Comment

Comment on Thousands of private camera footages from bedrooms hacked, sold online - VnExpress International

In general, cloud services have far better security than DIY systems. All of the hacked systems in this article are home based systems.

source

Sort:hotnew top

guitarsarereal@sh.itjust.works ⁨9⁩ ⁨months⁩ ago

All of the hacked systems in this article are home based systems.

[citation needed] because that’s not in the article. According to the article, attackers used automated scanning software, which strongly implies they brute-forced cameras connected to the Internet with default or weak credentials. That has nothing to do with whether or not the service is based in the cloud.

In general, cloud services have far better security than DIY systems

As a matter of fact, it’s known that the leading cloud-based surveillance system, Ring, has been subject to employee abuse and user accounts have been widely compromised via credential stuffing. In fact, Amazon is currently facing a proposed order from the FTC over the fact that they allowed abuse by employees and more or less knew for years that their lax security practices were placing their customers in danger.

Cloud based security only gets better when regulators force cloud providers to improve security, after cloud providers allow hackers to harm thousands to millions of customers.

I’m just gonna say it again: the cloud is just someone else’s computer.

source
- GamingChairModel@lemmy.world ⁨9⁩ ⁨months⁩ ago
  
  According to the article, attackers used automated scanning software, which strongly implies they brute-forced cameras connected to the Internet with default or weak credentials. That has nothing to do with whether or not the service is based in the cloud.
  
  This is a known problem with popular brands of security cameras sold in Vietnam, that the default configuration has an admin password of “admin” or “12345” accessible from the public Internet. They’re basically sold insecure, and rely on customers to consciously adopt a custom configuration to be secure.
  
  Although, in order to be publicly accessible, one would imagine that they’ve had to configure their firewall to let outside signals to the devices themselves.
  
  Either way, it doesn’t have anything to do with the cloud, and the parent comment is basically right about that.
  
  source
  - WhatAmLemmy@lemmy.world ⁨9⁩ ⁨months⁩ ago
    
    Although, in order to be publicly accessible, one would imagine that they’ve had to configure …
    
    I’m guessing there are providers in Vietnam offering remote access accounts and apps, the same as 90% of IP security cameras on AliExpress, Amazon, eBay etc. Most of the zero config ones are authenticated with a cloud server 24/7 to enable remote viewing. This being Vietnam specific leads me to believe that the “hackers” are actually a domestic crime org selling compromised hardware; could be as simple as opening the box and obtaining device information (like the serial, MAC, or QR code) before shipping the product.
    
    source
- MonkderZweite@feddit.ch ⁨9⁩ ⁨months⁩ ago
  
  In general, cloud services have far better security than DIY systems
  
  Even if it were so; less money to be made than from a company, so less interest and investition to hack it.
  
  source
WhatAmLemmy@lemmy.world ⁨9⁩ ⁨months⁩ ago

In general, cloud services have far better security than DIY systems.

Where are you pulling this from? These aren’t “DIY”. DIY is when you roll your own remote network access (e.g. VPN, DDNS, port forwarding, etc) or FOSS software/hardware. The QR code authentication mentioned in the article sounds like these are generic IP security cameras of stock firmware that utilize a cloud server to enable remote viewing over the internet. Even reputable cloud services use the same method to connect or setup individual cams.

All of the hacked systems in this article are home based systems.

That doesn’t mean the exploits used are of no fault of the user — from the vendors authentication implementation, software, or hardware.

source
bruhduh@lemmy.world ⁨9⁩ ⁨months⁩ ago
You can’t connect home system that is never connected to internet, basically make home server and hook up cameras and don’t ever connect that to internet

source
- 520@kbin.social ⁨9⁩ ⁨months⁩ ago
  Bro, if I find any ingress point onto your network, I can connect to your cams.
  
  Little brother downloads a Trojanised pirate copy of a game? I can connect to your cams via your lil bro's computer.
  
  Not patched your stuff and there was a drive-by-download and RCE exploit? I can do it through your computer.
  
  Your firewalls are important but they aren't impenetrable.
  
  source
  - asbestos@lemmy.world ⁨9⁩ ⁨months⁩ ago
    Yeah, but you’d pretty much need to target the person so these blanket hacks where a bunch of cameras are exposed aren’t really possible
    
    source
    520@kbin.social ⁨9⁩ ⁨months⁩ ago
    No I don't. Like the first example above I can simply trojanise an executable, and release it to the public.
    
    Once I'm on your network, the first thing I'm going to do is see what I'm working with. That means a network and system info sweep. If I'm efficient, I already have a script to do this.
    
    That sweep will reveal the presence of the camera. I might be interested in extortion material or I can sell this to a criminal gang, if I can get it open. I already have the camera's MAC address, so finding the make and model isn't too hard.
    
    Then I might browse to it, see what system software it is running. Then I would try default usernames and passwords (people don't always change them) and see if there are any usable exploits on the software.
    
