Blue Iris

Re: Hello need some direction to find a solution

2024-03-21T21:27:11+00:00

Where

Statistics: Posted by TimG — Thu Mar 21, 2024 9:27 pm

Hello need some direction to find a solution

2024-03-21T15:51:58+00:00

!

SPAM ALERT!

Statistics: Posted by IAmATeaf — Thu Mar 21, 2024 3:51 pm

Re: Hello need some direction to find a solution

2020-06-09T04:48:52+00:00

Once they have access to a network device like your pc, your entire network is vulnerable. The point of this exercise was to prove that ngrok is not a secure connection as you stated.

It's an https connection and users have to go through ngrok to even access a URL.

You can set up authtokens, IP whitelists, IP policies, etc etc. within ngrok and make it as restricted as you want. I think it's a reasonably secure means of access. Maybe not secure enough to guard the casino's cameras but for my needs it's sufficient.

Statistics: Posted by Thixotropic — Tue Jun 09, 2020 2:54 am

Re: Hello need some direction to find a solution

2020-06-08T23:29:46+00:00

If your firewall/router supports it, check the logs. I had a cheap camera and, even though I disabled the Bonjour stuff, it connected to some weird place (Tanzania?). Logs are your friend. Most of the cameras I have seen contact a server on AWS (if you want to access it from the Internet), but who knows what controls those servers. We use VPN to connect.

Statistics: Posted by louyo — Mon Jun 08, 2020 11:29 pm

Re: Hello need some direction to find a solution

2020-06-08T20:11:05+00:00

But yeah, while no one wants to become part of a botnet and I'm hoping you don't have any cameras strategically placed near your showers, in the grand scheme of things we are low profile targets. Do your due diligence and you're fine.

Yep. If someone really really really wants to see live video of my side yard, they're welcome to it. No cams in the house, though.

Statistics: Posted by Thixotropic — Mon Jun 08, 2020 8:11 pm

Re: Hello need some direction to find a solution

2020-06-08T19:53:04+00:00

Actually the autoban setting is in the settings!

But yeah, while no one wants to become part of a botnet and I'm hoping you don't have any cameras strategically placed near your showers, in the grand scheme of things we are low profile targets. Do your due diligence and you're fine.

Statistics: Posted by Matts1984 — Mon Jun 08, 2020 7:53 pm

Re: Hello need some direction to find a solution

2020-06-08T19:06:17+00:00

For those bored or ultra paranoid, check out sites like shodan.io . Took me about 3 minutes to find a listing of >16,000 publicly available BI UI3 login pages... and yep, I confirmed access to a couple of them (didn't try logins). And remember this site is designed for the good guys.

Obviously I don't want people to be able to even see my BI login page, but frankly even if someone managed to find the right IP and port, they'd be up against a 25-character password and a 20-character user name. I suppose they could beat their heads against it trying out logins, but unless there's a flaw in the login code I don't see them gaining access.

I don't think BI has any kind of auto-banning for failed login attempts, but that would be a good addition to the app.

Statistics: Posted by Thixotropic — Mon Jun 08, 2020 7:06 pm

Re: Hello need some direction to find a solution

2020-06-08T18:10:17+00:00

Thats a tricky one as good malware (is that a thing?) is designed to be stealthy and elusive. Without good insight into whats happening on your network, it's nearly impossible. Consumer/ISP grade modem router combos have limited logging if any, but they may have some. As we've seen on these forums, cameras using BI do not need to initiate ANY communication whatsoever (unless they are doing NTP for timestamps - in which case they may also need DNS). Ideally they shouldn't be permitted anything so there isn't a chance to dial home, but even if they're not permitted its valuable to see what they're trying to do. Prior to some firmware updates, some of mine were quite chatty in ways I certainly did not want, while still others to this day want to connect to 'the cloud' and I do not have the ability to turn it off. It's very common for admins to overlook some services because "they're harmless" but once you read about things like ICMP tunneling, no means NO.

For those bored or ultra paranoid, check out sites like shodan.io . Took me about 3 minutes to find a listing of >16,000 publicly available BI UI3 login pages... and yep, I confirmed access to a couple of them (didn't try logins). And remember this site is designed for the good guys.

Statistics: Posted by Matts1984 — Mon Jun 08, 2020 6:10 pm

Re: Hello need some direction to find a solution

2020-06-08T15:45:55+00:00

Keep all cameras inaccessible from the internet. Cameras are one of the MOST frequently hacked devices. Consider every single one of them a weak link.

This brings up a question for me- how would I know or how could I tell if a camera has been hacked or is misbehaving (calling home, etc)?

Statistics: Posted by Thixotropic — Mon Jun 08, 2020 3:45 pm

Re: Hello need some direction to find a solution

2020-06-08T15:02:38+00:00

Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.

1) The only reason I use ngrok is just to prevent someone from snooping my password over an unencrypted connection.

I think the credentials are secure even without https. Not an expert but it would at least be hashed in some basic way.

Statistics: Posted by HeneryH — Mon Jun 08, 2020 3:02 pm

Re: Hello need some direction to find a solution

2020-06-08T15:01:38+00:00

So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.

https encryption will not address password security in the least. It is just encrypting content over the line.

If you have any worries about bad actors accessing your system, there are a few options:

Keep all cameras inaccessible from the internet. Cameras are one of the MOST frequently hacked devices. Consider every single one of them a weak link.

BI on an updated Win10 system exposed to the internet is moderately secure. We really don't know which web server Ken uses embedded in the product but we hope it is decent.

Using either a VPN or Reverse Proxy is even better as they are peer reviewed and way more secure.

Statistics: Posted by HeneryH — Mon Jun 08, 2020 3:01 pm

Re: Hello need some direction to find a solution

2020-06-08T14:08:54+00:00

Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.

1) The only reason I use ngrok is just to prevent someone from snooping my password over an unencrypted connection.

2) How would someone be able to exploit or access the cameras if they can only access or login to BI? Maybe I've misunderstood what you're asking. (??)

Statistics: Posted by Thixotropic — Mon Jun 08, 2020 2:08 pm

Re: Hello need some direction to find a solution

2020-06-08T12:40:37+00:00

So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.

Can you save us some time and enlighten us on what you do to secure your system for remote viewing. Or is it just fully air-gaped?

Statistics: Posted by Matts1984 — Mon Jun 08, 2020 12:40 pm

Re: Hello need some direction to find a solution

2020-06-07T22:50:20+00:00

So anyone scanning random ngrok addresses can find it and log in.

How would they login? Isn't there a user name and password set?

Statistics: Posted by Thixotropic — Sun Jun 07, 2020 10:50 pm

Re: Hello need some direction to find a solution

2020-06-07T20:36:16+00:00

That is my question. While the traffic is encrypted, it doesnt require a certificate on the other end. So anyone scanning random ngrok addresses can find it and log in.

There are different types of certificates. Base https certs are used to encrypt but do NOT authenticate users to be anyone. You are correct that anyone who randomly connects will get an encrypted connection. When you talk about authenticating users with client specific certs, that is a whole new ball game that gets users into the weeds and details about encryption and certificate signing.

That is why if you don't think there is a risk of a third party snooping on your traffic and don't care about browser warnings that you are not using https then you wouldn't need to care.

If you want to ensure that users are who you think they are you have progressively more secure ways from a) the default user accounts in BI, b) a reverse proxy with user accounts and c) user certs.

Statistics: Posted by HeneryH — Sun Jun 07, 2020 8:36 pm