Page 2 of 3

Re: Hello need some direction to find a solution

Posted: Sun Jun 07, 2020 8:36 pm
by HeneryH
That is my question. While the traffic is encrypted, it doesnt require a certificate on the other end. So anyone scanning random ngrok addresses can find it and log in.
There are different types of certificates. Base https certs are used to encrypt but do NOT authenticate users to be anyone. You are correct that anyone who randomly connects will get an encrypted connection. When you talk about authenticating users with client specific certs, that is a whole new ball game that gets users into the weeds and details about encryption and certificate signing.

That is why if you don't think there is a risk of a third party snooping on your traffic and don't care about browser warnings that you are not using https then you wouldn't need to care.

If you want to ensure that users are who you think they are you have progressively more secure ways from a) the default user accounts in BI, b) a reverse proxy with user accounts and c) user certs.

Re: Hello need some direction to find a solution

Posted: Sun Jun 07, 2020 10:50 pm
by Thixotropic
oldguy wrote: Sun Jun 07, 2020 7:48 pm So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 12:40 pm
by Matts1984
oldguy wrote: Mon Jun 08, 2020 2:51 am
Thixotropic wrote: Sun Jun 07, 2020 10:50 pm
oldguy wrote: Sun Jun 07, 2020 7:48 pm So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.
Can you save us some time and enlighten us on what you do to secure your system for remote viewing. Or is it just fully air-gaped?

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 2:08 pm
by Thixotropic
oldguy wrote: Mon Jun 08, 2020 2:51 am Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.


1) The only reason I use ngrok is just to prevent someone from snooping my password over an unencrypted connection.

2) How would someone be able to exploit or access the cameras if they can only access or login to BI? Maybe I've misunderstood what you're asking. (??)

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 3:01 pm
by HeneryH
oldguy wrote: Mon Jun 08, 2020 2:51 am
Thixotropic wrote: Sun Jun 07, 2020 10:50 pm
oldguy wrote: Sun Jun 07, 2020 7:48 pm So anyone scanning random ngrok addresses can find it and log in.
How would they login? Isn't there a user name and password set?
Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.
https encryption will not address password security in the least. It is just encrypting content over the line.

If you have any worries about bad actors accessing your system, there are a few options:
  • Keep all cameras inaccessible from the internet. Cameras are one of the MOST frequently hacked devices. Consider every single one of them a weak link.
  • BI on an updated Win10 system exposed to the internet is moderately secure. We really don't know which web server Ken uses embedded in the product but we hope it is decent.
  • Using either a VPN or Reverse Proxy is even better as they are peer reviewed and way more secure.

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 3:02 pm
by HeneryH
Thixotropic wrote: Mon Jun 08, 2020 2:08 pm
oldguy wrote: Mon Jun 08, 2020 2:51 am Well thats the entire point. How secure is the password? For example, many of the camera exploits circumvent the password. If the password is enough, then why do you need ngrok, simply port forward.


1) The only reason I use ngrok is just to prevent someone from snooping my password over an unencrypted connection.
I think the credentials are secure even without https. Not an expert but it would at least be hashed in some basic way.

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 3:45 pm
by Thixotropic
HeneryH wrote: Mon Jun 08, 2020 3:01 pm
  • Keep all cameras inaccessible from the internet. Cameras are one of the MOST frequently hacked devices. Consider every single one of them a weak link.
This brings up a question for me- how would I know or how could I tell if a camera has been hacked or is misbehaving (calling home, etc)?

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 6:10 pm
by Matts1984
Thats a tricky one as good malware (is that a thing?) is designed to be stealthy and elusive. Without good insight into whats happening on your network, it's nearly impossible. Consumer/ISP grade modem router combos have limited logging if any, but they may have some. As we've seen on these forums, cameras using BI do not need to initiate ANY communication whatsoever (unless they are doing NTP for timestamps - in which case they may also need DNS). Ideally they shouldn't be permitted anything so there isn't a chance to dial home, but even if they're not permitted its valuable to see what they're trying to do. Prior to some firmware updates, some of mine were quite chatty in ways I certainly did not want, while still others to this day want to connect to 'the cloud' and I do not have the ability to turn it off. It's very common for admins to overlook some services because "they're harmless" but once you read about things like ICMP tunneling, no means NO.

For those bored or ultra paranoid, check out sites like shodan.io . Took me about 3 minutes to find a listing of >16,000 publicly available BI UI3 login pages... and yep, I confirmed access to a couple of them (didn't try logins). And remember this site is designed for the good guys.

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 7:06 pm
by Thixotropic
Matts1984 wrote: Mon Jun 08, 2020 6:10 pm For those bored or ultra paranoid, check out sites like shodan.io . Took me about 3 minutes to find a listing of >16,000 publicly available BI UI3 login pages... and yep, I confirmed access to a couple of them (didn't try logins). And remember this site is designed for the good guys.
Obviously I don't want people to be able to even see my BI login page, but frankly even if someone managed to find the right IP and port, they'd be up against a 25-character password and a 20-character user name. I suppose they could beat their heads against it trying out logins, but unless there's a flaw in the login code I don't see them gaining access.

I don't think BI has any kind of auto-banning for failed login attempts, but that would be a good addition to the app.

Re: Hello need some direction to find a solution

Posted: Mon Jun 08, 2020 7:53 pm
by Matts1984
Actually the autoban setting is in the settings!

But yeah, while no one wants to become part of a botnet and I'm hoping you don't have any cameras strategically placed near your showers, in the grand scheme of things we are low profile targets. Do your due diligence and you're fine.