Back26 JUNE 2018
Take Control of your CCTV Connectivity -Top Tips to Correctly Set Up IP Cameras
The proliferation of remotely accessible CCTV systems, and in particular the use of cheaper IP cameras is a game-changer for the security industry. They’re cheaper, easy to install, and enable more premises to safely and remotely monitored 24/7. But, with opportunity comes risk and almost every day there’s a news report of IP cameras being turned into bots and used to spread malware. In short, the cameras need a connection that’s up to the job.
In this article, we talk about the Dynamic DNS settings in more detail and explore the right way to connect IP cameras.
These IP cameras or DVRs/NVRs are usually connected directly to the Internet. This brings a lot of responsibility in configuring these devices in a safe and secure way or else a hacker can get access to your network. Hackers can break your live remote monitoring/recording, they can inject a ransomware to your network, which can freeze your business operations or steal critical data such as credit cards or bank accounts.
These devices could even be the part of an internet flooding attack. As per the recent large scale CCTV hacks reported , hackers compromised 1000’s of networked DVR’s and CCTV cameras to do a massive DDoS attack which then brought down many Internet based services . The security side of CCTV cameras is always a hot topic, let’s have a look at the security in remote monitoring. Dynamic DNS is a common term used in CCTV world for remote monitoring.
Dynamic DNS is a service which allows the users to use a ‘hostname’ for remote connections instead of using a dynamically changing IP address. It maps a hostname to your IP address. The router on your network then periodically updates your IP to the Dynamic DNS service. So whenever your IP changes, the DNS also updates automatically. This means, even if your IP changes you still can connect to your network through that hostname.
Just knowing the IP is not enough for remote connections, by default the built in network firewalls are set up to reject all incoming traffic. This can be bypassed by doing port forwards, but doing this can then expose your whole private network to a wide open internet.
Many people think, it’s easy to set up a DDNS and are unaware about any security implications in doing it without considering other factors. A simple example is configuring DDNS to a DMZ zone without implementing any level of security. This exposes the whole public facing services in that DMZ directly to the internet. It then attracts a bunch of hackers, as it gives them an indication that you have some public-facing services hosted on your network. And for them, instead of scanning a whole IP network , they can simply scan hostnames to see every open ports and finds any vulnerable services like Telnet , SSH , FTP , HTTP etc. Most of the passwords for these services could be hard-coded and can be easily hackable.
Most of the CCTVs, DVRs/NVRs in production are relying on this combination of Port forwarding and Dynamic DNS.
Nowadays, DVRs usually come with their own dynamic DNS service and provide a dedicated DDNS portal for their customers. This helps users to set up their unique hostname without any hassle. However, it also opens many possibilities for hackers, as a little information gathering about the manufacturer would give them enough details about their standard port forwards, DDNS domain names etc.
So each Dynamic DNS user has a unique hostname. Just an example for dyndns.net, the unique hostname for a user would be a subdomain to the main domain, so that’s something like xxxx.dyndns.net.
Just a simple NSLOOKUP will give you the IP information of the domain name.
nslookup dyndns.net Non-authoritative answer: Name: dydns.net Address: 22.214.171.124
You can do the same for a subdomain. If that subdomain exists, we can see a similar output. I just tried with a ‘test’ and seeing it is non-existent.
nslookup test.dydns.net Can't find test.dydns.net: Non-existent domain
We can do a bulk operation to find all the subdomains associated with a main domain. This is the first phase of information gathering in a structured penetration testing .There are a number of free subdomain enumeration tools available to do this. The operator won’t even see it as a brute-force attack on their subdomains. They will just see a higher rate in DNS lookups than the average. The users will see nothing at all. This will give you a list of hostnames that are online, as the user has probably signed up for a service that was free from the provider the attacker now knows that the user is running some hardware from the manufacturer at that address. This means that an attacker knows the most likely default usernames and passwords or the default ones to use, they don’t even have to try lots.
This is the scanning phase and you can use Nmap/Zenmap to do this. This will list all the vulnerable services and open port numbers. The scan will be quicker if you can filter with few specific port numbers.
This is easier if you are doing it on a particular manufacturer. As we mentioned earlier, information gathering on a specific manufacturer will give you enough details about their standard port forwards, domain names etc.
Contact us today to ensure your cameras can only be accessed via your secure VPN.