• March 28, 2024, 08:38:53 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Pages: [1] 2 3

Author Topic: Cameras Hacked!  (Read 47091 times)

cardinalsfan

  • Level 1 Member
  • *
  • Posts: 13
Cameras Hacked!
« on: February 06, 2014, 07:22:51 AM »

Good morning all.  Thought I would post here about a recent experience, both for some answers and to give others some tips. 

We have 3 DCS-932L cameras in the house.  2 in the living room, facing different directions and one right over the front door.  We've had them for 8 months or so now and we love them.  A couple weeks ago I was told I needed to update the firmware to make sure they would continue to work with the dlink website and android app.  I did as I was told and things worked fine.

We have motion detection email set up on all the cameras.  Yesterday I got an email with just 1 frame, rather than the normal 6.  I looked and noticed a new email address listed in addition to our normal ones.  I also noticed that it was a test email rather than the normal motion detection.

I immediately logged into my cameras to see what was going on.  Someone had hacked into the cameras and added his email address (a disposable mailinator address) and FTP site to 2 of the cameras.  He turned on FTP images and email images.  I got it all fixed within about 3 minutes so he didn't get much, maybe 3 images at the most.  He also added an account to one of the cameras.  The FTP was from the following site, which I'm sure he hacked and stole as well (http://www.swfwmd.state.fl.us/).  They do have an FTP service and I tried to log in with his info (they use email addresses as passwords) but I wasn't able to get in. 

I think this all happened because I didn't change the username/password from the default after the firmware update and it was easy for him to get in.  I've updated the password and turned off the account creation feature and deleted the account he made and removed all his info. 

My question is this - would he have to have been on my local network to hack the cameras or could this have happened remotely?  What can I do to keep this from happening again?

Be careful out there and be sure to update your passwords after the update!!
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #1 on: February 06, 2014, 07:49:31 AM »

Need to make sure all devices have PWs set and not given out to anyone that doesn't need to have it. Mydlink account, Router, WiFI, NAS and Cameras should be setup with security. It's possible that he could have done this locally on your LAN side if he got access via LAN wired or wireless or maybe from mydlink.com.

Need to check your router and make sure nobody is accessing the router that isn't authorized. Set up IP reservations and maybe start using MAC Filtering.

My 2 cents...
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

cardinalsfan

  • Level 1 Member
  • *
  • Posts: 13
Re: Cameras Hacked!
« Reply #2 on: February 06, 2014, 07:58:43 AM »

Everything has a password now and none of them match.  There is no way he did this through wired LAN and I'd be surprised if it was through my local wireless either.  I checked my router while it was going on and didn't see any IP addresses that I didn't recognize. 

I guess I should start with MAC filtering and IP reservations to keep everyone else off my network.  My access code is 50 some odd characters long but I do have a guest account active. 

My best guess is he got the IP for the cameras (if that's possible) or did it from mydlink.com.  I need to update that password now. 

We got these cameras because we were robbed and they made us feel more secure.  Now someone has hacked these cameras and I've lost my sense of security again. 

Thanks for the help furrynutz, I need to research MAC filtering now!
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #3 on: February 06, 2014, 08:22:56 AM »

Keep us posted. If there PWs were not set before then setting them now will gain you sense of security. You'll be ok.

Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

cardinalsfan

  • Level 1 Member
  • *
  • Posts: 13
Re: Cameras Hacked!
« Reply #4 on: February 06, 2014, 08:27:01 AM »

I had passwords on everything other than the cameras.  I had passwords before the firmware update but didn't realize they got reset to the defaults after the update.

I just did MAC filtering and IP reservations and changed the passwords on everything. 

I'm just over-reacting I think, mostly because I can't figure out how he got in.  If I knew whether it was from my local network or just from the cameras (via IP or mydlink) I'd feel better.  Either way, those security holes are fixed now. 
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #5 on: February 06, 2014, 09:31:43 AM »

Yes, any FW update will clear PWs. Also it's recommended to not update FW unless you are experiencing issues. However come to the forums and let us help you troubleshoot the problems first before updating FW. Not all FW updates will fix anything. There maybe other areas to look at that can cause problems that FW won't fix. If we can't fix the problems here then we'll recommend updating FW.

Always check here in the forums or on D-Links main site or mydlink.com for FW update information. DO NOT TRUST any other sites or emails regarding FW updates!

You'll be fine now that you have set up security and changed PWs. Keep an eye on it and look at the routers connected devices once in a while to verify that only your devices are online and nobody else.

