Tag: security camera

Reolink Argus security camera, First Look: Weather-proof and battery-powered

This versatile and reasonably-priced IP65-rated camera is suitable for small businesses as well as homes.

Reolink Argus security camera, First Take: Weather-proof and battery-powered

This versatile and reasonably-priced IP65-rated camera is suitable for small businesses as well as homes.

Eagle Eye Networks buys Panasonic’s cloud video surveillance service and Nubo...

Cloud-based video management specialist Eagle Eye Networks expands its global reach by acquiring Panasonic's video surveillance solution.

Dealmaster: Memorial Day deals like $350 off a Dell Inspiron 15...

Plus savings on dash cams, smart TVs, monitors, smart vacuums, and more.

Dealmaster: Get $10 when you sign up for a 30-day Amazon...

$10 in Amazon money for trying out its music platform! What a deal.

Dahua video kit left user credentials in plain sight

Bad code or backdoor? Whichever it was, patch it now

Chinese security camera/DVR company Dahua is pushing firmware patches after accusations by a security researcher that a swathe of its products carried a back door.…

25% off Kuna Smart Home Security Outdoor Light & Camera –...

Kuna is a smart home security camera in a stylish outdoor light that detects and allows you to interact with people outside your door. The security device includes HD live and recorded video, two-way intercom, alarm, smart motion detection alerts to your phone, and more. Easy 15 minute installation with no batteries to replace so you have continuous protection around the clock. Be protected at all times - Access HD live video with its 720P wide angle camera, communicate via its two way intercom from your mobile device, or activate its 100 dB alarm siren.
Smart light control lets you turn on or off your lights remotely, or program a schedule for when you're away. Access live video or review & download events for 2 hours free or up to 30-days on an optional subscription plan, starting as low as $4.99 per month.

This Kuna security light averages 4 out of 5 stars from over 600 people (read reviews), and its typical list price of $199 has been reduced 25% to $149.
See the discounted Kuna Smart Home Security Light and Camera on Amazon.

41% off Netgear Arlo Security System Wireless HD Camera, Indoor/Outdoor, Night...

The Arlo camera is a 100 Percent Wire-Free, completely wireless, HD smart home security camera – so you can get exactly the shot you need – inside or out.

The Arlo camera is weatherproof and includes motion detection, night vision, and apps.
It can capture clips and send you alerts whether you’re at home or away for round-the-clock peace of mind.  These motion activated cameras initiate automatic recording and alert you via email or app notifications.

Free apps enable remote monitoring from anywhere, and with the built-in night vision you’ll even see in the dark. This security camera currently averages 4 out of 5 stars on Amazon from almost 10,000 customers (read reviews) and its list price of $219.99 is currently discounted 41% to $129.99. This story, "41% off Netgear Arlo Security System Wireless HD Camera, Indoor/Outdoor, Night Vision - Deal Alert" was originally published by TechConnect.

UCam247 tells El Reg most of its cams aren’t vulnerable to...

IoT vendor in prompt, polite, sensible, security shocker

IoT security camera vendor UCam247 has contacted The Register to say most devices in the wild aren't vulnerable to the “single URL pwnage” vulnerability.

Yesterday, we reported that more than 30 cameras from seven vendors had shipped with a modified GoAhead Web server. Among other things, the modification introduced a simple-to-the-point-of-stupidity pre-authentication buffer overrun: a URL longer than 256 bytes is copied to a 256-character stack.

We contacted all the affected vendors, and to its credit, UCam247's managing director Paresh Morjaria has responded. We provide his full response below:

Thanks for making us aware of the potential bug in the firmware used in both our IP cameras and those of many other brands that sell in the UK. Our firmware engineers have advised that in their testing the potential exploit is not an issue in firmware version 6.10 and above and should not be an issue. The vast majority of our customers are now using v6.14 and later but those that are still running firmware older than 6.10 will be contacted to advise them to update the firmware asap. That said, we have asked our engineers to continue testing this and other related work around exploits that 'may' exist just to ensure the bug is patched for as necessary and fully.

A new firmware is due to be released within the next couple of weeks containing some additional functional updates and any new fixes for this exploit will be rolled out in that as a matter of course.

Regards
Paresh Morjaria
MD, UCam247

And from El Reg, thanks Paresh for keeping an eye on the inbox. ®

Surveillance camera compromised in 98 seconds

All your cameras are belong to Mirai

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network. According to Graham's series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds.

Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras. After the first stage of Mirai loads, "it then connects out to download the full virus," Graham said in a Twitter post. "Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims."

