this post was submitted on 18 Dec 2023
480 points (97.4% liked)

[–] EvergreenGuru@lemmy.world 192 points 11 months ago (3 children)

This is why you shouldn’t use cloud services for personal security, because the cloud is just someone else’s computer.

[–] deweydecibel@lemmy.world 58 points 11 months ago* (last edited 11 months ago)

Also, quit putting unnecessary, Internet connected cameras indoors.

I seriously cannot fathom the amount of people that seem to want to put cameras up in their own bedrooms and just let them stream video constantly.

It has nothing to do with any serious home security, and everything to do with mindless consumerism. Hopefully it's a trend that will pass.

[–] w2tpmf@lemmy.world -5 points 11 months ago (8 children)

In general, cloud services have far better security than DIY systems. All of the hacked systems in this article are home based systems.

[–] bruhduh@lemmy.world 31 points 11 months ago (3 children)

You can't connect to a home system that is never connected to the internet. Basically, make a home server, hook up cameras, and don't ever connect that to the internet.

[–] deweydecibel@lemmy.world 6 points 11 months ago* (last edited 11 months ago)

The problem is cameras like these, the kind that people are putting up inside their own homes, facing their living spaces, their own damn bedrooms, they're sold to people that have this desire to be able to check in with those cameras remotely at any time, without a good reason.

The only reason my mother seems to have crap like this set up is so she can see the dogs when she's not home. They're just sleeping.

Internet connected, living space directed cameras are this bizarre consumer electronics trend that has no legitimate use case for like 90% of the people that rush to use it. Certainly not one that merits the security risks and the privacy invasion that they are inviting on themselves.

[–] 520@kbin.social 3 points 11 months ago* (last edited 11 months ago) (4 children)

Bro, if I find any ingress point onto your network, I can connect to your networked cams.

Little brother downloads a Trojanised pirate copy of a game? I can connect to your cams via your lil bro's computer.

Not patched your stuff and there was a drive-by-download and RCE exploit? I can do it through your computer.

Your firewalls are important but they aren't impenetrable.

[–] asbestos@lemmy.world 20 points 11 months ago (1 children)

Yeah, but you’d pretty much need to target the person so these blanket hacks where a bunch of cameras are exposed aren’t really possible

[–] Hyperreality@kbin.social 9 points 11 months ago (1 children)

Separate network that's physically not connected to a network which connects to the internet or cameras with local storage.

You can't hack into the wildlife camera in my back garden. It doesn't even have wifi, just an SD card.

Of course, that's less useful if you want to check up on your house when you're away.

[–] bruhduh@lemmy.world 10 points 11 months ago

That's what I've been trying to say, thank you for backing me up

[–] jackoneill@lemmy.world 7 points 11 months ago (1 children)
[–] 520@kbin.social 3 points 11 months ago (1 children)
  1. not a common feature of home networks

  2. If the compromised machine has access to both vlans, you're still fucked

[–] jackoneill@lemmy.world 2 points 11 months ago (1 children)

It’s a feature on mine

That’s why my security has multiple layers

[–] 520@kbin.social 1 points 11 months ago* (last edited 11 months ago)

It isn't a common feature on ISP provided routers, which is what most people use. Some ISPs (example: my own) even make it exceptionally difficult to use other routers. I had to install OpenWRT on my retail router to get it, and getting that working was such a pain.

[–] lemann@lemmy.one 1 points 11 months ago

It kinda depends on the setup I think, especially when vlans and firewalls are involved, you'd likely need additional payloads to make further progress in that kind of environment IMO. Something granting persistent remote access to the compromised machine would be the most ideal option.

As always physical access is pretty much game over though lol.

My cams are only accessible via an authenticated endpoint hosted on a dedicated machine, which acts as a "bridge" between the VLAN that the cameras are on (no internet access), and another VLAN hosting internal services, like home assistant, plex etc.

Aside from physical access, the only way to access the cams (that I can think of) would be via some exploit in Home Assistant, or by brute forcing the password to (any of) my network switches to access the management VLAN, changing the VLAN the cameras are set on to something else (bypassing the routing, firewall setup, and auth "bridge" entirely). Or maybe just exploiting the bridge machine directly and dropping a payload to forward the cams out to the net via the services VLAN

With physical access, you could chop up the PoE for an external camera and use that as an ingress point - but you'd only have access to the cameras and the bridge machine unless you exploited that too. At this point the zabbix client on the bridge machine would have notified me that a camera's dropped off the network, unless you dropped a payload to force it to return a good status lol

Does sound like a very fun exercise though tbh
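The segmentation argued over in this part of the thread (a camera VLAN with no internet access, a bridge host between VLANs, and the objection that a machine sitting on both VLANs undoes the separation) can be checked mechanically. The following is an added example, not code from any commenter: the zone names, host names and firewall rules are constructed assumptions.

```python
from collections import deque

# Constructed sample topology modelled on the setup described in the thread.
# Zone names, host names and rules are illustrative assumptions.
ALLOW = {            # inter-VLAN rules: (zone that may open connections, destination zone)
    ("lan", "wan"),
    ("services", "wan"),
    ("lan", "services"),
}
HOSTS = {            # host -> VLANs it has an interface on
    "bridge": {"cameras", "services"},   # authenticated camera endpoint
    "nvr-cam-1": {"cameras"},
    "home-assistant": {"services"},
    "laptop": {"lan"},
}

def edges(allow, hosts):
    """Yield (src, dst, via): firewall rules plus multi-homed hosts as pivots."""
    for src, dst in allow:
        yield src, dst, "firewall rule"
    for name, zones in hosts.items():
        for a in zones:
            for b in zones - {a}:
                yield a, b, f"host {name}"

def path_to(allow, hosts, start, target):
    """Shortest chain of hops from start zone to target zone, or None."""
    graph = {}
    for src, dst, via in sorted(edges(allow, hosts)):
        graph.setdefault(src, []).append((dst, via))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for nxt, via in graph.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(zone, nxt, via)]))
    return None

def audit(allow, hosts, protected="cameras", untrusted="wan"):
    """Report egress from the protected VLAN and every zone that can reach it."""
    zones = {z for rule in allow for z in rule} | set().union(*hosts.values())
    return {
        "egress": path_to(allow, hosts, protected, untrusted),
        "inbound": {z: p for z in sorted(zones - {protected})
                    if (p := path_to(allow, hosts, z, protected))},
    }
```

Every hop labelled `host ...` in the result is a machine whose patching and authentication the isolation depends on; a firewall rule set with no camera-to-WAN entry does not by itself mean the camera VLAN has no way out.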

[–] w2tpmf@lemmy.world 3 points 11 months ago (1 children)

Half the reason to own a security camera system is so you can monitor it while away. Can't do that if the system isn't online.

[–] aniki@lemm.ee 5 points 11 months ago (1 children)

Online or cloud-accessed? Those are two separate things.

[–] DarkDarkHouse@lemmy.sdf.org 1 points 11 months ago* (last edited 11 months ago)

It’s going to be cloud accessed. People who install these to check on whether Mittens is sleeping aren’t setting up a domain or remembering an IP.

[–] WhatAmLemmy@lemmy.world 29 points 11 months ago* (last edited 11 months ago)

> In general, cloud services have far better security than DIY systems.

Where are you pulling this from? These aren't "DIY". DIY is when you roll your own remote network access (e.g. VPN, DDNS, port forwarding, etc) or FOSS software/hardware. I'd trust most DIY systems more than any cloud provider, because most DIY systems would be LAN only or VPN accessible. The QR code authentication mentioned in the article sounds like these are generic IP security cameras of stock firmware, that utilize a cloud server to enable remote viewing over the internet. Even reputable cloud services use the same method to connect or set up individual cams to their cloud.

> All of the hacked systems in this article are home based systems.

That doesn't mean the exploits used are of no fault of the user — from the vendor's authentication implementation, software, or hardware.

[–] deweydecibel@lemmy.world 12 points 11 months ago (1 children)

Maybe, but the difference is a lot more people are going to be looking to target the cloud provider than your home network. To say nothing of the fact that your videos on the cloud are subject to the terms and services that you agree to and those terms can be changed at any time. And also the fact that you can't guarantee that the stuff you delete off of that server is actually being deleted.

[–] w2tpmf@lemmy.world 1 points 11 months ago

> a lot more people are going to be looking to target the cloud provider than your home network.

I can show you logs with tens of thousands of hits from all IPs all over the globe trying to gain access to a single NVR that has a port open on the WAN side of a network.

Besides email servers or FTP servers, cameras are the next highest target for attacks. The minute they go online they become a flaming red beacon for hackers.

[–] fmstrat@lemmy.nowsci.com 10 points 11 months ago (1 children)

Blatantly false. Nowhere in the article does it say this.

[–] skankhunt42@lemmy.ca 4 points 11 months ago

I'd almost say your exposure is bigger in the cloud. WAY more software involved, it's a shared environment, and someone else's computer.... In addition, it's complex to properly set up. People often leave it alone once they get it working, no security test or checks.

Even IF it was because it was hosted at home, I blame the companies who build this shit. Market to end users, "super easy to use!!" But no security by default? Nuts.

Enable auto updates, randomly generated admin password (no defaults like 123456), and support for more than 3 years will go a LONG way for the average consumer.

[–] aniki@lemm.ee 6 points 11 months ago

You have a source for that?

[–] Adalast@lemmy.world 5 points 11 months ago (1 children)

Ok... But cloud services are centralized and have a lot more content to obtain, so that fundamentally makes them a more valuable target. This alone adds a level of relational security to maintaining a home backup of the information. Unless someone happens upon your home network and decides to hack it, or you download a file that sends up a flare, nobody is going to seek it out unless they know you have something specific they want.

[–] w2tpmf@lemmy.world 1 points 11 months ago* (last edited 11 months ago) (1 children)

> Unless someone happens upon your home networ....

If you have an IP camera system exposed to the outside, they will "happen upon you" within the hour.

It's one of the top things searched for in wide net port scans.

But unlike those cloud services, your home network likely doesn't have enterprise level threat detection to alert you to it, or a team of network engineers to try to guard against it.

[–] Adalast@lemmy.world 1 points 11 months ago

Why the fuck are you broadcasting a beacon to come hack your network? Of course they are going to find it if you light it up like a Christmas tree with a giant neon sign. I said you set up your cameras to record locally. Only an idiot would set up a camera system with an unsecured exposed port. Hell, set up anything with an unsecured exposed port for that matter. Especially one that is an always broadcasting system. It doesn't even matter if you use a cloud provider at that point. All they have to do is hack a network hop near your home and install a man in the middle and they don't have to bother hacking a server farm to get your videos.