Anyone with IT experience here?


markebenson

A hacker is getting into a camera system. Anyone familiar with LAN/WAN firewall settings, etc.?

Thanks



What camera?
How old is your router?
Are you using a new WEP2 or 3, or is it set open?
 
Do you mean WPA2 or WPA3 instead?
Yes. I've been to some where the owners leave the routers open. Most now take WEP2. Haven't been around one that only works on WEP in a while now.
 
"Getting in" can mean a heap of things. Gotta know a lot more about the set-up.

If these are wireless cameras, use WPA2 (not WEP2) and don't advertise the Wi-Fi SSID (and change it everywhere now).
Keep the camera and system firmware updated.
 
1. See if the camera software has 2-factor authorization. Ring had security issues; now they have 2FA, which is an email or text to log in.
2. Change the default password.
3. Turning off SSID will help some; determined hackers can still find Wi-Fi.
4. Better is to use MAC blocking, i.e. in the router enter a list of allowed MAC IDs. Every device has a MAC.
5. Use a really long Wi-Fi password, 18 characters, and run a password strength checker on it.
 
Use a different password for everything! Hackers can also infiltrate the service provider and get your passwords no matter how long they are. I had that happen on two other forums I'm on: Google alerted me that the passwords were compromised and gave the last four letters of the long password I used. I had only used that password on two sites, and they had been hacked, not me, but if I had used the same password elsewhere, they could have.
 
If you have Ring, did you give permission for basically anyone (“law enforcement”) to use your system? Not even sure you can disable this.

On the network side, one thing that helps a lot is to configure your router's firewall to block everything external, then use port forwarding only on what you want to let in. My provider's modem sucked, so I set it up as “pass through” and use my own. So, unlike with the default software, I could see “everything”. One thing I noticed right away is that there are people and entire organizations (governments) continuously scanning random addresses looking for anything open. Verified via reverse DNS. Then you get login/password attempts, about 3 attempts per hour, so it doesn't trigger most security software because of default “ignore” settings. This goes on 24/7. I just outright blocked the standard login ports, not out of security concerns but because it was wasting my time going through the logs.

As an example of how poor security is, I closed out and moved out of an area serviced by Comcast over ten years ago, with a forwarding address and with the final bill paid. Several of their scammy debt collectors contacted me attempting to collect on an $800 bill. Turns out they were hacked 4 times over the past 10 years and had all my info stolen, which somebody used against them to somehow rack up YEARS of internet service. They wanted me to pay them money, hire lawyers, make affidavits and all kinds of stuff to clean up their mess. So don't think for a moment that the leak may not be law enforcement or your own ISP.

It has reached a point where I have realized that anything “cloud based” or any login/password anywhere outside of your control is probably compromised. So you need to compartmentalize everyone and face the fact that cloud-based anything is detrimental. By way of crazy examples, I stopped getting spam calls when I deleted Google Maps.
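The low-and-slow pattern described in the reply above (a few login attempts per hour, below what a per-hour threshold notices) is a detection problem rather than a firewall one. The following is an added example and not code from the thread: it builds one constructed day of log lines in an invented format and counts failures per source over a sliding window, so the same data can be judged with a short window (what a default "3 per hour" rule sees) and a long one. The log format, addresses, timestamps and function names are all assumptions for illustration.

```python
"""Low-and-slow login-failure detection over constructed DVR/router log lines.

Added example, not from the original thread. The log format, addresses and
timestamps are constructed for illustration; real router or Dahua DVR logs
look different and need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_TS = "%Y-%m-%dT%H:%M:%S"


def make_sample_log():
    """Build one day of constructed log lines.

    203.0.113.7 fails three times per hour all day (the slow pattern the
    poster describes); 198.51.100.9 bursts ten failures in under a minute.
    Both are RFC 5737 documentation addresses, not real hosts.
    """
    base = datetime(2024, 1, 1)
    lines = []
    for hour in range(24):
        for k in range(3):
            ts = base + timedelta(hours=hour, minutes=20 * k)
            lines.append(f"{ts:{LOG_TS}} LOGIN_FAIL user=admin src=203.0.113.7")
    for k in range(10):
        ts = base + timedelta(hours=5, seconds=5 * k)
        lines.append(f"{ts:{LOG_TS}} LOGIN_FAIL user=admin src=198.51.100.9")
    ok = base + timedelta(hours=9)
    lines.append(f"{ok:{LOG_TS}} LOGIN_OK user=admin src=192.168.1.50")
    return lines


def parse(line):
    """Return (timestamp, event, source IP) for one constructed log line."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts_str, LOG_TS), event, fields["src"]


def sources_over_threshold(lines, window_hours, threshold):
    """Flag sources with >= threshold LOGIN_FAIL events inside any sliding window.

    Returns {src: peak_failures_in_window}. A two-pointer sweep over each
    source's sorted timestamps finds the densest window in linear time.
    """
    window = timedelta(hours=window_hours)
    fails = defaultdict(list)
    for line in lines:
        ts, event, src = parse(line)
        if event == "LOGIN_FAIL":
            fails[src].append(ts)

    flagged = {}
    for src, times in fails.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            # drop events that have fallen out of the window ending at t
            while t - times[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    # A per-hour rule like many defaults: catches only the burst.
    print("1h window, >=5 failures :", sources_over_threshold(log, 1, 5))
    # A per-day budget catches the slow scanner as well.
    print("24h window, >=10 failures:", sources_over_threshold(log, 24, 10))
```

The one-hour rule reports only the burst source; the 24-hour rule reports both, with the slow source at 72 failures for the day. The same idea applies to whatever the router or DVR actually logs: keep counting per source across the whole retention window, not just per hour.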
 
How do you know there is a hacker getting into the camera system?

You can see the IP and action here. It is an older Dahua system. This bug turns the brightness down to 0, changes the LAN IP, throwing the machine offline, and renames the cameras to hacked1, hacked2, etc.
 

Attachment: dvr.jpg
Ring took some heat over poor security, and they require 2-factor to log in.
And the user has the option to let police use the system.
I agree with your comments on routers; there are some settings that will make the router less visible.
Suggestion: use Gibson Research's 'Shields Up' to scan a system (free) and look for open ports. A port is like a door into your router; there are some 64,000.
Use really long passwords, 16 or more characters, random, and then a password manager to keep track of them.
With 2-factor, most logins send you a text message with a numeric code to enter; that's pretty good, but better is Authy: when you log in, a random code is generated on your app and you enter that.
I am going to start using a hardware-based security key (Yubico). This is probably the most secure.
 
Awesome! Since I am getting replies I will elaborate further. I thought there might be other electricians that expand into IT, sound and DMX lighting like I do!

This client has 20 of the same model DVR in different locations.

All locations have static IPs, no DDNS.

Client owns and manages the routers. Wi-Fi is disabled.

Only 1 out of 20 of the client's locations has this problem; they all have the same model DVR, same model router, same ISP.

The DVRs are made by Dahua, older units with a 2014 firmware build; no further firmware support is available. I know I can buy a new DVR, I just want to understand the breach.

The hack is some type of bug that turns the brightness down to 0, changes the LAN IP, throwing the machine offline, and renames the cameras to hacked1, hacked2, etc. Defaulting the unit easily brings it back up, but the problem happens again about every 3 weeks. We can see the hack in the DVR log with an IP from Poland.

Router passwords and DVR passwords have been changed; it makes no difference.

It has been suggested that the bug exploits the DVR using telnet. I do not know how to disable telnet.

All Dahua DVRs use port 37777 as standard for inbound access. I have just now changed the port number and have to wait on the results. I don't know if this bug would use port 37777 or if it does something on the (free-for-all) port 80.

Look forward to your comments.
 

a) telnet should be blocked by the router. Always.
b) block incoming connections from Poland in the router, or block all except from specific addresses.
c) if the DVR is accepting incoming connections and they're being forwarded through the router, WHY???? (almost never do that)

The only way you're going to deal with this is by significantly tightening the firewall rules in the router, and that means knowing a lot more about the setup.
 

You block external access with a firewall (router). Sounds like there is an exploit for the DVR, since passwords don't matter. So block not just that IP; the best way is to block that whole country or subnet. If you need to buy a cheap router/firewall that you have control over, do it. Just block everything by default and open only the ports you need. If it's something like telnet, block it except for known IPs such as the client's servers, and nothing else. On routers this is called port forwarding. I've had good luck with TP-Link routers. Cheap, small, reasonably reliable, not as buggy as Cisco. There are similar ones out there.
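The firewall advice in this reply and the two before it (default-deny inbound, forward only the port the DVR needs, and only from known addresses) can be written down as a small policy evaluator and checked against sample connection attempts. This is an added example, not from the thread or from any router vendor: the addresses are RFC 5737 documentation ranges standing in for the client's office block and for the unknown scanner, port 38888 and the `Rule`/`evaluate`/`render_iptables` names are chosen here, and only ports 37777 and 23 come from the thread. It also shows why just moving the DVR off port 37777 changes nothing against a scanner that tries every port.

```python
"""Default-deny inbound policy for a DVR behind a router, as a small evaluator.

Added example, not from the thread and not any vendor's configuration syntax.
198.51.100.0/24 stands in for the client's own office block and 203.0.113.7
for the unknown scanner; both are RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    dport: int
    sources: tuple   # CIDR strings this rule applies to
    action: str      # "ACCEPT" or "DROP"


def evaluate(rules, src, dport):
    """First matching rule wins; with no match the default is DROP."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.dport == dport and any(
            ip in ipaddress.ip_network(cidr) for cidr in rule.sources
        ):
            return rule.action
    return "DROP"


# Likely starting point: the DVR's port forwarded to the whole internet.
OPEN_FORWARD = [Rule(37777, (ANY,), "ACCEPT")]

# "Just change the port": the same exposure on a different number.
MOVED_PORT = [Rule(38888, (ANY,), "ACCEPT")]

# Tightened: telnet dropped explicitly, the DVR port reachable only from the
# client's own block, everything else falls through to the default DROP.
TIGHTENED = [
    Rule(23, (ANY,), "DROP"),
    Rule(37777, ("198.51.100.0/24",), "ACCEPT"),
]

# Constructed connection attempts: a scanner, then a host at the client's office.
ATTEMPTS = [
    ("203.0.113.7", 37777),
    ("203.0.113.7", 38888),
    ("203.0.113.7", 23),
    ("203.0.113.7", 80),
    ("198.51.100.20", 37777),
]


def decisions(rules):
    """Map every constructed attempt to the policy's verdict."""
    return {(src, port): evaluate(rules, src, port) for src, port in ATTEMPTS}


def render_iptables(rules, chain="FORWARD"):
    """Render the same policy as iptables commands for a Linux-based router."""
    cmds = [f"iptables -P {chain} DROP"]
    for rule in rules:
        for cidr in rule.sources:
            src = "" if cidr == ANY else f" -s {cidr}"
            cmds.append(
                f"iptables -A {chain} -p tcp{src} --dport {rule.dport} -j {rule.action}"
            )
    return cmds


if __name__ == "__main__":
    for name, policy in [("open forward", OPEN_FORWARD),
                         ("moved port", MOVED_PORT),
                         ("tightened", TIGHTENED)]:
        print(name, decisions(policy))
    print("\n".join(render_iptables(TIGHTENED)))
```

Under `OPEN_FORWARD` and `MOVED_PORT` the scanner reaches the DVR; under `TIGHTENED` it is dropped on 37777, 23 and 80 while the office host still gets through. Two caveats a practitioner would check: many consumer routers' port-forwarding pages cannot restrict by source address, which is the case for buying a firewall you control, and the allowlist only works because the client's sites have static IPs, as the poster said they do.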
 
Look for an inside hacker. I had a call at a major auto parts store; they thought power quality was crashing their servers and registers. We added grounding, power monitoring and the whole deal; they replaced all of the computers and UPSes; the problem still kept happening. Turns out an assistant manager was PO'd that he got passed over for his own store and was causing the crashes, since he had the passwords to get into the system.
 

BLOCK THE WHOLE COUNTRY... Yeah, right!

If an IT tech who works for me did that, he'd be out of work tomorrow.

It would be a mistake for you to think that you are far ahead of the malware that infests our networks. Those malware programmers are way ahead of (smarter than) users, and they know all about workarounds.
They are in front of their computers twenty hours or more a day, while users like us are on our computers around six hours at most, unless someone needs a life. lol
Your idea of blocking the whole country may sound easy for a regular Joe, but it is an urban myth.
Someone advocating this approach may not even be familiar with the fundamentals of data architecture.

Modems, routers, switches, repeaters etc. belong to the lowest and least intelligent components of a network: they are the HARDWARE PART.

In order for you to have control over the network, you need to have a solid knowledge of the OSI Model (Open System Interconnect) and the Six-Layer Data Link and Physical Layers that comprise the OSI.

The “blocking the whole country” approach is replete with nonsense. No one can stop a user with malevolent intentions who is using a VPN (virtual private network).

A VPN can mask someone's IP address, and he can make an entry by using a server that makes it look like the hacker is located in Nairobi or Puerto Rico without anyone knowing it.
In the case of Poland, keep in mind that these countries in Eastern Europe overlap in internet services.
The hacker doing this malicious stuff may not even be located in Poland.

What you see on your screen advertising in Slovakia would show on a website in the Czech Republic because of their close proximity, for example, so you don't really know where the hacker is coming from.

Blocking Poland will also block Belarus from gaining access, and you as a user as well.
Have you been cruising the Danube, where you spend days in countries like Bulgaria, Romania, Hungary and on to Austria and Germany?

You will come to know what I'm talking about.
 

I know you are not a DIYer, but the intro to this kind of explains simple reasons why cameras are easily hacked.
 
WPA2 uses a 4-way handshake that is easily captured; as designers we should assume there is no secure Wi-Fi.
That's why security, PV and lighting products with no Ethernet port violate my design rule #2.
You need to re-flash the firmware of each camera, then change the default username/password for telnet on each camera before connecting them to the network.
The default login is root, the password is vizxv. They differ from those that are configured in the web interface; many do not even know about them.
Then you should get a security consultant to leave a 'honey pot' camera with the default username unchanged so they can track the criminal and what other things they have reached.
There is probably a hacked device inside the network that is giving someone access.
You need to find this device.
 
I used an ACE card 20 years ago that provided a secure token code for 2-factor authentication.
I'm not sure why I'm still keeping it, but there's bigger things I need to get rid of first. :)


Attachment: ACE_card.jpg
 