D-Link Forums

The Graveyard - Products No Longer Supported => IP Cameras => DCS-932L => Topic started by: cardinalsfan on February 06, 2014, 07:22:51 AM

Title: Cameras Hacked!
Post by: cardinalsfan on February 06, 2014, 07:22:51 AM
Good morning all.  Thought I would post here about a recent experience, both for some answers and to give others some tips. 

We have 3 DCS-932L cameras in the house.  2 in the living room, facing different directions and one right over the front door.  We've had them for 8 months or so now and we love them.  A couple weeks ago I was told I needed to update the firmware to make sure they would continue to work with the dlink website and android app.  I did as I was told and things worked fine.

We have motion detection email set up on all the cameras.  Yesterday I got an email with just 1 frame, rather than the normal 6.  I looked and noticed a new email address listed in addition to our normal ones.  I also noticed that it was a test email rather than the normal motion detection.

I immediately logged into my cameras to see what was going on.  Someone had hacked into the cameras and added his email address (a disposable mailinator address) and FTP site to 2 of the cameras.  He turned on FTP images and email images.  I got it all fixed within about 3 minutes so he didn't get much, maybe 3 images at the most.  He also added an account to one of the cameras.  The FTP was from the following site, which I'm sure he hacked and stole as well (http://www.swfwmd.state.fl.us/).  They do have an FTP service and I tried to log in with his info (they use email addresses as passwords) but I wasn't able to get in. 

I think this all happened because I didn't change the username/password from the default after the firmware update and it was easy for him to get in.  I've updated the password and turned off the account creation feature and deleted the account he made and removed all his info. 

My question is this - would he have to have been on my local network to hack the cameras or could this have happened remotely?  What can I do to keep this from happening again?

Be careful out there and be sure to update your passwords after the update!!
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 07:49:31 AM
Need to make sure all devices have PWs set and not given out to anyone that doesn't need to have them. Mydlink account, Router, WiFi, NAS and Cameras should be set up with security. It's possible that he could have done this locally on your LAN side if he got access via LAN wired or wireless or maybe from mydlink.com.

Need to check your router and make sure nobody is accessing the router that isn't authorized. Set up IP reservations and maybe start using MAC Filtering.

My 2 cents...
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 06, 2014, 07:58:43 AM
Everything has a password now and none of them match.  There is no way he did this through wired LAN and I'd be surprised if it was through my local wireless either.  I checked my router while it was going on and didn't see any IP addresses that I didn't recognize. 

I guess I should start with MAC filtering and IP reservations to keep everyone else off my network.  My access code is 50 some odd characters long but I do have a guest account active. 

My best guess is he got the IP for the cameras (if that's possible) or did it from mydlink.com.  I need to update that password now. 

We got these cameras because we were robbed and they made us feel more secure.  Now someone has hacked these cameras and I've lost my sense of security again. 

Thanks for the help furrynutz, I need to research MAC filtering now!
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 08:22:56 AM
Keep us posted. If the PWs were not set before, then setting them now will gain you a sense of security. You'll be ok.

Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 06, 2014, 08:27:01 AM
I had passwords on everything other than the cameras.  I had passwords before the firmware update but didn't realize they got reset to the defaults after the update.

I just did MAC filtering and IP reservations and changed the passwords on everything. 

I'm just over-reacting I think, mostly because I can't figure out how he got in.  If I knew whether it was from my local network or just from the cameras (via IP or mydlink) I'd feel better.  Either way, those security holes are fixed now. 
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 09:31:43 AM
Yes, any FW update will clear PWs. Also it's recommended to not update FW unless you are experiencing issues. However come to the forums and let us help you troubleshoot the problems first before updating FW. Not all FW updates will fix anything. There may be other areas to look at that can cause problems that FW won't fix. If we can't fix the problems here then we'll recommend updating FW.

Always check here in the forums or on D-Link's main site or mydlink.com for FW update information. DO NOT TRUST any other sites or emails regarding FW updates!

You'll be fine now that you have set up security and changed PWs. Keep an eye on it and look at the router's connected devices once in a while to verify that only your devices are online and nobody else.

You'll be ok now.
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 06, 2014, 09:33:35 AM
Thanks again.  I only did the update because it was required by dlink to continue using the mydlink feature online and on my mobile phone. 

Title: Re: Cameras Hacked!
Post by: robert-e on February 06, 2014, 10:21:56 AM
@FurryNutz:  Are you sure that a firmware update resets the password to default?  I ask, because my password is still the same as it was when I first commissioned the camera with mydlink.com (using the wizard).  I have updated the firmware at least once, and perhaps twice, as it got updated without (I think) my intervention.  That being said, I notice that when I go through mydlink.com and access the Setup tab, and click on Advanced, it shows the username and a password.  I can then look at the password in the clear by just clicking a box.  I wondered about security at that time, but did not get too excited since all my camera is doing is monitoring the temperature in my furnace room.  (My neighbours do the "house watching" for me.)

OTOH, someone who is relying on mydlink.com and the camera for home security might be wise to look further into this.  Just my 2 c worth.

