sixwheeledbeast Posted December 1, 2015

> The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installed by a third party.

This also interests me from an installer POV too. I wanted to split this out to keep the other thread on topic.

Do you find a large number of DVRs provide an attack route on to the network? Basic or Enterprise kit? Any models you can use as an example? Do you feel it's up to the manufacturers to design them better or the installers to have them VLAN'd? etc...

Alpat Systems Posted December 1, 2015

We advise the client of the potential risks and offer a solution. This is either re-configuring their existing routers/switches/firewalls or installing new Cisco kit, or if on a budget we'll use smoothwall http://www.smoothwall.org/

For me, keep the network security separate. It's too complicated for a CCTV installer to undertake.

Don't forget a single DVR can provide a route onto a network.

Below is an example of a system we've recently installed. It's using a Cisco 3925 service router, with layer 2/3 switch, server blade and application acceleration. Installed on the blade server is Milestone software for the CCTV (but this could have been a separate DVR plugged into the switch). Data/Voice/CCTV is all separated by VLANs and QoS is used.

PeterJames Posted December 1, 2015

> The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installed by a third party.

This interests me, we used Windows based DVRs with software and an after-market firewall/anti virus software. But this is a very expensive DVR in comparison to the cheaper DVRs we also install as budget systems. Most of which use a cloud based remote viewing software, I do worry about the fact that there are so many of these recorders out there and it would not be hard for China to upload or write something into their recorders.

al-yeti Posted December 1, 2015

Yeah then they could watch you in your pool, see if you're on the phone to Korea

norman Posted December 1, 2015

Getting in on all levels.. https://www.vtech.com/en/press_release/2015/statement/

al, don't you fit this range of kit?

Nothing is foolproof to a sufficiently talented fool.

al-yeti Posted December 1, 2015

> Getting in on all levels.. https://www.vtech.com/en/press_release/2015/statement/
>
> al, don't you fit this range of kit?

Well not quite, I used to stick to Honeywell like ADT. Moved with the times to HKC as ADT have no choice but to move to DIY Visonic kits slapped to the wall in a plug, I did consider Visonic but realised it's "tat" I think you call it?

House bashing is the way forward eh?........

norman Posted December 1, 2015

Ah HKC, the ones with the speak and spell RKP, close I suppose.

ADT have lowered their portfolio to edge into the HB's such as yourself.

al-yeti Posted December 1, 2015

Come on they house bashing for years already, some good hb too, I tell ya!

norman Posted December 1, 2015

When I used to sub to Modern Alarms if we did a house it was (nearly) always a substantial house. Now (sadly imo) they have shifted their place in the market. It's now a numbers game imo.

cybergibbons Posted December 1, 2015

I'll reply this evening.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/

cybergibbons Posted December 1, 2015

> This also interests me from an installer POV too. I wanted to split this out to keep the other thread on topic.
>
> Do you find a large number of DVRs provide an attack route on to the network? Basic or Enterprise kit? Any models you can use as an example? Do you feel it's up to the manufacturers to design them better or the installers to have them VLAN'd? etc...

I've done a number of pen-tests of small to medium sized businesses where the DVR has been my entry point. I've just written a whitepaper for a client who should be releasing it in the new year that explains in detail why they are so bad.

The primary problem is port-forwarding. If you open up the network so you can connect to the DVR, your entire network is reliant on the security of the DVR.

Then the DVRs themselves have terrible security. Many of them have backdoor accounts, many run custom protocols with no authentication, many of them have other vulnerabilities. You can get root on them very quickly.

Even if they aren't port forwarded to the Internet, a lot of them are vulnerable to attacks from desktop browsers - a carefully crafted link sent to someone in the shop can gain us control of the DVR if it isn't partitioned.

Many of the Swann DVRs suffer from this issue: http://console-cowboys.blogspot.co.uk/2013/01/swann-song-dvr-insecurity.html

Despite it being found years ago, new DVRs suffer from the same issue.

I've found similar problems in Dahua (who make about 50% of the cheap Chinese DVRs), Evigilo, Dedicated Micros, Pelco. I've tried reporting some of these, and the vendors are totally unresponsive. Unlike the signalling issues though, these place networks at real and immediate risk, so I'm not releasing them.

To fix it, it needs a bit of both. The manufacturers need to get better, but security is about layers. If you VLAN the DVR from the rest of the network, then you make most of these attacks much harder.

sixwheeledbeast Posted December 1, 2015

> Unlike the signalling issues though, these place networks at real and immediate risk, so I'm not releasing them.

That's fair comment.

> To fix it, it needs a bit of both. The manufacturers need to get better, but security is about layers. If you VLAN the DVR from the rest of the network, then you make most of these attacks much harder.

From an installer POV we expect the DVR to be secure. I can understand why many are not, look at shellshock for example. These CVEs will never be updated in older DVR units. I wouldn't be surprised if most DVRs sold today are running outdated Linux kernels or suffer from known exploits.

The issue is as you say, the run of the mill engineer is barely capable of punching some holes in the firewall and installing the client. This is where the manufacturers should step up IMO.

After all you say about layers, you can put the DVR on a VLAN to protect the site but what about the private images stored on the DVR? Ultimately the installer would be responsible if anything did happen.

MrHappy Posted December 1, 2015

What evil **** can I do with ftp & a dm? Being a simple alarm monkey I guess I can do better than just changing files until it bricks?

Mr Veritas God

james.wilson Posted December 1, 2015

question?

Those that do port forward to an insecure device. If that device is used to gain access or rip a client off, who is liable? The client for allowing access to their router, the manufacturer for weak security or the installer for bypassing the security of the so called 'firewall'?

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

cybergibbons Posted December 2, 2015

> That's fair comment.
>
> From an installer POV we expect the DVR to be secure. I can understand why many are not, look at shellshock for example. These CVEs will never be updated in older DVR units. I wouldn't be surprised if most DVRs sold today are running outdated Linux kernels or suffer from known exploits.
>
> The issue is as you say, the run of the mill engineer is barely capable of punching some holes in the firewall and installing the client. This is where the manufacturers should step up IMO.
>
> After all you say about layers, you can put the DVR on a VLAN to protect the site but what about the private images stored on the DVR? Ultimately the installer would be responsible if anything did happen.

I think manufacturers should be obliged to produce secure devices and provide firmware updates for 3-5 years.

Let's not be unreasonable - I'm not expecting a DVR to be totally resistant to attack. But the mistakes that are being made are basic and easily avoidable.

Above all, you know that they are not driven by security - once the DVR is out of the door, they have made their money.

> What evil **** can I do with ftp & a dm? Being a simple alarm monkey I guess I can do better than just changing files until it bricks?

DM?

> question?
>
> Those that do port forward to an insecure device. If that device is used to gain access or rip a client off, who is liable? The client for allowing access to their router, the manufacturer for weak security or the installer for bypassing the security of the so called 'firewall'?

Personally, if I were you, I would have a disclaimer listing the risks for port-forwarding to a device inside the network. There are alternatives, but they are less convenient and they cost more.

sixwheeledbeast Posted December 2, 2015

> There are alternatives, but they are less convenient and they cost more.

What alternative solutions would you recommend?

cybergibbons Posted December 2, 2015

And just to give you an idea of costs and time - it would probably take about 5 days of work for me to say "This DVR with this given firmware in this configuration is secure enough to be on your network" with any level of confidence.

That's clearly not feasible - an installer can't pay for 5 days of consultancy each time he wants a DVR checked out. It has to fall to the vendor.

Currently, I would recommend:

1. VLAN to isolate all security devices from the rest of the network.
2. VPN into the network to access the DVR (this is the convenience bit) rather than rely on port-forwarding.
3. Careful outbound firewalling of the network to attempt to limit damage should someone get in.

The problem that still remains is oversight - if the DVR does get owned, how does anyone tell?

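One way to approach the oversight question in the post above, as an added example that is not part of the thread or any vendor's code: a Python check over firewall logs that flags flows breaking the three recommendations. The address plan, the `DVR-NEW` log prefix and the NTP allowlist entry are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumed addressing plan (hypothetical, not taken from the thread).
DVR_VLAN = ipaddress.ip_network("10.0.30.0/24")   # isolated security-device VLAN
VPN_POOL = ipaddress.ip_network("10.0.99.0/24")   # remote-viewing VPN clients
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # all on-site address space
# Flows the DVR is expected to start itself: (destination, protocol, port).
ALLOWED_OUT = {("192.0.2.123", "UDP", 123)}       # placeholder NTP server

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in the netfilter LOG key=value layout.
SAMPLE_LOG = """\
Dec  2 09:00:01 fw kernel: DVR-NEW IN=vlan30 OUT=wan SRC=10.0.30.10 DST=192.0.2.123 PROTO=UDP SPT=123 DPT=123
Dec  2 09:14:37 fw kernel: DVR-NEW IN=vlan30 OUT=lan SRC=10.0.30.10 DST=10.0.10.25 PROTO=TCP SPT=40112 DPT=445
Dec  2 09:15:02 fw kernel: DVR-NEW IN=vlan30 OUT=wan SRC=10.0.30.10 DST=198.51.100.77 PROTO=TCP SPT=40240 DPT=8443
Dec  2 09:20:11 fw kernel: DVR-NEW IN=vpn0 OUT=vlan30 SRC=10.0.99.4 DST=10.0.30.10 PROTO=TCP SPT=51820 DPT=443
Dec  2 09:21:45 fw kernel: DVR-NEW IN=lan OUT=vlan30 SRC=10.0.10.25 DST=10.0.30.10 PROTO=TCP SPT=50111 DPT=80
"""

def classify(line):
    """Return (kind, src, dst, proto, port) for a suspicious flow, else None."""
    f = dict(FIELD.findall(line))
    try:
        src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        proto, port = f.get("PROTO", "?"), int(f.get("DPT", 0))  # ICMP has no DPT
    except (KeyError, ValueError):
        return None                                # not a usable flow record
    flow = (f["SRC"], f["DST"], proto, port)
    if src in DVR_VLAN and dst not in DVR_VLAN:
        if (f["DST"], proto, port) in ALLOWED_OUT:
            return None                            # expected housekeeping traffic
        # Anything else the DVR starts breaks the VLAN or egress policy.
        return ("lateral" if dst in INTERNAL else "egress", *flow)
    if dst in DVR_VLAN and src not in DVR_VLAN and src not in VPN_POOL:
        return ("inbound", *flow)                  # reached without the VPN
    return None

def review(log_text):
    """Classify every line and keep only the suspicious flows."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in review(SAMPLE_LOG):
        print(*hit)
```

This only works if the firewall logs new connections to and from the DVR VLAN; a DVR that is port-forwarded on a flat network gives the firewall nothing comparable to log.
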
datadiffusion Posted December 2, 2015

How about Axis kit?

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

cybergibbons Posted December 2, 2015

I've not looked at Axis DVRs. IP cameras are not the worst but no better than Hikvision.

PeterJames Posted December 2, 2015

> And just to give you an idea of costs and time - it would probably take about 5 days of work for me to say "This DVR with this given firmware in this configuration is secure enough to be on your network" with any level of confidence.
>
> That's clearly not feasible - an installer can't pay for 5 days of consultancy each time he wants a DVR checked out. It has to fall to the vendor.
>
> Currently, I would recommend:
>
> 1. VLAN to isolate all security devices from the rest of the network.
> 2. VPN into the network to access the DVR (this is the convenience bit) rather than rely on port-forwarding.
> 3. Careful outbound firewalling of the network to attempt to limit damage should someone get in.
>
> The problem that still remains is oversight - if the DVR does get owned, how does anyone tell?

So points 1 and 2 may be hard to do in some circumstances, point 3 I already do, point 4 (and I know you haven't numbered it): is there a way of setting up intruder detection and email warning if a Windows PC is owned?

MrHappy Posted December 2, 2015

cyber, clear some PMs as there's something I wanna send you...

norman Posted December 2, 2015

Dirty boy.

datadiffusion Posted December 2, 2015

> I've not looked at Axis DVRs. IP cameras are not the worst but no better than Hikvision.

Sorry, I meant the cams.

Surprised at that as they seem to offer a lot of seemingly esoteric security / IPsec options. Not that that makes them more secure by default, I know. And I've never used Hik IP so can't compare.

sixwheeledbeast Posted December 2, 2015

> And just to give you an idea of costs and time - it would probably take about 5 days of work for me to say "This DVR with this given firmware in this configuration is secure enough to be on your network" with any level of confidence.

If they're all fitted to the same standard and specification, surely this would only need doing once for each model/firmware? Again I would expect the manufacturer to have had this done externally.

I also agree with PJ about 1 and 2 being hard to implement on some networks. Point 3 should be done as standard for anyone with knowledge of setting up firewalls, however, someone with a network background would understand this in more depth than an alarm monkey.

cybergibbons Posted December 3, 2015

> cyber, clear some PMs as there's something I wanna send you...

Done.