Massive network intrusion

Comments

13 comments

  • Chris Hewitt

    YUP! If you purchase a Chinese WiFi camera what do you expect? This is a known serious security issue.

    I have a WiFi camera with two ports open directly to the internet (I have researchers that need to view the camera).

    I used to have a Blue (I now have a hyper-Gold), and it did just fine blocking all the attacks. I blocked regions and attacks when they happened and now it is very rare that I see any attempts.

    0
  • Michael Bierman

    @chris I’m aware. There are two strategies (o.k., I’m oversimplifying):

    1. Keep the cameras from having any access to the internet but allow access to my LAN. If the manufacturer is trying to spy on me that’s not much help. There is also no sign of that looking at network traffic. So this is o.k. but means I have to VPN in to see my cameras.
    2. Keep the camera isolated from my network because all the attacks come from outside using simple brute force attacks. So long as the passwords are super secure, changed often, and the cameras have no connection to my LAN, the harm is minimal. No VPN necessary, but some risk that my cameras could be hacked. No sign anyone has been able to get in, but that is due to Cujo (before I got Firewalla). With Firewalla’s new rules, I may be able to figure out how to feel safe with setup 2, or I may stick with keeping it to LAN only. When my Gold arrives I will play around with that.
    0
  • Chris Hewitt

    If you follow the updated NIST 800-63B standard you really don’t have to change your password.

    I think you really should block regions. Many (most?) of these cameras use UPnP. It’s amazing how chatty they are, calling home. I have a wake-up light that wants to call home every ten minutes. This Chinese company is clever and uses Amazon US-West. I block the site only for the light.

    With the Gold I’m comfortable with my research webcam exposed to the internet. My only issue is that the Gold doesn’t see the traffic.


    0
  • Michael Bierman

    I may do something like that. With Blue I could only block a few regions; it wasn’t enough. Really, I want to whitelist the US and block everything else. Most attacks are coming from outside the US.

    My Gold is supposed to arrive today and the fun begins to configure.

    When the camera is left unprotected there are hundreds, sometimes a thousand hits/hour. So I feel better changing the password every so often.

    0
  • Frédérick Laflèche

    @Michael,

    In my experience changing the exposed port to a non-standard one eliminates 99% of login attempts. For example, my systems used to get thousands of login attempts on port 22 (SSH). Now port 22 is blocked and another port is used. No more login attempts.

    Hope this helps

    0
  • Michael Bierman

    My experience is quite different. My cameras are on an obscure port.

    These guys scan ports, find an open port and use brute force attempts to guess passwords.

    1
  • Frédérick Laflèche

    Good to know.

    0
  • Chris Hewitt

    @Michael I wouldn’t be surprised if you got scanned by Shodan and they now have your camera in their DB. I suspect if you pick another obscure port you might dramatically cut back the number of attacks.

    I use port 90 and it seems to be okay.

    0
  • Michael Bierman

    @Chris, I've been dealing with this for years. Obviously, in that time my IP has changed (since I have changed ISPs and never have a static IP). I tried changing my port. I'm not using a standard port to begin with.

    As I said, if I change the port for a short time I see attacks slow or stop but pretty quickly they ramp right back up. It makes sense if you consider how these attacks work. 

    0
  • Chris Thomas

    Another option is to disable UPnP, and perhaps restrict outbound traffic from the camera(s).

    0
  • Michael Bierman

    UPnP is off. Outbound traffic isn't the issue for two reasons. 

    1. The attacks are clearly inbound attempts to gain access. Perhaps to the cameras but also to the network in general. 

    2. I need access to the cameras. Yes, I can start VPN and get access but with some rules I have been able to block intrusions for now. If they come back I may have to go back to using VPN for access. 


    0
  • Chris Thomas

    Restricting access to US netblocks would prevent a large portion of the internet from accessing your exposed ports.

    Additionally, if you are only accessing your cameras from your mobile device, you could look up the netblock that your cellular carrier is allocating IP addresses from and use that netblock instead of a US netblock source list.

    For instance, I'm on ATT and I usually get a public IP in the 107.77.x.x range. Thus I could write a rule that permits traffic from 107.64.0.0/10 to my firewall on a specific port.

    0
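The source-netblock allow rule described in the comment above, worked through as an added example (not code from the thread or from Firewalla): it checks constructed sample connection attempts against the 107.64.0.0/10 carrier block on an assumed camera port and shows what range that /10 actually covers.

```python
import ipaddress

# Constructed sample of inbound attempts to the exposed camera port, in a
# hypothetical "<src_ip> <dst_port> <result>" format. Not real log data.
SAMPLE_LOG = """\
107.77.12.34 8080 login-ok
107.77.200.1 8080 login-fail
203.0.113.45 8080 login-fail
198.51.100.7 8080 login-fail
107.128.0.5 8080 login-fail
107.77.12.34 8080 login-fail
"""

CAMERA_PORT = 8080  # assumed; the thread does not state the real port

# The rule from the comment: only the cellular carrier's netblock may reach
# the camera port. Everything else is dropped before it can try a password.
ALLOWED_SOURCES = [ipaddress.ip_network("107.64.0.0/10")]


def parse_log(text):
    """Turn the sample lines into (source address, port, result) tuples."""
    events = []
    for line in text.splitlines():
        src, port, result = line.split()
        events.append((ipaddress.ip_address(src), int(port), result))
    return events


def permitted(src, port):
    """True when the packet matches the allow rule (right port, source in block)."""
    return port == CAMERA_PORT and any(src in net for net in ALLOWED_SOURCES)


def evaluate(text):
    """Split the sample attempts into those the rule passes and those it drops."""
    allowed, dropped = [], []
    for src, port, _result in parse_log(text):
        (allowed if permitted(src, port) else dropped).append(str(src))
    return allowed, dropped


def netblock_range(cidr):
    """First address, last address and size of a CIDR block, to sanity-check it."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses
```

Note that 107.128.0.5 falls just outside the /10 and is dropped, while a failed login from 107.77.200.1 still gets through: the netblock rule shrinks the exposed surface but does not replace strong camera passwords or rate limiting.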
  • Michael Bierman

    Exactly. 

    0