You'll be ok now.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

cardinalsfan

  • Level 1 Member
  • *
  • Posts: 13
Re: Cameras Hacked!
« Reply #6 on: February 06, 2014, 09:33:35 AM »

Thanks again.  I only did the update because it was required by dlink to continue using the mydlink feature online and on my mobile phone. 

Logged

robert-e

  • Level 2 Member
  • **
  • Posts: 75
Re: Cameras Hacked!
« Reply #7 on: February 06, 2014, 10:21:56 AM »

@FurryNutz:  Are you sure that a firmware update resets the password to default.  I ask, because my password is still the same as it was when I first commissioned the camera with mydlink.com (using the wizard).  I have updated the firmware at least once, and perhaps twice, as it got updated without (I think) my intervention.  That being said, I notice that when I go through mydlink.com and access the Setup tab, and click on Advanced, it shows the username and a password.  I can then look at the password in the clear by just clicking a box.  I wondered about security at that time, but did not get too excited since all my camera is doing is monitoring the temperature in my furnace room.  (My neighbours do the "house watching" for me.)

OTOH, someone who is relying on mydlink.com and the camera for home security might be wise to look further into this.  Just my 2 c worth.

Regards,
Bob
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #8 on: February 06, 2014, 11:58:20 AM »

It's possible that DCS cameras don't reset PWs on upgrades. I believe that I experienced the same think on my 933L after letting MDL update it thru that service. I wonder if directly connecting to the camera via LAN cable and sending the FW update file that way would. I am somewhat new to the DCS camera's.

Having the User Name and PW on MDL could be a security concern if one would gain access to the MDL account. Something that would need to be reviewed by D-Link.

I know with D-Link routers, PWs do get blown away with FW updates.  ;)
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

JavaLawyer

  • BETA Tester
  • Level 15 Member
  • *
  • Posts: 12190
  • D-Link Global Forum Moderator
    • FoundFootageCritic
Re: Cameras Hacked!
« Reply #9 on: February 06, 2014, 12:30:03 PM »

A more likely scenario is that there may have been a key-logger or some other malware installed on the PC that you used to enter/save your account information and the hacker was pulling the data as you typed it.
Logged
Find answers here: D-Link ShareCenter FAQ I D-Link Network Camera FAQ
There's no such thing as too many backups FFC

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #10 on: February 06, 2014, 12:41:17 PM »

I would run a scan using Malware Bytes, it's free to use. Works well.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

cardinalsfan

  • Level 1 Member
  • *
  • Posts: 13
Re: Cameras Hacked!
« Reply #11 on: February 06, 2014, 07:20:55 PM »

A more likely scenario is that there may have been a key-logger or some other malware installed on the PC that you used to enter/save your account information and the hacker was pulling the data as you typed it.

It found 5 items and I removed them.  

Either way, it didn't work and he's back.  Even though user account control is disabled he was able to make a new account on one of the cameras and sent out a test email.  Oh, he's also been sending vulgar emails (from an anonymous account) to the 2 email addresses where we normally get the motion detection emails. 

I'm going through and changing all my passwords and info.  I don't know what else to do at this point. 
« Last Edit: February 06, 2014, 07:23:55 PM by cardinalsfan »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #12 on: February 06, 2014, 09:07:47 PM »

Take the camera off line for now. I would ask Javalawyer to teamview in with you and have a review of the camera and router settings. Something isn't right here...
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

cardinalsfan

  • Level 1 Member
  • *
  • Posts: 13
Re: Cameras Hacked!
« Reply #13 on: February 06, 2014, 09:11:00 PM »

Take the camera off line for now. I would ask Javalawyer to teamview in with you and have a review of the camera and router settings. Something isn't right here...

I hesitate to take them offline but I guess I have no choice right now.

I think he's been in my email (the one I use to send the motion detection emails) and gmail logged his IP.  Well, it logged an IP from Firefox, which is a broswer I never use.  It also had log ins from times I haven't been on so unless it was the camera, it was him.  Anything I can do with that IP address? 
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Cameras Hacked!
« Reply #14 on: February 06, 2014, 09:16:14 PM »

Does your router have hidden WiFi? I would hid the SSID after you change it and the PW.

What ISP modem do you have? You might just wired direct to the ISP modem with one PC for now until tomorrow. Turn OFF the WiFi or just disconnected the router and turn it off.

You might go ahead and remove the camera from mydlink.com for now as well. You can add it back later...
« Last Edit: February 06, 2014, 10:33:41 PM by FurryNutz »
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.
Pages: [1] 2 3