

    Not sure I agree with IoT being a retarded concept as a whole.  What is retarded is a complete utter lack of any care to security..

    Very true.
    Attempt too avoid security is noteworthy also. I like the tech alright, but seriously this was a train wreck we all saw coming long before now. First time I heard a fridge and IP in the same sentence I thought hmm what a waste of an IP. Second thought was security. This is going to be ugly.
    I think my words today expressed my Ahha! moment and frustration with the agony  knowing  the chaos to come. LOL. IoT just makes me want to scream out , LOOSE CANNON ON DECK!
    On paper concept is just fine its a concept right? But what a mess and waste.
    Just ranting I guess.
    People are like fish at times, dangle something new in front and they forget the hook.



  • Good lord after looking at that list is there ANYONE that makes a decent IP camera?



  • I guess there's no way to compete against the cheapo manufacturers even if you could produce something that works and offers reasonable security because the customer base is so ignorant of the security issues and basically don't care if there are zero day exploits, they don't see the point in firmware upgrades or paying little extra for better security, if they don't like the product they will buy a new one and an equally crappy one.


  • LAYER 8 Global Moderator

    "offers reasonable security because the customer base is so ignorant of the security issues"

    Very very good point!!!

    You see it here on the board, you would hope the people moving to pfsense vs the off the shelf router would have some concepts.. But you see it all the time, how do I forward rdp how do I open web gui to the wan..

    How do I bridge all the interfaces so everything is on 1 network ;)



  • @webtyro:

    First time I heard a fridge and IP in the same sentence I thought hmm what a waste of an IP. Second thought was security. This is going to be ugly.

    There are IoT refrigerators with cameras that stream the inside of the fridge. Maybe the crappy security camera should go in the fridge and stare back at the fridge camera. Battle of the insecure eyes.

    @Jailer:

    Good lord after looking at that list is there ANYONE that makes a decent IP camera?

    Amcrest? I have installed these for clients. Glad they are not on the list….yet.


  • Banned

    @Jailer:

    Good lord after looking at that list is there ANYONE that makes a decent IP camera?

    Perhaps Axis or Ubiquiti (and of course any cloud "feature" turned off). At least those are the brands that seem to produce kinda regular firmware updates for a reasonable period of product lifetime.



  • My chinese Dahua(!!) and Hickvision cameras and DVR are on a locked down VLAN. Remote access is done with VPN or a zoneminder streaming server on another VLAN.
    They have only NTP access to pfsense. No DNS resolution or anything else.

    Hickvision are pretty decent hardware, but often come from a grey market, with hacked chinese firmwares you cannot update without loosing english language.



  • @johnpoz:

    How do I bridge all the interfaces so everything is on 1 network ;)

    That's hilarious



  • @Soarin:

    @johnpoz:

    How do I bridge all the interfaces so everything is on 1 network ;)

    That's hilarious

    It would be if it was not so worrying and true!



  • ???




  • Does it link to Alexa and order a new roll when there are only a few sheets left?



  • @marjohn56:

    Does it link to Alexa and order a new roll when there are only a few sheets left?

    Still looking for the damn JTAG to see what crap firmware it has. Who knows what it is reporting. :o



  • @webtyro:

    Still looking for the damn j tag to see what crap firmware it has. Who knows what it is reporting. :o

    Perhaps if it all links together it will know when you've ordered a curry and will order extra rolls! ::)



  • @webtyro:

    ???



  • @marjohn56:

    @webtyro:

    Still looking for the damn j tag to see what crap firmware it has. Who knows what it is reporting. :o

    Perhaps if it all links together it will know when you've ordered a curry and will order extra rolls! ::)

    Any coder worth his weight in curry would write a proximity alert package to start pre-feeding sheets as your running towards it to tcpdump….


  • Banned

    So I'm simple when it comes to IT, I read through this but most of it doesn't make much sense to me.

    One of the main things I took away was this:

    It’s useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet)

    I certainly don't understand how the tunnel just "bypasses a firewall"? Either way it sounds like so long as the device doesn't have internet access then this is a non-issue?

    I have a cheap IP Cam, I believe that my configuration for it is secure but having seen this I'd like to ask here to get some feedback from those who know what they are talking about.

    • My IP Camera is on my LAN

    • My LAN rules are whitelist & IPv4 only

    • The only remote access to the Camera is over my OpenVPN server

    • The first three rules (after pfBlockerNG) are for the IP Camera(192.168.30.13):

    Pass/IPv4/UDP/192.168.30.13/any/192.168.30.1/123/any
    Block/IPv4/any/192.168.30.13/any/any/any/any
    Block/IPv4/any/any/any/192.168.30.13/any/any
    

    Is this secure?



  • Since my IPCAM use also ipv6, I choose to put them all on a dedicated vlan with no internet gateway at all.
    My first solution has been put them on a blacklist alias.



