32

I keep reading about hackers accessing laptop and home security camera systems. Most home users are using SOHO routers meaning they are on a private IP range behind a NAT. I realize NATs aren't designed for security, but if an IP camera is behind one, how can a hacker access it?

Would it require either the camera's software or the router to have a security hole (0 day, bad code) or end-user misconfiguration (weak/default password, open/mapped ports) that would let the attacker in?

Brack
  • 1
    If your router has UPnP enabled it is very simple for an internal device to open an inbound port and listen to it. That allows external attack on the device without having to hack the router first. – Thorbjørn Ravn Andersen Jul 14 '16 at 07:14

4 Answers

39

The cameras are often designed for ease-of-use by people who want to watch the streams of their goldfish or children. To make it easy to use, the cameras often call home to the manufacturer's website for remote viewing. Often these sites are insecure.

Another method is UPnP, which sets up automatic port forwarding:

https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal

One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.

It's easy to disable these features if you're aware of them.

mgjk
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/42474/discussion-on-answer-by-mgjk-how-can-my-ip-camera-be-hacked-behind-a-nat). – AviD Jul 14 '16 at 09:07
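
An added example (not part of the answer above and not any router vendor's code): a Python audit of the IGD port-mapping table that the quoted passage describes. It parses `GetGenericPortMappingEntry` responses and lists enabled mappings the owner did not expect; the sample responses, addresses and the `parse_mapping`/`audit` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed GetGenericPortMappingEntryResponse bodies, not captured from a real router.
_TMPL = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost>{0}</NewRemoteHost><NewExternalPort>{1}</NewExternalPort>"
    "<NewProtocol>{2}</NewProtocol><NewInternalPort>{3}</NewInternalPort>"
    "<NewInternalClient>{4}</NewInternalClient><NewEnabled>{5}</NewEnabled>"
    "<NewPortMappingDescription>{6}</NewPortMappingDescription>"
    "<NewLeaseDuration>{7}</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
SAMPLE_RESPONSES = [
    _TMPL.format("", 8554, "TCP", 554, "192.168.1.50", 1, "ipcam-rtsp", 0),
    _TMPL.format("", 51413, "UDP", 51413, "192.168.1.20", 1, "torrent", 3600),
    _TMPL.format("", 8080, "TCP", 80, "192.168.1.50", 0, "ipcam-web", 0),
]


def parse_mapping(soap_xml):
    """Return the New* arguments of one response as a dict (prefix stripped)."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def audit(responses, expected=frozenset()):
    """List enabled mappings whose (protocol, external port) is not in `expected`."""
    findings = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        external = (m["Protocol"], int(m["ExternalPort"]))
        if m["Enabled"] != "1" or external in expected:
            continue
        notes = []
        if not m["RemoteHost"]:
            notes.append("any remote host")  # empty RemoteHost is a wildcard
        if m["LeaseDuration"] == "0":
            notes.append("never expires")  # lease 0 is permanent under IGD v1
        findings.append({"external": external, "notes": notes,
                         "internal": f'{m["InternalClient"]}:{m["InternalPort"]}',
                         "description": m["PortMappingDescription"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES, expected={("UDP", 51413)}):
        print(f)
```
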
24

Typically this happens in a few scenarios:

  • End-user puts the device in the DMZ because they want to access it remotely and can't be bothered trying to figure out port-forwarding rules. This might happen if a user is torrenting or has a NAS or other device they want to access from the public internet.
  • User has allowed direct access to the device via ingress port-forwarding or firewall rules which makes it accessible to probes / attacks. Again, this scenario might be common with a torrenting user or owner of a NAS or DVR that they want to access from the outside world.
  • An internal device on the network has been compromised and returned a reverse shell to the attacker. Since most (if not all) SOHO routers allow all egress traffic this connection is allowed to take place. The attacker then moves laterally through the network via the originally compromised machine.
  • The edge router itself is compromised and allows access from the outside world.

There are a variety of ways of bypassing the NAT but the aforementioned are probably the most common attack scenarios.

DKNUCKLES
  • 3
    Good answer, it does not help when firmware contains back doors either. Peers on the network (RDP VNC etc.).. Streaming on an external server which is then compromised. But laptops, 99.99% of the time it is stealthy remote access malware. – mckenzm Jul 14 '16 at 03:02
10

It is possible that the camera is still reachable from the network, even if UPnP and port forwarding are disabled, and the camera is behind NAT.

Some camera manufacturers use the "UDP hole punching" method. The API looks like the following:

  1. The camera sends UDP packets to a server every 30 seconds or less. This keeps the connection alive, thus the camera can be reached from the server.

  2. The client software initiates a connection with the camera server, and it sends the camera ID to the server.

  3. The camera server connects to the camera through the alive UDP connection, and it notifies the camera that a client is trying to connect to the camera.

  4. The camera connects to the client software directly. If the client software is not behind NAT or firewalled, the connection succeeds. Now there is a working UDP channel between the client software and the camera.

In reality, this process is a bit more complicated with more scenarios, but this is basically how a camera can be reached via the camera server, only by knowing its camera ID.

UDP hole punching explained

user2716262
  • IMHO this should be the answer. The technical detail I wanted to know. – Booji Boy Apr 06 '17 at 19:09
  • +1 for the very common, no config needed, no security possible, method. I'd give more upvotes for the diagram if I could – kaay Aug 03 '18 at 08:31
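
An added example (not from the answer above or from any camera vendor): detection logic, in Python, for step 1 of that procedure. It scans flow records for LAN devices that send UDP to one external endpoint with no pause longer than 30 seconds; the record layout, the 5-minute minimum span, the addresses and port numbers are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

MAX_GAP = 30.0    # seconds: the answer's "every 30 seconds or less"
MIN_SPAN = 300.0  # assumption: require 5 minutes of sustained traffic
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True for RFC 1918 addresses, i.e. hosts behind the NAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_keepalive_flows(records, max_gap=MAX_GAP, min_span=MIN_SPAN):
    """records: iterable of (ts, proto, src_ip, dst_ip, dst_port).

    Returns sorted (src, dst, port, packets) tuples for LAN-to-external UDP
    flows that last at least min_span and never pause longer than max_gap.
    """
    flows = defaultdict(list)
    for ts, proto, src, dst, dport in records:
        if proto == "UDP" and is_lan(src) and not is_lan(dst):
            flows[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in flows.items():
        times.sort()
        if times[-1] - times[0] < min_span:
            continue  # too short-lived to be a standing NAT binding
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) <= max_gap:
            hits.append((src, dst, dport, len(times)))
    return sorted(hits)


# Constructed flow records (documentation address ranges, made-up ports).
SAMPLE = (
    # camera keepalive every 25 s for 10 minutes
    [(t, "UDP", "192.168.1.50", "203.0.113.10", 32100) for t in range(0, 601, 25)]
    # NTP polling every 64 s: periodic, but too slow to match
    + [(t, "UDP", "192.168.1.20", "198.51.100.7", 123) for t in range(0, 641, 64)]
    # short DNS burst
    + [(t, "UDP", "192.168.1.20", "198.51.100.53", 53) for t in (5, 6, 7)]
    # TCP traffic is ignored
    + [(t, "TCP", "192.168.1.20", "198.51.100.80", 443) for t in range(0, 601, 10)]
)

if __name__ == "__main__":
    for hit in find_keepalive_flows(SAMPLE):
        print(hit)
```
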
1

Another avenue for compromise is "cross site request forgery" (XSRF).

Wiki - XSRF

Where, essentially, the home user, safe behind their NAT, browses to a page which loads some JavaScript in the background which basically says "hit your local router's admin page and open up a way for me in" or "hit your camera's admin page and log in with these default creds, and let me in".

This happens invisibly to the browsing user, but to the camera or router, the request appears to come from "inside" the trusted perimeter and the door is opened.

JesseM