Title fixed by fenderman. I mistakenly thought I was hacked. Turns out, I didn't read the help file.

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
I will tell everyone what happened later, but for right now I hope the creators read this.
I open the OUTSIDE ACCESS by clicking a little box (enable the HTTP web server in the Web server tab), and the software CREATES AN anonymous user (UNKNOWN TO ME, THE BI USER!!) that requires ZERO credentials, not even required to enter a user name!!! ??? Who in their right mind decided this was a good idea??? forget around you should read the manual... this is SUPER STUPID and I doubt anyone would WANT THIS!!! Why would it create a user without your knowledge and let alone create one anyway and no credentials at all on top of that!! ?
the local_console user created to not need a password... I unchecked it, and I can still get in locally without a password in the local account!!! Why? I have unchecked as enabled, but it still works!

I reopened the port just to see what happens when I put in my public ip as some have suggested, my whole system just pops up as if I logged in... WHY?? HOW?? So I go into the users tab and see that the software recreated the anonymous user THAT I DELETED because I clicked a little box and that's why it just popped up like that. I mean it JUST POPPED UP, my WHOLE SYSTEM!!! never asked for a user name or ANYTHING!! again, who in their right mind thought an end user would want this????

so just by opening a port for my use the software (without letting me know... yeah yeah read the manual) created a user that requires nothing..... upon doing so without me knowing allowed anyone in the world to just have at it and that's how they got in.

you guys can get mad at me if you want... this is just super stupid and I consider this a major flaw and it should be removed to auto create a user like that. Thank you everyone for your help in this matter.
Fool, why are you lying? BEFORE running your mouth and making FALSE accusations why don't you FUCKING TEST IT YOURSELF!!!!
FROM THE HELP FILE
"The local_console user is created automatically and is used only locally when you open the
software. There are ways to login locally using another account in order to limit access,
discussed in the Administration chapter"
"The user local_console is automatically created whenever you connect via the console (the PC
running Blue Iris). It is not possible to use this account remotely so that it cannot pose a
security threat."

MOST IMPORTANTLY, IF YOU DON'T SET A PASSWORD FOR THESE ACCOUNTS YOU CANNOT ACCESS THEM EVEN LOCALLY. In fact, I just tested it and it won't allow access locally even if you did set a password. You are just a fucking idiot.
THE ONLY WAY that someone would have access as you described would be if YOU, like the fool you are, disabled authentication in the webserver advanced tab. So it's not blue iris that is "super stupid" is it?

You know just enough about networking and blue iris to make stupid assumptions and false accusations.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,446
Reaction score
47,571
Location
USA
This is an older post and was posted by someone in response to a specific brand, but as most of these internet devices never get an update to fix security holes, I suspect many of the same things being discussed in this post and the articles linked are still relevant several years later:


And how to retrieve a password:


The backdoor that a lot of cameras have that show the password out in the open for anyone to see:


Passwords changing...so also make sure UPnP is turned off in the router:


This happened to be Amcrest, but could happen to any camera connecting to a cloud:


I could go on and on with links just from this site....do a (web browser of choice) search on hacking cameras or IoT devices and see how easy it is. Like this popular doorbell cam: Amazon Ring doorbells exposed home Wi-Fi passwords to hackers – TechCrunch

And don't think using HTTPS for cameras makes them secure. Many articles show that when logging into the camera with a web browser over HTTPS, the initial login to the site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and passwords are being sent unencrypted. This was a security vulnerability found in Foscam, but I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her wifi printer that she set up using the QR code.

TL;DR - do not use UPnP, P2P, Port Forward, opening ports, or anything that "makes life easy connecting the new device to the internet" because most, if not all, manufacturers have big security flaws that open your router and system to being hacked. By nature, that simplicity is opening it up so that you can easily connect.
 

spend2much

n3wb
Joined
Feb 9, 2017
Messages
18
Reaction score
9
Fool, why are you lying? BEFORE running your mouth and making FALSE accusations why don't you FUCKING TEST IT YOURSELF!!!!
FROM THE HELP FILE
"The local_console user is created automatically and is used only locally when you open the
software. There are ways to login locally using another account in order to limit access,
discussed in the Administration chapter"
"The user local_console is automatically created whenever you connect via the console (the PC
running Blue Iris). It is not possible to use this account remotely so that it cannot pose a
security threat."
I deserve this to some level, but you can't read like me, and flew off the handle before reading what I said..... I'm talking about the automatically created anonymous account not the local one, while making the local_console (that I wanted) the anonymous one gets created automatically that I did NOT WANT and I would think most users would not want that to happen. you have it right there in the quote... LOL
I just saw you are an administrator... you talk like that? you should reprimand yourself. Maybe read some of the valuable information from others on how to prevent MY MISTAKE and take pride in how these users are helping out dumb asses like myself.

At least these others helped me, and in a way angry people like you help too... HAHAHA I won't forget! but really, no need to swear like that. HAHA
Sorry everyone, didn't want to expose you to anything like that, but oh well... HAHAH
 

spend2much

Virtual Private Networks (VPNs) are your friend {especially vs port forwarding}! If you really need to see something on your network from the Internet, such as remotely viewing a BI web server, set up a VPN Server and use a VPN client to connect to it. There are tons of instructional information on how to do this and how to do it using the current better practices {I am really beginning to like WireGuard!}.

One positive thing about this set of posts. You got to see a community come out and assist you with your issue! As a fellow teammate of mine likes to say, "Go Team!"
That's how I'm looking at it too, lots of valuable information, and a solid reminder of securing your system, and reading manuals cover to cover... I have to go back and edit some of my rants so that fenderman calms down... HAHA anyhow I knew of some of these problems with cameras, but WOW I had no idea... in fact I found out another thing thanks to yourself and wittaj and others for so much above and beyond valuable information, a couple of my Hikvision cameras were connecting with EZVIZ cloud! If it wasn't for MY MISTAKES, I would not have found this out.

Do you think you can point me to a tutorial on how to set these firewall rules? The cameras I'm using (here we go, I'm going to get yelled at...) Amcrest indoor PTZ cameras (IP2M-841B-V3) to watch my pets from remote locations and also monitor their habits, they have health problems. These cameras are cheap and easy to use and the need for them is not permanent... unfortunately the need to watch the pets will not last forever, so I didn't want to install fancy ones in the house. while using these I did hear about the risks, so again, this is why I am here trying out BI and not using the P2P that Amcrest offers (I was before getting the new router)

I actually just purchased a new ASUS router that has more control than my old supplied ATT and also has the ability to create a VPN, which I will do. I tried to find out where I can do some firewall rules, and well, I don't know how to do that either, I see where it is and where to enter the IPs and that, but nothing on how to tell it to drop WAN and log, I looked around now for a couple hours and do not see a video or anything specific on how to do that.



Somewhere along the line I will have to make it crystal clear for a new person finding this post that it was a mistake I made, and just a series of coincidences on my other computers doing strange things that made me feel my computers were hacked. The person getting into my system was real, and that too was my fault for opening ports like I did. and not realizing the anonymous account was in my users list, and acknowledge that the manual does clearly state these items. I know how all of you love this software, that's why I have been on this site for so long, I have had an NVR for many years, and now I thought about moving to this software that everyone loves, I sincerely apologize for bad mouthing the software, that was NOT at all my intention, I will however stand my ground that I don't understand why the anonymous account is there by default, but other than that I might just buy the license whether I buy another NVR or not, so fenderman doesn't track me down and try to beat me up or something. HAHA

Thanks again everyone, and I mean everyone.
 

wittaj

Yeah, almost certain now that BI and what you did with that wasn't what caused it - maybe - but I suspect that exploit was already there between the Hik and Amcrest and any other IoT device you may have. As you mentioned, that just happened to be the event that made you aware of the holes in the system.

That is one of the nice things about Blue Iris, is with the exception of true cloud based cams like Ring and Arlos of the world, almost every camera can use this software and then go in and completely remove all possibility of the cams being able to reach the internet and vice versa.
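
The "drop WAN and log" rules asked about earlier in the thread, and the camera isolation described in the post above, sketched as an added example (not written by any poster, and not ASUS or Blue Iris configuration). It assumes a Linux-based router with shell access to iptables; the interface name `eth0` and the camera addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: print iptables rules that log, then drop, camera <-> WAN traffic.
# Assumptions (not from the thread): Linux-based router with iptables; the WAN
# interface name and the camera addresses below are constructed placeholders.

# Succeeds only for a dotted-quad IPv4 address whose octets are all 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: camera_block_rules WAN_IF CAMERA_IP...
# Prints four rules per camera. Each -I inserts at the top of FORWARD, so the
# DROP is inserted first and the LOG second; the LOG therefore ends up above
# the DROP and is evaluated first, recording the packet before it is discarded.
camera_block_rules() {
    wan_if=$1; shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "skipping invalid address: $ip" >&2; continue; }
        # Outbound: camera trying to reach the internet (cloud / P2P services).
        echo "iptables -I FORWARD -s $ip -o $wan_if -j DROP"
        echo "iptables -I FORWARD -s $ip -o $wan_if -j LOG --log-prefix \"CAM-OUT-DROP \""
        # Inbound: anything arriving from the internet addressed to the camera.
        echo "iptables -I FORWARD -d $ip -i $wan_if -j DROP"
        echo "iptables -I FORWARD -d $ip -i $wan_if -j LOG --log-prefix \"CAM-IN-DROP \""
    done
}

# Constructed sample: two cameras behind a router whose WAN interface is eth0.
# Review the printed rules before running any of them on the router.
camera_block_rules eth0 192.168.1.108 192.168.1.109
```

The rules match only traffic crossing the WAN interface, so a Blue Iris PC on the same LAN can still reach the cameras. Rules entered this way do not survive a reboot unless the router firmware is set to reapply them.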
 

fenderman

I deserve this to some level, but you can't read like me, and flew off the handle before reading what I said..... I'm talking about the automatically created anonymous account not the local one, while making the local_console (that I wanted) the anonymous one gets created automatically that I did NOT WANT and I would think most users would not want that to happen. you have it right there in the quote... LOL
I just saw you are an administrator... you talk like that? you should reprimand yourself. Maybe read some of the valuable information from others on how to prevent MY MISTAKE and take pride in how these users are helping out dumb asses like myself.

At least these others helped me, and in a way angry people like you help too... HAHAHA I won't forget! but really, no need to swear like that. HAHA
Sorry everyone, didn't want to expose you to anything like that, but oh well... HAHAH
YOU are a special kind of stupid. BOTH OF THOSE ACCOUNTS CAN NOT BE ACCESSED LOCALLY OR REMOTELY!!! You are a fucking moron as I explained. When I said "THESE accounts" you know those that are automatically created, you CANNOT ACCESS THEM!!! It's for THE SYSTEM!!!! TRY IT!!!
You again failed to READ THE FUCKING HELP file
"When anonymous access is permitted, you will see a user Anonymous added automatically to
the Users page in Settings. If you disable or limit this account, anonymous access will be
denied. In order to prevent anonymous access, retain the default setting Require from All
connections as discussed in the next topic."


HAHAH. dumbass (I hate the foolish hahaha you keep inserting to cover your stupidity). Stop lying about the software when YOU CHOSE to allow anonymous access. Once you deny anonymous access, even if the user is there it cannot be accessed as I explained.
You are too fucking stupid to use blue iris. There is a minimum 80 IQ required which you do not possess.
I fixed the title for you.
 

fenderman

Took care of IPCAM_user....Don't threaten me on my forum dipshit.
The op did not learn from his mistakes. He is still repeating them and still claiming the software did something wrong when it did not. Still failed to read the help file. What an idiot.
 

wittaj

Was trying to explain to my neighbor with the Lorex all in one kit the downside to just scanning the QR code on the app. Lo and behold, even Lorex does point out what they do:

Lorex provides an exclusive Easy Connect Wizard that automates the port forwarding process, or you can check the Router Port Forwarding Guide that provides instructions for a selection of different router models.
