The Glade 4.0

I recently bought a home surveillance camera that connects to my wireless network and allows me to login and view the feed via the web (to keep an eye on my dog when I'm at work) using port forwarding to XXXXXXXX.myfoscam.com. I have the camera connected via port 80, which is the port that is being forwarded to XXXXXXXX.myfoscam.com. I kinda/sorta understand what port forwarding is but not well enough to know whether I'm creating some massive security hole in my network. The XXXXXX part of the url is a unique identifier for my camera, and even if you get that, there's a username and password required to log in and access the camera, of course, but other than that, is there anything else I can or should be doing to protect myself (e.g. using a different port)? Or is port forwarding just inherently risky no matter what?

Any advice would be much appreciated.

Port forwarding is inherently risky in that you are essentially exposing the device you're forwarding to on the internet. As in, anybody on the internet can access it the same way you do.

As such, whether this is a case where the risk is minimal depends entirely on the device so exposed and how thoroughly configured its security is, as well as the potential exploits that exist for it.

Worst case scenarios? There's an unpatched/undiscovered flaw that could give a malicious person the capability of executing unauthorized code on this device, which could easily expose the rest of your network. How likely is that? I honestly can't say, as it will depend on the device.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades

The opposite of security is accessibility. For something to be 100% secure it must be 0% accessible (even to you). A door (essentially port forwarding is a door in your firewall), even a good one with a strong lock, is less secure than a wall, and even a wall can be taken down if you work at it long enough/have the right tools.

If you want to access the camera from the internet (which you do) that means other people can as well. Assuming the device manufacturer has done their job and you have good password discipline the amount of effort taken to gain access to your camera probably outweighs the reward of anyone wanting to access it. However, if someone absolutely positively wanted to access your camera and your network by extension is probably only a matter of time.

The three best things you can do to make sure your door is as strong as it can be:
1. Good password discipline. (Long, alpha/numeric/symbol, never reused and changed on a regular basis)
2. Making sure your camera's firmware is up to date.
3. never check your camera from an unsecured WiFi network.

_________________
I prefer to think of them as "Fighting evil in another dimension"

Is some kind of two (or three) factor authentication an option?

I would hope that a company in the 'security' business would offer that as an option...

I haven't investigated the service in question, but it sounds like you've got a translation configured in your home router to send requests for http to the camera, and that you've given myfoscam.com the IP of your router? If it's an unprotected stream, anyone can view the transmission. There's things you can do to protect yourself, although I'm not sure what myfoscam.com provides in that manner. If I was doing it myself, I'd be tunneling streams via ssh, and making the result available via https, only accessible by an authenticated user. But I have a few more resources to do something like that than most people.

_________________

Thanks for the responses, folks. Sounds like I may just have to rely on Foscam's system itself being secure. There's no double authentication - just the single username/password prompt when you try to log in. I do use a pretty strong, unique password though. As for Shuyung's points: each Foscam camera comes with a unique ID# and the ability to view the feed from that camera by going to [ID#].foscam.org:[port number], where the port number is the one you're forwarding. The actual port forwarding, though, is done in my router's setup screen, where I do enter the IP address of the camera on my network and the port number I want to forward. Not sure whether that means I'm giving Foscam my network's IP address or just forwarding whatever transmission comes from that IP address through port 80 to the foscam.org url. (Clearly, I'm pretty clueless about this.) Don't know what "tunneling streams via ssh" means, but I'm not sure it's something the Foscam system allows.

As an experiment, would you mind pointing your browser to [your router's WAN IP]:80? Do this from a source outside your home. From inside your home, just point to [your webcam's IP]:80.

_________________

Aye, will do. Not sure what the WAN IP is off the top of my head, so I'll have to check when I get home tonight.

Yeah I had similar concerns when I created some TF2 servers. Essentially what I found is that depending on the port that is being forwarded, there isn't a whole lot someone can do without a piece of software listening on that port on your receiving end (and in TF2's case, only the servers are listening, and they are only listening for TF2 stuff).

Port 80, yeah, that's your standard HTTP port. And if the cam streams over that port, then, yes, likely someone else can view it as well. HTTPS (port 443) is what secures and encrypts HTTP data and typically SSL certificates are involved to ensure the connections are going to the right places. I'd check to see if there's an option for HTTPS/SSL/443 as well.

_________________
Les Zombis et les Loups-Garous!

Sorry for the delayed follow up. Here's what I've tried:


Couple of notes off the bat:

1. I changed the port for the camera to XXX. Unfortunately, though, it seems the 443/https approach that Numbuk suggests isn't supported by this camera yet. Maybe in a future firmware update, but for now, that means anyone could "sniff" my un/pw and the video feed itself, right? If so, that sucks, particularly for a bloody security camera.
2. I wasn't clear on what IP addresses you were looking for, so I ran tests using the following: (i) the default IP address of the router (I'll call it the "Default Router IP"); (ii) the IP address that my router setup menu refers to as the Internet IP Address, which is also what pops up on whatismyip.com (I'll call it the "Internet IP"); and (iii) the IP address assigned to the camera in my router's setup menu, which was just the Default Router IP with a different final set of numbers (I'll call it the "Camera IP").

