3

I have dozens of cheap security cameras in my offices. I was under the assumption that, once I changed the admin password, disabled the insecure "P2P Mode", disabled UPnP, disabled guest access and changed default ports, I was safe.

After the Mirai hack, I was shocked to see that my "security" camera is accessible via telnet with root:xc3511.

Speechless!

Now, the telnet port shouldn't be forwarded outside by the router, but still it's a problem. What if some PC on the LAN gets infected by some malware?

Anders
Magnetic_dud

5 Answers

4

I would suggest that, rather than trying to protect the camera from the outside world with a firewall, using a black hole router as the only gateway for these devices would be more restrictive. Also, if you have a physical device at the router's address, then it would make monitoring of egress attempts more visible. Also, point the device to the same black hole for DNS queries.

If you need remote access then use a VPN with NAT.

symcbean
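One way to act on the egress monitoring suggested in the answer above, as an added example that is not part of the original answer: a log summarizer that lists what each camera tried to reach and flags cameras probing telnet on several hosts, which is how Mirai-infected devices look for new victims. The camera subnet `10.20.0.0/24`, the log prefix `CAM-EGRESS` and the use of Linux netfilter LOG lines on the gateway are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the original post): cameras sit in 10.20.0.0/24 and
# the gateway logs every dropped camera packet with the prefix "CAM-EGRESS".
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
LOG_PREFIX = "CAM-EGRESS"
TELNET_PORTS = {"23", "2323"}  # ports Mirai-infected devices probe to spread
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample in Linux netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Oct 25 15:02:11 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=10.20.0.11 DST=10.20.0.1 PROTO=UDP SPT=40112 DPT=53
Oct 25 15:02:12 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=10.20.0.11 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=123
Oct 25 15:02:30 gw sshd[811]: Accepted publickey for admin from 10.9.0.2
Oct 25 15:03:01 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=10.20.0.12 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=23
Oct 25 15:03:01 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=10.20.0.12 DST=198.51.100.6 PROTO=TCP SPT=51001 DPT=23
Oct 25 15:03:02 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=10.20.0.12 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=2323
Oct 25 15:03:05 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=10.20.0.12 DST=198.51.100.7 PROTO=ICMP TYPE=8
Oct 25 15:03:09 gw kernel: CAM-EGRESS IN=eth1 OUT= SRC=not-an-ip DST=198.51.100.9 PROTO=TCP DPT=23
"""

def summarize(log_text):
    """Per camera: count of blocked packets, destinations, telnet targets."""
    report = defaultdict(lambda: {"attempts": 0, "dests": set(), "telnet_targets": set()})
    for line in log_text.splitlines():
        if LOG_PREFIX not in line:
            continue  # unrelated syslog noise
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
        except (KeyError, ValueError):
            continue  # truncated or malformed entry
        if src not in CAMERA_NET or "DST" not in f:
            continue
        entry = report[str(src)]
        entry["attempts"] += 1
        entry["dests"].add(f["DST"])
        if f.get("PROTO") == "TCP" and f.get("DPT") in TELNET_PORTS:
            entry["telnet_targets"].add(f["DST"])
    return dict(report)

def suspected_scanners(report, min_targets=3):
    """Cameras that tried telnet to several distinct hosts: likely infected."""
    return sorted(ip for ip, e in report.items() if len(e["telnet_targets"]) >= min_targets)

if __name__ == "__main__":
    print("suspected scanners:", suspected_scanners(summarize(SAMPLE_LOG)))
```

Any entry at all for a camera that should only talk to its recorder is worth a look; the telnet threshold only separates the urgent cases from ordinary phone-home traffic.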
2

The following controls should help secure your device:

  • Change the root password (if possible: see @crovers's comment for more info)
  • Segment the network so that only the host administering the camera can connect to it
  • Block egress from the network from the camera's IP
  • Apply any vendor-supplied patches or configuration changes
HashHazard
  • A lot of the time, that root password is in the firmware / boot image and cannot be changed without reflashing, unfortunately. Still worth a try, but if you do try it, make sure you fully power cycle the camera to see if it stays (i.e., unplug for 30 seconds to ensure the memory is cleared, plug in again, see what root password it is using) – crovers Oct 25 '16 at 15:18
  • @crovers edited ;) – HashHazard Oct 25 '16 at 15:19
  • I tried changing the password, but it resets at reboot – Magnetic_dud Oct 26 '16 at 07:21
  • It's probably embedded in the firmware then. You'll need to use the other mitigating controls to reduce the risk of compromise. – HashHazard Oct 26 '16 at 12:18
1

There are a few things to do to protect your camera:

  1. Make sure you’re not using the default password. This way, even if you’re discovered, it’ll be harder to break in. Especially change any root passwords, where possible.
  2. Incapsula has a Mirai vulnerability scanner, which scans your IP to see what may be at risk: https://www.incapsula.com/mirai-scanner.html. They also offer a Web Application Firewall (WAF) to put your device behind.
  3. Disable any unnecessary remote connections.
  4. Run the most up-to-date firmware to ensure discovered security vulnerabilities are patched. But realize that there are many unpatched vulnerabilities that remain. This is something that we are less likely to do for devices than our own home/work computer.
  5. Reboot and make sure everything still works.

And, as you mentioned, in the wake of Mirai, understand that your device is at risk even if you personally aren’t a target.

avi
0

Other than nagging your vendor for an update or replacing the cameras with something more secure, the only other option would be putting them on their own network, with limited and controlled access via another router. You can do this with some higher-end switches which support segmentation or you can just plug them into their own switch, with a firewall/router between, which limits access to those cameras only to the 'secured' ports.

crovers
0

I would put them on a separate network segment with no access to the Internet. The only access would be through a VPN gateway. You not only protect them from attacks but also secure your connection to them (as those cheap cameras don't support HTTPS).

In the future I would also recommend buying cameras from a reputable vendor with a good security track record (a network company such as Cisco/Ubiquiti).

André Borie