Web access to Security Cameras

DavidH
Friendly Neighbour

Hi,

I'm a strata council member of a condo, and we have a dedicated IP for our security system.

It looks like Actiontec T2200M does not have a web UI, and we can't configure our NVR (network video recorder) to be seen outside the electrical room.

A couple questions,

1. Is it possible to configure port forwarding with Actiontec T2200M? If not, can we request a new router that would support this?

2. We tried to configure the ports from the NVR directly, but we couldn't find ports that are open. Do you have any recommendations on which ports to use for NVR setup?

3. What's the best phone number to call in? And what proof do you require in order for one of the strata council members to talk about the account on behalf of the strata?

---------- Forwarded message ----------
From: David Sharpe 
Date: May 1, 2019, 12:31 PM -0700
To: David Hahn
Subject: RE: follow up

We tried 80/81/8080 and 8081, which are the typical ones used by security; they are definitely blocked.

557 through 576 are open, but we cannot use those in the NVR.

If 80 can be opened, then we can get it going.

Thank you,

David Sharpe

Senior Account Executive

Upcraft
Advocate

The T2200M is just a bridged modem, no port forwarding required. The T2200h was a router but is now discontinued, and the current replacement device is the T3200M, which is also a router.

That means whatever it is you have plugged into it is getting an unfiltered internet connection. So your NVR is likely getting a public IP address on that connection unless you have your own router in between the T2200M modem and the internal network (highly recommended).

Yes, certain inbound ports are blocked if you have a dynamic IP address. If you subscribe to the static IP add-on feature, the ports are not blocked. But ports 8080 and 8081 should still have worked. I suspect your camera NVR might have been hacked or disabled remotely.

I would not suggest you connect any NVR device directly to the internet, and do not forward the ports to your NVR device either. They are generally VERY insecure devices. The general level of security of just about every NVR on the market is remarkably poor. Hackers have automated programs to exploit the flaws in camera and NVR firmware to take them over and join them to their botnet activities. Instead, you will want a VPN gateway in between your internet connection and the NVR device at minimum. Either a commercial VPN-capable router or something open source like pfSense on a computer or appliance device designed to run this software is the way to go. So anyone wanting to view the cameras would connect to the VPN endpoint first and then they can launch the camera app, and you do not expose the vulnerable device directly to unsolicited external attacks.

If you are right and the NVR you are using cannot be set to any other ports, then it sure sounds to me like one of the ones with poor quality firmware and well-known security vulnerabilities. If it were exposed to the internet already, I wouldn't be surprised if it has already been compromised, and a possible reason it isn't working properly is the attackers have messed up the software on it. There have also been some vigilante "grey" hackers going around and disabling vulnerable cameras to get them off the internet by exploiting the same vulnerabilities, but instead of using your device for a botnet they will change the network settings to prevent it from working outside of your local network so that other hackers cannot use it for harm.

So

1. Get a VPN router. If you do not know what you are doing in this area, hire a consultant.

2. Reformat the camera system, reset everything to factory defaults and reload the firmware from a known "good" firmware image. It will likely still have the vulnerable software, but if you have segmented it behind a good VPN firewall without direct external access it should at least work again.

For more info:

https://www.zdnet.com/article/over-nine-million-cameras-and-dvrs-open-to-apts-botnet-herders-and-voy...

https://krebsonsecurity.com/2017/03/dahua-hikvision-iot-devices-under-siege/

Or just google NVR botnet
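
The layout recommended in the reply above (a VPN gateway between the internet connection and the NVR, with no ports forwarded to it), sketched as an nftables ruleset for a Linux gateway. This is an added example, not part of the thread, and it swaps in nftables with WireGuard for the pfSense option the reply names; the interface names, the NVR address, the SSH admin rule and UDP port 51820 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example; every name and address below is an assumption, not from the thread.
#   wan0 = gateway port facing the bridged modem (public side)
#   lan0 = gateway port facing the NVR/camera segment
#   wg0  = WireGuard tunnel interface (51820/udp is WireGuard's conventional port)
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define VPN = "wg0"
define NVR = 192.168.50.10                 # constructed private address for the NVR
define NVR_PORTS = { 80, 81, 8080, 8081 }  # the viewing ports named in the thread

table inet gateway {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The only unsolicited traffic accepted from the internet is the VPN itself.
        iifname $WAN udp dport 51820 accept
        # Gateway administration (assumed SSH) only from inside the tunnel.
        iifname $VPN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Authenticated VPN users may reach the NVR's viewing ports and nothing else.
        iifname $VPN oifname $LAN ip daddr $NVR tcp dport $NVR_PORTS accept
        # There is deliberately no WAN -> LAN rule: nothing is port-forwarded to the NVR.
        # The NVR segment may not start connections to the internet. This also stops
        # time sync and vendor cloud features unless they are allowed explicitly.
        iifname $LAN oifname $WAN counter log prefix "nvr-egress-drop " drop
    }
}
```

Hits on the `nvr-egress-drop` counter after a factory reset and firmware reload are worth investigating, since a recorder that only serves viewers has no reason to open outbound connections on its own.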