Graham said the defense recommended by the Christian Science Monitor – changing the default password of devices before connecting them to the Internet – doesn't help because his Mirai-infected camera has a telnet password that cannot be changed. "The correct mitigation is 'put these devices behind your firewall'," Graham said. ®

No, you still don't need an RFID-blocking wallet

Back in January, I wrote one of my most popular posts ever: “Why you don’t need an RFID-blocking wallet.” As the title suggests, I argued that it’s a waste of money to buy a wallet with special shielding to protect your chipped credit card from RFID scanners wielded by street criminals seeking to snatch your credit card number.

Since then, in true internet tradition, I’ve been called an idiot by dozens of people and received emails from RFID vendors saying I’m a disgrace—the latter begging me to tell people they also need a Faraday bag for their cellphones. (Tip: If you don’t want anyone tracking you via GPS, turn off your cellphone’s GPS feature.) I’ve also been emailed by people who are 100 percent sure, without any real evidence, that they were the victims of RFID-scanning criminals.

Part of the confusion stems from the fact that many, if not most, people now have chip-and-pin cards—you can see the shiny chip right on the card, which you stick into a card reader (instead of sliding the card through). People assume chip-and-pin cards are vulnerable to scanning, but they’re not. RFID cards are contactless—and very likely you don’t have one.

Still waiting

Every story about the risks of RFID scanners features a white hat hacker showing it can be done, but not a shred of evidence has emerged that bad guys are sitting on popular corners wirelessly stealing credit card numbers. I still haven’t heard of a single case of real-life RFID scanning criminality. Even the wallet vendors’ websites have no verifiable links or testimonies from actual victims. To be honest, at this point, I’m surprised an RFID-protection vendor hasn’t paid a criminal to get caught, so they could point to a real-life story.

Plenty of “believers” have told me it’s obvious why the real RFID scanning criminals haven’t been caught yet—it’s a wireless crime. In their world, it’s impossible to catch wireless criminals.
Never mind that we’ve been successfully tracking criminals wirelessly and prosecuting them for decades. If there were a huge contingent of RFID criminals, we would eventually catch some, and it would be such big news that it would spread like wildfire across the internet. If someone stole a credit card number using an RFID scanner, created a counterfeit card, and got busted, as part of the plea agreement the accused would reveal exactly how the crime had been committed. This plea would have details about the scanner, the victims, and how much money had been stolen. That’s how our justice system works. Where are those stories?

Even the popular debunking website Snopes.com has commented on RFID crime, giving it a “Mixture” truth rating. Why “Mixture”? Because it can’t find any real evidence RFID theft is occurring, although it debunks at least one news source that claimed to show a real RFID criminal.

Make no mistake—criminals who want to make money know about this supposedly easy crime. Hacker researchers have been writing about the risks since RFID-enabled items first came out. Here’s an article from industry luminary Bruce Schneier from 2006.

Not cost efficient

Given all this, you might be surprised to learn I think that RFID-scanning criminals do exist. There are nearly 100 videos on the internet from all over the world showing good guy hackers demonstrating how it can be done. It’s a potential risk. But because the real-life occurrence is so rare, it’s a small risk. Why? Because it’s not cost-efficient.

Real-life criminals steal credit card numbers all the time, but they don’t sit on corners for hours hoping to catch a few dozen card numbers. They steal hundreds of thousands of cards and resell them for cheap to anyone who wants to buy them.
In 10 minutes, any criminal with enough smarts to even know what RFID scanning is can spend $100 to buy 1,000 credit card numbers off the internet from any number of illegal dealers, with far less risk of being captured on a security camera.

Focus on real threats

I have no problem with someone buying an RFID-protecting wallet or a Faraday bag for a cellphone or car keys. We all make our own risk and buying decisions on a daily basis. I’m just saying that for most people it doesn’t make much sense.

We’re each hit by a myriad of risks every day. In the computer world alone, we get introduced to somewhere around 13 to 16 new individual security vulnerabilities every day, year after year. They never stop coming. A prudent person looks at the various risks, weighs the likelihood and potential damage of each of them against the other, and picks those to spend time and money on.

I use the example of people who visit me in Key Largo: Almost all of my visitors worry about potential shark attacks when we go snorkeling and diving. Some are so terrified they won’t get in the water. I tell them there has never been a documented, unprovoked shark attack in the history of Key Largo (at least since the 1800s, if not earlier). The risk of shark attacks worldwide is something like one in 1 million (70 to 100 deaths among hundreds of millions of potential encounters). But the odds that those same people might be killed by driving their car to my house are about 1 in 12,300. As humans, we are terrible at ranking risks, even when told the true odds.

