
Friday, February 24, 2012

Security and IP Cameras


Although it is a security device by vocation, an entry-level IP camera is rarely secure itself: the embedded server offers no way to encrypt your login or the data stream. Fortunately there are ways around this, as well as common-sense practices that reduce the risks.



If you're willing to spend 300€+, there are IP cameras with embedded SSL on the market (Axis, Panasonic, ...), but if, like me, you preferred buying 6 cheap Chinese IP cams for that price instead, you can only use plain, unencrypted HTTP. Because of this lack of security, the role of your "security" device can be completely inverted: it opens a wide window into your home. The dream of any potential burglar planning an on-site visit!

First: the obvious ... restrict the HTTP and FTP accounts to reduce potential damage.
The first rule for any unencrypted access to your LAN is to use it only with a dedicated user name and password combination that is used nowhere else (not even for the FTP service). That way, if your IP cam login is ever "sniffed" by a hacker, the intrusion will be confined to your camera and won't extend to your NAS or computer!
Furthermore, the role of the account used for access from the WAN should be limited to Visitor (access to fixed view only) or Operator (access to PTZ control), to prevent an intruder from tampering with the configuration and clearing the traces of his visit from the log (you should inspect the log regularly for hints of unusual access).

The FTP service account: this other login will be easily compromised if you use the same user/password as for the HTTP server, or if you upload pictures to an FTP server on the Internet. So the same kind of precaution applies here: use another unique user/password set with limited access to the target server, so that a potential hacker won't be able to use that account to pump all your data.



Next: consider solutions to prevent intrusions.

1. If you are only accessing your IP cameras from fixed external locations, consider setting up your home router to allow incoming HTTP and FTP requests from these fixed IP addresses only. This alone will greatly reduce the likelihood of an intrusion.


2. If you have a Network Attached Storage device (NAS), you may have a choice of options:
e.g., the Synology DiskStation range offers a Surveillance Station to control your cameras through its HTTPS access. In the case of Synology though, you need to purchase extra licences to control more than one camera.


3. Some NAS devices and routers come with a VPN server, and this is your best free option.
While PPTP is slightly easier to set up, OpenVPN is generally acknowledged as faster and more reliable.

To make it work with the outside world, you need to check that your router allows the VPN traffic to pass through. This option is usually present in the user interface and needs to be enabled.

If a firewall is on, further setup is needed to allow traffic through the required ports.
Generally it is UDP 1194 for OpenVPN, and TCP 1723 + GRE (Generic Routing Encapsulation, IP protocol ID 47) for PPTP.

Once your VPN connection is working, a tunnel is created between your remote client and your intranet at home (i.e. behind the NAT). 
As a result, every server in your LAN can be accessed just as if you were home.


Therefore, you will now use the intranet IP addresses of your cameras to connect to them, but you'll be the only one to watch!
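
Once access goes through the VPN (or is restricted to fixed source addresses), the camera's HTTP and FTP ports should no longer answer from an arbitrary Internet connection. The following Python check is an added example, not part of the original post: run `audit()` from a machine outside your LAN against your own public address. The port tables and the loopback demo values are assumptions for illustration.

```python
import socket

# TCP services named in the post. OpenVPN's UDP 1194 and PPTP's GRE
# (IP protocol 47) cannot be probed with a TCP connect and are left out.
MUST_BE_CLOSED = {80: "camera HTTP", 21: "FTP"}
MAY_BE_OPEN = {1723: "PPTP control"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, must_be_closed=MUST_BE_CLOSED, may_be_open=MAY_BE_OPEN, timeout=2.0):
    """Return (findings, report); findings = ports that answered but must not."""
    findings, report = [], []
    for port, label in sorted(must_be_closed.items()):
        if tcp_open(host, port, timeout):
            findings.append(port)
            report.append(f"EXPOSED {host}:{port} ({label}) answers without the VPN")
        else:
            report.append(f"ok      {host}:{port} ({label}) closed or filtered")
    for port, label in sorted(may_be_open.items()):
        state = "open" if tcp_open(host, port, timeout) else "closed"
        report.append(f"info    {host}:{port} ({label}) {state}")
    return findings, report


def demo():
    """Constructed loopback demo: a listener plays a still-forwarded camera port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more
    try:
        return audit("127.0.0.1", {srv.getsockname()[1]: "camera HTTP",
                                   closed_port: "FTP"}, {}, timeout=0.5)
    finally:
        srv.close()


if __name__ == "__main__":
    print("\n".join(demo()[1]))
```

An empty findings list means none of the ports that must stay closed answered; adjust the two port tables if your cameras listen on non-default ports.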




24 comments:

  1. Thanks for this topic about security ;)

    Here, in case you're interested:

    WANSVIEW NC-536MW
    HD MEGA PIXEL 720P WIFI PT IR-CUT SD

    http://forum.hardware.fr/hfr/HardwarePeripheriques/Webcam/unique-wansview-camera-sujet_56652_1.htm

    Bye
    See you

    ReplyDelete
  2. bbah and others,
    Since you are so expert in this subject maybe you could help me..

    I updated firmware on clone F8908W by DX, successfully with latest suitable FW 11.14.2.28, Wifi with old firmware was working bad, now with new I'm not able to establish a connection with the router by WIFI.

    The strange thing is that the CAM is able to find my router on WIFI (netgear dg834gt) automatically (scan), then when I do submit, wait for the re-booting and unplug the ethernet my PC is not able to connect with the cam and in particular also I don't find the cam in the attached devices of my router.

    I'm confused, I don't think is an HW problem since somehow WIFI work (find the hotspot and with old F/W was more or less working..) could be a router setting?
    I tried with all the kinds of encryptions..

    ReplyDelete
  3. @alberto76
    I compiled some popular causes in this post. The bottom line is: keep everything simple and short, from AP name to encryption key. Long keys, long Access point name and symbols in them are the most likely sources of such troubles.

    ReplyDelete
  4. Thank you Bubba, I tried without encryption (I live in the countryside :)) and my AP name was NETGEAR..
    In the meanwhile I'm seeking info on 360° also contacting the OEM that is the company reecam and apparently they are trying to answer me...
    Since I'm not really familiar I cannot understand how is possible that:
    a: scan works
    b: with older FW somehow was working
    c: with new FW doesn't work.

    Maybe is a FW problem, even if I used the one foscam suggested to use ( the size in bytes of file matched and I took it from the DX forum) and the flashing proceeded without issues.

    A question: do you think it may be possible/useful to flash again an older firmware?

    Thank you again.

    ReplyDelete
  5. These ip cameras are all very similar in hardware and it is mostly the WebUI file that gives them a different look. The main hardware differences reside in the size of the flash memory, which is why some large firmware can brick a camera with small flash, and also the brand of the component, like the wifi module.
    Depending on this, in some cases, the channels above 11 cannot be used. Maybe another thing for you to check.
    Also, if you're lucky enough to get a recent firmware directly from the manufacturer, that would be worth a try.

    ReplyDelete
  6. Hello - bubbah and the others.

    I bought an IP camera from Dealextreme - it looks like https://www.dealextreme.com/p/standalone-ip-wireless-wifi-lan-camera-with-night-vision-and-pan-tilt-motors-26358

    But I have a problem with limited Wifi - it works just near router. And then I read on the bottom of your FAQ
    http://www.gadgetvictims.com/2008/12/faq-for-ip-cameras.html

    that this can be an antenna issue.
    Is there any additional information how to repair this. I'm a noob ... so sorry.

    ReplyDelete
  7. @Iztok Grilc
    You will just need to unscrew the bottom plate (you have to punch through the warranty seal but you wouldn't return it for repair anyway) and remove it.
    It will then be quite easy to follow the wire from the PCB to the antenna connector and check if it's loose or damaged.

    ReplyDelete
  8. Thank you, I will try next week (at the moment I'm on vacation) ...

    ReplyDelete
  9. In my case the cable is connected to Antenna. I'm pushing with the manufacturer (reecam: www.netwave.cn) about firmware confirmations and also opening a ticket with DX.
    I already opened the bottom. Do you think I breached the warranty?
    I also tried with low channels number in the router.
    Maybe I'd try to downgrade the firmware and reset completely the cam.

    It is sad that WIFI is not working since apart from this I think is a good product.
    Bye

    ReplyDelete
  10. @alberto76
    If you had to pierce a "warranty" sticker to unscrew the bottom, then it officially voids it. However, it is unlikely that you are willing to pay the shipping (often as high as the camera price) to return the camera, so just don't tell them and see how they (Dx or Reecam) can help. Maybe the Wifi card is dead and could be replaced somehow...

    ReplyDelete
  11. I opened the camera, but I didn't find anything suspicious with antenna ... After that, I tried again. Nothing changed - Wifi worked, but just a meter from router. When I go a meter and half, it stops. I really don't have any more ideas. I also tried other antenna, but all the same.
    Will changing the firmware (I read that it is dangerous procedure) help?

    ReplyDelete
  12. I don't think that changing the firmware will do anything to this. It looks like a range/antenna problem since it works beside the router (which also rules out a defective wifi module actually). Tampering with the firmware will only make things worse here.

    ReplyDelete
  13. If you have a PC or server running at home: STunnel is a good solution to add SSL to the IPCams.
    www.stunnel.org

    relevant section of config file:

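    [https]
    ; server mode also needs a cert = line (here or in the global options)
    ; address and port stunnel listens on (the PC running stunnel)
    accept = 192.168.1.53:8443
    ; plain-HTTP camera that the decrypted traffic is forwarded to
    connect = 192.168.1.95:80
    TIMEOUTclose = 0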


    accept-IP is the IP of the pc, connect-IP is the IP of the cam.

    regards, Josy

    ReplyDelete
  14. Multi-vendor IP camera web interface authentication bypass

    Vulnerability Note VU#265532: http://www.kb.cert.org/vuls/id/265532

    Overview

    The web interface firmware for Foscam and Wansview H.264 Hi3510/11/12 IP cameras contain an authentication bypass vulnerability. Other vendors that share the same base firmware image are also vulnerable.

    Description

    It has been reported that the web interface for IP cameras from several vendors including Foscam and Wansview contain an authentication bypass vulnerability. By visiting specific URLs, an attacker may be able to perform any function a normal user can. The admin password is also leaked through client side Javascript.

    Impact

    A remote unauthenticated attacker may be able to execute any command available to the web interface including full administrative functions.

    Solution

    We are currently unaware of a practical solution to this problem. Please consider the following workaround.

    ---------------------------------------------------------------------------------------------------

    I have created a test tool to help determine if your H.264 camera brand and model are currently exposed to this, since there are many brands and models that are.

    http://foscam.us/forum/h264-ip-camera-web-interface-authentication-bypass-test-tool-t3252.html

    Note: I reported this issue.

    This is why I took the time to create a tool to test for it being present. There may be firmware released to fix this problem, if your camera is found to have it. New firmware is required to fix this issue.

    Don

    ReplyDelete
  15. Hello,
    I have Unidentified IP Camera, please help. It looks exactly like Foscam FI8908W BUT: there is a pin hole on the front (mic hole for better sound), there is NO I/O alarm input, and in settings there is: Device ID MEYE-008640-FFBFF, Device Firmware Version 26.2.0.125, Device Embeded Web UI Version 12.0.0.04

    Does anybody know what this piece of HW is?

    Thanks!

    ReplyDelete
  16. continue... the camera looks exactly like wanscam JW0008...

    ReplyDelete
    Replies
    1. It is almost certainly a SRICAM AP001: http://sricam.it/prodotti/ap001.html
      They have that very same firmware version available for download on: http://sricam.it/download.html
      and they use MEYE-000xxx-xxxxx as free P2P.

      Cheers
      Bubbah

      Delete
  17. You are right! Genius... can you recommend THE BEST surveillance DW for those types of cams? I tried iSpy but it has no free remote (over internet) access. I need correct PTZ, recording and remote access.

    ReplyDelete
    Replies
    1. I published an article with some apps (it's a bit outdated)
      http://www.gadgetvictims.com/2009/08/third-party-software-for-foscam-ip.html

      BlueIris or WebcamXP are good software. I personally use Surveillance Station from Synology. It's good but each camera license cost almost the price of an actual IP Camera.

      Sricam is probably an OEM clone of some better known manufacturer, Maygion, Foscam, Wanscam,...
      You'll have to try various brands and models when evaluating BlueIris, WebcamXP,...to find out which one works.

      Delete
  18. Thank you. Last question. Are there some outdoor PTZ cameras as cheap as foscam/wanscams etc. ? Indoor models may reach price about 35USD. Outdoor models are about 100USD. It seems to be too much for a few more plastic.

    ReplyDelete
    Replies
    1. I've got this one outside under the porch for about 3 years and still working, it was around 50$. Not really weatherproof though:
      http://www.gadgetvictims.com/2011/09/es-ip611w-ip-camera.html

      A real outdoor device with HD 720p, + PTZ + Wi-Fi can be found from 95$, like this one:
      http://www.ebay.com/itm/Wanscam-CMOS-3X-Zoom-HD-H-264-Wireless-PTZ-Dome-Networkt-IR-Outdoor-IP-Camera-HS-/191145779697?pt=PCA_Video_Conferencing_Webcams&hash=item2c812d21f1

      Can really comment on their quality as I didn't try any yet.

      Delete
  19. SRICAM AP001 - is it possible to turn off LED diode in the front?

    ReplyDelete
    Replies
    1. Maybe. Try the first trick explained here: http://www.gadgetvictims.com/2010/01/shortcuts-to-foscam-ip-camera-functions.html

      Delete
    2. NOPE it only asks me for user and password

      Delete