Using those three IP addresses and the port number, I ran the following tests:

Default Router IP Tests

• From inside my home
  
  • [Default Router IP](no port) = prompt for router un/pw.
    
  • [Default Router IP]:XXX with port forwarding enabled = unable to connect.
  • [Default Router IP]:XXX with port forwarding disabled = unable to connect.
  
  
• From outside source
  
  • [Default Router IP](no port) = unable to connect.
  • [Default Router IP]:XXX with port forwarding enabled = unable to connect.
  • [Default Router IP]:XXX with port forwarding disabled = unable to connect.

Internet IP Tests

• From inside my home
  
  • [Internet IP](no port) = prompt for router un/pw.
  • [Internet IP]:XXX with port forwarding enabled = prompt for camera un/pw (see below for potential bypass).
    
  • [Internet IP]:XXX with port forwarding disabled = unable to connect.
  
  
• From outside source
  
  • [Internet IP](no port) = unable to connect.
  • [Internet IP]:XXX with port forwarding enabled = prompt for camera un/pw (see below for potential bypass).
  • [Internet IP]:XXX with port forwarding disabled = haven't been able to try this one yet.

Camera IP Tests

• From inside my home
  
  • [Camera IP](no port) = unable to connect.
  • [Camera IP]:XXX with port forwarding enabled = prompt for camera un/pw (see below for potential bypass).
  • [Camera IP]:XXX with port forwarding disabled = prompt for camera un/pw (see below for potential bypass).
  
  
• From outside source
  
  • [Camera IP](no port) = unable to connect.
  • [Camera IP]:XXX with port forwarding enabled = unable to connect.
  • [Camera IP]:XXX with port forwarding disabled = haven't been able to try this one yet.

The potential bypass is that whenever you get the prompt for the camera un/pw, if you just hit cancel, the camera interface pops up, but without the video feed. Whenever you try to do anything in the interface (e.g., change the user settings, DDNS settings, UPnP settings, etc.), however, it prompts for the un/pw again and hitting cancel at that point causes a "401 Unauthorized" screen to appear. So, it seems that you can't actually bypass the un/pw to view the feed or make any changes to the settings, but it's still a little disturbing that it allows you to access the interface at all.

Any thoughts? Something else I should test?

One thing I should note is that, although I don't like the idea of someone being able to access the camera's feed, my biggest concern is that by getting into the camera, they'd somehow be able to get into other devices on my home network (i.e. my computers or the router itself) and then either install malware or sniff meaningful logins (e.g. my bank account, credit card accounts, etc.). Is that an actual risk here, or is the worst-case scenario simply that some creeper could log into my camera and watch me making breakfast (since the camera's in the kitchen)?

Yes, https is a different protocol than http. Merely moving the server port to 443 does not make it https.

This is expected behavior. Internally, you do not have a redirect for the LAN IP of the router to the camera. Nor should you, that would just be weird. Externally, you're attempting to access non-routable IP space, which doesn't work.
I'm a shade surprised that your router is capable of performing a hair-pin turn and NATting correctly with a source internal destination external stream. That's actually poor behavior, although I'm guessing that consumer-grade gear does that on purpose to make things "just work" and cut down on support queries and complaints. Externally, that's all expected behavior (and apparently you've correctly disabled external access to your router).

That all looks as expected. Internally, you're directly contacting the camera, so the port forwarding status of the router is irrelevant, it's not in the picture (except inasmuch as it's also operating as your network switch). Externally, you're again attempting to access non-routable IP space, so none of that will work.

I'm guessing that XXXXXXXX.myfoscam.com is simply an A record pointing to your router's WAN IP. The only thing you might want to check (and I can't find that there is one), is to make sure there isn't a hardcoded backdoor password for Foscam cameras. Otherwise, since it seems that the camera's firmware is Linux-based, Foscam should find it fairly simple to produce an https option in the firmware.

I agree that it's unwanted behavior that an unauthenticated party can get any sort of interface at all. I'd check and see if there might not be a firmware upgrade that fixes that, as that's definitely a bug. If not, bug report and make sure they get you a fix.

Other than the firmware being Linux, I don't know enough about the camera to say. However, the WebUI and the firmware are two separate packages, it looks like. I don't know if there's a way to access the OS of the camera itself. There shouldn't be, and depending on how a code upgrade is performed it might be possible for a malicious party to build a trojaned replacement and drop it on, and then the sky is the limit. However, that's probably not a large worry, especially if you can get a fix for the unauthenticated interface access bug.

_________________

Cool, thanks for the laying it out for me, Shuyung.

Not much to add other than to second Shuyung's advice/analysis.

I doubt you have much to worry about, but yeah.... If it were me, I'd use SSH tunneling instead of port forwarding at the router. Or if I had to, a VPN. If I have to expose something to the internet, I'd rather it be a well-known quantity like a popular SSH server or VPN sever.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.

Well, you'll probably want to stop allowing outside access to your camera.
http://www.networkworld.com/news/2013/0 ... tml?page=1

Just saw this earlier, noticed "Foscam" in the brief blurb, and remembered this thread.

_________________