Camera backdoor

A place for discussion of topics that are not specific to ZoneMinder. This could include Linux, Video4Linux, CCTV cameras or any other topic.
Post Reply
Greg_Talyor
Posts: 24
Joined: Mon Aug 17, 2020 7:41 pm

Camera backdoor

Post by Greg_Talyor » Tue Sep 15, 2020 11:53 am

I read a 2017 article on the Dahua backdoor <https://ipvm.com/reports/dahua-backdoor>. Is this practice wide spread? Apparently, Axis (2018) had a security breach too <https://www.csoonline.com/article/32827 ... ntrol.html>. How could we block such access in a typical home network. I do have holes on my router on port 443 for Zoneminder <https://myip/zm> and port 9000 for Event Server.

What about Mirai <https://www.csoonline.com/article/32587 ... ernet.html>?

Ta.

Magic919
Posts: 167
Joined: Wed Sep 18, 2013 6:56 am

Re: Camera backdoor

Post by Magic919 » Tue Sep 15, 2020 1:30 pm

Best to keep cameras off the internet. Hikvision used to have a huge problem with this.

They can't get to the cameras via the two ports you have open.

Greg_Talyor
Posts: 24
Joined: Mon Aug 17, 2020 7:41 pm

Re: Camera backdoor

Post by Greg_Talyor » Tue Sep 15, 2020 2:04 pm

That's reassuring. I might wish to look at the cameras when I'm away now and then. But I don't need to manage anything remotely, so no ssh nor vpn.

BTW, noip.com seems to be exceedingly expensive. It costs $25 a year, whereas my entire web hosting package is only ~$150. Is it possible to run my own DDNS from my web server? It is a shared hosting; I don't have root access. My ISP says no.

Ta.

Magic919
Posts: 167
Joined: Wed Sep 18, 2013 6:56 am

Re: Camera backdoor

Post by Magic919 » Tue Sep 15, 2020 2:15 pm

You should look at DuckDNS for dyanamic IP. It's free.

I use AWS Route 53 for this.

mikb
Posts: 476
Joined: Mon Mar 25, 2013 12:34 pm

Re: Camera backdoor

Post by mikb » Tue Sep 15, 2020 4:05 pm

Greg_Talyor wrote:
Tue Sep 15, 2020 11:53 am
Is this practice wide spread?
As a lot of these backdoors aren't documented (security through obscurity) it's hard to know until they get exploited, or unless you worked at the company making them ;)

For one camera, there was an unpublished URL (e.g. http://camera/video.cgi , http://camera/admin.cgi etc. format) which lead to a page which would disgorge the settings of the camera (resolution, frame rate, current time/date, admin password, y'know, stuff like that!) -- and you didn't need to be logged in to do it. Bad.

For other cameras, there was a hard-wired undocumented admin account (in addition to the usual admin/root etc. that you can change the password on) which was embedded and not changeable. Meaning, anyone with that knowledge could access the camera, nothing you could do would stop it.

A lot of these things are found by nosy people reverse engineering the binary firmware blob (which in many cases is made up of a bootloader, a filesystem blob of a cutdown Unix-like operating system, a filesystem blob of HTML/CSS and templates for the look-and-feel of the GUI) and working from there.

"binwalk" is a useful utility on firmware blobs, as is the ability to slice up a binary single file based on the output of "binwalk", and feed it to various decompressers (lzma, gzip, bzip ...) or "strings" to pick out readable stuff.

Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.

Greg_Talyor
Posts: 24
Joined: Mon Aug 17, 2020 7:41 pm

Re: Camera backdoor

Post by Greg_Talyor » Tue Sep 15, 2020 5:01 pm

mikb wrote:
Tue Sep 15, 2020 4:05 pm
Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.
Thanks for very comprehensive info. I think I can trust the Debian team.

Ta.

FvdLaar
Posts: 10
Joined: Sat Apr 02, 2016 12:55 pm

Re: Camera backdoor

Post by FvdLaar » Tue Oct 20, 2020 1:48 pm

I like to keep my devices within a separate VLAN without any connection to the public internet. For IP camera's I try to use a Raspberry PI with both a VLAN addres and a regular network address (with access to internet). Then on the Raspberry PI it is the plan to run VLC to stream the IPcam and then pickup the VLC stream in ZM. Haven't got this working yet, but I think VLC is a nice "stream proxy" :-)

Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests