security fail: home DVR/camera systems

-
Many people, such as myself, decide to invest in home security camera systems.  Most of them nowadays allow you connect directly to the system via your smartphone.   As I am in the computer security field, I tend to wonder just how secure things are in my own home.  So I put my NiteOwl 16 channel DVR system to the Pepsi challenge.  It failed horribly.

Whenever I send my username and password across the internet to look at my home security cameras, the credentials are sent in clear text.  Anyone in computer security knows is a not a good thing.  Clear-text credentials are very easy to intercept.  And most people don't know how to properly defend themselves and their home against cyber threats.  So lots of people will use one password for everything.  So if someone was to intercept this DVR password, the attacker has a lot of helpful information.

The intercepted information will include:

  1. the username, which is likely the username also used in at least one of the computers on the victim's home network. 
  2. the username's password, which is also likely to be the same password on the computer mentioned above
  3. the destination IP address, which tells the attacker where you are and what to attack.  
Given how many people use the same password for everything and leave their home network devices on the default settings, sending a clear-text password can be a recipe for disaster.  So let's see which home security DVR systems failed the test.


NiteOwl - failed



Zmodo - failed

A-See Pro - failed






Q-See:  no credentials passed at first, but I can't be sure it never will since I don't have the DVR to make a valid connection.  Chances are the exchange happens after the javascript file is executed.  If I can find someone with a Q-See system, I should be able to properly verify.
Samsung:  At first it looked ok since unlike the others, it was not sending clear text passwords up front.






But then i noticed it was providing a field called "Authorization" and a value that looked like a base64 code.   So i took the code to my favorite web site for decoding base64




And there is our username/password.  Weak security, but better than nothing compared to the others.











Defender:  same thing as Samsung, just base64

Lorex - failed
Swann - failed


still testing a few more, but so far I am not impressed by any of them.

My advice for now, if you have one of these systems, make sure the password you use to connect to the system is a password you do NOT use for anything else.  Also make sure the cameras are not recording anything sensitive.  If they are, I recommend disconnecting the DVR from the internet.

Comments

Post a Comment

Popular posts from this blog

Scion xB 2005 - Fuel Filter replacement DIY

-
Image
Warning: this is for educational purposes only.  Neither I nor anyone else on the planet is responsible for your stupid decisions and lack of thinking.  The information provided here is the best of my documenting ability and nothing more.  Like ANYTHING on the internet, it should not be considered as the full truth with no missing pieces.  If I leave anything out, it's your responsibility to find the rest of the puzzle.   ie, if you blow your car or yourself into a million pieces, it's YOUR fault. Note:  This took a lot more effort than I had anticipated even with the other DIY articles I found on this subject.  I personally will be paying someone to do it for me next time.  If you decide to take this on, I suggest you go ahead an replace the fuel pump while you are at it, as long as you have at least 60,000 miles on the toaster.  My pump died at 94k miles. Before you begin, make sure you have access to tools as you will need a wide range of them.  You will find out what s
Read more

Flashing Firmware to Creality CR-10 S5

-
Image
There are plenty of firmware flashing guides out there for CR-10 models, but not yet a lot for the CR-10 S5 model.  So I had to figure out how to flash the firmware based on what was available for other models. To  understand what is required, please refer to this video.  It has all of the major steps needed. This post is not meant as a full guide.  It's merely supplemental information that applies to the video below meant for the S5 model's of the CR-10 series.  https://www.youtube.com/watch?v=7J7NYnxL5vA So the basic idea is the CR-10's do NOT have a bootloader installed by default.  So in order to flash the firmware, you first have to burn the bootloader.  This can be done via an arduino because the CR-10's all use an arduino as their main processor. The CR-10 normally has a jumper to switch to USB power.  the S5 does not have this.  You can just disconnect the 120/240v power and plug in the USB cable and it will power the S5 board.   You wil need the boar
Read more

Using Radius authentication with SSH

-
The following will configure your linux-based SSH server to use a pre-defined radius server for authentication instead of plain password authentication.  You must configure the radius server before starting this configuration.  This is for Linux 64-bit bit but for 32-bit just change package names from .x86_64 to i686.: ·          Download install package (make sure the server can access the internet via port 80/443) # yum install freeradius  pam_radius.x86_64  pam_radius.x86_64  pam.x86_64  type y when it asks you if this is OK, hit ENTER ·          Edit the conf file # nano /etc/pam_radius.conf ·          Add the correct radius server info as follows 192.168.1.5        secret      5 192.168.1.6         secret      5 ·          Use CTRL-O to save the file and CTRL-X to exit. ·          Set file permissions # chmod 600 /etc/pam_radius.conf ·          edit the sshd_config file # nano /etc/ssh/sshd_c
Read more