Regards,
Bob
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 11:58:20 AM
It's possible that DCS cameras don't reset PWs on upgrades. I believe that I experienced the same thing on my 933L after letting MDL update it thru that service. I wonder if directly connecting to the camera via LAN cable and sending the FW update file that way would. I am somewhat new to the DCS cameras.

Having the User Name and PW on MDL could be a security concern if one would gain access to the MDL account. Something that would need to be reviewed by D-Link.

I know with D-Link routers, PWs do get blown away with FW updates.  ;)
Title: Re: Cameras Hacked!
Post by: JavaLawyer on February 06, 2014, 12:30:03 PM
A more likely scenario is that there may have been a key-logger or some other malware installed on the PC that you used to enter/save your account information and the hacker was pulling the data as you typed it.
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 12:41:17 PM
I would run a scan using Malware Bytes, it's free to use. Works well.
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 06, 2014, 07:20:55 PM
Quote from: JavaLawyer
A more likely scenario is that there may have been a key-logger or some other malware installed on the PC that you used to enter/save your account information and the hacker was pulling the data as you typed it.

It found 5 items and I removed them.  

Either way, it didn't work and he's back.  Even though user account control is disabled he was able to make a new account on one of the cameras and sent out a test email.  Oh, he's also been sending vulgar emails (from an anonymous account) to the 2 email addresses where we normally get the motion detection emails. 

I'm going through and changing all my passwords and info.  I don't know what else to do at this point. 
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 09:07:47 PM
Take the camera off line for now. I would ask Javalawyer to teamview in with you and have a review of the camera and router settings. Something isn't right here...
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 06, 2014, 09:11:00 PM
Quote from: FurryNutz
Take the camera off line for now. I would ask Javalawyer to teamview in with you and have a review of the camera and router settings. Something isn't right here...

I hesitate to take them offline but I guess I have no choice right now.

I think he's been in my email (the one I use to send the motion detection emails) and gmail logged his IP.  Well, it logged an IP from Firefox, which is a browser I never use.  It also had log ins from times I haven't been on so unless it was the camera, it was him.  Anything I can do with that IP address?
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 06, 2014, 09:16:14 PM
Does your router have hidden WiFi? I would hide the SSID after you change it and the PW.

What ISP modem do you have? You might just wire direct to the ISP modem with one PC for now until tomorrow. Turn OFF the WiFi or just disconnect the router and turn it off.

You might go ahead and remove the camera from mydlink.com for now as well. You can add it back later...
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 07, 2014, 06:29:53 AM
Quote from: FurryNutz
Does your router have hidden WiFi? I would hide the SSID after you change it and the PW.

What ISP modem do you have? You might just wire direct to the ISP modem with one PC for now until tomorrow. Turn OFF the WiFi or just disconnect the router and turn it off.

You might go ahead and remove the camera from mydlink.com for now as well. You can add it back later...

No, the SSID is not hidden.  My modem is just a standard modem issued by my ISP.  It does not include wifi, only my router does that.  I turned the router off last night.

I let lastpass make a new password for the dlink site, it should be very hard to crack.  All my computers have had malwarebytes run and all issues removed.

I think (and hope) it's just someone messing around and now it'll hopefully be too tough for him to mess with so he'll give up.  I guess we'll find out.

My main worry is that it's someone planning to rob the house again and he's going to turn off the cameras and commit the robbery so there are no images of the act.  I'm pretty sure it's just some punk messing with us. 
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 07, 2014, 07:16:29 AM
Internet Service Provider and Modem Configurations

What I meant is to disconnect your main host router and connect your PC up to the ISP modem directly for a while. This will eliminate any un-authorized Wifi or LAN connections. Just one PC and the modem. This will allow you to reset and change all web site and email PWs. Then I would connect one wired PC to the main host router and factory reset the router while it's not connected to the ISP Modem. Factory reset the router with one wired PC connected to the router and get it configured. Setup new SSID and new PW on WiFi. I would hide the SSID from being broadcast, this will help some. Then set up the camera to the router. I believe you can input the hidden SSID name and PW and it should connect to the router.

Once you have the router and camera net up, go live with the router and camera. I highly recommend that you leave the camera un-registered with mydlink.com for a time until you can ensure that nobody is doing anything with the router and camera locally. Once you do that, and you know you have re-set up the mydlink.com with a new PW, then go and re-register the camera.

You need to configure the router and camera off line before going on-line with them. This should help stave off any un-authorized users.
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 07, 2014, 07:22:47 AM
I see what you're saying.  I'll work on doing all that this weekend. 
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 07, 2014, 07:38:39 AM
Keep us posted...hope we can get this nailed down and more secure... ;)
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 07, 2014, 09:07:02 AM
Internet Service Provider and Modem Configurations
Title: Re: Cameras Hacked!
Post by: JavaLawyer on February 07, 2014, 09:45:17 AM
Quote from: cardinalsfan
I think this all happened because I didn't change the username/password from the default after the firmware update and it was easy for him to get in.