  • @Jailer:

    Good lord after looking at that list is there ANYONE that makes a decent IP camera?

    Bosch and Dallmeier probably


  • Banned

    Also the dummy plastic ones should be pretty safe.



  • @Jailer:

    Good lord after looking at that list is there ANYONE that makes a decent IP camera?

    I believe foscam are originally made from Canada. Not just sure about its video quality.


  • Banned

    Company Profile
    ShenZhen Foscam Intelligent Technology Co.,limited is a leading professional high-tech company which provides IP video camera and solutions in China.

    Foscams are well known for their awful security. I wrote the above firewall rules to try to secure my Foscam.
    Still interested in any feedback on if I can consider my Camera secure or not?


  • LAYER 8 Global Moderator

    "Block/IPv4/any/any/any/192.168.30.13/any/any"

    That is on your lan interface tab, and your lan network is 192.168.30 and your camera is .13??

    That rule is useless on the lan interface.. Nothing on the lan would be talking to pfsense to talk to your camera.  And if the traffic was coming from the internet or another vlan the rules on the lan interface are not evaluated.

    If you would like your rules exampled - them post them.. not this ascii art..

    ""bypasses a firewall""

    You don't understand how tunnel through a firewall outbound can be used to talk to the client behind the firewall without the firewall doing anything about that traffic??


  • Banned

    I don't have access for screenshot right now, but is the attached screenshot clearer for the rules?

    I'm not trying to block the IP Camera from the LAN, I access it with devices on the LAN. I'm trying to block it from the web.




  • The third rule is entirely non-functional assuming you have correct WAN rules that are not allowing incoming connections to the camera.

    And yes, pfSense does stateful filtering and that means you'll never need the kind of rules the the third rule is now. Return traffic for connections is automatically handled by the state mechanism and you don't have to take it into account either when writing block rules, block only on the side where the connections are coming from.


  • Banned

    Yeah that's what I thought, I put them on there while jsut starting out pfSense, deleting that rule.



  • @pfBasic:

    Company Profile
    ShenZhen Foscam Intelligent Technology Co.,limited is a leading professional high-tech company which provides IP video camera and solutions in China.

    Foscams are well known for their awful security. I wrote the above firewall rules to try to secure my Foscam.
    Still interested in any feedback on if I can consider my Camera secure or not?

    Thanks for the heads up about foscam poor security features.



  • Has anyone tried the brand Net gear? How is it?


  • Banned

    a lot of these cheaper cameras use the same software, and pcb boards inside varying shaped and branded housings ive noticed, amazon is a good place to look and see identical cameras listed under 10 different brand names.



  • I bought a Go pro 3 black edition and a couple of truck accessories at 4WheelOnline. In the box it stated it has an IP Camera function/capabilities. Anyone tried it yet?

    I found a link how to have it done; http://www.instructables.com/id/Gopro-Hero-3-Black-Edition-IP-camera/



  • Many cameras are made by hikvision though they have their own firmware versions.  I generally recommend going with hikvision since they put out new firmware versions on a regular basis.



  • Heh, where I live a hick vision camera would be very appropriate.  ;D



  • Is it possible to securely access the cameras via the vpn server, blocking outbound over the normal wan gateway or is that still to much of a risk?


  • LAYER 8 Global Moderator

    What do much of a risk - a vpn to access your iot devices.  That would be fine.  If your worried about them phoning home or some bad place then block their outbound access.  This has nothing to do with your accessing them via a vpn connection.



  • If your worried about them phoning home or some bad place then block their outbound access.

    Fully agree - 99% of the connection risk with any of the current IP cameras (good or bad) comes from the network design (or rather lack of).
    The notion that you can attach these things willy nilly to your LAN, give them a random IP address via DHCP and let uPNP setup all your router's external port forwarding is Not Going to End Well.

    Give the cameras and NVR their own network isolated from other traffic.
    Add internal access only as necessary.
    Allow external access through some means of VPN (NOT port forwarding!).

    In other words apply some best network practices for potentially insecure devices that might have valuable information


  • LAYER 8 Netgate

    The notion that you can attach these things willy nilly to your LAN, give them a random IP address via DHCP and let uPNP setup all your router's external port forwarding is Not Going to End Well.

    lol



  • If only IoT devices connected to a smart home system, and that connected to the internet. Eliminate the dozens of appliance specific attacks and eliminate the security issues



  • @bilbo:

    Is it possible to securely access the cameras via the vpn server, blocking outbound over the normal wan gateway or is that still to much of a risk?

    Thats how i did it. 12 Hikvision IP cams connected to a Hikvision POE NVR. The NVE is connected direct to its own interface on my pfSense appliance with all outbound blocked (as well as access to/from any of the other interfaces). I VPN in to the network to view the live feeds when needed…

    FYI the industry is starting to wake up.

    http://z-wavealliance.org/mandatory-security-implementation-z-wave-certified-iot-devices-takes-effect-today/


Log in to reply