Massive network intrusion
I noticed that my security cameras are getting a huge number of illegal login attempts.
a) many IPs are showing local IPs like 10.x and 192.x
b) none of those could be legit based on my DHCP server
c) some are external IPs
d) this is clearly an automated attack as the attempts are several a minute and sometimes 1/second
I am running the beta of Firewalla Blue. I had a port open so I could access my cameras externally without having to VPN in. When I used to use a Cujo this worked great (if anything it had a few false positives, but I could live with that). I assume Gold will address this, but is there anything I can do besides closing this port until I receive my Gold?
-
YUP! If you purchase a Chinese WiFi camera what do you expect? This is a known serious security issue.
I have a WiFi camera with two ports open directly to the internet (I have researchers that need to view the camera).
I used to have a Blue (I now have a hyper-Gold), and it did just fine blocking all the attacks. I blocked regions and attacks when they happened and now it is very rare that I see any attempts.
-
@chris I’m aware. There are two strategies (OK, I’m oversimplifying):
- keep the cameras from having any access to the internet but allow access to my LAN. If the manufacturer is trying to spy on me, that’s not much help. There is also no sign of that looking at network traffic. So this is OK, but it means I have to VPN in to see my cameras.
- keep the cameras isolated from my network, because all the attacks come from outside using simple brute-force attacks. So long as the passwords are super secure, changed often, and the cameras have no connection to my LAN, the harm is minimal. No VPN necessary, but some risk that my cameras could be hacked. No sign anyone has been able to get in, but that is due to Cujo (before I got Firewalla). With Firewalla’s new rules, I may be able to figure out how to feel safe with setup 2, or I may stick with keeping it to LAN only. When my Gold arrives I will play around with that.
-
If you follow the updated NIST 800-63B standard you really don’t have to change your password.
I think you really should block regions. Many (most?) of these cameras use UPnP. It’s amazing how chatty they are calling home. I have a wake-up light that wants to call home every ten minutes. This Chinese company is clever and uses Amazon US-West. I block the site only for the light.
With the Gold I’m comfortable with my research webcam exposed to the internet. My only issue is that the Gold doesn’t see the traffic.
-
I may do something like that. With Blue I could only block a few regions, it wasn’t enough. Really, I want to whitelist the US and block everything else. Most attacks are coming from outside the US.
My Gold is supposed to arrive today and the fun begins to configure.
When the camera is left unprotected there are hundreds, sometimes a thousand hits per hour. So I feel better changing the password every so often.
-
@Chris, I've been dealing with this for years. Obviously, in that time my IP has changed (since I have changed ISPs and never have a static IP). I tried changing my port. I'm not using a standard port to begin with.
As I said, if I change the port for a short time I see attacks slow or stop, but pretty quickly they ramp right back up. It makes sense if you consider how these attacks work.
-
UPnP is off. Outbound traffic isn't the issue for two reasons.
1. The attacks are clearly inbound attempts to gain access, perhaps to the cameras but also to the network in general.
2. I need access to the cameras. Yes, I can start VPN and get access but with some rules I have been able to block intrusions for now. If they come back I may have to go back to using VPN for access.
-
Restricting access to US netblocks would prevent a large portion of the internet from accessing your exposed ports.
Additionally, if you are only accessing your cameras from your mobile device, you could look up the netblock that your cellular carrier is allocating IP addresses from and use that netblock instead of a US netblock source list.
For instance, I'm on AT&T and I usually get a public IP in the 107.77.x.x range. Thus I could write a rule that permits traffic from 107.64.0.0/10 to my firewall on a specific port.
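The two ideas in this thread, spotting sources that cannot be legitimate (private 10.x/192.x addresses arriving on the exposed port that the DHCP server never handed out, and a hit rate of several per minute or more) and allowlisting only the carrier netblock named above (107.64.0.0/10) for the forwarded port, can be checked against a camera's login log before touching the firewall. The script below is an added example written for this page, not code from Firewalla or from any poster. It assumes a constructed log format of "timestamp source-ip result", a hypothetical DHCP lease table, and a hypothetical WAN interface name wan0 in the generic iptables rules it emits (Firewalla's own rule syntax is not shown here).

```python
"""Classify camera login attempts by source IP and measure the hit rate.

Added example for the thread above; the log lines, DHCP leases and
interface name are constructed assumptions, not data from the page.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source ip> <result>". Not real data.
SAMPLE_LOG = """\
2020-03-01T10:00:00 107.77.12.34 ok
2020-03-01T10:00:01 10.0.0.77 fail
2020-03-01T10:00:01 192.168.1.250 fail
2020-03-01T10:00:02 185.220.101.5 fail
2020-03-01T10:00:02 185.220.101.5 fail
2020-03-01T10:00:03 185.220.101.5 fail
2020-03-01T10:00:03 45.155.205.9 fail
2020-03-01T10:00:04 107.77.200.1 fail
"""

# Hypothetical DHCP lease table for the LAN (assumption for the example).
DHCP_LEASES = {"192.168.1.10", "192.168.1.11", "192.168.1.20"}
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# The carrier netblock from the last comment: allow only this to the camera port.
CARRIER_NETBLOCK = ipaddress.ip_network("107.64.0.0/10")


def classify(src: str) -> str:
    """Bucket a source address the way the thread reasons about it."""
    ip = ipaddress.ip_address(src)
    if ip.is_private:
        # A private source is only plausible if it is a LAN host the DHCP
        # server actually knows; anything else is spoofed or mis-routed.
        if ip in LAN_SUBNET and src in DHCP_LEASES:
            return "lan"
        return "bogus_private"
    if ip in CARRIER_NETBLOCK:
        return "allowed_carrier"
    return "external_blocked"


def parse(log: str):
    """Yield (timestamp, ip, result) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, ip, result = line.split()
        yield datetime.fromisoformat(ts), ip, result


def summarize(log: str):
    """Return (counts per class, attempt counts per source that would be blocked)."""
    counts = Counter()
    blocked_per_ip = Counter()
    for _, ip, _ in parse(log):
        cls = classify(ip)
        counts[cls] += 1
        if cls not in ("allowed_carrier", "lan"):
            blocked_per_ip[ip] += 1
    return counts, blocked_per_ip


def peak_rate(log: str) -> int:
    """Highest number of attempts seen in any single second (automation indicator)."""
    buckets = Counter(ts.replace(microsecond=0) for ts, _, _ in parse(log))
    return max(buckets.values())


def iptables_rules(port: int, wan_if: str = "wan0") -> list:
    """Generic iptables rules expressing the allowlist idea from the last comment.

    wan_if is an assumed interface name; the rules are plain iptables, not
    Firewalla's configuration syntax.
    """
    rules = []
    # Private source addresses have no business arriving from the WAN side.
    for bogon in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        rules.append(f"iptables -A INPUT -i {wan_if} -s {bogon} -j DROP")
    rules.append(f"iptables -A INPUT -i {wan_if} -p tcp --dport {port} "
                 f"-s {CARRIER_NETBLOCK} -j ACCEPT")
    rules.append(f"iptables -A INPUT -i {wan_if} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    counts, per_ip = summarize(SAMPLE_LOG)
    print("by class:", dict(counts))
    print("blocked sources:", dict(per_ip))
    print("peak attempts/second:", peak_rate(SAMPLE_LOG))
    print("\n".join(iptables_rules(8443)))
```

On the constructed log the two private sources are flagged as bogus because neither is in the lease table, the three 185.220.101.5 attempts and the 45.155.205.9 attempt fall outside the carrier block, and the peak rate is two attempts in one second. The rule order matters: bogon drops first, then the narrow accept for the carrier netblock on the camera port, then a default drop for that port.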
13 comments