Is your IP-connected device safe?

Nothing new.

Most domestic routers arrive with UPnP turned on - it's a crazy "security is inconvenient so let's bypass it" setting.
Then many devices default to using UPnP to make themselves accessible from outside - for the convenience of the user so they can remotely access it without any effort.

So those two ingredients will automatically punch a hole through your inbound firewall to give remote access to the device.

Then the third ingredient is a software flaw that makes the device insecure. Sadly a lot of low end kit uses software that, trying to stay polite, is written on a budget by people who really don't know enough to do it properly.

These three things together mean that a large number of DVRs make the whole network insecure. There's a lot of DVRs from budget manufacturers, that all use the same software from a third party, with a huge flaw that makes the thing completely open. It not only makes the device insecure, but gives remote access to your entire network.
 
Even without UPnP there are ways for a device behind a home router to make itself externally accessible. An "outbound connections only" policy really only gave an approximation of security, both because apps will try and circumvent it and because at the end of the day an outbound connection will often be a link to a server which will bounce stuff to the client from anyone/anywhere. (Take email for example: you only make an outbound connection to the email server, but the email server will receive emails from anyone and pass them to your email client.)
 
True, but in the case where stuff is making a connection to an external server, it's not opening up access for all and sundry from anywhere. So in that case, the risk is really only from accessing a compromised server - it's a risk, but a considerably smaller target for an attacker to hit.

With the sort of kit and issue here, there's a combination of things - UPnP on by default in the router, and the device using it to create an externally accessible target - which make the device accessible from anywhere in the world with an internet connection. Then add sloppy security & coding (one might suggest, not a care for security when coding - bolt it on afterwards) which exposes more than was intended, and hey presto you have a much, much more serious problem than a device that makes a connection to an outside server in order to create an inbound route.

An example of the latter might be LogMeIn. With that, the device inside your network maintains an outbound connection to the LogMeIn service and sits there waiting for a connection request. The only way to access that connection is to go through the LogMeIn service - the device isn't directly accessible from anywhere on the internet. I'm inclined to think that LogMeIn are big enough to employ someone with a bit of security knowledge - it certainly won't be as wide open as these sloppily coded devices.
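
An added example, not part of any forum post or of any vendor's code: the port mappings that devices create through UPnP, as discussed in the posts above, are listed by the router's IGD service in `GetGenericPortMappingEntry` responses, and this Python code parses such responses and reports the enabled mappings that are open to any remote address. The sample responses (addresses, ports, descriptions) are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Output arguments of the UPnP IGD action GetGenericPortMappingEntry.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")

def sample_response(values):
    """Build a constructed GetGenericPortMappingEntryResponse SOAP body."""
    args = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{args}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

# Constructed sample data: every address, port and description is made up.
SAMPLE = [
    sample_response(("", 8000, "TCP", 80, "192.168.1.50", 1, "DVR web")),
    sample_response(("", 51413, "UDP", 51413, "192.168.1.20", 1, "BitTorrent")),
    sample_response(("203.0.113.7", 2222, "TCP", 22, "192.168.1.10", 1, "ssh")),
    sample_response(("", 8554, "TCP", 554, "192.168.1.50", 0, "DVR rtsp")),
]

def parse_mapping(soap_xml):
    """Extract the output arguments of one port-mapping entry as a dict."""
    root = ET.fromstring(soap_xml)
    found = {el.tag: (el.text or "").strip() for el in root.iter() if el.tag in FIELDS}
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"not a port-mapping response, missing {missing}")
    return found

def open_to_internet(mappings):
    """Enabled mappings whose remote host is the wildcard (empty string)."""
    exposed = []
    for m in mappings:
        if m["NewEnabled"] == "1" and m["NewRemoteHost"] == "":
            exposed.append((m["NewProtocol"], int(m["NewExternalPort"]),
                            m["NewInternalClient"], int(m["NewInternalPort"]),
                            m["NewPortMappingDescription"]))
    # Group by internal host so each device's exposure reads together.
    return sorted(exposed, key=lambda e: (e[2], e[1]))

def audit(responses):
    return open_to_internet([parse_mapping(r) for r in responses])

if __name__ == "__main__":
    for proto, ext, host, port, desc in audit(SAMPLE):
        print(f"{proto} {ext} -> {host}:{port}  ({desc})")
```

Any mapping this reports for a device that has no reason to be reachable from outside is a candidate for removal, and for turning UPnP off on the router.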