What to do about hacked DVR? Cameras still usable?

vc1234 said:
Well, let's not get too carried away.
 
What you did "over the IP network" was gaining root access to a Linux system, most likely by guessing the root password. After that, if one is careful, one would be able to replace Linux software with a custom one, by scp'ing a tarball for example -- that's nothing special and any Linux sysadmin worth his or her salt does that on a daily basis. However, one tiny mistake would have rendered the system inaccessible, due to an unavailable network interface, a kernel mismatch or a thousand other different reasons. So, without physical access to the box, the likelihood of converting even a wide open Linux system into a network traffic sniffer, for example, is pretty minuscule.
 
Any hacker worth his salt can build the appropriate image and drop it in remotely. I do similar functions with automated scripts. And if I build my IoT devices correctly it's not hard. Upgrading Cisco routers from 20 years ago was quite similar though only a dozen different models. I did it all over the world from my home and ran into less than 10 troublesome routers out of a thousand. Later routers had more flash room and better upgrade methods. We did have console access via a modem.
 
vc1234 said:
My point is that a camera as an example of a Linux system is as secure as any other exposed, poorly protected Linux box -- there's nothing special about them except that the manufacturer may not have spent enough time and thought on rather trivial security issues like using a more secure password. There's no value in raising security hysteria -- media is already quite good at it. Rather, providing information about what exactly is vulnerable would serve a useful purpose indeed.
 
A VPN in one's router is a quite adequate and easy way to protect a home network.
Okay, I think I combined too much with a poor explanation and I don't consider this to be security hysteria. I really think the industry has underestimated the problem.
  1. I did telnet into an insecure camera, vendor transgression #1 but hacking this thing was easy. I've since blocked it so it doesn't go out to the internet for anything.
  2. I didn't use physical access to hack the device but it was behind a proper firewall so trying to get telnet'ng, ssh'ng, or http'ng to it from the outside won't work (need that vpn to get in).
  3. The part I explained poorly was that IoT tends to mean that things connect to a command and control cloud service (like these poorly secured cameras). Compromise the cloud service and you can command the cameras. I think we'll be seeing a lot more of this as it's easier to bypass the security of the router.
The cheap cameras and DVRs that were used in the IoT attack a few months ago were of the 3rd kind (and perhaps the 1st also). There have been other cameras that have sat wide open on the internet. I don't think the IoT attack was of that kind.
 
pete_c said:
Pete how do you protect from the inside out?
 
Using PFSense with two WAN and 4 LAN interfaces / VPN access and managed switches (well 3 24 port switches in place today).
 
Just recently added PFBlocker (geo IP blocking) to PFSense. PFBlocker blocks outgoing requests.
 
Read about PFBlocker here ==>  MaxMind and here ==> PFBlocker.
 
BTW PFSense is free and, being BSD based, it'll run on just about any computer with an Intel / AMD / ARM based CPU.
 
Thanks Pete, I think I now have a pretty good reason to build a PFSense router. I seem to recall you posting the details on the build in previous posts. I'll have to look them up.
 
Any old computer will work if it has two NICs. USB boot / install is preferred these days. That said, a CD ROM will work too.
 
You can download the ISO or IMG file and write it fine to a USB stick with Linux these days.
 
PFSense Download
 
I picked up 2-4 port Intel Gb cards on Ebay; new old stock really reasonably priced. 
 
You can put it on your network with two NICs (not using it as your main firewall router) and play with the web interface.
 
PFSense ==> NIC #1 WAN side DHCP to your current firewall / router
                     ====> NIC #1 LAN side with a static IP
 
Try the plugins; you cannot break anything if the PFSense box sits inside of your LAN network.
 
linuxha said:
Any hacker worth his salt can build the appropriate image and drop it in remotely. I do similar functions with automated scripts. And if I build my IoT devices correctly it's not hard. Upgrading Cisco routers from 20 years ago was quite similar though only a dozen different models. I did it all over the world from my home and ran into less than 10 troublesome routers out of a thousand. Later routers had more flash room and better upgrade methods. We did have console access via a modem.
No, "no hacker" can drop a firmware image unconditionally if that's what you are implying.
 
He can attempt to do that only if a communication channel to the device (IP, serial) is accessible, the channel was compromised, i.e. the channel is unprotected at all or the credentials are easily guessable, the device has embedded file transfer functionality, and the OS / firmware update in vivo succeeds and doesn't just "brick" the device.
 
There's no magic dust that a "hacker" can sprinkle on any connected device remotely and gain access to update firmware -- that's hysterical reporting on par with flying drones compromising Philips bulbs.
 
I agree, though, that relying on cloud service for HA may be problematic and not only for security reasons.
 
vc1234 said:
No, "no hacker" can drop a firmware image unconditionally if that's what you are implying.
 
He can attempt to do that only if a communication channel to the device (IP, serial) is accessible, the channel was compromised, i.e. the channel is unprotected at all or the credentials are easily guessable, the device has embedded file transfer functionality, and the OS / firmware update in vivo succeeds and doesn't just "brick" the device.
 
There's no magic dust that a "hacker" can sprinkle on any connected device remotely and gain access to update firmware -- that's hysterical reporting on par with flying drones compromising Philips bulbs.
 
I agree, though, that relying on cloud service for HA may be problematic and not only for security reasons.
 
Wow, I'm not doing well today (or good for that matter ;-) ). The 'worth their salt' part was for building the correct images and installing the image.
 
Correct, they (hackers) must have access into the device, either via something like telnet/ssh or via something that connects to a service to listen for commands. The malware community has had command and control for ages. The danger I was implying was for devices that can be commanded from the cloud. They start up, connect to the local network, then the internet, and who knows what they're doing (netflow can show you some of what they're doing). After initial setup we generally don't know much about the device. Your avg. consumer isn't ready for VPNs, VLANs and network segregation (or for IPv6, which should be foisted on us soon).
 
Let me simplify this: many of us are worried about keeping the bad guys out and we're doing a better job at it. The thing I don't see us doing (except Pete ;-) ) is keeping devices from getting to the bad guys. My Tivo, TV, printers, NAS, cameras, etc. all want to sign up to talk to a cloud service. If that cloud service is compromised, is the device safe? No! Suddenly the Tivo can do a lot more than deliver TV content. If the device can be remotely controlled, how would I know and what can I do (other than getting rid of my wife's Tivo? That won't go well ;-) ).
 
It's just mostly about vigilance these days, only a lot more than a long time ago.
 
We gave up our lifetime DTivos a while ago and switching to DTV's DVRs was very painful and low on the WAF.
 
Today though it is her DTV stuff and my Kodi stuff (with HDHomerun going). 
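The egress-visibility point made above (devices phoning home to cloud services, with netflow as the way to see some of it) as an added example that is not part of the thread: a small Python script that reads constructed NetFlow-style records and flags devices on an assumed IoT subnet that reached external hosts outside the per-device destinations the owner has accepted. The subnet, allowlist, addresses and flow lines are all constructed for the demo.

```python
"""Egress review for IoT devices over constructed flow records (added example).

Flow lines are a constructed, NetFlow-like CSV: start time, src IP, dst IP,
dst port, bytes out.  The IoT subnet, internal ranges and the allowlist are
assumptions for the demo, not values from the thread.
"""
import csv
import io
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.50.0/24")       # assumed IoT VLAN
INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]     # assumed LAN ranges
# Destinations the owner has accepted per device (constructed sample values).
ALLOW = {
    "192.168.50.10": {"203.0.113.5"},     # camera -> its vendor cloud
    "192.168.50.20": {"203.0.113.40"},    # printer -> vendor update host
}

# Constructed flow export; the camera also reaches two unexpected hosts on 23/tcp.
FLOWS = """\
2016-11-01T02:00:01,192.168.50.10,203.0.113.5,443,2048
2016-11-01T02:00:09,192.168.50.10,198.51.100.77,23,96
2016-11-01T02:00:11,192.168.50.10,198.51.100.78,23,96
2016-11-01T02:01:00,192.168.50.20,203.0.113.40,443,4096
2016-11-01T02:01:30,192.168.50.20,192.168.50.10,80,512
2016-11-01T02:02:00,192.168.1.15,203.0.113.9,443,1024
"""

def review_egress(flow_csv, iot_net=IOT_NET, internal=INTERNAL, allow=ALLOW):
    """Return {device: sorted [(dst, port), ...]} for IoT devices that reached
    external hosts not on their allowlist.  LAN-internal traffic and hosts
    outside the IoT subnet are ignored here; they are policed elsewhere."""
    findings = defaultdict(set)
    for _ts, src, dst, port, _bytes in csv.reader(io.StringIO(flow_csv)):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in iot_net or any(d in net for net in internal):
            continue
        if dst not in allow.get(src, set()):
            findings[src].add((dst, int(port)))
    return {dev: sorted(hits) for dev, hits in findings.items()}

if __name__ == "__main__":
    for dev, hits in review_egress(FLOWS).items():
        print(f"{dev}: unexpected egress to {hits}")
```

Feeding this a real export from the edge router turns "who knows what they're doing" into a short list of destinations to either accept into the allowlist or block outbound.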
 
linuxha said:
The danger I was implying was for devices that can be commanded from the cloud. They start up, connect to the local network, then the internet, who knows what they're doing (netflow can show you some of what they're doing). After initial setup we generally don't know much about the device.
 I agree with the above unconditionally ;)
 
Most average consumers have little IT technical (or security) knowledge and put much trust in their own computers or telephones or tablets or the use of the cloud.
 
That, and on the other side, management finds nefarious ways to make money these days because they are not happy.
 
I have a PowerPoint presentation and software for cloud managed "hubs". What you can see and do with this stuff is phenomenal. That said, it is today mostly automated and untouchable (well, it is supposed to be).
 
It's very easy these days for somebody to just get talked in to dumping a database for XX dollars and it happens all of the time.  
 
People will do anything for money and that is sad. 
 
vc1234 said:
 I agree with the above unconditionally ;)
 
I just read up on the Mirai DDOS attack and it wasn't the kind of attack I described (a breach of a web service then compromising the device). It seems the compromised device owners put these devices right on the internet (no firewall) ... :blink: Wow, I'm just dumbfounded. I was a bit surprised at the numbers. A great many were from Asia/India, the US was 3rd.
 
Also, while reading up I found that the security folks are now seeing NASs being compromised. Wow, attack the device and storage and they get searchable storage. :axe:
 