An occasional security blogger named someLuser, who has an interest in embedded devices, recently wrote up the results of a security review he carried out on a popular brand of network-enabled security camera.
His report was picked up in turn by the Metasploit team, who confirmed and clarified someLuser’s discoveries.
You should head to someLuser’s post for the technical detail, and for some interesting photographic insights into the sort of inquisitiveness you need to investigate embedded devices, but here’s a very brief summary:
- You can remotely persuade the device to reveal usernames and passwords for the administrative console.
- You can remotely persuade the device to run a command shell and connect back to your computer so you can control it.
- Where the router allows it, the device uses Universal Plug and Play (UPnP) to have an inbound port forwarded to itself, so it is accessible even from outside your network.
Obviously, security cameras with security holes (especially those that record and store footage for later use) represent a rather thorny privacy problem.
A buggy web database may leak “life metadata” about you, such as your birthday, your phone number, or enough information to let someone guess the answers to your secret security questions.
But a leaky surveillance device may reveal physical details about you and your actual life. Live on camera, if that’s not stating the obvious.
You won’t be alone if you feel that’s even more chilling than having a crook try to spend your money. You can often get your money back from your financial institution; you can’t get your personal privacy back once you’ve been under someone’s prying eyes.
What can you do about this?
In the immediate term, as the Metasploit guys point out, putting your organisation’s security cameras behind a traditional connection-filtering firewall is a good start. Block inbound connections to your cameras and they can’t be attacked remotely. And since one of the discoveries above has the camera opening a connection back out to the attacker’s computer, it is worth restricting the cameras’ outbound connections too, to just the hosts they legitimately need to reach.
If you’re able to operate your cameras on their own internal network or VLAN, and segregate it from the rest of your internal network, you’ve isolated any potentially vulnerable surveillance devices still further from compromise. In fact, you probably want to do this anyway, even if you don’t think your cameras are remotely exploitable.
The problem in this case, especially for home or small business users, is UPnP.
Plug-and-play is the generic name, in software and hardware, for the protocols that make it easier to connect stuff up and to get it to work.
As you can imagine, convenience of this sort is often the enemy of security, because it can make it too easy to get devices and servers going, and may expose them online much more widely than you expected.
Many consumer and small business routers – the hardware that sits between you and the internet to keep them apart – support UPnP by default. One peculiarly dangerous UPnP feature, the Internet Gateway Device (IGD) profile, automates the process by which a computer outside your network can connect to, and interact with, devices inside: any device on your network may ask the router to forward an incoming port to it, and the router will do so without asking anyone for a password.
Modern networks usually use NAT, or Network Address Translation. This is the system that lets several PCs share one internet connection, and was introduced nearly 20 years ago to make IP numbers (which are only 32 bits long in IPv4) go further and last longer.
One side-effect of NAT is that it makes it easy for computers to connect out, but impossible, by default, for outsiders to connect inwards.
This happens because the NAT router doesn’t know, when an incoming connection arrives, which of your internal computers to connect to. (Telephone receptionists on your switchboard can answer calls, but can’t put them through to a specific person unless they have an internal directory handy. Same sort of problem for a NAT router.)
NAT, therefore, offers you a little bit of extra security against intrusion, but you get that security as a side-effect, not by design.
And UPnP includes a protocol that lets internal devices and your router negotiate their own connectivity automatically: a device asks for an inbound port to be forwarded to it, the router complies, and outside parties can then reach that device directly. The switchboard operator (with or without an internal directory) is cut out of the loop, and incoming calls can find their target automatically.
For this reason, you almost certainly don’t want UPnP enabled on your router.
Turning it off will reduce your attack surface dramatically, security cameras or not.
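To make the negotiation described above concrete, here is the UPnP Internet Gateway Device (IGD) exchange as a device on your LAN drives it. This is an added example written for this article; it is not code from someLuser’s write-up or from the Metasploit module. It shows the SSDP M-SEARCH that finds the router (a UDP multicast datagram to 239.255.255.250:1900), a parser for the router’s reply, the SOAP AddPortMapping request that asks the router to forward an external port to the device, and a parser for the router’s answer to GetGenericPortMappingEntry so you can audit what has already been opened. It runs offline: the router reply, the 192.168.1.x addresses, the port 5000 in the LOCATION URL and the camera mapping are constructed sample data, not captured traffic, and the step of fetching the description XML named by LOCATION to learn the SOAP control URL is left out. Note what the AddPortMapping request does not contain: any credential at all.

```python
"""UPnP IGD exchange, end to end, with constructed sample messages (no network I/O)."""
import xml.etree.ElementTree as ET

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900           # well-known SSDP multicast address
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"  # IGD service that owns port mappings


def build_msearch(search_target=WANIP, mx=2):
    """Step 1: SSDP discovery. A UDP datagram to 239.255.255.250:1900 asking
    'is there an Internet Gateway Device here?'. Dropping UDP/1900 stops this step."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {search_target}\r\n\r\n').encode("ascii")


def parse_ssdp_response(raw):
    """Step 2: the router replies by unicast with HTTP-style headers. LOCATION names the
    device-description URL, which in turn names the SOAP control URL (that fetch is omitted here)."""
    status, _, rest = raw.decode("ascii", "replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK: " + status)
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")   # split on the first colon only (URNs contain colons)
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_add_port_mapping(ext_port, int_client, int_port, proto="TCP", desc="camera", lease=0):
    """Step 3: the SOAP action that opens the hole. Note what is absent: any credential.
    Any host on the LAN may map any external port to any internal host and port."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{int_client}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>')


def parse_port_mapping_entry(xml_text):
    """Audit side: parse one GetGenericPortMappingEntryResponse into a dict. An auditor calls
    GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2... until the router returns a fault."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    return {child.tag: (child.text or "") for child in resp}


def exposed_camera_mappings(entries, camera_hosts, sensitive_ports=(80, 443, 554)):
    """Flag enabled mappings that expose a camera's web admin (80/443) or RTSP (554) port.
    Returns (protocol, external port, internal host, internal port) tuples."""
    flagged = []
    for e in entries:
        if (e["NewEnabled"] == "1" and e["NewInternalClient"] in camera_hosts
                and int(e["NewInternalPort"]) in sensitive_ports):
            flagged.append((e["NewProtocol"], int(e["NewExternalPort"]),
                            e["NewInternalClient"], int(e["NewInternalPort"])))
    return flagged


# Constructed sample router reply to the M-SEARCH above (not a capture; port 5000 is an arbitrary choice).
SAMPLE_SSDP_REPLY = "\r\n".join([
    "HTTP/1.1 200 OK",
    "CACHE-CONTROL: max-age=120",
    f"ST: {WANIP}",
    "LOCATION: http://192.168.1.1:5000/rootDesc.xml",
    "SERVER: Linux UPnP/1.0 IGD/1.0",
    "", "",
]).encode("ascii")

# Constructed sample answer to GetGenericPortMappingEntry(0): a camera's web port already exposed.
SAMPLE_ENTRY = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
                f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
                '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
                '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
                '<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>'
                '<NewPortMappingDescription>IPCam</NewPortMappingDescription>'
                '<NewLeaseDuration>0</NewLeaseDuration>'
                '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

if __name__ == "__main__":
    print(build_msearch().decode())
    print("device description at:", parse_ssdp_response(SAMPLE_SSDP_REPLY)["location"])
    print(build_add_port_mapping(8080, "192.168.1.23", 80, desc="IPCam"))
    entry = parse_port_mapping_entry(SAMPLE_ENTRY)
    print("exposed:", exposed_camera_mappings([entry], {"192.168.1.23"}))
```

Run stand-alone, it prints the discovery packet, the LOCATION from the sample reply, the AddPortMapping envelope and the flagged mapping. In a real audit you would send build_msearch() over UDP, fetch the LOCATION document to find the WANIPConnection controlURL, then POST GetGenericPortMappingEntry calls (with a SOAPACTION header) and increasing indexes to that URL until the router returns a SOAP fault, feeding each answer through parse_port_mapping_entry(). Two things worth noticing: the control port is the router’s own choice, so blocking a fixed list of "UPnP ports" at the router is a weaker control than switching IGD off; and because the request carries no credential, anything on your LAN that can speak HTTP, a camera, a console or a piece of malware, can open the same hole.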
Fancy using the free Sophos UTM Home Edition?
You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.
Yes, it helps you keep outsiders where they belong, on the outside!
(Note: registration required.)
Image of security camera courtesy of Shutterstock.
11 comments on “What if your security camera were an insecurity camera?”
"…you almost certainly don't want UPnP enabled on your router by default."
How does a Senior Technophobe check his Router and disable UPnP?
Or should I stop reading nakedsecurity 'cause I'm just too dumb to get it?
Errrrrrrrr….I was hoping you wouldn't ask that 🙂 Problem is that routers vary in their features and their configuration interface by vendor, model, year of release, phase of moon, level of cosmic radiation. (I exaggerate for effect, but you get my drift.)
I'm afraid I can't suggest much more than to try any or all of the following:
* Pore through the router manual. (Try getting a PDF version so you can search it easily.)
* Ask around on online forums, e.g. whirlpool.net.au.
* Click your way through the menus on your router and look for an option to control UPnP. (This can mean a lot of down-look-up-across-down etc.)
* Ask someone you know and trust for help.
If you can't find a UPnP configuration option in your router, you probably won't know whether it's not implemented (and therefore implicitly off), or turned on and just left on.
I think, as well or instead, that if you add port-blocking rules to your router to drop traffic to and from the following ports…
UDP port 1900
TCP port 2869
…you will inhibit UPnP working through your router.
Apologies for the rather nebulous and still-rather-techie answer. Please don't stop reading Naked Security…keep asking questions like this one!
PS. Can any other readers help BobPro or comment on the accuracy of my suggestions?
First of all, sorry for not replying sooner. I did not realize this blog post concerned UPnP until I opened it and read it.
Paul is right: checking the manual of your router is the best way to check if it has UPnP functionality. He is also right about performing a search within that manual (most likely a PDF file) for the word UPnP and seeing what you find. If the manual is available as a .chm Help file or other format you should be able to search that too.
For any matches you get on UPnP, look on the same page as that match for any information about how to configure it. My router’s manual explains what options you have with UPnP and even suggested disabling it if you don’t use it since it could be a security risk (helpful advice I thought). For me disabling UPnP simply consisted of un-ticking 3 checkboxes in the router’s administration interface and clicking Apply.
I found UPnP under Advanced Setup->UPnP. This was visible immediately upon logging into the router.
My router, a ZyXel Prestige P-660HW-61 does have UPnP functionality but I had already disabled it last year when I read about the capabilities of UPnP. Previously it was enabled by default.
My router is very old by today’s standards and I hope to replace it by the end of this year. I am considering a draft 802.11ac router.
To be on the safe side, I have also configured the router’s firewall to block all data on port 1900 (UDP) and port 2869 (TCP) within my LAN. UPnP was already blocked by the firewall if access is attempted from outside the LAN (i.e. from the internet).
This is the easiest way to protect your network and devices from the risks of UPnP since all data has to travel through your router and if the router blocks those UPnP ports you are protected.
By the way, I ran the Rapid7 UPnP threat assessment tool in a test VM which just happened to have Java Version 7 Update 11 installed (it is disabled in the browser and I only use it to run local Java apps in this VM). I say this since I didn’t realize this tool required Java. I quit the tool when it asked me for all of my personal details to register the program in order to run it.
This tool is available from the following link:
The US-CERT (part of the Department of Homeland Security) published its recommendations for UPnP in the following Vulnerability note:
I have also opted for an even more defense-in-depth strategy. It involves disabling some Windows services, which I detail in my comment below.
I hope the above information is of assistance to you. If I can be of further assistance, please let me know.
I chose to disable the following 2 Windows services since I would rather not have any program on my PCs using UPnP without my knowledge. Yes my router will block it, but it shouldn’t be happening in the first instance.
Also, if your PC accesses the internet using another method, i.e. other than your router (e.g. a USB 3G dongle or equivalent device), or you are using a public WiFi hotspot, you would not want your PC’s UPnP capability being available for malicious reasons. This is especially important for laptops and tablet PCs.
Finally, I also suggest this approach since I prefer not to rely on any one method to keep me safe from harm. If you can use a second or even a third defensive measure too, it’s a good thing. Call me paranoid if you wish!
The services we will disable are the SSDP Discovery service and the UPnP Device Host service.
For instructions on how to disable a service, please see the following links. These links/steps are not specific to these services but they provide the general steps on how to achieve it.
For Windows XP:
For Windows Vista and Windows 7:
For Windows 8:
If you ever need to use UPnP you can easily return the services to their default settings.
Such default settings can be found from the following link:
To be extra thorough, I also added rules to the firewall on my PC to block ports 1900 and 2869. This would only be necessary if some program on your PC uses UPnP but does not make use of the default Windows services for UPnP.
I am not using the Windows Firewall but here are instructions for how to do this for Windows Vista, Windows 7 and Windows 8:
For Windows Vista:
To access the Security Center of Windows Vista, please follow these steps (depending on your Control Panel icon settings):
Go to Start->Control Panel->System and Security->Security Center
Go to Start->Control Panel->Security Center.
Beside the firewall heading, there should be an arrow pointing downwards. Click this to expand the information on the firewall. If it says Windows Firewall, you are using the built-in firewall of Windows; please refer to the article below (it is for Windows 7, but the steps are the same for Vista) on how to block ports using the Windows Vista firewall, not forgetting to create an outbound rule as well as the inbound rule discussed in that article.
If you see another named firewall showing here, again you will know that you are using a 3rd party firewall and you should consult their website on how to block a port or contact their technical support team.
For additional information on the Windows Vista firewall which you may wish to consult, please see the following link:
For Windows 7:
To access the firewall of Windows 7, please follow these steps (depending on your Control Panel icon settings):
Go to Start->Control Panel->System and Security->Windows Firewall
Go to Start->Control Panel-> Windows Firewall
If you see a yellow message stating that “the (firewall) settings are being managed by vendor application (vendor name)”, again you will know that you are using a 3rd party firewall and you should consult their website on how to block a port or contact their technical support team.
If you don’t see this yellow message, please refer to the article below on how to block ports using the Windows 7 firewall, not forgetting to create an outbound rule as well as the inbound rule discussed in that article.
For Windows 8:
Press the Windows key (to access the Start screen of Windows 8).
Type “firewall” without the quotes, then left click the Settings tab below the search box on right hand side of the screen or press Windows Key + W. An icon for the Windows Firewall should appear on the left side of the screen.
Left click this Windows Firewall icon.
Please follow the steps from the above article for Windows Vista and Windows 7 to complete the process for blocking the ports for Windows 8. Please do not forget to create an outbound rule as well as the inbound rule discussed in that article.
For Windows Vista, Windows 7 and Windows 8, please follow the steps in the article above to block ports of the Windows firewall. Note that you will be blocking ports 1900 and 2869 which are used for UPnP connections.
You are blocking the UDP protocol on port 1900 and TCP on 2869.
I also chose to block TCP traffic on port 1900 and UDP traffic on port 2869. Again, probably not necessary but I have seen malware embedding data in HTTP GET requests as well as sending DNS requests on ports other than the default port of 53. So ports do get used in ways not intended.
DO NOT BLOCK port 53, I am using it as an example here only.
The Windows XP built-in firewall cannot block ports that you specify, although you can un-check the UPnP protocol from the Exceptions list of the Windows Firewall. For more information, please see the following link:
I realize that the above instructions can be daunting; if you require any assistance, please reply to this comment and I will do my best to assist, or please ask someone you know and trust for help.
I hope the above information is of assistance to you.
Thanks for another great article, Duck!
I just checked the UPnP setting on my NetGear router, and it's off by default. Are there actually routers that enable UPnP by default? If so, that's kinda scary.
Actually, I'm not sure. Where I wrote, "For this reason, you almost certainly don't want UPnP enabled on your router by default," I really mean "enabled as a matter of course" (whether it was turned on when you got the router or you turned it on yourself).
I have made it a bit clearer by changing it to say simply, "For this reason, you almost certainly don't want UPnP enabled on your router."
(Thanks for spotting this!)
There are a few that are enabled by default; however, there are lots which have UPnP turned on by kids (and adults) to get Xbox Live and other online gaming services working correctly.
My Linksys E1200 was enabled by default. That has now been changed. Thanks for the info.
google: cisco routers backdoors
You’ll enjoy it, I promise.
I think it is no rocket science to have CCTV/IP Camera-based surveillance of each local government headquarter in a state.