Camera backdoor

A place for discussion of topics that are not specific to ZoneMinder. This could include Linux, Video4Linux, CCTV cameras or any other topic.
Greg_Talyor
Posts: 34
Joined: Mon Aug 17, 2020 7:41 pm

Camera backdoor

Post by Greg_Talyor »

I read a 2017 article on the Dahua backdoor <https://ipvm.com/reports/dahua-backdoor>. Is this practice widespread? Apparently, Axis (2018) had a security breach too <https://www.csoonline.com/article/32827 ... ntrol.html>. How could we block such access in a typical home network? I do have holes on my router on port 443 for ZoneMinder <https://myip/zm> and port 9000 for the Event Server.

What about Mirai <https://www.csoonline.com/article/32587 ... ernet.html>?

Ta.
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: Camera backdoor

Post by Magic919 »

Best to keep cameras off the internet. Hikvision used to have a huge problem with this.

They can't get to the cameras via the two ports you have open.
Greg_Talyor
Posts: 34
Joined: Mon Aug 17, 2020 7:41 pm

Re: Camera backdoor

Post by Greg_Talyor »

That's reassuring. I might wish to look at the cameras when I'm away now and then. But I don't need to manage anything remotely, so no ssh nor vpn.

BTW, noip.com seems to be exceedingly expensive. It costs $25 a year, whereas my entire web hosting package is only ~$150. Is it possible to run my own DDNS from my web server? It is shared hosting; I don't have root access. My ISP says no.

Ta.
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: Camera backdoor

Post by Magic919 »

You should look at DuckDNS for dynamic IP. It's free.

I use AWS Route 53 for this.
mikb
Posts: 586
Joined: Mon Mar 25, 2013 12:34 pm

Re: Camera backdoor

Post by mikb »

Greg_Talyor wrote (Tue Sep 15, 2020 11:53 am): Is this practice widespread?
As a lot of these backdoors aren't documented (security through obscurity) it's hard to know until they get exploited, or unless you worked at the company making them ;)

For one camera, there was an unpublished URL (e.g. http://camera/video.cgi , http://camera/admin.cgi etc. format) which led to a page which would disgorge the settings of the camera (resolution, frame rate, current time/date, admin password, y'know, stuff like that!) -- and you didn't need to be logged in to do it. Bad.

For other cameras, there was a hard-wired undocumented admin account (in addition to the usual admin/root etc. that you can change the password on) which was embedded and not changeable. Meaning, anyone with that knowledge could access the camera, nothing you could do would stop it.

A lot of these things are found by nosy people reverse engineering the binary firmware blob (which in many cases is made up of a bootloader, a filesystem blob of a cutdown Unix-like operating system, a filesystem blob of HTML/CSS and templates for the look-and-feel of the GUI) and working from there.

"binwalk" is a useful utility on firmware blobs, as is the ability to slice up a binary single file based on the output of "binwalk", and feed it to various decompressers (lzma, gzip, bzip ...) or "strings" to pick out readable stuff.

Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.
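The carving workflow mikb describes (find the pieces of a firmware blob by their magic bytes, slice them out, hand them to a decompressor, then run strings over the result), written out as an added example. This is not code from the post and not part of binwalk; it is a small stdlib-only scanner that does the same job for the container types Python can unpack itself. The firmware image it scans is constructed in memory (the bootloader banner, the "kernel", the config text with a planted extra account, the hostname ntp.example-vendor.com and the bare SquashFS header are all made up for the demo); nothing here is a real vendor image.

```python
"""Cut a firmware blob into its parts, the way the post describes doing with binwalk.

Added example, not from the post and not the binwalk project's code: a stdlib-only
signature scanner that (1) finds embedded containers by magic bytes, (2) carves and
decompresses the ones Python can handle (gzip, xz, lzma-alone, bzip2), and (3) pulls
printable strings out of each payload, which is where hard-coded credentials, hidden
CGI paths and vendor NTP hostnames tend to turn up. SquashFS, uImage and ELF are only
located, not unpacked (use unsquashfs / binwalk -e for those).
"""
import bz2
import gzip
import lzma
import re
import zlib

# Magic bytes of containers commonly found in camera firmware images.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"BZh9": "bzip2",
    b"\x5d\x00\x00\x80\x00": "lzma-alone",   # props 0x5d (lc3/lp0/pb2), 8 MiB dictionary
    b"hsqs": "squashfs-le",
    b"sqsh": "squashfs-be",
    b"\x27\x05\x19\x56": "uimage",
    b"\x7fELF": "elf",
}


def find_signatures(blob: bytes):
    """Every (offset, type) at which a known magic appears, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve(blob: bytes, offset: int, kind: str):
    """Decompress the container starting at offset. Returns (payload, bytes_consumed),
    or None when the type is unsupported, the stream is truncated, or the magic was a
    false positive (a 3- or 4-byte magic will occasionally occur inside random data)."""
    data = blob[offset:]
    try:
        if kind == "gzip":
            d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ = expect a gzip header
        elif kind == "xz":
            d = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
        elif kind == "lzma-alone":
            d = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        elif kind == "bzip2":
            d = bz2.BZ2Decompressor()
        else:
            return None
        payload = d.decompress(data)
    except (zlib.error, lzma.LZMAError, OSError):
        return None
    if not d.eof:
        return None            # stream ran off the end of the image: truncated or bogus
    # unused_data is whatever followed the stream, so its length gives the carved size.
    return payload, len(data) - len(d.unused_data)


def strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan(blob: bytes):
    """Per signature hit: offset, type, bytes carved (None if not unpacked), strings found."""
    report = []
    for offset, kind in find_signatures(blob):
        entry = {"offset": offset, "type": kind, "carved": None, "strings": []}
        carved = carve(blob, offset, kind)
        if carved is not None:
            payload, consumed = carved
            entry["carved"] = consumed
            entry["strings"] = strings(payload)
        report.append(entry)
    return report


# Constructed stand-in for a vendor image (not a real firmware): bootloader banner,
# a gzip'd "kernel", a padded xz'd config area with the kind of thing you hope NOT
# to find, and a bare SquashFS superblock that the scanner can locate but not unpack.
BOOTLOADER = b"U-Boot 2016.07 (constructed sample)\x00" + bytes(64)
KERNEL_PLAIN = b"Linux version 3.10.14 (constructed sample)\x00" + bytes(512)
CONFIG_PLAIN = (b"/etc/passwd: root:$1$saltsalt$constructedhashconstructedhash:0:0::/root:/bin/sh\n"
                b"ntp_server=ntp.example-vendor.com\n"
                b"extra_admin=svc_maint:changeme123\n")
PAD = b"\xff" * 16


def build_sample_blob() -> bytes:
    kernel_gz = gzip.compress(KERNEL_PLAIN, mtime=0)
    config_xz = lzma.compress(CONFIG_PLAIN, format=lzma.FORMAT_XZ)
    squashfs_header = b"hsqs" + bytes(92)   # magic + zeroed superblock
    return BOOTLOADER + kernel_gz + PAD + config_xz + PAD + squashfs_header


if __name__ == "__main__":
    for e in scan(build_sample_blob()):
        print(f"0x{e['offset']:06x} {e['type']:12s} carved={e['carved']}")
        for s in e["strings"]:
            print("   ", s)
```

On a real image you would read the file into `blob` instead of calling `build_sample_blob()`; the `carved` size tells you where one container ends so the next magic hit is not a stale match inside an already-unpacked region, and the strings from the unpacked pieces are what you grep for things like `admin`, `passwd`, `.cgi` and `ntp`.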
Greg_Talyor
Posts: 34
Joined: Mon Aug 17, 2020 7:41 pm

Re: Camera backdoor

Post by Greg_Talyor »

mikb wrote (Tue Sep 15, 2020 4:05 pm): Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.
Thanks for very comprehensive info. I think I can trust the Debian team.

Ta.
FvdLaar
Posts: 10
Joined: Sat Apr 02, 2016 12:55 pm

Re: Camera backdoor

Post by FvdLaar »

I like to keep my devices within a separate VLAN without any connection to the public internet. For IP cameras I try to use a Raspberry Pi with both a VLAN address and a regular network address (with access to the internet). Then on the Raspberry Pi the plan is to run VLC to stream the IP cam and then pick up the VLC stream in ZM. Haven't got this working yet, but I think VLC is a nice "stream proxy" :-)
alabamatoy
Posts: 349
Joined: Sun Jun 05, 2016 2:53 pm

Re: Camera backdoor

Post by alabamatoy »

There's numerous ways to skin this cat.

My ZM server has two NICs (a separate NIC is about $20 or so now, you can even use a USB type). The backside NIC is on a dumb switch (Linksys etc., about $50) with all the cameras. Mine are all PoE, so the UPS running the ZM box is also powering all the cameras as well. The ZM server runs DHCP on the backside NIC, so I can plug a new camera in and it gets an IP and all that. But the DHCP info contains no default gateway (yeah, broadcasts... but there's cons for every COA), and the ZM server is configured not to allow packet forwarding between the NICs... so the cameras are truly hidden from the internet unless someone hacks my ZM, in which case I'm screwed anyhow. Also, this prevents the cameras from surreptitiously updating.

If you hafta have wireless, you can plug a WAP into the dumb switch and get your wireless for cameras. But I never saw the point of wireless for cameras, because there is no such thing... you gotta power the camera somehow, right? So you ARE going to run a wire to it... why not run one CAT5/6 wire and ditch the wifi overhead and risk?

This has the secondary advantage of not clobbering my main router with managing a VLAN, and keeps all the camera traffic from clobbering the house wifi/Netflix etc.

HTH...
dougmccrary
Posts: 1172
Joined: Sat Aug 31, 2019 7:35 am
Location: San Diego

Re: Camera backdoor

Post by dougmccrary »

...you gotta power the camera somehow, right?
In my case, I have outlets almost everywhere I want a camera - so, wireless for most of my cams.
AnotherBrian
Posts: 112
Joined: Tue Jul 27, 2010 6:36 am

Re: Camera backdoor

Post by AnotherBrian »

A simple way to block the cams is to configure the router so that the cams can't talk out the wan.

However, it is desirable to have the cams configured to set their clocks based on NTP.
So there you want to block access to the cams but also allow the cams to communicate with the NTP server. All you knowledgeable IP folks here - how to configure so it can talk to the NTP server but nowhere else on the internet?
parky
Posts: 45
Joined: Sun Aug 28, 2011 8:41 am

Re: Camera backdoor

Post by parky »

how about setting up an NTP source on your server as that has external access and then you don't need the cameras to talk out

Well that's how mine works and there is a total block on all camera IPs from getting out
AnotherBrian
Posts: 112
Joined: Tue Jul 27, 2010 6:36 am

Re: Camera backdoor

Post by AnotherBrian »

many thanks :D :lol:
mikb
Posts: 586
Joined: Mon Mar 25, 2013 12:34 pm

Re: Camera backdoor

Post by mikb »

parky wrote (Thu Oct 07, 2021 6:59 am): how about setting up an NTP source on your server as that has external access and then you don't need the cameras to talk out

Well that's how mine works and there is a total block on all camera IPs from getting out
Note that you may need to do a little more work here -- I had the same config as above: Cameras and NAS units "inside" my network that cannot be seen/cannot see out. But a requirement for an NTP server to set the time in camera/NAS config.

I already had a local NTP server "inside" (on the firewall machine) so used that in the "Other/Custom .... 192.168.X.X" option for the cameras/NAS -- and it didn't work.

Some tcpdumping later revealed that things were still trying to sync with ntp.chinese-something.com which, of course, they couldn't see. It was ignoring my custom entry, and still using one from a baked-in list of NTP servers. Bug, or conspiracy? :)

In the end, I put a fraudulent entry in my local DNS/hosts file for "ntp.chinese-something.com" as 192.168.X.X so everyone was happy, and then it worked fine.