58,000 Security Camera Systems Critically Vulnerable To Attackers

Unknown Lamer posted about a year and a half ago | from the your-curtains-are-ugly dept.

Bug 157

Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play (UPnP), which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."

157 comments

Never attribute to malice... (1, Interesting)

AK Marc (707885) | about a year and a half ago | (#42722543)

What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

Re:Never attribute to malice... (1)

Nyder (754090) | about a year and a half ago | (#42722573)

What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

You are first post; people will get to saying that in a few...

Re:Never attribute to malice... (-1)

Anonymous Coward | about a year and a half ago | (#42722687)

Shut the fuck up, you moron. The chinks are definitely out to get us, and assholes like you are helping them. You should move to some third-world shithole like france where chink influence can't do any harm.

The Chinese or Uncle Sam ?? (4, Insightful)

Taco Cowboy (5327) | about a year and a half ago | (#42722699)

The Chinese are out to get us

If I were you, I'd be more worried about Uncle Sam

Re:The Chinese or Uncle Sam ?? (1)

Anonymous Coward | about a year and a half ago | (#42722775)

Worse yet... Uncle Sam and the Chinese collaborating on something like this.

Re:The Chinese or Uncle Sam ?? (0)

Anonymous Coward | about a year and a half ago | (#42722779)

Situation Normal, All Fed Up

For when you need something more than your typical SNAFU. You can rely on the Feds!

"The Chinese" are Uncle Sam (0, Offtopic)

decora (1710862) | about a year and a half ago | (#42722907)

I don't know if you recall that 'bailout of 2008' but the Chinese Government is the only reason that the entire banking system didn't collapse. They own something like a trillion dollars worth of things like Treasury Bonds as well as Mortgage Securities.

According to Hank Paulson's book, Russia wanted to team up with China, call the debt, and make us go bankrupt and the banks die. China refused.

Partly because Hank Paulson, when he worked for Goldman Sachs, had spent several years in China getting to know the higher ups.

Now pull some bills out of your wallet. See the signature? Henry "Hank" Paulson. Treasury Secretary.

Re:"The Chinese" are Uncle Sam (2)

ub3r n3u7r4l1st (1388939) | about a year and a half ago | (#42722997)

Of course the Chinese can't afford to see the U.S. banking system collapse. Just turn around almost everything you can touch. Can you see where it is being manufactured? Who's going to buy the stuff if no one has any money left?

Re:"The Chinese" are Uncle Sam (3, Insightful)

Gordonjcp (186804) | about a year and a half ago | (#42723727)

Who's going to buy the stuff if no one has any money left?

The entire rest of the world. China isn't particularly dependent on one country with no money.

Re:"The Chinese" are Uncle Sam (0)

Anonymous Coward | about a year and a half ago | (#42723581)

You show your ignorance of economics. They can't just call their debt as they please. It is akin to a regular person calling in their debt in the form of a savings bond where it is worth a lot less than what you paid until it matures. Anyway, the Chinese (the largest debt carrier for the US) only have about 8% of our total debt. Good YouTube video if you want to learn something instead of talking out of your ass... http://www.youtube.com/watch?v=3ugDU2qNcyg

Re:The Chinese or Uncle Sam ?? (1)

alostpacket (1972110) | about a year and a half ago | (#42723389)

Uncle Samurai?

Re:Never attribute to malice... (5, Insightful)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#42722923)

What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

I'm inclined to keep "Never attribute to malice something much stupider than malice would have implemented" in mind as a variant on the usual phrase.

Given the hordes of profit-driven, variously political, and simply lulz-oriented attackers on the internet, relatively blatant backdooring (when you are in the privileged position of being the guys shipping the firmware, no less, hard to ask for more insider access than that) amounts to squandering an advantage. Had the units shipped with, say, a bugged sshd that is hardcoded to always allow access via keypair auth with a specific private key, it is both much more likely that nobody would ever have noticed, and that nobody but the intended attacker would ever have been able to make use of the vulnerability. A wholly unauthenticated hole, on the other hand, is an open invitation to every bot-herder and ne'er-do-well on the planet to come and have a rummage through the systems, leading to much greater competition for the creator of the backdoor.

Re:Never attribute to malice... (2)

shitzu (931108) | about a year and a half ago | (#42723105)

Well... If you plug your random DVR (or print server, or any device for that matter) tcp port through your router, you deserve what you get. If you leave upnp on, you deserve what you get. Openvpn costs nothing.

Re:Never attribute to malice... (1)

stjobe (78285) | about a year and a half ago | (#42724039)

Pray it's the Chinese... and it's not SCORPION STARE.

Although if you know what that is and don't have GAME ANDES REDSHIFT clearance, I'm afraid you're in for a change in work environments - hope you like British bureaucracy!

shunky (-1)

Anonymous Coward | about a year and a half ago | (#42722545)

Shanghai Shunky Machinery Co.,ltd is a famous manufacturer of crushing and screening equipments in China. We provide our customers complete crushing plant, including cone crusher, jaw crusher, impact crusher, VSI sand making machine, mobile crusher and vibrating screen. What we provide is not just the high value-added products, but also the first class service team and problems solution suggestions. Our crushers are widely used in the fundamental construction projects. The complete crushing plants are exported to Russia, Mongolia, middle Asia, Africa and other regions around the world.

Re:shunky (1)

webmistressrachel (903577) | about a year and a half ago | (#42722899)

WTF?

On another note, "from the your-curtains-are-ugly dept.", my curtains are lovely, thank you.

ON TOPIC, mods, read the headline AND the subtitle!

Re:shunky (4, Funny)

Anachragnome (1008495) | about a year and a half ago | (#42723571)

I really don't care about cameras watching rock crushers...

Can someone please post a short-list of the ones covering strip clubs? 58,000 is a lot to sort through. Thanks in advance.

No Surprise (4, Funny)

hduff (570443) | about a year and a half ago | (#42722547)

"As Seen On TV"

Re:No Surprise (0)

Anonymous Coward | about a year and a half ago | (#42722999)

"As Seen On TV"

Yeah, the first thing I thought of when I saw the headline was an episode of "Supernatural". Frank Deveraux had taught Dean Winchester how to commandeer Security cameras. When brother Sam saw Dean do it (Sam is the guy you usually see sitting at a laptop), he said, "You have to teach me how to do that."

well ... (0)

Anonymous Coward | about a year and a half ago | (#42722553)

it's not like you should have this unprotected by a firewall.

Re:well ... (2)

fyngyrz (762201) | about a year and a half ago | (#42722563)

it's not like you should have this unprotected by a firewall.

it's not like you should have anything unprotected by a firewall.

Re:well ... (4, Informative)

fluffy99 (870997) | about a year and a half ago | (#42722671)

That these systems will punch holes in a upnp capable router is part of the problem. Many people may not realize their DVR is even accessible from outside. Step number one on any home routers I set up is to disable upnp because malicious software also likes to punch holes.
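An audit for the situation this comment describes, added here as an example and not part of the original comment: it parses a router's UPnP IGD `GetGenericPortMappingEntry` SOAP replies and reports every active mapping that is not on an allowlist. The SOAP bodies, LAN addresses and allowlist are constructed sample data, and retrieving the replies from a real router is assumed to happen elsewhere.

```python
"""Audit UPnP IGD port mappings against an allowlist (constructed sample data)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Output arguments of the IGD WANIPConnection action GetGenericPortMappingEntry.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


@dataclass(frozen=True)
class Mapping:
    protocol: str
    external_port: int
    internal_client: str
    internal_port: int
    remote_host: str
    enabled: bool
    description: str
    lease_seconds: int


@dataclass(frozen=True)
class Finding:
    mapping: Mapping
    reasons: tuple


def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_mapping(soap_xml):
    """Parse one GetGenericPortMappingEntryResponse into a Mapping."""
    # The reply comes from a network device: refuse DTDs and entity tricks.
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD/entity declarations are not expected in a SOAP reply")
    v = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]           # drop any XML namespace
        if name in FIELDS:
            v[name] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in v]
    if missing:
        raise ValueError(f"reply lacks {missing}")
    return Mapping(protocol=v["NewProtocol"].upper(),
                   external_port=_port(v["NewExternalPort"]),
                   internal_client=v["NewInternalClient"],
                   internal_port=_port(v["NewInternalPort"]),
                   remote_host=v["NewRemoteHost"],
                   enabled=v["NewEnabled"].lower() in ("1", "true", "yes"),
                   description=v["NewPortMappingDescription"],
                   lease_seconds=int(v["NewLeaseDuration"]))


def audit(mappings, allowlist):
    """Return a Finding for every enabled mapping that is not allowlisted."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue                                # not forwarding traffic
        key = (m.protocol, m.external_port, m.internal_client, m.internal_port)
        if key in allowlist:
            continue
        reasons = ["not on the allowlist"]
        if m.remote_host == "":
            reasons.append("any source address may connect (empty NewRemoteHost)")
        if m.lease_seconds == 0:
            reasons.append("lease 0: does not expire (IGD v1 static mapping)")
        findings.append(Finding(m, tuple(reasons)))
    return findings


# --- constructed sample data ------------------------------------------------
_ENVELOPE = ('<?xml version="1.0"?>'
             '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
             '<s:Body><u:GetGenericPortMappingEntryResponse '
             'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">{body}'
             '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


def _soap(*values):
    body = "".join(f"<{k}>{val}</{k}>" for k, val in zip(FIELDS, values))
    return _ENVELOPE.format(body=body)


SAMPLE_RESPONSES = [
    _soap("", 9000, "TCP", 9000, "192.168.1.50", 1, "DVR", 0),
    _soap("", 51413, "tcp", 51413, "192.168.1.20", 1, "BT client", 3600),
    _soap("", 3074, "UDP", 3074, "192.168.1.30", 0, "console", 0),
]
# Mappings the owner knowingly wants: (protocol, ext port, LAN host, int port).
ALLOWLIST = {("TCP", 51413, "192.168.1.20", 51413)}

if __name__ == "__main__":
    for f in audit([parse_mapping(r) for r in SAMPLE_RESPONSES], ALLOWLIST):
        m = f.mapping
        print(f"{m.protocol} {m.external_port} -> {m.internal_client}:"
              f"{m.internal_port} ({m.description}): " + "; ".join(f.reasons))
```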

Re:well ... (4, Interesting)

adolf (21054) | about a year and a half ago | (#42722879)

Step number one on any home routers I set up is to disable upnp because malicious software also likes to punch holes.

UPNP can trivially allow incoming ports on the firewall. And so what? You allow outbound connections, don't you?

There is very little difference between malicious programs being able to create their own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

Why would I trust a program to create connections but not enough to accept them?

In practice, I leave UPNP turned on. If I were paranoid enough to disable it, I'd also be sufficiently paranoid to never, ever execute any code that I'd not written or reviewed myself, with a firewall that denies everything by default in both directions...and I just don't have time for that.

UPNP makes things work better: From BT to software updates to gaming on a PS3, UPNP helps keep the clusterfuck of NAT from being absolutely horrible.

So the score, so far, for UPNP seems to be this:

Problems that UPNP solves for me: Several.
Problems that UPNP creates for me: None.

Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let alone worry about UPNP.

Re:well ... (2)

Frojack123 (2606639) | about a year and a half ago | (#42722933)

There is very little difference between malicious programs being able to create their own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

Bullshit. If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent). So your clothes dryer can send you an email telling you it's on fire, or your tablet can fetch your email, and stuff like that. However, as pointed out in the present article, even a disbeliever like you should see that opening an inbound port is an entirely different affair. An inbound port is open to the entire world, anyone can connect, and, (barring any on-device security), they can do pretty much anything the device is capable of doing.

Re:well ... (2)

Miamicanes (730264) | about a year and a half ago | (#42723217)

> An inbound port is open to the entire world, anyone can connect, and, (barring any on-device security),
> they can do pretty much anything the device is capable of doing.

And 9 times out of 10, unless the homeowner couldn't figure out how to do it, any device that accepts incoming connections on a port probably has a port from the router's public IP address forwarded to its internal IP address *anyway*.

Yes, barring device security, they can do whatever they'd like. That's why the device HAS security. So they can't.

The biggest problem with internet cameras and DVRs isn't the fact that they can use UPnP to "punch holes" -- it's the fact that 99.9% of the damn cameras don't allow you to authenticate via SSL (valid certificate or not), and instead send your login credentials in the clear over the wi-fi network at Starbucks. I wish to ${deity} that routers had a "reverse https proxy" function that would accept inbound https connections, strip the ssl, and transparently forward the traffic to the same port of an internal IP address where there's a device that's too stupid to know how to do SSL.

I won't be losing sleep tonight worrying about my cameras' ability to coax the router into forwarding arbitrary ports to them. I'd lose quite a bit of sleep if I didn't have the internet-connected camera in my bedroom wired up to the burglar alarm through a relay that cuts the power to it whenever the alarm isn't in "away" mode, and a similar relay that cuts power to the switch connecting those cameras to the router. Technically, I could have gotten away with just one relay on the switch, but I couldn't sleep with the camera's red light blinking at me regardless of whether or not it was connected to the router at the time.

Re:well ... (1)

julesh (229690) | about a year and a half ago | (#42723413)

I wish to ${deity} that routers had a "reverse https proxy" function that would accept inbound https connections, strip the ssl, and transparently forward the traffic to the same port of an internal IP address where there's a device that's too stupid to know how to do SSL.

Have you considered setting up a VPN? Routers with integrated VPN functions are affordable these days (e.g. http://www.google.co.uk/products/catalog?q=dsl+router+vpn&sugexp=chrome,mod%3D11&um=1&ie=UTF-8&cid=11302817784067722053&sa=X&ei=Z3UHUfSWJrGp0AWNzYCwAw&ved=0CGMQ8wIwAw [google.co.uk] ). Alternatively, it wouldn't be too hard to set up the system you describe on a server inside your network and just forward your ports on the router to that system.

Re:well ... (1)

MartinSchou (1360093) | about a year and a half ago | (#42723615)

I couldn't sleep with the camera's red light blinking at me regardless of whether or not it was connected to the router at the time.

Easily fixed with tape or a pen.

It's how I fix the issue I have with 99% of all electronic equipment these days, as they seem to insist on being able to illuminate a room with their "LOOK AT ME!!!" lights. And I think that's the first time in pretty much forever, I've ever wanted to use the blink-tag.

Re:well ... (1)

adolf (21054) | about a year and a half ago | (#42723649)

It's how I fix the issue I have with 99% of all electronic equipment these days, as they seem to insist on being able to illuminate a room with their "LOOK AT ME!!!" lights.

The best feature of my NEC 2090UXi monitor (other than its beautiful IPS LCD panel) is that the power indicator can be adjusted from a glaring eye-burning blue to either amber or green, and then dimmed to such an extent that it ceases to be bothersome and becomes a useful status indicator. (These functions are part of its on-screen menus.)

The worst feature of the Asus monitor on my desk beside it is the strip of red vinyl electrical tape that covers the eye-burning blue LED. (I find that red tape lets enough blue light through to be useful, without blacking it out completely. Yellow, green, white, and blue vinyl tapes were less than satisfactory.)

Re:well ... (1)

MartinSchou (1360093) | about a year and a half ago | (#42723737)

The single worst offender I can remember, was a mouse with an LED behind the company nameplate so intense, that you could read the name (mirrored) on the ceiling in daylight.

Re:well ... (1)

julesh (229690) | about a year and a half ago | (#42723393)

Bullshit. If your device has a reason to create an outbound connection, it is (for the most part) limited to one connection to one place for a specific purpose. (Disregarding intentionally buggered on-board software designed with malicious intent).

You're disregarding exactly the situation the GGP post was describing as the reason he turned UPNP off. GP's reply was a reasonable response: if you're assuming that software inside your network is malicious, it doesn't need UPNP to cause mischief... it'll probably hook up to an IRC server or similar in order to accept incoming commands, so that isn't a good reason to disable UPNP.

Now, this situation is (presumably) not malicious, but that doesn't make GP's response invalid. OTOH, I have to query how rare situations like this are. Very few devices automatically create firewall holes for themselves without user confirmation. Most UPNP routers make it very easy to monitor what holes you do have. The proportion of such devices that have massive security flaws like this is also likely to be low. I'm not therefore convinced that this situation is, on balance, enough to make me want to turn UPNP off.

Re:well ... (1)

adolf (21054) | about a year and a half ago | (#42723533)

An outbound port is also open to the entire world: Hence, how your clothes drier can send you an email to tell you that it is on fire (and get a buffer overflow from a compromised SMTP server in exchange, possibly with the help of a poisoned DNS server, MITM attack, etc).

*shrug*

If a device can't be trusted to behave itself on the Big, Bad Internet, it probably shouldn't be trusted in a common LAN environment either (what, with WEP being trivially broken and WPA attackable with surprisingly small effort).

Indeed, if people kept their networks tidy (even Windows does a good-enough job of this these days by itself, let alone the secure-by-default BSDs and their ilk), we wouldn't need to care much if one wayward appliance got hacked because even with local access from a compromised box the rest of the stuff on the network is still secure.

Nothing is secure enough for the internet. (0)

Anonymous Coward | about a year and a half ago | (#42724133)

One of the many things that bothers me about Linux is its password obsession. It's difficult to use without typing your password in all the fucking time. So you tend to want to make that password short.

However, Linux uses the same password for remote SSH connections that it uses for local desktop authentication. Thus, if you set your desktop password to "whatever" so that it's something that is easy to type a hundred times a day, then your SSH server now accepts connections with that same easy password. Perhaps there's some way to make the two passwords different, but even if there is, it doesn't change that, by default, Linux does everything it can to encourage you to use a simpler password (by making you type it in for every trivial thing) while doing nothing at all to tell you that you have the option of using a much more secure password for remote connections.

The easiest way to solve this problem is to just not allow SSH connections via your router. Why expose sshd to the internet anyway? With remote exploits appearing in every service from time to time, since apparently even a small task like accepting a password and verifying it is nearly impossible to program without overflowing a buffer, there's no way you can allow any software to accept connections from the internet without opening yourself to a remote exploit anyway. Perhaps your software is secure today, but will it be secure next week? Will you even know right away when the next exploit is discovered, or will it be in the wild for a few weeks first?

So to say that anything that isn't secure enough to talk to the internet isn't secure enough to be on my LAN is to say that I can't SSH from one computer to another, or share files between my computers, or share a printer, or do anything at all between the computers in my house that random people who happen to discover the next exploit in some random piece of software can't do with my computers.

Honestly, I've only once ever allowed remote connections into my LAN from the internet, and for that I wrote my own application to accept connections, read the first 64 bytes, and compare them to a list of one-time-use passwords. If a match was found, it spawned pppd, and removed the password from the list so that it could never be used again. If no match was found, it just closed the connection. The simple fact is that authenticating remote users isn't a difficult task. It's just unfortunate that no one but myself seems to be able to do so without security advisories being released for their software years after everyone's been relying upon it to keep them secure. Once you authenticate a user, the rest of your software can be buggy as fuck and it doesn't matter since you know you're talking to a trusted user, but for some reason, programmers just don't care to put any extra effort into verifying that just that one small piece of code is well-written.
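The gate this comment describes, sketched as an added example that is not the commenter's code: read exactly 64 bytes, compare against unused one-time tokens, consume on match, otherwise close. `TokenStore`, `handle_connection`, `attempt` and the `on_success` callback (standing in for spawning pppd) are hypothetical names, and the tokens are generated sample values.

```python
"""One-time-token connection gate: read a fixed-size token, check it, consume it."""
import hashlib
import hmac
import secrets
import socket
import threading

TOKEN_LEN = 64                      # the comment's "first 64 bytes"


def new_tokens(count):
    """Generate sample one-time tokens: 64 ASCII hex bytes each."""
    return [secrets.token_hex(TOKEN_LEN // 2).encode() for _ in range(count)]


class TokenStore:
    """Keeps SHA-256 digests of unused tokens; each token validates once."""

    def __init__(self, tokens):
        self._digests = {hashlib.sha256(t).digest() for t in tokens}
        self._lock = threading.Lock()

    def consume(self, candidate):
        digest = hashlib.sha256(candidate).digest()
        with self._lock:            # check and removal must be one atomic step
            match = None
            for stored in self._digests:
                # Constant-time comparison; every entry is visited either way.
                if hmac.compare_digest(stored, digest):
                    match = stored
            if match is None:
                return False
            self._digests.remove(match)   # a replay of this token now fails
            return True


def read_exact(conn, n, timeout=5.0):
    """Return exactly n bytes, or None on EOF, timeout or socket error."""
    conn.settimeout(timeout)        # a silent peer must not hold the slot open
    buf = bytearray()
    try:
        while len(buf) < n:         # recv may return fewer bytes than asked
            chunk = conn.recv(n - len(buf))
            if not chunk:
                return None
            buf.extend(chunk)
    except OSError:
        return None
    return bytes(buf)


def handle_connection(conn, store, on_success):
    """Gate one connection; on success the callback takes over the socket."""
    token = read_exact(conn, TOKEN_LEN)
    if token is None or not store.consume(token):
        conn.close()                # no error message, no hint about the cause
        return False
    on_success(conn)                # stand-in for handing the socket to pppd
    return True


def attempt(store, payload):
    """Drive one connection through the gate over an in-process socket pair."""
    client, server = socket.socketpair()
    handed_over = []
    try:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)   # short payloads end in EOF
        return handle_connection(server, store, handed_over.append)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    tokens = new_tokens(2)
    store = TokenStore(tokens)
    print("first use :", attempt(store, tokens[0]))
    print("replay    :", attempt(store, tokens[0]))
    print("too short :", attempt(store, b"guess"))
```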

Re:well ... (2)

fluffy99 (870997) | about a year and a half ago | (#42722939)

Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let alone worry about UPNP.

The connection to UPNP is that these devices are needlessly exposing themselves to attack by automatically opening inbound ports through the router using UPNP.

Re:well ... (2)

advocate_one (662832) | about a year and a half ago | (#42723515)

This is why I have two routers... one is the cable company's router and I've set that to no remote admin, the other is hung off that router and is the real router for my network

Re:well ... (1)

adolf (21054) | about a year and a half ago | (#42723603)

The connection to UPNP is that these devices are needlessly exposing themselves to attack by automatically opening inbound ports through the router using UPNP.

And the root problem there is that the device itself is not secure, not that UPNP allowed the device to be attacked. That a device is going to be attacked should always be assumed as a given, whether or not it is exposed to the Internet as a whole.

If a device is intended to operate securely on a network, it had better actually do so securely. The devices in TFA don't. This is a device problem, not a network problem.

If I can't trust my DVR to be secure on the Internet, I sure as fuck can't trust it on a large LAN (or a small LAN with a Wifi connection).

Blaming UPNP is a red herring.

Re:well ... (0)

Anonymous Coward | about a year and a half ago | (#42723133)

Remind me to never hire you as a security consultant! UPNP opens a connection to the outside. Any vulnerability in that protocol becomes exploitable by anyone on the internet. I know you were talking about malicious programs using UPNP from inside the LAN, but that only means that you really missed the point here.

Re:well ... (4, Informative)

shitzu (931108) | about a year and a half ago | (#42723135)

The difference is simple (but huge). To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network. So thanks, but no thanks on the upnp front - i keep my open tcp ports to a minimum.

Re:well ... (0)

adolf (21054) | about a year and a half ago | (#42723497)

To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network.

Your oversimplification is astounding. You act as if you've never heard of PDF, Java, Flash, browser-based, [...] exploits, when in fact there is a broad history of non-malicious programs with various bugs that can allow a gazillion script kiddies access to your network without ever opening a single incoming port.

It's obvious to anyone that the door is wide-open at the point of first infection. What's not so obvious is that the door was actually open to begin with by virtue of operating a firewall that allows outgoing connections by default. Your sense of security is false.

So thanks, but no thanks on the upnp front - i keep my open tcp ports to a minimum.

So do I. I just went and checked and the only ports I have open to the outside right now via UPNP are the exact same ports I'd have opened up anyway: Two for Subsonic and two for my BT client. Nothing else seems interested in having an open port.

UPNP lets me use DHCP (without manually-assigned, static addresses being doled out) and still have things like these work just fine.

I think the primary difference between your line of thinking and my own is that I accept and understand that computers on a network are subject to attack from many vectors involving badly-written or intentionally malicious software, whereas you seem to assume that blocking inbound connections is a meaningful preventative measure.

Re:well ... (1)

shitzu (931108) | about a year and a half ago | (#42723815)

I did not say that closed TCP ports are an end to all security woes - i do not know where you took that from. I did not quote any probability of different attack vectors. I merely compared upnp on vs. upnp off situation and said that upnp off on the router is more secure than upnp on.

What you are saying, is essentially - "I have my front door key under the mat - and the only three people who used this key are people who i would have let in anyway. And that key under the mat is just common sense as the crooks can come in by breaking the window and through the chimney or con the cleaning lady anyway."

Re:well ... (1)

adolf (21054) | about a year and a half ago | (#42723949)

To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network.

Your words, not mine.

The only sane approach (if there is a sane approach) is to mistrust every program, because a buggy program with network access is still buggy whether it can accept external connections or not: If it uses data from other places, it is potentially exploitable.

The longer you avoid this concept, the longer that you'll willfully fail to have secure systems. Good luck!

What you are saying, is essentially - "I have my front door key under the mat - and the only three people who used this key are people who i would have let in anyway. And that key under the mat is just common sense as the crooks can come in by breaking the window and through the chimney or con the cleaning lady anyway."

No, that's not it at all.

Either you have good, secure stuff on your network, or you're a vulnerable target. End of story. Incoming connections don't matter any more than outgoing connections. (And if you think they do, you're lying to yourself. Go back to the first sentence in this paragraph and re-read it until you understand.)

Re:well ... (1)

shitzu (931108) | about a year and a half ago | (#42724245)

Again - all i said is that having upnp off is preferable to having it on. I also hinted that the amount of buggy programs (PC software as well as software in devices like printers, DVRs, etc) is much larger than the amount of malicious programs.

I have not talked about any other security measures that are or are not, should or should not be in place. Instead of arguing my point - how and why is upnp on preferred to manually opening minimum number of ports - you attribute me a lot of things i have NOT SAID and argue with them. Keep up the good work.

Re:well ... (0)

Anonymous Coward | about a year and a half ago | (#42723283)

The difference is that UPNP allows someone else in, while most devices that create outbound connections are just calling home or joining a network. It's not about paranoia, it's about basic fucking security 101.

And so is security by layers, if you're gonna naively reply that killing UPNP only solves part of the problem.

Re:well ... (4, Informative)

green1 (322787) | about a year and a half ago | (#42722655)

Of course the point was that with most standard firewalls in their default setting, this automatically punches its own holes through the firewall, it's a feature....

So it's more like "it's not like you should have this unprotected by a firewall that you have carefully set up yourself without any autoconfiguration options"

Re:well ... (2)

LordLimecat (1103839) | about a year and a half ago | (#42722975)

Alternative headline: 58,000 networks needlessly vulnerable because of UPnP usage.

Made in China. (1)

andydread (758754) | about a year and a half ago | (#42722555)

Damn! and i was just looking for a system for my house and my mom's house.

Re:Made in China. (5, Funny)

Anonymous Coward | about a year and a half ago | (#42722621)

Damn! and i was just looking for a system for my house and my mom's house.

Is your mom hot?

Well, I guess we'll find out soon enough...

Re:Made in China. (1)

antdude (79039) | about a year and a half ago | (#42723027)

It is 127.0.0.1.

How to make a fool of yourself with the cops. (1)

hamjudo (64140) | about a year and a half ago | (#42722609)

So there I was, trying to retrieve the video of the suspect for the cops, and it turns out that recording had been turned off on all 16 cameras 12 hours before the incident.

No network issue here, I never connected the system to the network.

One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.

Re:How to make a fool of yourself with the cops. (1, Interesting)

Technician (215283) | about a year and a half ago | (#42722675)

#1 lesson. Turn off Universal Plug and Play in your router and turn on the firewall. Open only ports you use.

Re:How to make a fool of yourself with the cops. (1)

MacGyver2210 (1053110) | about a year and a half ago | (#42722763)

Which will protect so well against a child playing with the physical hardware device on the premises.

Re:How to make a fool of yourself with the cops. (1)

alanshot (541117) | about a year and a half ago | (#42723001)

yep. I can see that happening again... and coincidentally I just finished firing off an email to an up and coming IP camera and managed wifi vendor that provides free NVR and WAP controller software... too bad none of their "server" software installs as a service. So not even a CHANCE of hiding it from little hands. (unless you want to jump through a bunch of hoops to force it into service mode)

And in this case all the kid would have had to do was THREE clicks to log grandpa's PC off. (thus shutting down the NVR... DOH!)

Re:How to make a fool of yourself with the cops. (1)

shitzu (931108) | about a year and a half ago | (#42723169)

Why would you let your kid use the same user account as yourself (or grandpa)? Are you a fan of deleted documents? Just make a separate account for DVR, leave the soft running and fast-user-switch out of it. And a separate restricted account for the kid.

And on a side note - if the computer recording your cameras is in a place where a 3 year old can access it, this computer will probably be the very first thing stolen - so I think you are making this crap up.

Re:How to make a fool of yourself with the cops. (1)

n3r0.m4dski11z (447312) | about a year and a half ago | (#42723047)

One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.

The perfect crime...

Better than the US ? (0)

Anonymous Coward | about a year and a half ago | (#42722625)

At least it's not the tyrannical US that has the backdoor into all your bases >_>

Remarkable technical prowess! (3, Funny)

mpoulton (689851) | about a year and a half ago | (#42722667)

I can't even get my Swann DVR to work right WITH the login credentials!

Re:Remarkable technical prowess! (1)

nschubach (922175) | about a year and a half ago | (#42722837)

I got a hold of one (ZModo) and after putting a known good hard drive in it it worked for a while and then suddenly the SATA controller must have fried. It will no longer recognize any hard disk. Since I didn't pay all that much for it, I pretty much consider it disposable. I'll probably end up using the cheap cameras I got on something a little less flaky.

Closed up a hole on our DVR (4, Interesting)

baobrien (2672743) | about a year and a half ago | (#42722691)

We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.

Re:Closed up a hole on our DVR (0)

Anonymous Coward | about a year and a half ago | (#42722721)

Got a q-see as well. And this is exactly why I have mine only accessible via VPN.

Re:Closed up a hole on our DVR (2)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#42722953)

The soul-crushing thing about your story is that it suggests that somebody deliberately went to additional effort to build/install a telnet daemon while hacking the firmware together. That's just sick and wrong.

Re:Closed up a hole on our DVR (1)

thegarbz (1787294) | about a year and a half ago | (#42723713)

That's just sick and wrong.

Not to mention a godsend and a timesaver for debugging. Every embedded application I've ever made whether linux based or some tiny microcontroller on a UART had some terminal based debugging interface.

I'm willing to bet that this is just a leftover from testing that shouldn't have made it out the door.

Re:Closed up a hole on our DVR (0)

Anonymous Coward | about a year and a half ago | (#42723863)

How'd you fix it? Internal in-app control over telnet being toggled on/off?

Or a deeper linux system disabling?

Port knocking (5, Informative)

Okian Warrior (537106) | about a year and a half ago | (#42722695)

Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".

For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)

It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.

If China were putting back-doors in hardware systems, they could make them virtually impossible to find.

That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.
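The knock logic described in the comment above, as an added example that is not part of the original post or of any DVR firmware: a per-source state machine run over constructed connection attempts, using the ports the comment gives. The timing values and the names `KnockTracker`, `sample_events` and `replay` are assumptions.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1010, 1050, 3042, 4725)  # ports from the comment above
PROTECTED_PORT = 9000                      # port opened after a correct knock
KNOCK_WINDOW = 10.0    # assumed: seconds allowed for the whole sequence
OPEN_DURATION = 30.0   # assumed: seconds the protected port stays open


@dataclass
class KnockTracker:
    """Per-source state machine fed with attempts on closed ports."""
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    progress: dict = field(default_factory=dict)  # src -> (next index, start time)
    allowed: dict = field(default_factory=dict)   # src -> time access expires

    def observe(self, src, port, now):
        """Record one attempt; return True if it completed the knock."""
        index, started = self.progress.get(src, (0, now))
        if index and now - started > self.window:
            index, started = 0, now          # too slow: start over
        if port == self.sequence[index]:
            index += 1
        elif port == self.sequence[0]:
            index, started = 1, now          # wrong step, but it begins a new knock
        else:
            index = 0                        # any other port resets progress
        if index == len(self.sequence):
            self.progress.pop(src, None)
            self.allowed[src] = now + self.open_for
            return True
        if index:
            self.progress[src] = (index, started)
        else:
            self.progress.pop(src, None)
        return False

    def may_connect(self, src, port, now):
        """Would a connection from src to port be accepted at time now?"""
        return port == PROTECTED_PORT and self.allowed.get(src, 0.0) > now


def sample_events():
    """Constructed (time, source, port) attempts; addresses are documentation ranges."""
    events = [(float(t), "198.51.100.7", p) for t, p in enumerate(KNOCK_SEQUENCE)]
    # Sequential scan of ports 1000-4999: it touches every knock port in order,
    # but the ports in between reset its progress each time.
    events += [(i * 0.001, "203.0.113.9", p) for i, p in enumerate(range(1000, 5000))]
    # Right ports, wrong order.
    events += [(float(t), "192.0.2.44", p) for t, p in enumerate((1050, 1010, 3042, 4725))]
    # Right order, but spread over 12 seconds.
    events += [(t * 4.0, "192.0.2.80", p) for t, p in enumerate(KNOCK_SEQUENCE)]
    return sorted(events)


def replay(events, tracker=None):
    """Feed events to a tracker; return the sources whose knock succeeded."""
    if tracker is None:
        tracker = KnockTracker()
    return {src for now, src, port in events if tracker.observe(src, port, now)}


if __name__ == "__main__":
    print(replay(sample_events()))
```

The knock travels in the clear, so anyone who can observe the traffic can replay it; the service behind port 9000 still needs its own authentication, as replies in this thread point out.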

Re:Port knocking (5, Interesting)

GNUALMAFUERTE (697061) | about a year and a half ago | (#42722783)

Port knocking is insane. It's the worst nightmare the security-through-obscurity mindset brought us, and it's so fucking annoying.

My company develops a CCTV DVR/NVR. It's GNU/Linux based, we keep it up to date by offering free updates for life. Upgrades are not a huge firmware blob you need to download and then install (something customers won't do); it's a simple package (we use our own pkg management, and it's Slackware-like), usually a few MB of download, but to the customer it's transparent. They just get a warning when they log-in, and the system lets them know via e-mail there are available updates, they can install them with a single click. The whole system is web-based, HTML5, and works out of the box on anything Gecko or Webkit based plus Opera (IE not supported). We don't require additional ports, everything works through a single HTTP port. Everything is session-based. We force the customer to use secure passwords, and to change them frequently. We use UPnP to open that single port, but that's when the customer runs the setup wizard, and we explain what we are going to do, and request customer authorization.

It's easy to do the right thing, and if the manufacturer does the right thing, you don't need any additional security (for example, you don't really need to firewall the damn DVR). Sadly, most manufacturers don't do the right thing. They don't even bother providing upgrades. And the customers don't usually care, even when you offer a better solution, most will go with the generic Chinese crap just because it's a few dollars cheaper. That's why more secure and functional solutions such as ours are usually only found in corporations (95% of our customer base).

This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag. That's a deadly combination for the technology used by 90% of the population.

Re:Port knocking (0)

Anonymous Coward | about a year and a half ago | (#42722971)

What's your company? I'd like to add something like that to our vendor list...

Re:Port knocking (0)

Anonymous Coward | about a year and a half ago | (#42723191)

I like what you're saying.

We force the customer to use secure passwords,

Well this is okay, so long as your definition of "secure" does not fall victim to the fallacy in this obligatory comic: http://xkcd.com/936/

and to change them frequently.

and now you've not only lost me, but I'm actually pissed off. If a password is secure, why should I have to change it frequently? Are you saying if someone compromises my password, it is actually no harm done for them to use it for up to 30 days, but then no more? Do you also force users not to repeat passwords, and then expect not to get passwords like "secretwinter2012" followed by "secretspring2013" (bet you can't guess the next one)?

How about this.. force some "complexity" -- and make sure you realize that 20 lowercase characters is more secure than 8 mixed caps/numbers/symbols, so if I put in 20 characters don't force me to use a symbol. Record the last login IP/hostname, and show it to me after I log in -- bonus points if you show a big warning when it's from an address I've never used before, and triple points if you provide context links to view audit logs or reset my password. Depending on how complex you want to get, use two factor authentication (especially when I log in from somewhere new).

Sorry to rant, but I'm so sick of crappy password implementations that think they're making things secure but actually do the exact opposite.

Re:Port knocking (0)

Anonymous Coward | about a year and a half ago | (#42723435)

and to change them frequently.

and now you've not only lost me, but I'm actually pissed off. If a password is secure, why should I have to change it frequently? Are you saying if someone compromises my password, it is actually no harm done for them to use it for up to 30 days, but then no more? Do you also force users not to repeat passwords, and then expect not to get passwords like "secretwinter2012" followed by "secretspring2013" (bet you can't guess the next one)?

As Google appears to have discovered, passwords are broken by design. Forcing password changes often indeed leads to people using something memorable (guessable), post-it-notes or hurts their brains and makes them forget them - making an easy recovery system a necessity. Each one of these options opens some sort of an attack vector.

Then again, never requiring a password change can result in exposure to credential harvesting. A single incident where a password is lost on some device leads to an eternally compromised account.

Device/service combinations like SecurID address the security side of the issue but have shortcomings with respect to memory, so it's good I guess that someone like Google is redesigning the thing.

Re:Port knocking (0)

Anonymous Coward | about a year and a half ago | (#42723439)

I meant to write usability, where memory is just one aspect. Of course having to carry a magic device for each online service and tell them from each other sort of sucks too. I also am only learning to use the Preview button.

Re:Port knocking (2)

k8to (9046) | about a year and a half ago | (#42723269)

Sure hope you:

* Make it possible to disable or alter password expiry policies. This sort of thing just pushes people to put them on paper.
* Do not use UPnP without customer authorization.

Otherwise, I wouldn't really trust you / want to use your things.

Re:Port knocking (0)

Anonymous Coward | about a year and a half ago | (#42723281)

Port knocking is not like security by obscurity. The latter is used to mean that the method is hidden from the attacker. The method is port knocking and is well known. Rather, the challenge is to know the length and sequence of ports; this is more akin to a key (and has many interesting properties- there are 2^32 ports, and a sequence of knocks is theoretically unlimited).

Of course, it doesn't help that an attacker can simply sit and sniff the router for traffic... but for sporadic access (e.g. an exploit, perhaps in some cases soft- and hardware used for espionage) this can definitely be useful. Another scenario: Until a connection is established, the sequence is information-theoretically secure (because it cannot be guessed by an attacker). After, one can set up a TLS connection and use it to exchange a new random sequence of ports... you get the idea.

This isn't secret magic or something (you can still detect it, by attacking the hardware for example), but it is a ridiculously cool approach to setting up a secure connection. To come back to my original point: this is more akin to steganography than to security by obscurity. Similarly, hiding the usage of an algorithm is not security by obscurity. Security by Obscurity is to design a cryptographic system by your own hands for a specific purpose (which almost never results in a secure system).

Re:Port knocking (1)

MartinSchou (1360093) | about a year and a half ago | (#42723599)

This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag.

You mean in the same way that the US doesn't give a fuck? Or the EU. Or any other nation or continent you care to name.

No-one gives a fuck - that's the problem. If the collective we cared, security would be much higher, simply because insecure technology wouldn't sell.

Don't blame China - blame the retailers. Security costs money, and if retailers can save a thousand dollars on a million sales, they'll go with the cheaper alternative if they think it'll sell.

Race to the bottom and all that.

Re:Port knocking (1)

YurB (2583187) | about a year and a half ago | (#42723617)

works out of the box on anything Gecko or Webkit based plus Opera (IE not supported).

Glad to hear there are people who sell things without IE support to businesses. World's changing for the better.

Re:Port knocking (0)

Anonymous Coward | about a year and a half ago | (#42722811)

So, port knocking is secure as long as nobody is listening in anywhere at all between your computer and the remote computer?

Kickass security there. Wouldn't it just be easier to use telnet? Same level of security (just requires nobody between you and the end host), but at least it asks for a password, and a password has a lot more complexity than 65535^4 possibilities.

Re:Port knocking (1)

Frojack123 (2606639) | about a year and a half ago | (#42723057)

So, port knocking is secure as long as nobody is listening in anywhere at all between your computer and the remote computer?

Kickass security there. Wouldn't it just be easier to use telnet? Same level of security (just requires nobody between you and the end host), but at least it asks for a password, and a password has a lot more complexity than 65535^4 possibilities.

People smart enough to set up port knocking don't use it as a substitute for private/public key encryption, they simply use it to keep the system from having to fend off dictionary attacks, by keeping the target ports closed. Even after you knock a port open, you still need to authenticate.

Should have been explicit (1)

Okian Warrior (537106) | about a year and a half ago | (#42723115)

Yeah, I know. I should have been more explicit in my post.

I'm not saying that port knocking should be the product API. Port knocking is a terrible security measure.

I'm saying that a backdoor could be hidden in such a way that it would be impossible to find - and port knocking is one of those methods. It's simple and effective - even if it's "security by obscurity".

Since this exploit is not well hidden, chances are it isn't a purpose-built backdoor, but more likely an oversight of some kind.

Re:Should have been explicit (0)

Anonymous Coward | about a year and a half ago | (#42723455)

Why does it have to be security by obscurity? What's preventing making a complex knock sequence requiring an actual secret?

Why Port Knocking Must Be Security by Obscurity (0)

Anonymous Coward | about a year and a half ago | (#42724205)

Because if it isn't security by obscurity, then it isn't any more secure than asking for a password.

The obvious thing to do would be no port knocking, but instead ask for a password, and disconnect anyone who doesn't supply the correct password. However, it's a well-known fact that programmers cannot achieve even this simple task without risk of a buffer overflow or some other security vulnerability that will be discovered some day and used in the wild for days or months before it is discovered and patched. Therefore, it is necessary to paste your own security method on top of anything provided by the software you're using.

This is why the security must be obscure. If it's popular and well-known, like a standard service that implements port-knocking, then it is inevitable that we'll then be forced to add "monitoring attempted connections to random ports for a specific sequence" to the list of things that programmers cannot do without risk of a buffer overflow or some other security vulnerability. After all, just asking for a password and testing its validity isn't a lot of code. If programmers can't do that without error, then what makes you think they can do something more complex like monitor connection attempts from potentially hundreds of computers at once?

Thus, the port knocking must remain obscure in order to be secure, because if it isn't obscure, then we'll inevitably one day learn that we can get into any computer simply by connecting to ports 4729, 12993, 3188, 23552 and 19993, which then triggers a buffer overflow, and allows our computer to connect to any service on the remote computer.

Thank You (0)

Anonymous Coward | about a year and a half ago | (#42722709)

I do 'need to know' that ! :)

UPnP (1)

0123456 (636235) | about a year and a half ago | (#42722723)

Is there really anyone in the world who hasn't turned this monstrous security hole off yet?

Re:UPnP (0)

Anonymous Coward | about a year and a half ago | (#42722827)

Yes, about 99% of the people in fact.

Re:UPnP (1)

freemenow-linux (2825877) | about a year and a half ago | (#42723035)

Apparently 99% of the people that do this don't do it right. I don't even allow WPS to be active on my routers, and I tell businesses that I do work for to disable the feature for the fact that it is a security hole... and UPnP is the worst idea that has been done, including WPS. Fix the holes or get rid of the software and find something new...

no big deal (0)

CimmerianX (2478270) | about a year and a half ago | (#42722757)

Turn off UPNP and run this behind a firewall. Want to watch your cameras remotely, use OpenVPN and connect into your network. Problem solved.

Loco Pizza store 48 (0)

Anonymous Coward | about a year and a half ago | (#42722807)

And some places just leave their camera control panels COMPLETELY open to the public!
store48.viewnetcam.com

This is EXACTLY what I've been afraid of! (2)

storkus (179708) | about a year and a half ago | (#42722819)

The previous owner of the motel I work at got ripped off by a company that installed one of these 16 camera systems. The cameras never work right, and I knew something funny was up with the DVR when it said that you need IE and Active-X to watch it!

My current boss occasionally asks me to connect it up like the system his uncle (his boss) has, and I keep blowing him off, not because it would be hard, but because I'd both have to open a hole in the firewall to the outside world AND it would be fully accessible to anyone on the motel wi-fi system.

Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

Re:This is EXACTLY what I've been afraid of! (1)

Frojack123 (2606639) | about a year and a half ago | (#42723067)

Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

Just WHERE in a casino can you WORK and not be under constant surveillance?

Re:This is EXACTLY what I've been afraid of! (2)

julesh (229690) | about a year and a half ago | (#42723473)

Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

Just WHERE in a casino can you WORK and not be under constant surveillance?

In the surveillance room?

Re:This is EXACTLY what I've been afraid of! (0)

Anonymous Coward | about a year and a half ago | (#42723485)

Asking to connect it up is probably just a test of whether you are psychologically wired to do something so stupid. Or then he really wants it and is already looking for someone more inclined to opening up all sorts of ports to motel guests, to replace you. Blowing your boss off intuitively sounds like the wise thing, but if you would like to please your inner geek, you might consider setting up an ssh tunnel instead of opening up everything. Not so hard to do but if you haven't done it before, practise with some hobby system until you figure out how it works and what goes on inside the setup.

SH@T! (0)

Anonymous Coward | about a year and a half ago | (#42722867)

I been exploiting this for months!!!

Kind of related.. (0)

Anonymous Coward | about a year and a half ago | (#42722901)

I have a QSEE QC model DVR. It does not appear to be one of the companies affected by this bug but it has its own problems.

The unit comes with the user "admin" that can not be disabled and can not be blocked from remote access. Any users you add and the built in default users including the admin account are limited to 6 character alpha-numeric passwords. The device has default passwords that can and should be changed but there is no process that reminds you or forces you to do so other than a text blurb in the setup instructions. Connecting to the device from a web browser is regular http and not encrypted. My cameras are only outside, the DVR is in my DMZ and although I'm not too worried about someone trashing the device config or watching my cameras, I still limit access to the device from my firewall to only a few select source IP addresses (my work IP, for example) for most of the day.

Cyber War (1)

freemenow-linux (2825877) | about a year and a half ago | (#42723015)

The reason we have such a thing going on is because of stuff like this... This is why I like OSS, because if there is a problem I know that it will be fixed immediately instead of waiting for a patch to be released 6 months later. I'm not worried about China spying on us; however, I would worry about it if our government allowed something to be imported from another country without going through some sort of software test before being sold...

Eagle Eye (0)

Anonymous Coward | about a year and a half ago | (#42723139)

Everything shall be crackable.

Next movie plot (1)

mattr (78516) | about a year and a half ago | (#42723161)

Awesome! So will we have a remake of Rising Sun with China as the antagonist instead of Japan?

Let's see, we can work in say a Chinese router manufacturer, and a major U.S. database manufacturer, which buys the tech for a major software platform like say Java, and tie in purchases of real estate by Chinese cartels under assumed names, and uh, the Chinese military of course, and we can have some hot Chinese or maybe Taiwanese-American engineer at some corporate lab or maybe U.S. university.. it all seems to be pretty realistic. But who will play Sean Connery's role?

It's absurd (1)

itsphilip (934602) | about a year and a half ago | (#42723243)

But if history is any indicator, there's a pretty good chance that someone will get arrested for disclosing this

Q-See vulnerable too (3, Informative)

kamaaina (1071006) | about a year and a half ago | (#42723293)

I have the QC444 and you can telnet to it as root with no password.

Also when you access the camera, your creds go out via cleartext and you can easily see what your password is.

ActiveX is used to log in and manage the box remotely, also if you use a password longer than 6 characters, you cannot use the PSS software that they put out on their web site.

There was also some weirdness with it trying to talk to IP address 70.151.24.203

Big Deal (1)

DakotaSmith (937647) | about a year and a half ago | (#42723347)

Well, considering the number of security cams that I can control simply by Googling for them, I can't say that this impresses me a hell of a lot.

Get rid of the cams directly on the Internet with no changes from the factory defaults and I'll be a bit more impressed.

Not a bug... (1)

mrbester (200927) | about a year and a half ago | (#42723403)

... but a feature. How else are the cops supposed to erase footage that condemns them and exonerates you?

No surprise there (0)

Anonymous Coward | about a year and a half ago | (#42723605)

I work for a PSIM company and have personally written integrations for around 100 different CCTV DVR and NVR systems. The vast majority are completely insecure. Most allow anyone to view video if on the same network. Some don't even allow you to configure a username or password. All of them come with a default user and password which in my experience on production sites is rarely changed.

I'd never recommend a DVR nowadays. Set up a PC running a flavour of Milestone XProtect, buy IP cameras. Change the default passwords. Don't expose anything to the Internet. Set up a VPN account into the Milestone server if you require remote access.

Stop Blaming China (-1)

Anonymous Coward | about a year and a half ago | (#42723635)

I'm a tech consultant for small and medium businesses. I'm desperately seeking a new profession.

People who don't know much about plumbing generally have the good sense to hire a plumber when their toilet breaks. Same thing with their electrical systems.

What is it that leaves unqualified people (most anyone who has not studied and/or practiced IT work), people who have enough sense not to mess with a simplistic breaker panel, with the belief that they are qualified to select, install, and maintain a component as vital and complex as a router or firewall? Usually these small offices host many unauthorized connections to China. They often remain unconcerned even after being confronted with evidence and solutions.

After one client suffered a real breach, I thought I finally had a narrative that small business owners could relate to, one that would prompt action. Even when confronted with the story of what happened (literally) down the street to a similar small business, they could care less ("Do you know how to setup Instagram?" being an example of a typical response).

I need more work, but there has been a tectonic shift from focusing on network security to shiny toys like iPhones. Perhaps it is the successful configuration of Gmail on such devices that serves to falsely bolster people's confidence...

More fundamentally, capitalism encourages slow and incremental change in response to business conditions (nobody has been buying the blueberry bagels, so let's not bake so many...) without much emphasis on scientific process. If it's "working," we're "all good." Unfortunately, the same processes most businesses use to arrive at most of their critical decisions cannot be effectively applied to network security. The logic is something like this: "all the money that should be in the bank account is there, and I have not made any new enemies, therefore all is good" (until it's not).

In any event, most Americans wear their technical illiteracy as a badge of honor. It would take a major sea change for our country to not end up over due to the massive denial and stupidity which abounds. Usually capitalism flushes out mistake makers to tender new opportunities for the next generation. Generation Greed figured out that they could clutch to power despite failure by lobbying to obtain socialistic bailouts as needed.

This has helped to poison opportunity for an entire generation and keep less-qualified individuals in positions of power.

The back door is open and there is a huge "Rape Me" sign affixed above it. Stupid, lazy, cheap consumers will increasingly get what they deserve as cyberwar and political attacks escalate. I pray I can stabilize myself in a different field so I don't have to help them clean up the mess that resulted from failing to value my work, opinions, and advice.

UPnP (1)

Alioth (221270) | about a year and a half ago | (#42724001)

This is the *first thing* I turn off on a router. UPnP is basically a security hole by design.
