Dutch Newspaper: poor security for public cameras. Specific Domoticz install also vulnerable!

Dynamic
Posts: 213
Joined: Friday 12 July 2013 14:50
Target OS: -
Domoticz version:
Location: Enschede

Post by Dynamic » Saturday 09 September 2017 8:31

I was watching a repo made by a Dutch website. In the end, they show a Domoticz installation which they can control without username/password.

Warning for all Domoticz-users: please check your security!

For the developers: maybe it’s good to make Domoticz by default only available with username/password with the need to change it after first login?

Repo: http://www.tubantia.nl/enschede/hele-we ... ~a7e583e6/

snuiter
Posts: 34
Joined: Saturday 17 June 2017 12:30
Target OS: Raspberry Pi
Domoticz version: beta

Post by snuiter » Saturday 09 September 2017 10:01

I must say I don't understand why I am still surprised this happens. The webcam is not so interesting, but the fact that you can control someone's home so easily, that is serious. Looking at my own experience and setup: you start with one device, very quickly it expands, and you don't review whether the security is good enough, although I do have a username and password.

Agree that users of the software need to be aware that a password is a minimal requirement to assure security. Does anyone have some basic tests to assure the setup is secure and protected, apart from the basic user/pwd setup?
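A self-check along the lines of snuiter's question, added here as an example (it is not code from this thread or from the Domoticz project): it requests the Domoticz version endpoint from outside your network and classifies the answer. It assumes the default HTTP port 8080, an HTTPS forward on 443, and that a configured username/password makes Domoticz answer 401; the hostname is a placeholder.

```python
import ssl
import urllib.error
import urllib.request

# Added example, not from the thread or the Domoticz project.
# Assumption: when a username/password is set, Domoticz answers this
# JSON API request with HTTP 401; with no password it returns 200 and JSON.
PROBE_PATH = "/json.htm?type=command&param=getversion"


def classify(status, body):
    """Turn the HTTP result of one probe into a verdict.

    status None means nothing answered on that port (no forward, or closed)."""
    if status is None:
        return "closed"          # not reachable from outside: the best case
    if status in (401, 403):
        return "auth-required"   # port is open but credentials are enforced
    if status == 200 and b'"status"' in body:
        return "OPEN-NO-AUTH"    # API answered without a login: fix this now
    return "unknown"             # something else answered (proxy, other app)


def probe(host, port, https, timeout=5):
    """Fetch PROBE_PATH from the outside; return (http_status, body)."""
    ctx = None
    if https:
        # Home installs usually run a self-signed cert; we only need to know
        # whether the API answers, so certificate checking is disabled here.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"{'https' if https else 'http'}://{host}:{port}{PROBE_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return r.getcode(), r.read()
    except urllib.error.HTTPError as e:      # 401/403/404... is still a reply
        return e.code, e.read()
    except OSError:                           # refused, timeout, TLS failure
        return None, b""


def audit(host, checks=((8080, False), (443, True))):
    """Probe the default Domoticz HTTP port and an HTTPS forward; return port -> verdict."""
    return {port: classify(*probe(host, port, https)) for port, https in checks}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "your-home.example"  # placeholder
    for port, verdict in audit(host).items():
        print(f"{host}:{port} -> {verdict}")
```

Run it from outside your own LAN (for example over a mobile connection), because Domoticz can be set to skip the login for local networks, so a check from inside says nothing about what the outside sees.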

Eddiever
Posts: 60
Joined: Thursday 27 April 2017 20:32
Target OS: Raspberry Pi
Domoticz version: V3.8153
Location: The Netherlands (Hoogeveen)

Post by Eddiever » Monday 11 September 2017 21:36

I did not do a port forwarding in my router, thus my Domoticz is unavailable from the outside. Or am I wrong?
RPi 2B with Domoticz and cam module, RPi 3 with cam module
1 rftxtrx433E module, 1 solar-edge SE-3500
1 Sonoff Touch, 3 Sonoff wifi switches, 6 kaku modules

SweetPants
Posts: 1584
Joined: Friday 12 July 2013 21:24
Target OS: Linux
Domoticz version: V3.8742
Location: The Netherlands

Post by SweetPants » Monday 11 September 2017 22:02

Eddiever wrote:
Monday 11 September 2017 21:36
I did not do a port forwarding in my router, thus my domoticz is unavailable from the outside?
Wrong. When configuring port forwarding, you open up a port from the outside. If not using HTTPS or certificates, everybody can access your Domoticz system.

Eddiever
Posts: 60
Joined: Thursday 27 April 2017 20:32
Target OS: Raspberry Pi
Domoticz version: V3.8153
Location: The Netherlands (Hoogeveen)

Post by Eddiever » Monday 11 September 2017 22:05

And how can I disable the access from the outside world? Like I said, no port forwarding in my router. So how can they access my Domoticz server?

pvm
Posts: 896
Joined: Tuesday 17 June 2014 22:14
Target OS: NAS (Synology & others)
Domoticz version: Stable
Location: NL

Post by pvm » Monday 11 September 2017 22:06

SweetPants wrote:
Monday 11 September 2017 22:02
Eddiever wrote:
Monday 11 September 2017 21:36
I did not do a port forwarding in my router, thus my domoticz is unavailable from the outside?
Wrong. When configuring port forwarding, you open up a port from the outside. If not using HTTPS or certificates, everybody can access your Domoticz system.
Huh? How can someone from outside have access when no port forwarding is configured?
Synology NAS, PI3, ZWave, Xiaomi zigbee devices, BTLE plant sensor

Egregius
Posts: 2429
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE

Post by Egregius » Monday 11 September 2017 22:13

They can't, don't worry.
Without port forwarding you're 100% safe.
With port forwarding you must set a good user/password combo and only use https. On top of that use fail2ban to block failed login attempts immediately.

Eddiever
Posts: 60
Joined: Thursday 27 April 2017 20:32
Target OS: Raspberry Pi
Domoticz version: V3.8153
Location: The Netherlands (Hoogeveen)

Post by Eddiever » Monday 11 September 2017 22:15

Thanks again Egregius, now I can sleep ;)

mrf68
Posts: 223
Joined: Monday 23 February 2015 13:45
Target OS: Windows
Domoticz version: 3.4834
Location: Netherlands

Post by mrf68 » Monday 11 September 2017 22:21

Clickbait title. They bring it as "news"? A specific install of whatever software can be vulnerable. Those cameras have been listed on websites for years, using default login names and passwords. TU students are surprised?? Am I missing something?
----------
3x RPi
1x W2k12 (vm)
3x RFXcom433e
1x Razberry board
KAKU: 9x APA3-1500R, 2x ACDB-7000C, 3x AMST-606, 1x APIR-2150, 1x AWS-3500, 1x ATMT-502
Z-wave: 8x Everspring AN145
Misc: 2x wireless doorbells

Eddiever
Posts: 60
Joined: Thursday 27 April 2017 20:32
Target OS: Raspberry Pi
Domoticz version: V3.8153
Location: The Netherlands (Hoogeveen)

Post by Eddiever » Monday 11 September 2017 22:25

No clickbait title. Just a warning to "less good" users of Domoticz, because the video shows that they did have access to a Domoticz server in the town of Almelo (which user of this forum is from Almelo and hasn't secured his/her server?). Grateful to the topic starter!

manjh
Posts: 242
Joined: Saturday 27 February 2016 13:49
Target OS: Raspberry Pi
Domoticz version: 3.8153
Location: NL

Post by manjh » Monday 11 September 2017 22:35

I have a port forwarded in the router, and I use a userid/pw to protect the user interface.
When I change the pw, I see that I need to log on with that new pw.
But once logged on, I can close/restart the browser without the need to log on again. And I don't see a way to log off...
Am I missing something?

Edit: there is a logout button. But how can I force a logout when I close the browser?

Also, how can I switch on https?
Hans

pvm
Posts: 896
Joined: Tuesday 17 June 2014 22:14
Target OS: NAS (Synology & others)
Domoticz version: Stable
Location: NL

Post by pvm » Tuesday 12 September 2017 0:45

manjh wrote:
Monday 11 September 2017 22:35
I have a port forwarded in the router, and I use a userid/pw to protect the user interface.
When I change the PW, I see that I need to logon with that new pw.
But once logged on, I can close/restart the browser without the need to log on. And I don't see a way to logoff...
Am I missing something?

Edit: there is a logout button. But how can I force a logout when I close the browser?

Also, how can I switch on https?
I do not know about the logout, sorry.
You can configure port forwarding for (only) your https port.

Dynamic
Posts: 213
Joined: Friday 12 July 2013 14:50
Target OS: -
Domoticz version:
Location: Enschede

Post by Dynamic » Tuesday 12 September 2017 7:48

This topic was not meant to be clickbait. I just wanted to warn other users about unsafe Domoticz installations.

jannl
Posts: 883
Joined: Thursday 02 October 2014 6:36
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Geleen

Post by jannl » Tuesday 12 September 2017 8:16

Egregius wrote:
Monday 11 September 2017 22:13
They can't, don't worry.
Without port forwarding you're 100% safe.
With port forwarding you must set a good user/password combo and only use https. On top of that use fail2ban to block failed login attempts immediately.
Basically, as long as you are connected to the internet, you are never 100% safe.
But indeed, without port forwarding you are a lot safer.

poudenes
Posts: 252
Joined: Wednesday 08 March 2017 10:42
Target OS: Linux
Domoticz version: 3.7392
Location: Amsterdam

Post by poudenes » Thursday 21 September 2017 9:11

Thanks for the post. Checked my system. Removed the http forwarding and left https.
Already had a good username and password. (I use 1Password to generate 20-character passwords.)

Would be nice if Domoticz added 2-way authentication verification.
RPi3 with OSMC - RPi3 with Domoticz - Dashticz - MiLight - Nanoleaf Aurora - KaKu - Logitech Harmony - Nest - RFLink

manjh
Posts: 242
Joined: Saturday 27 February 2016 13:49
Target OS: Raspberry Pi
Domoticz version: 3.8153
Location: NL

Post by manjh » Thursday 21 September 2017 11:32

poudenes wrote:
Thursday 21 September 2017 9:11
Removed the http forwarding and leave https.
Where did you do this? I checked my router, and the only choices I have are TCP or UDP!

jannl
Posts: 883
Joined: Thursday 02 October 2014 6:36
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Geleen

Post by jannl » Thursday 21 September 2017 11:39

http is TCP over port 80 (normally).

poudenes
Posts: 252
Joined: Wednesday 08 March 2017 10:42
Target OS: Linux
Domoticz version: 3.7392
Location: Amsterdam

Post by poudenes » Thursday 21 September 2017 13:01

manjh wrote:
Thursday 21 September 2017 11:32
poudenes wrote:
Thursday 21 September 2017 9:11
Removed the http forwarding and leave https.
Where did you do this? I checked my router, and the only choices I have are TCP or UDP!
I removed the forwarding in my Time Capsule (router).

jannl
Posts: 883
Joined: Thursday 02 October 2014 6:36
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Geleen

Post by jannl » Thursday 21 September 2017 13:27

And if you use https on Domoticz, use some obscure port for forwarding, like 23456 or so.

R0yk3
Posts: 39
Joined: Sunday 24 July 2016 21:51
Target OS: Raspberry Pi
Domoticz version: beta
Location: the Netherlands

Post by R0yk3 » Thursday 21 September 2017 13:42

Why not use a VPN connection?
