Jump to content
Security Installer Community

Recommended Posts

Posted

Risks are unsecure devices rather than the act of port forwarding.

 

The equipment would need to adapted by having random default passwords for example.

 

I recall a blog on this very topic by Joe a while back.

Posted

Port forward should be the last resort with customers warned about the vulnerability.  Just because something is password protected, doesn't mean there's some other vulnerability available through the forwarded port. 

 

Installers are adding IP enabled devices in customers premises without having any idea of how secure the device and its internal protocols are.

 

VPN should be the preferred connection method, with the firmware in the VPN device being regularly updated to ensure that any vulnerabilities have been addressed.

Posted

Port forward should be the last resort with customers warned about the vulnerability.  Just because something is password protected, doesn't mean there's some other vulnerability available through the forwarded port. 

 

Installers are adding IP enabled devices in customers premises without having any idea of how secure the device and its internal protocols are.

 

VPN should be the preferred connection method, with the firmware in the VPN device being regularly updated to ensure that any vulnerabilities have been addressed.

 

VPN's also have vulnerabilities as you say. Ports are there for hosting applications.

In the future v6 will probably replace the need for NAT anyway.

 

I do agree devices aren't open enough to know about any vulnerabilities.

When they sell there kit there not interested in patching like the rest of the IT world, they move on.

 

I think more needs to be done from the manufacturers end.

 

Here's that blog

Posted

Yes, look at the recent-ish DiskStation episode - this was an exploit enabled simply by PF and nothing to do with weak passwords, and this wasn't exactly a poorly conceived back-street Chinese device.

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

Posted (edited)

There are tools that allow even strong passwords to be broken, because the default usernames are used so the number of combinations has become significantly less.

 

I have a vpn capable router but don't know enough on how to set one up properly and in the middle of doing some long tern tests I don't want to f'up by trying but it certainly something to think about.

 

Although I have read there are different VPN's and not all of them are100% secure either, so what vpn model do I setup and how?, and how do I utilise that for access to an app for a panel or camera?

Edited by secureiam
Posted

Not easily, needs vpn clients on the devices etc. Talk talk didn't do it right, imagine if it was a dvr installed by 'insert name' at an employees home....

A security providers kit being the weakness used would be an issue to the provider.

I've said before tsi gets hundreds of attempts a day, but its patched, dynamic IP provides some protection but then ddns is used undoing some of that protection. I wonder how long till its in the news that a security system, not patched for over 5 yrs etc, is used as the attack point?

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

Posted (edited)

Depends on your router or VPN gateway secureiam.  Something based around open source will likely be updated quickly when any issues are discovered.  If you're using one entry point, then it's easier to focus efforts to keep it up to date. Much easier to do that than to rely on very small teams of security equipment designers to find vulnerabilities and release fixes.  My personal experience of reporting such a vulnerability to one vendor of a 'third party approved' device, was that they just didn't want to know. :(

 

When your phone connects via VPN a secure tunnel is created into the private network and all apps/IP based programs behave as they would in the private network. All traffic between your external location and your VPN device is secure, so it doesn't matter anymore that your app traffic is plain text.  The 'vulnerable' devices remain in the private network.

Edited by GalaxyGuy
Posted

Unless its a corporate network the CCTV is likely to be no greater risk than any of the other items already on the network.

Most of the CCTV I have enabled for remote access has low end routers, often using default passwords & dynamic IP's.

I'd normally change router password, port forward & use my DNS provider

On the DVR/ NVR I'd normally change default ports & default passwords.

I've found lots of open or default stuff on the net to play with, many of these items have been up for yrs in default set up!

I made a mistake & left a phone system not fully secured, within 24hrs it had been found & there where thousands of attempts to make sip connections to it, only non std extensions & passwords saved the day.

Mr th2.jpg Veritas God

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.