Secure CCTV and other web connected devices from hacking


While away from home I had read a news story about webcams and other home devices connected to the internet being hacked for use in vast networks to mount DDoS attacks. On returning home I found my old and trusty Foscam network camera was bricked. I suspect, though with zero proof, that it may have been the victim of a hacking attempt. When replacing it I decided to protect my kit as far as possible from any future attacks, which are getting reported pretty frequently now, with this BBC News story being the most recent I have seen at the time of writing.

The safest I can manage, apart from turning them all off, is to not have my cameras etc. accessible from the internet. I do still want to access them remotely though and to do that I need a VPN terminating in my home network. Fortunately my current router has inbuilt VPN support. In addition to protecting my kit the VPN can also be used to offer protection from hacking when using mobile devices on public WiFi networks.

If, after reading the list of stuff below which you need to do to best secure your web accessible equipment, you decide it’s going to be too costly, too difficult, or just downright impossible, then at the very least make sure that you change any default passwords to something reasonably secure and not in the list of the 10,000 most commonly used passwords. Be aware though that some of these units have default accounts which you can neither change nor delete – user admin with no password is quite common. If you find that is the case then either revisit the list of steps I’ve outlined, junk the device, or live with the fact that sooner or later it will be hacked.

Can I fix my stuff?

You’ll need to set up…

A Dynamic DNS service

Once again I’m lucky: I have a fixed IP so I can just use that instead. My Asus router also has an inbuilt Dynamic DNS option. Most consumer ISPs don’t offer a fixed IP, and cheap routers often don’t have an inbuilt dynamic DNS service or the ability to automatically update one you have an account on. Check Google for your options here. Without one you’ve hit a brick wall.

Ability to fix local IPs

Check your router instructions. Another showstopper if you can’t do this. You need to fix the internal IPs of your web accessible devices so that your chosen app(s) can use the internal IPs to access them.

Ability to block devices from web access

If your devices use P2P technology, as most current devices do because of the difficulties of setting up the things listed above, this is an essential requirement. You’ll need to check your router firewall or maybe parental controls to see if you can do this. I had to use the firewall on my own router, as parental control blocks also stopped access to the internal network.

A home VPN server

If you are using a low end consumer router of the type typically supplied by ISPs it may well not support an inbuilt VPN. If the ISPs insist you use their router you will need to look at more complex options such as using a Raspberry Pi or the like as an OpenVPN server – google is your friend here.

Finally…

You will also need at least some technical ability. As there are so many different routers you’ll either need to fathom out how to do these things yourself or find out from Google.

There is one other fly in the ointment – when using your VPN there is a slight overhead, and your maximum downstream speed is going to be the upstream speed of your home broadband. I have 78/20 FTTC home broadband, but if you have ADSL with its slow upstream you may not get the speeds you’d like.

Check your devices

With traditional web attached devices you got details about which ports they were using. These days everything seems to offer P2P technology, and this dumbing down often hides such details away, so you need to snoop a bit to get the required information.

The XMeye app that came with my HD H264DVR has the option to connect locally built in. If your device uses that and you are happy with the app you are all set. If you want to use a different app you’ll need to at least find which port it is using which I’ll mention later. My P2P DVR uses port 34567.

The webcam I got to replace my busted Foscam uses the Sricam app and that has no local connect option so you will need to use a different app and for that you need to find which port it is using. You may be able to get the information from google or you may need to port scan it. My webcam is ONVIF compliant and uses port 5000.

Android apps

Sorry but if you have an iPhone or Windows device you’ll need to find recommendations elsewhere.

The alternate viewer I use for my DVR is VMEye+. This can be a little flakey at times but in the main does work well.

I can recommend the excellent IP Cam Viewer Pro which has been able to view every webcam and DVR that I’ve owned – if your device isn’t listed then you can just enter the local IP and port and ask it to scan for a matching device. There are free versions you can try before buying.

I use Fing as my network scanner – it was this that told me my ONVIF camera was using ports 554 and 5000.

You’ll certainly need an OpenVPN client. I used OpenVPN Connect but there are many alternatives.

So you’ve managed to set up a Dynamic DNS, fix the local IPs of your devices, and determine the ports they use. If the provided app doesn’t offer a direct local connection option you’ll need to have found an alternative viewer – probably IP Cam Viewer Pro as I’ve not yet found any camera it can’t support. Ok then off we go…

Setting up the VPN

These instructions are for my Asus DSL-AC68U router which is all pretty straightforward and hopefully similar for other routers supporting VPN.

Open up the router GUI, navigate to the VPN general settings page, enable the OpenVPN server, and add a user or two. Once that’s done you will see something like this:

DSL-AC68U Basic VPN settings page

One thing the default settings didn’t cover was having the client use the VPN for all web access and not just for the local IPs you’ve specified in the viewer app(s). You need that for protection when using public WiFi, but if you can live without it then you’ll only get the VPN overhead when accessing your home devices and not for all internet activity. If you want to set that option with my router it is in the Advanced VPN settings and is labelled “Direct clients to redirect Internet traffic”.
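For readers whose router exposes a raw OpenVPN server configuration rather than a tick box, the fragment below shows the standard OpenVPN directive that does the same job. It is an added illustration, not copied from the Asus firmware or from the original post, and it assumes that the router’s “Direct clients to redirect Internet traffic” option corresponds to pushing a default route through the tunnel; 192.168.1.1 and 192.168.1.0/24 are placeholder LAN values, not the author’s.

```conf
# Server-side OpenVPN directives (added example; placeholder addresses)

# Send all client traffic through the tunnel, not just traffic for the LAN.
# "def1" adds two half-routes (0.0.0.0/1 and 128.0.0.0/1) that override the
# client's existing default route without deleting it.
push "redirect-gateway def1"

# Hand the client a DNS server inside the home network so name lookups are
# not sent to the public WiFi's resolver. 192.168.1.1 is a placeholder.
push "dhcp-option DNS 192.168.1.1"

# Only needed if redirect-gateway is NOT used: push just the home LAN route
# so the viewer apps can reach the cameras' fixed internal IPs.
# push "route 192.168.1.0 255.255.255.0"
```

With redirect-gateway in place the client also gets the LAN route implicitly, so the commented route line is only for the lighter setup where you want the VPN overhead solely when talking to the cameras.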

Your next step is to use that “Export” button on the general settings page to create the OVPN file which your clients will need to access your VPN. There are some detailed instructions for that linked to from my router which for your convenience I’ll copy below…



Check it out

You need to check out your access to your device(s) first while connected to your home WiFi.
Then disconnect your mobile from your home network, fire up OpenVPN on the mobile, and check you can still access your stuff over the mobile network.
All good? Fine. Problems – that’s why I said you’ll need some technical ability but most problems can be sorted using google.
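The two checks above (finding which port a P2P device listens on, and confirming the devices are still reachable on home WiFi and then over the VPN) can be done with a short script instead of a network-scanner app. The following is an added example, not code from the original post or from any of the apps it mentions; the port list is built from the ports the post names (554, 5000, 34567) plus common web UI ports, and 192.168.1.50 is a placeholder LAN address. Run it against only your own devices on your own network.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Candidate ports to probe on a camera/DVR. 554, 5000 and 34567 are the ports
# the post found on the author's devices; 80 and 8080 are common web UIs.
# This is an assumed list, not a definitive one.
CANDIDATE_PORTS = {
    80: "HTTP web UI",
    554: "RTSP video stream",
    5000: "ONVIF (author's Sricam webcam)",
    8080: "alternate HTTP",
    34567: "XMeye / VMEye DVR (author's H264DVR)",
}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, or host unreachable.
        return False


def open_ports(host: str, ports, timeout: float = 1.0) -> list:
    """Probe each candidate port in parallel; return the sorted list that accepted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=min(16, len(ports) or 1)) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, ok in results if ok)


def check_devices(devices: dict, timeout: float = 1.0) -> dict:
    """devices maps a name to (ip, [expected ports]); returns {name: {port: bool}}.

    Run once on home WiFi and once over the VPN from the mobile network; every
    expected port should report True both times.
    """
    return {
        name: {p: port_is_open(ip, p, timeout) for p in ports}
        for name, (ip, ports) in devices.items()
    }


if __name__ == "__main__":
    # Placeholder address: replace with the fixed LAN IP of your own camera/DVR.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    found = open_ports(target, CANDIDATE_PORTS)
    if not found:
        print(f"No candidate ports open on {target}")
    for p in found:
        print(f"{target}:{p} open  ({CANDIDATE_PORTS[p]})")
```

Once you know the ports, put them in the `check_devices` dictionary, e.g. `{"dvr": ("192.168.1.50", [34567]), "cam": ("192.168.1.51", [554, 5000])}`, and run the script twice: on the home WiFi, then on mobile data with OpenVPN up. A port that is open on WiFi but not over the VPN usually points at a missing LAN route or a firewall rule that is blocking the VPN subnet as well as the internet.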

Finally

Once everything is working correctly you can remove any port forwarding rules you may have set up earlier and make the firewall changes necessary to block internet access from any P2P type devices. Here is an example for my own router – hopefully yours will be similar. I have used the network services filter page to deny the IP for my DVR access to the internet on all ports for both TCP and UDP connections.

Router firewall settings page

And now a couple of questions…

Do you really think flooding the market with insecure P2P devices to save the user a little effort in setting their stuff up was such a good idea after all?

Do you think saving a few quid a year by choosing an ISP that provides poor quality routers and insists you use them is a worthwhile economy?

There is every chance that most readers of this page will have some difficulties securing P2P devices because their near to useless ISP provided routers do nothing to help. My mid range router makes the job possible and even quite easy given the inbuilt VPN and DynDNS service.

Currently there are constant adverts for home automation products. My advice if you can’t secure them properly yourself and have to rely on the manufacturers is to think again.