Camera backdoor

Greg_Talyor
Posts: 24
Joined: Mon Aug 17, 2020 7:41 pm

Camera backdoor

Post by Greg_Talyor » Tue Sep 15, 2020 11:53 am

I read a 2017 article on the Dahua backdoor <https://ipvm.com/reports/dahua-backdoor>. Is this practice widespread? Apparently, Axis (2018) had a security breach too <https://www.csoonline.com/article/32827 ... ntrol.html>. How could we block such access in a typical home network? I do have holes on my router on port 443 for ZoneMinder <https://myip/zm> and port 9000 for Event Server.

What about Mirai <https://www.csoonline.com/article/32587 ... ernet.html>?

Ta.

Magic919
Posts: 409
Joined: Wed Sep 18, 2013 6:56 am

Re: Camera backdoor

Post by Magic919 » Tue Sep 15, 2020 1:30 pm

Best to keep cameras off the internet. Hikvision used to have a huge problem with this.

They can't get to the cameras via the two ports you have open.

Greg_Talyor
Posts: 24
Joined: Mon Aug 17, 2020 7:41 pm

Re: Camera backdoor

Post by Greg_Talyor » Tue Sep 15, 2020 2:04 pm

That's reassuring. I might wish to look at the cameras when I'm away now and then. But I don't need to manage anything remotely, so no ssh nor vpn.

BTW, noip.com seems to be exceedingly expensive. It costs $25 a year, whereas my entire web hosting package is only ~$150. Is it possible to run my own DDNS from my web server? It is a shared hosting; I don't have root access. My ISP says no.

Ta.

Magic919
Posts: 409
Joined: Wed Sep 18, 2013 6:56 am

Re: Camera backdoor

Post by Magic919 » Tue Sep 15, 2020 2:15 pm

You should look at DuckDNS for dynamic IP. It's free.

I use AWS Route 53 for this.

mikb
Posts: 481
Joined: Mon Mar 25, 2013 12:34 pm

Re: Camera backdoor

Post by mikb » Tue Sep 15, 2020 4:05 pm

Greg_Talyor wrote:
Tue Sep 15, 2020 11:53 am
Is this practice widespread?
As a lot of these backdoors aren't documented (security through obscurity) it's hard to know until they get exploited, or unless you worked at the company making them ;)

For one camera, there was an unpublished URL (e.g. http://camera/video.cgi , http://camera/admin.cgi etc. format) which led to a page which would disgorge the settings of the camera (resolution, frame rate, current time/date, admin password, y'know, stuff like that!) -- and you didn't need to be logged in to do it. Bad.

For other cameras, there was a hard-wired undocumented admin account (in addition to the usual admin/root etc. that you can change the password on) which was embedded and not changeable. Meaning, anyone with that knowledge could access the camera, nothing you could do would stop it.

A lot of these things are found by nosy people reverse engineering the binary firmware blob (which in many cases is made up of a bootloader, a filesystem blob of a cutdown Unix-like operating system, a filesystem blob of HTML/CSS and templates for the look-and-feel of the GUI) and working from there.

"binwalk" is a useful utility on firmware blobs, as is the ability to slice up a binary single file based on the output of "binwalk", and feed it to various decompressors (lzma, gzip, bzip ...) or "strings" to pick out readable stuff.

Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.

Greg_Talyor
Posts: 24
Joined: Mon Aug 17, 2020 7:41 pm

Re: Camera backdoor

Post by Greg_Talyor » Tue Sep 15, 2020 5:01 pm

mikb wrote:
Tue Sep 15, 2020 4:05 pm
Best to keep the cameras firewalled from the internet, and trust your firewall isn't backdoored too.
Thanks for the very comprehensive info. I think I can trust the Debian team.

Ta.

FvdLaar
Posts: 10
Joined: Sat Apr 02, 2016 12:55 pm

Re: Camera backdoor

Post by FvdLaar » Tue Oct 20, 2020 1:48 pm

I like to keep my devices within a separate VLAN without any connection to the public internet. For IP cameras I try to use a Raspberry Pi with both a VLAN address and a regular network address (with access to internet). Then on the Raspberry Pi it is the plan to run VLC to stream the IPcam and then pickup the VLC stream in ZM. Haven't got this working yet, but I think VLC is a nice "stream proxy" :-)

alabamatoy
Posts: 219
Joined: Sun Jun 05, 2016 2:53 pm

Re: Camera backdoor

Post by alabamatoy » Fri Jan 22, 2021 9:23 pm

There are numerous ways to skin this cat.

My ZM server has two NICs (a separate NIC is about $20 or so now, you can even use a USB-type). The backside NIC is on a dumb switch (Linksys etc, about $50) with all the cameras. Mine are all POE, so the UPS running the ZM box is also powering all the cameras as well. The ZM server runs DHCP on the backside NIC, so I can plug a new camera in and it gets an IP and all that. But the DHCP info contains no default gateway (yeah, broadcasts... but there's cons for every COA), and the ZM server is configured not to allow packet forwarding between the NICs....so the cameras are truly hidden from the internet unless someone hacks my ZM, in which case I'm screwed anyhow. Also, this prevents the cameras from surreptitiously updating.

If you hafta have wireless, you can plug a WAP into the dumb switch and get your wireless for cameras. But I never saw the point of wireless for cameras, because there is no such thing...you gotta power the camera somehow, right? So you ARE going to run a wire to it...why not run one CAT5/6 wire and ditch the wifi overhead and risk?

This has the secondary advantage of not clobbering my main router with managing a VLAN, and keeps all the camera traffic from clobbering the house wifi/Netflix etc.

HTH...
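
Added example, not part of alabamatoy's post: a small shell audit for the two properties that setup relies on, namely that the ZM host does not forward packets between its NICs and that DHCP on the camera side hands out no default gateway. It assumes dnsmasq is the DHCP server (the post does not name one), and the config path in the closing comment is hypothetical.

```shell
#!/bin/sh
# Added example: audit the isolation of a camera-only segment behind a dual-NIC host.
# Assumption: dnsmasq serves DHCP on the camera NIC. File paths are passed in,
# so the checks can also be run against copies of the files.

# Succeeds when the given sysctl file (e.g. /proc/sys/net/ipv4/ip_forward) holds 0.
forwarding_disabled() {
    [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "0" ]
}

# Succeeds when the dnsmasq config suppresses DHCP option 3 (router).
# dnsmasq advertises its own address as the default gateway unless the option
# is set with an empty value, so merely omitting the option is not enough.
dhcp_sends_no_gateway() {
    opts=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep '^dhcp-option=' || true)
    # A router option that carries a value hands the cameras a gateway.
    if printf '%s\n' "$opts" | grep -Eq '^dhcp-option=(tag:[^,]+,)*(3|option:router),.'; then
        return 1
    fi
    printf '%s\n' "$opts" | grep -Eq '^dhcp-option=(tag:[^,]+,)*(3|option:router)$'
}

# Prints one line per check and returns the number of failed checks.
# Arguments: IPv4 forwarding file, IPv6 forwarding file, dnsmasq config.
audit_camera_segment() {
    fails=0
    for f in "$1" "$2"; do
        if forwarding_disabled "$f"; then
            echo "ok   forwarding off: $f"
        else
            echo "FAIL forwarding on or unreadable: $f"
            fails=$((fails + 1))
        fi
    done
    if dhcp_sends_no_gateway "$3"; then
        echo "ok   DHCP sends no default gateway"
    else
        echo "FAIL DHCP may hand out a default gateway: $3"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Typical call on the ZM host (the dnsmasq path is hypothetical):
# audit_camera_segment /proc/sys/net/ipv4/ip_forward \
#     /proc/sys/net/ipv6/conf/all/forwarding /etc/dnsmasq.d/cameras.conf
```

A non-zero exit status is the number of failed checks, so the function can be dropped into a cron job or a boot-time check that alerts when the segment stops being isolated.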