Where I was wrong

I have one update to the original post: I said most of the credit cards in the world don’t have RFID in them. That’s still true. But in some countries, like Canada and Poland, RFID-enabled credit cards are the norm. Even in those countries, I can’t find reports of real RFID-scanning criminals.
Of course, cases of RFID-scanning criminals caught by police may simply have not made it to the web yet—but you’d think that the dozens of vendors selling RFID-protecting wallets and purses would be linking to those stories like crazy. Guess what? They haven’t. Still, if I haven’t convinced you, go ahead and buy that RFID-protecting wallet. It’s your money and your risk decision. Me, I’ll wait until I hear that RFID crime is on the rise—or better yet, until I have an RFID-enabled credit card. Friends who have shown me their RFID wallets did so because their new credit cards came with a chip, which they assumed was RFID in nature. It wasn’t. They were carrying the regular, nonwireless, chip-and-pin cards.

Leaks password, check. Leaks Wi-Fi password, check. Can be spoofed, check....

Another crud home CCTV box

Here we have yet another example of an internet-facing home security camera that is about as secure as a chocolate padlock. The surveillance cam, examined by security firm Bitdefender, comes with motion and sound detectors, two-way audio, built-in lullabies to send children to sleep, temperature and humidity sensors and a microSD/SDHC card slot. You can stream video from it in real-time across the web, and it's supposed to be used as a baby monitor, remote-controllable home CCTV, and so on.

Its firmware does virtually nothing to protect it from miscreants around the world, we're told. When you switch it on, it creates its own unsecured Wi-Fi network so a management app running on a nearby smartphone can connect to it.

Then the app tells the camera how to connect to the home's wireless network so it can reach the internet. The home network's credentials are sent over the air from the app to the camera in plaintext, so anyone nearby snooping on the gadget's hotspot can get hold of the password to the home's private Wi-Fi. Next, when the app connects to the device directly over the internet – such as when the owner is out at work – the software uses basic HTTP authentication to log into the gadget, essentially exposing the plaintext username and password needed to access the device. The gizmo has a default username and password combination, although it can be changed by the owner.

Either way, it can be slurped by eavesdroppers or looked up from a manual, and used by anyone in the world to connect in and spy on victims.

Connections are allowed into the device from the outside world via UPnP.

The firmware and app also use Base64 to encode the traffic between themselves, which is trivial to decode. When the camera wishes to send an alert to the phone app, it contacts its backend servers using SSL and provides its hardware MAC address for authentication. However, the authentication checks are completely flawed.

This means anyone can ping the manufacturer's servers over HTTPS and provide the MAC address of a stranger's device to masquerade as that gizmo. You can potentially combine these security shortcomings to trigger a bogus alert to the phone app and capture the device's username and password login when the app tries to connect to the camera to see what the problem is, as Bitdefender explains:

Every time it starts and at regular intervals, the device sends a UDP message to the authentication server, containing device data, an ID number represented by the MAC address and a 36-character code. However, the cloud server does not verify the code, it trusts the device’s MAC address to perform the authentication. Consequently, an attacker can register a different device, with the same MAC address, to impersonate the genuine one. The server will communicate with the device that registered last, even if it’s rogue. So will the mobile app. This way, attackers can capture the webcam’s new password, if the user changes the default one.

To speed up the process and grab the password faster, an attacker can take advantage of the camera’s push notification feature. Users can opt to receive notifications on their smartphone, specifically video alerts, whenever the camera detects any suspicious sound or movement in their homes. When the user opens the app to view the alert, the app will authenticate on the device using Basic Access Authentication and, thus, send the new password unencrypted to the hacker-controlled webcam. Finally, attackers can enter the username, password and ID to get full control of the user’s webcam, through the mobile app.

Alexandru Balan, chief security researcher at Bitdefender, said that by changing the last six digits of the MAC address it is possible to brute-force access to other cameras, with a 9 or 10 per cent success rate, from anywhere in the world. "In a dark way, that's the fun of it," he said. "Most IoT attacks are proximity based – you have to be in range of the device itself. But here you can hijack the camera and view its stream even through a firewall and private IP address."

George Cabau, Bitdefender's antimalware researcher, explained: "Anyone can use the app [to access a camera] just as the user would. This means turning on audio, mic and speakers to communicate with children while parents aren't around or having undisturbed access to real-time footage from your kids' bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences."

Bitdefender is keeping quiet on the manufacturer's name until the issue is patched, but Balan said it was a well-known manufacturer with plenty of devices in circulation.

The vendor is working on a fix now. ®