    If I come across a certain camera type with certain vulnerabilities a lot, making a script to autofuck these cameras is child's play.
    
    source
    -> View More Comments
  - Hyperreality@kbin.social ⁨9⁩ ⁨months⁩ ago
    Seperate network that's physically not connected to a network which connects to the internet or cameras with local storage.
    
    You can't hack into the wildlife camera in my backgarden. It doesn't even have wifi, just an SD card.
    
    Of course, that's less useful if you want to check up on your house when you're away.
    
    source
    bruhduh@lemmy.world ⁨9⁩ ⁨months⁩ ago
    That’s what I’ve been trying to say, thank you for backing me up
    
    source
  - jackoneill@lemmy.world ⁨9⁩ ⁨months⁩ ago
    Vlans
    
    source
    520@kbin.social ⁨9⁩ ⁨months⁩ ago
    
    not a common feature of home networks
    
    If the compromised machine has access to both vlans, you're still fucked
    
    source
    -> View More Comments
  - lemann@lemmy.one ⁨9⁩ ⁨months⁩ ago
    It kinda depends on the setup I think, especially when vlans and firewalls are involved, you’d likely need additional payloads to make further progress in that kind of environment IMO. Something granting persistent remote access to the compromised machine would be the most ideal option.
    
    As always physical access is pretty much game over though lol.
    
    My cams are only accessible via an authenticated endpoint hosted on a dedicated machine, which acts as a “bridge” between the VLAN that the cameras are on (no internet access), and another VLAN hosting internal services, like home assistant, plex etc.
    
    Aside from physical access, the only way to access the cams (that I can think of) would be via some exploit in Home Assistant, or by brute forcing the password to (any of) my network switches to access the management VLAN, changing the VLAN the cameras are set on to something else (bypassing the routing, firewall setup, and auth “bridge” entirely). Or maybe just exploiting the bridge machine directly and dropping a payload to forward the cams out to the net via the services VLAN
    
    With physical access, you could chop up the PoE for an external camera and using that as an ingress point - but you’d only have access to the cameras and the bridge machine unless you exploited that too. At this point the zabbix client on the bridge machine would have notified me that a camera’s dropped off the network, unless you dropped a payload to force it to return a good status lol
    
    Does sound like a very fun exercise though tbh
    
    source
- w2tpmf@lemmy.world ⁨9⁩ ⁨months⁩ ago
  Half the reason to own a security camera system is so you can monitor it while away. Can’t do that if the system isn’t online.
  
  source
  - aniki@lemm.ee ⁨9⁩ ⁨months⁩ ago
    Online or cloud-accessed? Those are two separate things.
    
    source
    DarkDarkHouse@lemmy.sdf.org ⁨9⁩ ⁨months⁩ ago
    It’s going to be cloud accessed. People who install these to check on whether Mittens is sleeping attend setting up a domain or remembering an IP.
    
    source
- deweydecibel@lemmy.world ⁨9⁩ ⁨months⁩ ago
  The problem is cameras like these, the kind that people are putting up inside their own homes, facing their living spaces, their own damn bedrooms, they’re sold to people that have this bizarre desire to be able to check in with those cameras remotely at any time.
  
  Legitimately, the only reason my mother seems to have crap like this set up in her home is so she can see the dogs.
  
  Internet connected living space directed cameras are this bizarre consumer electronics trend that has no legitimate use case for like 90% of the people that rush to use it. Certainly not one that merits the security risks and the privacy invasion that they are inviting on themselves.
  
  source
deweydecibel@lemmy.world ⁨9⁩ ⁨months⁩ ago
Maybe, but the difference is a lot more people are going to be looking to target the cloud provider than your home network. To say nothing of the fact that your videos on the cloud are subject to the terms and services that you agree to and those terms can be changed at any time. And also the fact that you can’t guarantee that the stuff you delete off of that server is actually being deleted.

source
- w2tpmf@lemmy.world ⁨9⁩ ⁨months⁩ ago
  
  a lot more people are going to be looking to target the cloud provider than your home network.
  
  I can show you logs with tens of thousands of hits from all IPs all over the globe trying to gain access to a single NVR that has a port open on the WAN side of a network.
  
  Besides email servers or FTP servers, cameras are the next highest thing target for attacks. The minute they go online they become a flaming red beacon for hackers.
  
  source
fmstrat@lemmy.nowsci.com ⁨9⁩ ⁨months⁩ ago
Blatantly false. Nowhere in the article does it say this.

source
- skankhunt42@lemmy.ca ⁨9⁩ ⁨months⁩ ago
  I’d almost say your exposure is bigger in the cloud. WAY more software involved, it’s shared environment, and someone elses computer… In addition, it’s complex to properly setup. People often leave it alone once they get it working, no security test or checks.
  
  Even IF it was because it was hosted at home, I blame the companies who build this shit. Market to end users, “super easy to use!!” But no security by default? Nuts.
  
  Enable auto updates, randomly generated admin password (no defaults like 123456), and support for more then 3 years will go a LONG way for the average consumer.
  
  source
aniki@lemm.ee ⁨9⁩ ⁨months⁩ ago
You have a source for that?

source