There has been a lot of buzz in the news lately about network security when remotely monitoring a security camera system. The stories alerted viewers to the vulnerability and urged anyone who owns a system to change the default password. While that coverage is welcome, some information was lacking, so we've written this article to fill in the details that any end user of a security camera system should know.
Examples of Past Known Threats
Mirai is malware that infects Linux-based IoT devices such as older security camera systems. It scans the internet for devices that accept remote logins and tries a built-in list of factory-default usernames and passwords. Anyone whose recorder was infected had exposed it to the internet for remote access without taking the precaution of changing the default username and password. The Mirai botnet was behind the 1.2 Tbps DDoS attack against Dyn on October 21st, 2016. Rebooting an infected device clears the malware from memory and stops it participating in the attack, but if you then leave an older system unsecured it can be reinfected within minutes. You can read more about the attack on Mirai's Wikipedia page.
There's a website, Insecam, that has crawled tens of thousands of IP addresses looking for exposed security systems, much as the Mirai malware does. Insecam checks whether:
- They can reach your DVR to log in remotely
- They can log in using the default username and password
When both checks pass, the live feed is published on their website along with the approximate coordinates of the camera; you can even sort by city and browse the feeds that are available. You can check whether your cameras are listed by following this link and selecting your city. If your system is not remotely accessible, or you have changed the username and password from the manufacturer default, you should not be on this list. Note: products sold by CCTV Camera World do not ship with a factory-default password. We set a secure, non-default password on each unit in our offices before shipment, so scanners that try default logins, like Mirai and Insecam, will not get in.
Change the Default Password - For systems from before 2017
For DVRs/NVRs with firmware from 2017 or later, the password was already set to a secure, non-default value before shipment (see the note above), so there is no need to change it. If your DVR firmware is from before 2017, change the admin user's password to something strong and specific to you. Changing the password of each IP camera is not necessary if the cameras are connected to an NVR's internal PoE ports, because those ports form a private network that is only reachable through the NVR. However, any IP camera connected to a separate PoE switch sits on your LAN and may need a firmware update or a password change. Changing the password on an IP camera is a little more involved; you can follow our guide How to access a PoE Security Camera from a Computer on our blog to log in to an IP camera. Account password settings are usually found in the System > Accounts or Users section of the camera's web interface.
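Before you expose anything to the internet, it is worth auditing every recorder and camera account against the same kind of default-credential list that Mirai and Insecam use. The following is an added example written for this article, not vendor software: the inventory and device names are constructed, KNOWN_DEFAULTS is only a small subset of the credential list in the leaked Mirai source plus common DVR defaults, and the 12-character minimum is an assumed policy. The severity ranking follows the reasoning above, so a default login matters most on an internet-reachable device and least on a camera that is only reachable through the NVR's PoE ports.

```python
"""Offline audit of recorder and camera accounts against factory-default logins.

Added example for this article (not vendor software). Sample inventory and the
device names are constructed; KNOWN_DEFAULTS is a small subset of the
credential list in the leaked Mirai source plus common DVR defaults.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MIN_PASSWORD_LENGTH = 12  # assumed policy for passwords you set yourself

KNOWN_DEFAULTS = frozenset({
    ("admin", "admin"), ("admin", "12345"), ("admin", "1234"),
    ("admin", "password"), ("admin", ""), ("root", "root"),
    ("root", "xc3511"), ("root", "vizxv"), ("root", "888888"),
    ("root", "123456"), ("root", "54321"), ("888888", "888888"),
    ("666666", "666666"), ("support", "support"),
})


@dataclass
class Device:
    name: str
    username: str
    password: str
    internet_reachable: bool        # port-forwarded or otherwise reachable from outside
    behind_nvr_poe: bool = False    # camera on the NVR's own PoE ports (private network)


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is in the known factory-default list (exact match)."""
    return (username, password) in KNOWN_DEFAULTS


def is_weak_password(password: str) -> bool:
    """True if the password is shorter than policy or uses one character class."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) < 2


def audit(devices: Iterable[Device]) -> List[Tuple[str, str, str]]:
    """Return (device name, severity, finding) tuples, most severe first."""
    findings = []
    for d in devices:
        if is_default_credential(d.username, d.password):
            if d.internet_reachable:
                findings.append((d.name, "critical", "factory-default login on an internet-reachable device"))
            elif d.behind_nvr_poe:
                findings.append((d.name, "low", "factory-default login, but only reachable through the NVR"))
            else:
                findings.append((d.name, "high", "factory-default login on a LAN-reachable device"))
        elif is_weak_password(d.password):
            findings.append((d.name, "medium", "password is short or uses a single character class"))
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: rank[f[1]])


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Device("front-door-dvr", "admin", "admin", internet_reachable=True),
    Device("warehouse-nvr", "admin", "Wareh0use!Cam-2016", internet_reachable=True),
    Device("poe-cam-3", "admin", "12345", internet_reachable=False, behind_nvr_poe=True),
    Device("parking-cam", "admin", "password1", internet_reachable=False),
]

if __name__ == "__main__":
    for name, severity, why in audit(SAMPLE_INVENTORY):
        print(f"{severity:<8} {name}: {why}")
```

Replace SAMPLE_INVENTORY with your own devices and fix anything rated critical or high first. The match is exact, so a password that merely resembles a default (for example "admin1") is caught by the weak-password check rather than the default-credential check.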
QR Codes and P2P Services
Many models of IP security cameras, NVRs, and DVRs have a QR code that you can scan to view your camera or system remotely. It's a user-friendly feature that gets you to your cameras quickly. P2P works by having the device and the smartphone app both connect out to a vendor-run cloud server, which pairs them so the feed reaches you without port forwarding or any inbound firewall rule. You enter your username, password, and device ID in the app. That relay server, often hosted on a public cloud such as Amazon Web Services, handles (and may log) traffic from thousands of users and matches each login to its camera or recorder. How a P2P service connects is up to the app, and not all P2P services are the same: nothing prevents a poorly built P2P service from exposing your feed, making it viewable by an attacker, and you have to trust the vendor's server with your credentials and device ID. Because P2P is not as secure a method of viewing your security cameras remotely, we recommend port forwarding over P2P. P2P feeds are also less reliable than a port-forwarded connection; there is a wide array of forum posts about dropped or laggy P2P streams.
We offer a port forwarding service available as a Networking Support Session. Purchasing a session provides you with a half hour of time with our remote support technicians, who can remote into your computer and assist with configuring port forwarding on a router or modem.
Forward Your Ports Instead
You can get the full functionality of remote viewing, with better reliability, by forwarding ports in your router to the DVR and logging in directly. Port forwarding avoids sending your video through a third party's cloud servers. Bear in mind that it also exposes the recorder's login to anyone on the internet, which is exactly how the scanners described in the first section find devices, so only forward ports to a recorder whose password is not a factory default and whose firmware is up to date (the VPN option at the end of this article avoids that exposure altogether). We have a growing knowledge base of articles explaining how to forward your ports: Port Forwarding Overview and Port Forwarding Articles. If your router isn't covered, you can find instructions for your specific model at portforward.com. Automated scanners try the well-known default ports first, so leaving them in place makes your recorder easier to find. Our systems use the following default ports:
- HTTP 80
- TCP 37777
- UDP 37778
To reduce your exposure to automated scans while your system is connected to the Internet, change the default ports to custom ones. This is obscurity rather than protection: a full port scan will still find the service, so a strong password remains essential. You can use any unused port number above 1024; here are a few examples:
- HTTP 45880
- TCP 45777
- UDP 45778
Every router is different, but the principle is always the same.
- Log into the router using the administrator account
- Find the port forwarding settings, usually under Firewall or Advanced settings.
- Create a new rule for each port you changed, pointing at the recorder's LAN IP address (give the recorder a fixed address or a DHCP reservation so the rule keeps working):
- HTTP 45880
- TCP 45777
- UDP 45778
- Test your ports from outside your network by visiting GRC's ShieldsUP! port scan and performing a custom port probe on each number
- Back up the router's configuration file so you can restore it if the router is ever reset to defaults
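The test step above can also be done from the command line. The script below is an added example for this article, not the GRC tool: it attempts a TCP connection to each port and reports which custom ports answer and which factory defaults are still reachable. The port numbers are the ones used in this article, and 192.168.1.108 (the recorder address used later in this article) is only an assumed default target. UDP 37778/45778 is deliberately left out, because a connectionless port cannot be confirmed open with a plain connect. The two loopback helpers at the end exist so the probe can be exercised offline.

```python
"""Check which TCP ports on a recorder accept connections.

Added example for this article; it is not the GRC tool mentioned above. Run it
from outside your network against your public IP to confirm the forwarded
ports answer, and against the recorder's LAN address (192.168.1.108 in this
article) to confirm the recorder itself listens on the new numbers.
"""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# The article's factory defaults and suggested custom numbers. UDP 37778/45778
# is left out: a connectionless port cannot be confirmed open with connect().
DEFAULT_TCP_PORTS = (80, 37777)
CUSTOM_TCP_PORTS = (45880, 45777)


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, bad host
        return False


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in the list and map port -> reachable."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def exposure_report(host: str,
                    custom_ports: Iterable[int] = CUSTOM_TCP_PORTS,
                    default_ports: Iterable[int] = DEFAULT_TCP_PORTS,
                    timeout: float = 2.0) -> Dict[str, List[int]]:
    """After changing ports, the custom ones should answer and the defaults should not."""
    custom_ports, default_ports = list(custom_ports), list(default_ports)
    results = probe_ports(host, custom_ports + default_ports, timeout)
    return {
        "open": sorted(p for p, ok in results.items() if ok),
        "missing_custom": [p for p in custom_ports if not results[p]],
        "still_default": [p for p in default_ports if results[p]],
    }


def local_listener() -> Tuple[socket.socket, int]:
    """Open a loopback listener on a free port so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Pick a loopback port that is currently closed (bind, read the number, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.108"
    report = exposure_report(target)
    print(f"{target}: open TCP ports {report['open']}")
    if report["missing_custom"]:
        print("custom ports not answering:", report["missing_custom"])
    if report["still_default"]:
        print("default ports still reachable:", report["still_default"])
```

Run it as `python probe.py <your public IP>` from a phone hotspot or another network; from inside your own LAN, many routers will not loop a forwarded port back to you, so a "missing" result from inside does not necessarily mean the rule is wrong. If a default port still answers after you changed it on the recorder, check that the old router rule was removed as well.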
If your router is leased to you or managed by your ISP you can contact the company and have them assist with forwarding the ports. Most of the time it's faster to do it yourself.
Remote Viewing After Changing Your Ports
There are a few important steps to complete in order to view your system remotely once you have changed the default ports to custom ones. Let's say you changed the ports to the numbers above: HTTP 45880, TCP 45777. Whether you're viewing your system through Web Service, SmartPSS, or a smartphone app, you will need to update each of these methods of remote viewing as follows:
When viewing your system through Web Service in Internet Explorer, append :45880 to the DVR or NVR's IP address. For a DVR/NVR at 192.168.1.108 on the local network, type http://192.168.1.108:45880 into the browser; for remote viewing, use your external IP address followed by :45880. Make sure to include http:// at the beginning of the URL, as it is required to reach Web Service. Note that a plain http:// connection is not encrypted, which is one more reason to prefer the VPN approach below when viewing over the internet.
When adding a device in Smart PSS, the software uses the default TCP port of 37777. The port needs to be changed to reflect the updated TCP port number set in the DVR/NVR, which in this case is 45777.
When adding a device entry in the phone apps, the TCP port also defaults as 37777. This needs to be changed to 45777.
Create Your Own VPN
Corporations and businesses use VPNs so that telecommuting employees can reach files on the company intranet and communicate as though they were connected locally. The data tunneled across the internet is encrypted, so it can't be read by just anyone in between. This is the most secure of the remote viewing methods described here: once the VPN connection is established you are effectively on your home LAN, so there's no need to forward any ports and nothing on the recorder is exposed to the internet. One of the routers we recommend to our wireless clients is the ASUS RT-N66U. This router is fast, the processing in it is great, and it has a built-in VPN server; a quick search will turn up an instructional video on setting it up. Of course, there are other VPN solutions out there, and anything running DD-WRT firmware should be able to host a VPN. Ultimately the security and configuration of a network are up to the user, so if you're having trouble setting it up, try contacting a local network engineer.