Camera backdoor

Posted: Tue Sep 15, 2020 11:53 am
by Greg_Talyor
I read a 2017 article on the Dahua backdoor <https://ipvm.com/reports/dahua-backdoor>. Is this practice widespread? Apparently, Axis (2018) had a security breach too <https://www.csoonline.com/article/32827 ... ntrol.html>. How could we block such access in a typical home network? I do have holes on my router on port 443 for Zoneminder <https://myip/zm> and port 9000 for Event Server.

What about Mirai <https://www.csoonline.com/article/32587 ... ernet.html>?

Ta.

Re: Camera backdoor

Posted: Tue Sep 15, 2020 1:30 pm
by Magic919
Best to keep cameras off the internet. Hikvision used to have a huge problem with this.

They can't get to the cameras via the two ports you have open.

Re: Camera backdoor

Posted: Tue Sep 15, 2020 2:04 pm
by Greg_Talyor
That's reassuring. I might wish to look at the cameras when I'm away now and then. But I don't need to manage anything remotely, so no ssh nor vpn.

BTW, noip.com seems to be exceedingly expensive. It costs $25 a year, whereas my entire web hosting package is only ~$150. Is it possible to run my own DDNS from my web server? It is a shared hosting; I don't have root access. My ISP says no.

Ta.

Re: Camera backdoor

Posted: Tue Sep 15, 2020 2:15 pm
by Magic919
You should look at DuckDNS for dynamic IP. It's free.

I use AWS Route 53 for this.

Re: Camera backdoor

Posted: Tue Sep 15, 2020 4:05 pm
by mikb
Greg_Talyor wrote:
Tue Sep 15, 2020 11:53 am
Is this practice widespread?
As a lot of these backdoors aren't documented (security through obscurity) it's hard to know until they get exploited, or unless you worked at the company making them ;)

For one camera, there was an unpublished URL (e.g. http://camera/video.cgi, http://camera/admin.cgi etc. format) which led to a page which would disgorge the settings of the camera (resolution, frame rate, current time/date, admin password, y'know, stuff like that!) -- and you didn't need to be logged in to do it. Bad.

For other cameras, there was a hard-wired undocumented admin account (in addition to the usual admin/root etc. that you can change the password on) which was embedded and not changeable. Meaning, anyone with that knowledge could access the camera, nothing you could do would stop it.

A lot of these things are found by nosy people reverse engineering the binary firmware blob (which in many cases is made up of a bootloader, a filesystem blob of a cutdown Unix-like operating system, a filesystem blob of HTML/CSS and templates for the look-and-feel of the GUI) and working from there.

"binwalk" is a useful utility on firmware blobs, as is the ability to slice up a binary single file based on the output of "binwalk", and feed it to various decompressors (lzma, gzip, bzip ...) or "strings" to pick out readable stuff.

Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.
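
The carve-and-strings workflow described in the post above, as an added example that is not part of the original thread: a minimal Python sketch that finds gzip members in a firmware blob, decompresses them, and flags readable strings worth reviewing before a camera goes on the network. The sample blob, the `svcuser` entry, the `config_dump.cgi` path and the keyword pattern are constructed for illustration; real images also use LZMA, SquashFS and other formats that binwalk recognises.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip signature followed by the deflate method byte
# Assumed review keywords: CGI endpoints, uid-0 passwd-style entries, password fields.
INTERESTING = re.compile(r"\.cgi\b|:0:0:|passw", re.I)

def carve_gzip(blob):
    """Return [(offset, decompressed_bytes)] for every valid gzip member in blob."""
    found = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(31)  # 31 = parse gzip header and trailer
        try:
            data = d.decompress(blob[pos:])
            if d.eof:  # complete stream; bytes after it are ignored
                found.append((pos, data))
        except zlib.error:
            pass  # magic bytes matched by coincidence, not a real member
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return found

def strings(data, min_len=6):
    """Printable ASCII runs, like the Unix strings utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def audit(blob):
    """Return [(member_offset, string)] for strings matching INTERESTING."""
    hits = []
    for offset, data in carve_gzip(blob):
        hits += [(offset, s) for s in strings(data) if INTERESTING.search(s)]
    return hits

def build_sample():
    """Constructed stand-in for a firmware image: loader, decoy magic, gzip rootfs."""
    rootfs = (b"\x00\x01binary\x00GET /config_dump.cgi\x00\x7f\x02"
              b"svcuser:$1$CONSTRUCTED:0:0::/:/bin/sh\x00")
    return (b"UBOOT\x00" * 4 + b"\x1f\x8b\x08junk" + b"\xff" * 16
            + gzip.compress(rootfs, mtime=0) + b"\xff" * 8)

if __name__ == "__main__":
    for offset, text in audit(build_sample()):
        print(f"gzip member at 0x{offset:x}: {text}")
```
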

Re: Camera backdoor

Posted: Tue Sep 15, 2020 5:01 pm
by Greg_Talyor
mikb wrote:
Tue Sep 15, 2020 4:05 pm
Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.
Thanks for the very comprehensive info. I think I can trust the Debian team.

Ta.