Surveillance Cameras infected with Malware??? How to secure it
#1
Jon just came to me here at work and requested that I make sure the surveillance cameras, which are part of an Avid product, cannot make outside connections.

It's amazing that surveillance cameras can get infected; a little search reveals there indeed were instances:
https://www.trendmicro.com/vinfo/us/secu...th-malware

We use OpenWRT reflashed routers, so the fix is to append one or more firewall rules to /etc/config/firewall

Code:
config rule
        option name 'Disable WAN Access for 192.168.1.5'
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        option src_ip '192.168.1.5'
        option target 'REJECT'

After a router reboot, we can still forward outside connections to 192.168.1.5 and the camera can be freely accessed on the local LAN, but all attempts to go outside will be rejected, so even if the camera is infected, the malware will not be able to call home.

Code:
user@camera:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.128.2 icmp_seq=1 Destination Port Unreachable

Code:
user@camera:~ $ wget google.ca
--2017-03-07 11:52:00--  http://google.ca/
Resolving google.ca (google.ca)... 216.58.192.163, 2607:f8b0:4009:80d::2003
Connecting to google.ca (google.ca)|216.58.192.163|:80... failed: Connection refused.

At this point traffic from the camera is blocked. The only thing the camera can do is query the local DNS server (which is usually the router), which forwards the query to an outside DNS server. Jon wants this closed as well, so here is another rule:

Code:
config rule
        option name 'Disable DNS Queries for 192.168.1.5'
        option src 'lan'
        option dest_port '53'
        option src_ip '192.168.1.5'
        option target 'REJECT'

Result:

Code:
user@camera:~ $ wget google.ca
--2017-03-07 12:27:35--  http://google.ca/
Resolving google.ca (google.ca)... failed: Name or service not known.
wget: unable to resolve host address ‘google.ca’

Note: the filter can be configured by MAC as well; just use src_mac instead of src_ip:

Code:
        option src_mac '00:00:00:00:00:00'

Conclusion

At this point the camera with IP 192.168.1.5 is perfectly accessible from outside, but all traffic and DNS queries initiated from it are blocked.

If camera spyware is deeply embedded and is capable of changing or aliasing the camera's IP and/or MAC, it will still be able to penetrate this security lock. To prevent that, the user needs to utilize VLANs and lock down the physical LAN port instead of a particular IP. This becomes impossible on WiFi, where the best course of action is to firewall by MAC address. If a camera starts brute forcing 275 trillion possible MAC addresses, you will notice long before it breaks through (if one MAC test takes 1 sec, brute force will take 9 million years, during which the camera won't be able to function normally). Hypothetically, if the camera was designed for it and has two MACs, one can function normally and the second can be secretly breaking through your firewall during the 4.5 million year half-time and then start talking to a botnet in China.

Final conclusion: Ethernet+VLAN is the most secure, without even an astronomically small chance of penetration if configured properly.
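As an added example (not part of the original post), here is a small Python check that parses the UCI `config rule` sections shown above and reports whether a given camera, identified by IP or MAC, has both WAN egress and router DNS blocked. It assumes OpenWRT's documented default of `proto` being tcpudp when the option is omitted, so a WAN block is only counted when `proto 'all'` is set explicitly; the config text is constructed from the post's rules.

```python
import re

# Constructed sample: the two rules from the post, as they appear in /etc/config/firewall.
SAMPLE_FIREWALL = """
config rule
        option name 'Disable WAN Access for 192.168.1.5'
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        option src_ip '192.168.1.5'
        option target 'REJECT'

config rule
        option name 'Disable DNS Queries for 192.168.1.5'
        option src 'lan'
        option dest_port '53'
        option src_ip '192.168.1.5'
        option target 'REJECT'
"""

def parse_rules(text):
    """Parse every UCI 'config rule' section into a dict of its options."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            # Only 'rule' sections matter here; other section types are skipped.
            current = {} if line.split()[1] == "rule" else None
            if current is not None:
                rules.append(current)
        elif current is not None and line.startswith("option "):
            m = re.match(r"option\s+(\S+)\s+'?([^']*)'?$", line)
            if m:
                current[m.group(1)] = m.group(2)
    return rules

def host_is_isolated(rules, host):
    """Return (wan_blocked, dns_blocked) for a host given as IP or MAC."""
    host = host.lower()
    mine = [r for r in rules
            if r.get("src") == "lan" and r.get("target") in ("REJECT", "DROP")
            and host in (r.get("src_ip", "").lower(), r.get("src_mac", "").lower())]
    # Egress block: lan -> wan, all protocols, no port restriction.
    # A missing proto means tcpudp on OpenWRT (assumption), so ICMP would still pass.
    wan = any(r.get("dest") == "wan" and r.get("proto") == "all"
              and not r.get("dest_port") for r in mine)
    # DNS block: no dest means traffic to the router itself (its resolver on port 53).
    dns = any(r.get("dest_port") == "53" and not r.get("dest") for r in mine)
    return wan, dns
```

Running `host_is_isolated(parse_rules(SAMPLE_FIREWALL), "192.168.1.5")` returns `(True, True)`, while any other LAN host returns `(False, False)`.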
#2
Hi Roman,
I always wondered about how secure devices like cameras actually are. Very interesting for sure.
Bob D