AR15.COM
8/5/2013 12:21:53 PM EDT
I have a couple Foscam fi8910w IP cameras. I had them set up for port forwarding but I read an article regarding some serious vulnerabilities. I have updated the firmware and I don't leave any devices with default or weak passwords but I'm concerned about how vulnerable these cameras are and how I could detect if they were compromised. I presume there is almost zero vulnerability when I have port forwarding turned off with my router but does the router's firewall provide any help at all with port forwarding turned on? What can I do to increase security and still access the cameras via the web?
8/5/2013 1:04:31 PM EDT
[#1]
With remote vulnerabilities in the device itself there's not much you can do aside from making it only available on your local LAN. Your average home router won't have this type of functionality but one option is to add firewall rules to only allow incoming connections from certain IPs (ex: if you want to access your cameras from your work pc) or set up a VPN server on your network (probably not something the average person will do).
8/5/2013 3:21:45 PM EDT
[#2]
Quoted:
With remote vulnerabilities in the device itself there's not much you can do aside from making it only available on your local LAN. Your average home router won't have this type of functionality but one option is to add firewall rules to only allow incoming connections from certain IP's (ex: if you want to access your cameras from your work pc) or setup a VPN server on your network (probably not something the average person will do).


This. Under 'average person' circumstances there aren't many other steps to take (2FA, reverse ssh port forwarding, vpn). I would only add that you can choose to forward a high random port from the outside to your camera's default port, that way you at least won't be hit by the Shodan scans and other garbage. Obviously this doesn't provide any additional protection against someone targeting you.

Also since the bug got press you have the option to spam the Foscam people demanding they release a fix and then update. But that's wishful thinking.
8/6/2013 5:16:49 PM EDT
[#3]
There is an updated version of the firmware which fixes some of the issues. It is not as easy to access the camera now but it can be done. The login credentials allow unlimited attempts and they only allow twelve characters for the password so it can be brute forced easily. What sort of things can I do to protect the other devices on my network? What range of ports would you consider "high" enough to reduce my exposure to port scanning attacks?
8/7/2013 9:30:33 AM EDT
[#4]
Is there any access log available in the camera interface where you can see successful/failed logins to the camera? What about on your router - any facilities available to log connections that go through your port forward? What kind of router? It may be capable of utilizing a different firmware that has more firewall/logging features. (e.g. dd-wrt) How do you access the cameras outside your home network? Via home IP + browser? Mobile app? These things will affect the type of solutions that will work for you.

The easiest and most likely option available to you right now was mak0's suggestion of whitelisting IP addresses or blocks that can access that port forward on your home IP. You would configure this on your router. For example, if you only access the cameras at the office you might go to some WhatIsMyIP site at work and configure the allow list on your router/firewall to only allow that IP/block to use the camera port forward. (this is only a contrived example, far from foolproof)

That said, the obvious: Update the firmware in the cameras - I didn't review the firmware but the changelog references the security issue in the OP as 'improved'. Use a secure transport (HTTPS option on the cameras interface). Use a complex password; if you're hard-limited to 12 characters, this just means using "$0.me cR4p_9" or whatever, varying case, numbers, specials, and spaces.

Random 'high' port is an easy step to avoid the mass scanning but as previously mentioned doesn't do much for anyone targeting you. Just choose something high that's not associated with a web service or something in the 3xxxx range.

8/7/2013 10:56:11 AM EDT
[#5]
Thanks. The camera does have a log. I access the device at home through the LAN and for the time being, I've just turned off port forwarding. When I'm out, I use a mobile phone to access the camera.

Are there any steps I can take to protect other devices on the LAN from the camera?
8/7/2013 11:06:35 AM EDT
[#6]

Quoted:
I have a couple Foscam fi8910w IP cameras. I had them set up for port forwarding but I read an article regarding some serious vulnerabilities. I have updated the firmware and I don't leave any devices with default or weak passwords but I'm concerned about how vulnerable these cameras are and how I could detect if they were compromised. I presume there is almost zero vulnerability when I have port forwarding turned off with my router but does the router's firewall provide any help at all with port forwarding turned on? What can I do to increase security and still access the cameras via the web?

Quoted:
does the router's firewall provide any help at all with port forwarding turned on?

Negative.

Quoted:
What can I do to increase security and still access the cameras via the web?
It depends on how techie you are, and how far you want to go.

First, you need to ask yourself what the tangible risk is.

Computer security is about risk mitigation. If someone hacks your camera's web interface, what impact does that have on you?

If you determine that the risk is a big deal, then you can start working on how to mitigate it.

Sounds to me like your primary risk is going to come from HTTP over a single port for each device.

A simple cheap PC with smoothwall installed will cost you $200 and will give you very granular control over your traffic. It also has some Intrusion Detection capabilities (Snort, IIRC) that will aid you in detecting attacks against the web interfaces of the cameras.

You also should change the default port to something above 1024.

So you'd access your video feed at http://1.1.1.1:60033
8/7/2013 11:19:31 AM EDT
[#7]
I'm pursuing a BSIT/N so if I don't know how to do something, I ought to learn. I think my risk level is fairly low but I'm interested in doing everything free that I can to increase our security.
8/7/2013 11:20:34 AM EDT
[#8]

Quoted:
Are there any steps I can take to protect other devices on the LAN from the camera?

Yes, if you have a multi-port managed router, you can logically segment them. The smoothwall I mentioned earlier will do this.
8/7/2013 11:30:22 AM EDT
[#9]
Quoted:
Are there any steps I can take to protect other devices on the LAN from the camera?


Most routers/APs come with a "Guest Wireless" capability, you can choose to put the cameras on the Guest wifi which should prevent them from accessing the LAN. Different routers have different access control granularity when it comes to this but you can still set up keys on the Guest wifi and access devices on it from the LAN, but devices on Guest can't access the LAN segment.
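The pieces the replies above describe (post #4's source-IP allowlist on the router with logging of what gets refused, the login hammering post #3 worries about, and posts #8 and #9's separate segment so the camera cannot reach the rest of the LAN) fit in one iptables ruleset on a Linux-based router such as dd-wrt or Smoothwall. The script below is an added example, not something posted in the thread or shipped by Foscam or any router vendor. Every interface name, address and port in it is an assumed placeholder (the camera sits on its own interface or VLAN `eth2`, which is what the guest-wifi or Smoothwall suggestions give you; the allowed sources are documentation addresses standing in for an office IP and a phone carrier's block), and the log lines at the bottom are constructed to look like what the LOG rules would write, not real captures.

```shell
#!/bin/sh
# Added example (not from the thread): router firewall rules for one forwarded camera.
# All values are placeholders; override them in the environment before applying.
WAN_IF="${WAN_IF:-eth0}"           # interface facing the Internet
LAN_IF="${LAN_IF:-br0}"            # bridge holding the PCs and phones
CAM_IF="${CAM_IF:-eth2}"           # separate interface / VLAN holding the camera
CAM_IP="${CAM_IP:-192.168.2.50}"   # camera address on that segment
CAM_PORT="${CAM_PORT:-80}"         # camera's own HTTP port
EXT_PORT="${EXT_PORT:-60033}"      # random high port on the WAN side
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10 198.51.100.0/24}"   # office IP, carrier block

rule() { printf '%s\n' "$1"; }

# Emit the rules one per line (the arguments iptables would get) so they can be reviewed.
cam_fw_rules() {
  # WAN:EXT_PORT -> camera. The odd external port only dodges mass scanning, nothing more.
  rule "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $CAM_IP:$CAM_PORT"
  # Replies to accepted connections pass; new connections are judged per direction below.
  rule "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Everything arriving for the camera from the WAN goes through its own chain.
  rule "-N CAM_IN"
  rule "-A FORWARD -i $WAN_IF -o $CAM_IF -d $CAM_IP -p tcp --dport $CAM_PORT -m conntrack --ctstate NEW -j CAM_IN"
  # 20+ new connections a minute from one source is someone guessing the 12-character
  # password (the camera itself never locks out): drop that source for the rest of the minute.
  rule "-A CAM_IN -m recent --name cam --set"
  rule "-A CAM_IN -m recent --name cam --update --seconds 60 --hitcount 20 -j DROP"
  # Allowlist: only these sources may use the forward at all.
  for src in $ALLOWED_SRC; do
    rule "-A CAM_IN -s $src -j ACCEPT"
  done
  # Everyone else is logged (rate-limited so the log cannot be flooded) and dropped.
  rule "-A CAM_IN -m limit --limit 5/min -j LOG --log-prefix \"CAM-DENY: \""
  rule "-A CAM_IN -j DROP"
  # Segmentation: the LAN may open connections to the camera, the camera may not open any to the LAN.
  rule "-A FORWARD -i $LAN_IF -o $CAM_IF -j ACCEPT"
  rule "-A FORWARD -i $CAM_IF -o $LAN_IF -m limit --limit 5/min -j LOG --log-prefix \"CAM-LATERAL: \""
  rule "-A FORWARD -i $CAM_IF -o $LAN_IF -j DROP"
}

# Apply the rules (run as root on the router). dd-wrt users would paste the same lines
# into the "Firewall" script so they survive a reboot.
apply_cam_fw_rules() {
  cam_fw_rules | while IFS= read -r r; do
    eval "iptables $r"
  done
}

# Read kernel log lines (dmesg / syslog) on stdin and count hits per tag and source address,
# so one glance shows who was refused at the forward and whether the camera tried to reach the LAN.
summarize_cam_log() {
  awk '
    match($0, /CAM-[A-Z]+: /) {
      tag = substr($0, RSTART, RLENGTH - 2)
      src = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
      count[tag " " src]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Constructed sample of what the LOG rules would write (not real log data).
CAM_LOG_SAMPLE='[ 8123.101] CAM-DENY: IN=eth0 OUT=eth2 SRC=192.0.2.77 DST=192.168.2.50 PROTO=TCP SPT=51234 DPT=80
[ 8123.902] CAM-DENY: IN=eth0 OUT=eth2 SRC=192.0.2.77 DST=192.168.2.50 PROTO=TCP SPT=51235 DPT=80
[ 8201.412] CAM-DENY: IN=eth0 OUT=eth2 SRC=203.0.113.99 DST=192.168.2.50 PROTO=TCP SPT=40001 DPT=80
[ 8390.777] CAM-LATERAL: IN=eth2 OUT=br0 SRC=192.168.2.50 DST=192.168.1.20 PROTO=TCP SPT=35000 DPT=445'

if [ "${1:-}" = apply ]; then
  apply_cam_fw_rules        # sh cam-fw.sh apply
else
  cam_fw_rules              # default: print the rules for review
fi
```

Run it with no argument to read the rules before trusting them, `apply` to install them, and `. ./cam-fw.sh >/dev/null; dmesg | summarize_cam_log` on the router to see the counts. The CAM-LATERAL line in the sample is the one that answers the "how would I know it was compromised" question: a baby monitor has no business opening port 445 on a PC, so any such entry means the camera is doing something it was not asked to. The segmentation rules only bite if the camera really is on its own interface or VLAN; two devices on the same bridge talk to each other without ever crossing the FORWARD chain.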
8/7/2013 1:46:21 PM EDT
[#10]
Have a public facing SSH or VPN server (use a popular well tested software with the latest version!), do NOT forward the camera directly. Connect to SSH and tunnel the port that way or connect to the VPN server to access the IP camera.
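What the post above describes, an SSH host as the only thing on the WAN side and the camera reached through a port forward inside that session, looks like the script below. It is an added example, not from the thread and not Foscam's or OpenSSH's own material; the host name home.example.net, the tunnel-only account "cam", the camera address 192.168.1.50:80 and the local port 8080 are assumed placeholders, and the two sshd_config samples at the bottom are constructed for the check, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): reach the camera through an SSH tunnel and
# audit the config of the one host that is exposed in its place.
# Placeholders: home.example.net, account "cam", camera 192.168.1.50:80, local port 8080.

# Print the client command. While it runs, http://127.0.0.1:8080/ on the laptop is the
# camera's web UI, carried inside SSH; the router forwards only port 22, never the camera.
ssh_tunnel_cmd() {
  host=${1:?ssh host}
  cam=${2:-192.168.1.50}
  cam_port=${3:-80}
  local_port=${4:-8080}
  printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:%s:%s %s\n' \
    "127.0.0.1:$local_port" "$cam" "$cam_port" "$host"
}

# Read an sshd_config on stdin and print one WEAK line for every setting that leaves a
# public-facing sshd open to password guessing or to accounts it never needed.
# Exit status: 0 nothing found, 1 at least one weak setting.
audit_sshd_config() {
  awk '
    { sub(/#.*/, ""); if (NF < 2) next; seen[tolower($1)] = tolower($2) }
    END {
      bad = 0
      if (seen["passwordauthentication"] != "no") { print "WEAK PasswordAuthentication should be no (keys only)"; bad = 1 }
      if (seen["permitrootlogin"] != "no")        { print "WEAK PermitRootLogin should be no"; bad = 1 }
      if (seen["permitemptypasswords"] == "yes")  { print "WEAK PermitEmptyPasswords yes"; bad = 1 }
      if (seen["maxauthtries"] == "" || seen["maxauthtries"] + 0 > 3) { print "WEAK MaxAuthTries missing or above 3"; bad = 1 }
      if (seen["allowusers"] == "")               { print "WEAK AllowUsers missing (restrict to the tunnel account)"; bad = 1 }
      exit bad
    }'
}

# Constructed sample configs: a stock-looking weak one, and the hardened one for a host
# whose only job is carrying this tunnel.
SSHD_WEAK='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

SSHD_HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers cam
# the cam account needs the port forward and nothing else
AllowTcpForwarding yes
PermitTTY no'

ssh_tunnel_cmd home.example.net
printf '%s\n' "$SSHD_WEAK" | audit_sshd_config || echo "weak config: fix before forwarding port 22"
printf '%s\n' "$SSHD_HARDENED" | audit_sshd_config && echo "hardened config: ok"
```

The point of the audit is the one the post makes in passing: once the SSH server is the public face, it is the thing that gets guessed at instead of the camera, so it must not accept passwords at all. Run the audit as `audit_sshd_config < /etc/ssh/sshd_config` on the host before opening the port, and keep the package updated, since that host is now the one remote bug away from the LAN.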
8/8/2013 5:25:48 AM EDT
[#11]
One other way around this is to use one of the remote PC control systems to view the files.

So, log on to a PC on the network, then view the camera from PC --- across LAN --- Camera.

Note, all of those tools have drawbacks, look for one that installs on the PC and then you log into a web page to get access. "PCanywhere" doesn't cut it because that's just a different kind of security problem. We use "WebEx" at work, and I can get to any one of my PCs or servers (that have the software installed, configured and a connection) by logging into their web page first. Make sure the tool works by "calling out" through the firewall rather than opening up something on the firewall.

I like the guest network idea from above.

What are you monitoring? Maybe something that FTPs or emails files would be better. Basically treat it like a static web cam type thing where a snapshot is taken and uploaded to a web site (that way, you can set up more advanced credentials, and the files only look like a password protected web site not a juicy camera target). There would be no messing with opening stuff on your router then either.
8/8/2013 10:02:32 AM EDT
[#12]
I don't see anywhere that I can set up a guest account for the router. We are currently just using the cameras as baby monitors but we hoped to get a couple more to use as security cameras.

I installed the upgraded firmware as soon as I found out about the issue and changed the usernames and passwords just in case. I have disabled port forwarding for the time being and I can just turn it on when we leave. I tried using a port in the 3xxxx range but the Kindle Fire can't seem to handle that so I went back down to a high four digit port.

Hopefully, Foscam will publish new firmware. If they just allowed more complex passwords and set a lockout after several attempts, it would solve the vast majority of problems. Ideally, you could only change settings when the camera was plugged into the Ethernet. It would also be nice if they enabled SSL.


I have an old Thinkpad that might still work but that would mean I'd have to leave that thing running all the time. On the other hand, I could also use it as a DVR.
8/8/2013 10:47:30 AM EDT
[#13]

Quoted:
I don't see anywhere that I can set up a guest account for the router. We are currently just using the cameras as baby monitors but we hoped to get a couple more to use as security cameras.

I installed the upgraded firmware as soon as I found out about the issue and changed the usernames and passwords just in case. I have disabled port forwarding for the time being and I can just turn it on when we leave. I tried using a port in the 3xxxx range but the Kindle Fire can't seem to handle that so I went back down to a high four digit port.

Hopefully, Foscam will publish new firmware. If they just allowed more complex passwords and set a lockout after several attempts, it would solve the vast majority of problems. Ideally, you could only change settings when the camera was plugged into the Ethernet. It would also be nice if they enabled SSL.

I have an old Thinkpad that might still work but that would mean I'd have to leave that thing running all the time. On the other hand, I could also use it as a DVR.

You can set up a reverse proxy that would facilitate SSL.
8/8/2013 12:08:30 PM EDT
[#14]
I'm just a young Padawan and have only started on the path to networking enlightenment. Can you direct me to a good writeup on how I would do that?
8/8/2013 12:10:43 PM EDT
[#15]

Quoted:
I'm just a young Padawan and have only started on the path to networking enlightenment. Can you direct me to a good writeup on how I would do that?
Check out Pound and RProxy.
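Posts #13 and #15 point at a reverse proxy (Pound, RProxy) as the way to get SSL in front of a camera that does not do it itself. The configuration below is an added example, not from the thread, not Foscam's, and not Pound's; it uses nginx as the proxy instead of Pound, because its config is the one most people will find documented today. The host name cam.example.net, the certificate paths, the camera address 192.168.1.50:80, the listening port 8443 and the two allowed source addresses are assumed placeholders.

```nginx
# Added example (not from the thread): nginx terminating TLS in front of the camera.
# Placeholders: cam.example.net, the cert/key paths, camera 192.168.1.50:80, port 8443,
# and the two allowed source addresses (office IP, phone carrier block).
limit_req_zone $binary_remote_addr zone=cam:1m rate=30r/m;

server {
    listen 8443 ssl;
    server_name cam.example.net;

    ssl_certificate     /etc/nginx/certs/cam.crt;
    ssl_certificate_key /etc/nginx/certs/cam.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Source allowlist, the same idea as doing it on the router: anyone else gets 403
    # before the camera ever sees the request.
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;

    # 30 requests per minute per client with a burst of 30: enough for the web UI,
    # far too slow to guess a 12-character password through.
    limit_req zone=cam burst=30 nodelay;

    # Every request, including every failed login attempt, ends up here.
    access_log /var/log/nginx/cam.access.log;

    location / {
        proxy_pass         http://192.168.1.50:80;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_hide_header  Server;   # do not advertise the camera's own server banner
    }
}
```

With this in place the router forwards one port (8443) to the proxy host and nothing to the camera; the camera's own login prompt still appears, but it now travels inside TLS instead of in the clear, and the access log is the record of who reached it. Two caveats: the hop from the proxy to the camera is still plain HTTP on the LAN, so the proxy belongs on the camera's segment or on the router itself, and putting a second password in front with `auth_basic` only works if the camera's own login is not also HTTP Basic, because the browser sends a single Authorization header that both would then fight over. If the UI breaks under the rate limit, raise `rate` rather than removing `limit_req`.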



 
8/8/2013 1:26:13 PM EDT
[#16]
Quoted:
Yes, if you have a multi-port managed router, you can logically segment them. The smoothwall I mentioned earlier will do this.

Is there a way to whitelist by MAC?  That would be very handy.
8/8/2013 1:27:50 PM EDT
[#17]


Quoted:
Is there a way to whitelist by MAC? That would be very handy.

Not in most UIs. It's almost always a blacklist as opposed to a whitelist.
ETA: to be clear, I'm referring to retail/consumer wifi APs/routers.

In commercial equipment both methods are usually available.
8/8/2013 1:29:55 PM EDT
[#18]
Quoted:
Not in most UIs. It's almost always a blacklist as opposed to a whitelist.
ETA: to be clear, I'm referring to retail/consumer wifi APs/routers.
In commercial equipment both methods are usually available.

Now you're trying to make me spend money. Thanks
8/8/2013 8:21:03 PM EDT
[#19]
Quoted:
Is there a way to whitelist by MAC? That would be very handy.

If I understand what you're asking correctly, my router does. I can set the MAC filter to allow or disallow the MAC addresses I put on the list. That only allows or disallows them access to the WLAN, though. I can't set permissions, so far as I can tell.
8/8/2013 8:22:45 PM EDT
[#20]

Quoted:
If I understand what you're asking correctly, my router does. I can set the MAC filter to allow or disallow the MAC addresses I put on the list. That only allows or disallows them access to the WLAN, though. I can't set permissions, so far as I can tell.

Oh yeah, my bad dude. You're right, you can MAC filter.

I'm a dork and I misunderstood the question.
8/8/2013 8:41:15 PM EDT
[#21]
Not sure if it helps the OP, but what I intend on doing for my cameras is this. On the edge of my network I am putting in a Cisco managed switch. It's going to have a DMZ and LAN. Bridging the two is going to be a Linux server acting as a firewall. Cameras are going to be within the LAN. I will still be able to access them, but I will have to tunnel through a host in my DMZ to my LAN.

ETA:
In layman's terms: Layers of security with multiple access controls is my solution.
8/9/2013 7:59:37 AM EDT
[#22]
Talked with my instructor last night and he advised the painfully obvious solution of putting the cameras in the DMZ.