This part of your original post (referenced above) confused me from the get-go. Performing a firmware update on the DCS-932L will not impact the stored username/password combinations that you've previously defined. That said, there are only three ways the default password (blank field) can be re-instated: (1) a new password was never selected when you originally configured the DCS-932L out-of-the-box; (2) you reset the DCS-932L to the factory default settings; (3) you manually changed the password back to a blank field.
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 07, 2014, 11:23:42 AM
Quote from: FurryNutz
Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?

Cox Cable
Cisco DPQ3212
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 07, 2014, 11:29:06 AM
Quote from: JavaLawyer
This part of your original post (referenced above) confused me from the get-go. Performing a firmware update on the DCS-932L will not impact the stored username/password combinations that you've previously defined. That said, there are only three ways the default password (blank field) can be re-instated: (1) a new password was never selected when you originally configured the DCS-932L out-of-the-box; (2) you reset the DCS-932L to the factory default settings; (3) you manually changed the password back to a blank field.

My rebuttal for each item:

(1): I selected a new password for each right after I installed them last April.
(2): I haven't done this
(3): I didn't do this either

I had the password set before the required firmware update and afterwards it went back to the default.  It didn't change any of my other settings.  I know it doesn't sound right but I promise you it's what happened.  I even remember wondering why my password wasn't working when I tried to log in after the firmware update.  I didn't think much of it and left it alone.

If it makes any difference, I updated the firmware from the house from the mydlink site.  Maybe that's why it got changed.

Either way my network and cameras are locked down now.  All passwords have been changed and most now use 10 digit generated passwords to be more secure.  We'll see what happens from here. 

Thanks for all the help everyone, I'll update later if this continues to happen. 
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 07, 2014, 11:49:55 AM
I recommend from now on, anytime you do FW updates, ensure that the PW has remained or just input a new PW, that way you know for peace of mind that the PW is in place and has been changed by you only.

Keep us posted.
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 07, 2014, 11:57:28 AM
Quote from: FurryNutz
I recommend from now on, anytime you do FW updates, ensure that the PW has remained or just input a new PW, that way you know for peace of mind that the PW is in place and has been changed by you only.

Keep us posted.

That's a very good idea.  No matter how it happened, it's my fault that the PW was the default and was able to be hacked.  I still have no idea how he got in but I've locked down as much as I can.  We'll see what happens from here. 
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 07, 2014, 12:25:54 PM
 ;)
Title: Re: Cameras Hacked!
Post by: JavaLawyer on February 07, 2014, 01:44:04 PM
Also, you can log into your web UI and change your password at any time if you feel it's been compromised, and only log into the web UI from a PC that you are confident is secure.

MAINTENANCE > Admin > ADMIN PASSWORD SETTING.
Title: Re: Cameras Hacked!
Post by: RYAT3 on February 07, 2014, 07:35:37 PM
Quote from: cardinalsfan
I hesitate to take them offline but I guess I have no choice right now.

I think he's been in my email (the one I use to send the motion detection emails) and gmail logged his IP.  Well, it logged an IP from Firefox, which is a browser I never use.  It also had log ins from times I haven't been on so unless it was the camera, it was him.  Anything I can do with that IP address?

Block it in your router?

What router are you using?

Do you need port forwarding?

There are papers out there on how to hack these Cameras...And also how to search them out.

What OS are you using? Which Windows ...? Or Mac...?
What router are you using?

Some dcs camera logs show ip address accessed from. ..


Title: Re: Cameras Hacked!
Post by: RYAT3 on February 07, 2014, 07:49:24 PM
You can also do a whois lookup... Or Google his ip... which is probably hacked too.

Trace route also. .nslookup..
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 08, 2014, 07:36:32 AM
Quote from: RYAT3
Block it in your router?

What router are you using?

Do you need port forwarding?

There are papers out there on how to hack these Cameras...And also how to search them out.

What OS are you using? Which Windows ...? Or Mac...?
What router are you using?

Some dcs camera logs show ip address accessed from. ..


I don't think blocking it in my router will work as I'm more and more sure he didn't access the cams locally.  I use a Dlink DIR-655.  No need for port forwarding either.  I didn't know about the papers but between that and the default password, that might explain how this happened.  We have win 7 and win 8.1 computers in the house and 1 mac.  These cameras don't log IPs. 
Title: Re: Cameras Hacked!
Post by: cardinalsfan on February 08, 2014, 07:43:08 AM
Quote from: RYAT3
You can also do a whois lookup... Or Google his ip... which is probably hacked too.

Trace route also. .nslookup..

I did all of those and they didn't show me anything.
Title: Re: Cameras Hacked!
Post by: ReverendTed on February 08, 2014, 08:33:59 AM
If you suspect your e-mail account associated with the cameras has been compromised, then that would be the first thing I'd check.  Once someone has access to your e-mail account, they can request a password reminder\reset e-mail.
Title: Re: Cameras Hacked!
Post by: FurryNutz on February 08, 2014, 10:51:33 AM
I would associate with a new email if that's the case.