Major security flaw found in MANY security DVRs

I have been waiting for things like this to happen.  DVRs aren't limited to the same fundamental issue... opening ports on your router to get access from the Internet is not the right way to do things.  For many years mfgs have been touting their products as "Access from anywhere in the world" capable.  It will only be a matter of time before there are more serious hacks.  For a company to take this approach is just plain being lazy.  VPN devices are available cheap, even in home routers.  If you want to look at your video, HA or anything else at home then do it right and set up good security.
 
Frederick C. Wilt said:
So how does the "hacker" get past the firewall security?
 
If you port forwarded to a device, then you opened a hole in your firewall.  Once they get to that device, it just depends on what the device is as to what they can do from there.  Getting past the user/pass on the device at the very least gives them control of the device.  If the device itself has a security flaw (like those cameras), or is a diversely capable device like a pc, they may be able to use it to forward themselves through to everything on the LAN.
 
Hi Lou,
 
With the firewalls I use you have to enter a user name and password, at an allowed time of day, to the right port, to get the firewall to open the connection to that port. Moreover, the class of user limits what the user can connect to, when the user can connect and what the user can do.
 
So that provides a bit of security.
 
Frederick, what kind of firewall is that? They have to go to a web page to login and specify what port they want to use via a remote app and then they can connect with the app after authorizing via the web first? Based on how you're describing it, that's how it sounds like it would work to me. Never heard of a firewall working this way.
 
A lot of the point of that article is that so many people don't take security seriously. And, you have to remember that it's not just who you are having sex with. It's the people the people you are having sex with are having sex with. If they are lax, then any interaction with them in terms of transferring files, allowing access, providing any sort of login information, or personal sensitive information to, is only as protected as the laxest of them. And of course even people who attempt to take it seriously make mistakes, or don't have full information as to how they are exposed. This thread was an example. How many people even knew?
 
The required login thing, I don't see how that can really work. The apps aren't going to directly support that. So it would require that you open up the port separately for them to get in, and once open it's open. Those apps have to create their own connections once the port is available, which means anyone else could do it as well. Unless it's somehow creating a port forward that will only accept packets from the same IP address that logged in.
 
Ultimately, it would seem to me that a VPN type scenario is the only really generalized way to deal with it. But few people out there are going to do that. As phones proliferate, and the apps written for them are written by less and less (on average) knowledgeable people and are being used by less and less knowledgeable people, it's just going to get worse.
 
Frederick C. Wilt said:
Hi Lou,
 
With the firewalls I use you have to enter a user name and password, at an allowed time of day, to the right port, to get the firewall to open the connection to that port. Moreover, the class of user limits what the user can connect to, when the user can connect and what the user can do.
 
So that provides a bit of security.
 
I'm with Jon on this, not heard of such a thing.  But what I think you have is not an open port. It sounds like you have a pre-configured but inactive port forward which you are turning on.  It sounds like it would be the same as me logging into my router remotely, and turning on the port forward I want, and then turning it off when done.
 
JonW said:
Frederick, what kind of firewall is that? They have to go to a web page to login and specify what port they want to use via a remote app and then they can connect with the app after authorizing via the web first? Based on how you're describing it, that's how it sounds like it would work to me. Never heard of a firewall working this way.
 
SonicWall.
 
Used them for many years.
 
VPN is certainly preferable but it can be a bear to get working sometimes. I set up a phone app for my daughter to access her security system using VPN. It worked great. Then one day the phone could no longer establish the VPN connection. What had changed I have no idea. Perhaps something was updated in the phone. I was not able to find a way to get it working again. Very frustrating.
 
To get widespread usage I think that setting up VPN needs to be made much simpler, not so much at the router end but at the client end.
 
Frederick C. Wilt said:
To get widespread usage I think that setting up VPN needs to be made much simpler, not so much at the router end but at the client end.
 
Yes, I agree.  I have no problem getting 2 VPN routers at two locations to connect the two networks, but to get my phone or computer to tunnel into the vpn never seems to go well.
 
You can tunnel with SSH. 
 
Create a hash and save the same token on both sides. 
 
On the server side you can create different profiles using SSH for access; then once in login to the server.
 
It's a two-step login.
 
Many years ago I used SonicWall firewalls at home.  Very nice boxes.  I don't remember how much it was for the feature keys or whether it was a monthly cost anymore (old now).
 
Frederick C. Wilt said:
Hi Lou,
 
Are you connecting two routers of the same make and model?
 
Yes.  I bought two identical models because I knew it would cause me few if any headaches.  And indeed, it works great.
 
Yes, same here. Same make and model. I've connected my home and my daughter's home. Makes maintaining her computers, home automation system, etc. much simpler.
 
As I've stated many times I use SSH with a password/key combo. Very secure, but it also opens the gates to my entire network. I have it running over port 443 so it will never be shut down by another network's security. Now for the complicated part.... I have to root my phones for it to work! So, if I can't root a phone... I can't access my network!
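The two posts above that mention SSH describe the alternative to port-forwarding the DVR itself: one SSH host with key-based login is the only hole in the firewall, and the DVR's web interface is reached through a tunnel to it. The script below is an added example, not code from any poster in this thread. It audits an sshd_config for the directives that matter when SSH is the Internet-facing port (password logins, root login, forwarding settings, auth retry limit) and builds the client-side local-forward command for viewing a LAN device through the tunnel. The hostname home.example.net, user dvrview, DVR address 192.168.1.50 and both config texts are constructed for the example.

```python
"""Audit an sshd_config for an Internet-facing SSH host and build a DVR tunnel
command. Added example for this thread; all names and configs are constructed."""
import shlex
from typing import Dict, List

# Directive -> value it should have on a host whose SSH port is exposed.
# Directive names are compared case-insensitively, as sshd treats them.
EXPECTED: Dict[str, str] = {
    "passwordauthentication": "no",        # keys only, nothing to brute-force
    "kbdinteractiveauthentication": "no",  # closes the PAM password path too
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# Values sshd applies when the directive is absent from the file.
DEFAULTS: Dict[str, str] = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective top-level directives: first occurrence wins, as in sshd.
    Lines under a Match block are skipped; they apply only conditionally."""
    settings: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)  # sshd also accepts Key=Value
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)
    return settings


def audit(text: str) -> List[str]:
    """Findings for the checked directives; an empty list means they are fine."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        have = cfg.get(key, DEFAULTS[key])
        if have.lower() != want:
            origin = "set" if key in cfg else "default"
            findings.append(f"{key} is {have!r} ({origin}), expected {want!r}")
    tries = int(cfg.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > 3:
        findings.append(f"maxauthtries is {tries}, expected 3 or fewer")
    return findings


def tunnel_command(bastion: str, user: str, ssh_port: int,
                   target: str, target_port: int, local_port: int) -> str:
    """ssh command exposing target:target_port on the client's 127.0.0.1:local_port.
    -N opens no shell; binding to loopback keeps other machines on the client's
    network from riding the tunnel."""
    args = [
        "ssh", "-N",
        "-o", "PasswordAuthentication=no",  # fail instead of falling back to a prompt
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        "-p", str(ssh_port),
        "-L", f"127.0.0.1:{local_port}:{target}:{target_port}",
        f"{user}@{bastion}",
    ]
    return shlex.join(args)


# Constructed: common leftovers on a home box that someone exposed on port 443.
WEAK_CONFIG = """\
Port 443
PermitRootLogin yes
#PasswordAuthentication yes   (commented out, so the default 'yes' applies)
X11Forwarding yes
"""

# Constructed: key-only bastion whose one allowed user may only open local forwards.
HARDENED_CONFIG = """\
Port 443
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
AllowTcpForwarding yes
Match User dvrview
    AllowTcpForwarding local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
    print(tunnel_command("home.example.net", "dvrview", 443, "192.168.1.50", 80, 8080))
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the weak sample produces five findings (the two password paths left at their defaults, root login, X11 forwarding and the retry limit), the hardened one none. The Match block in the hardened sample is skipped by the parser on purpose: it restricts one account rather than changing the global policy, so it is reviewed separately.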