Keep onvif private, over internet

NetEyeD

n3wb
Joined
Apr 30, 2014
Messages
28
Reaction score
2
Hi all,

I love ONVIF, it makes configuring a lot easier, but, I hope I'm wrong, it also seems a bit insecure.

I used onvif Manager and pointed it to a camera that was password secured over the internet on a different port than 80, not in my local network.
I didn't enter any passwords but it showed the streaming video and I was even able to delete users and create new ones, change passwords and look in someone's backyard.

That's a big concern, as I believe I've closed all ports, secured it with a password and removed all default users.
Even disabled the ddns options.

Does anyone have any idea how I can prevent a default tool from bypassing all security, without making the cam inaccessible over the internet?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,966
Reaction score
6,795
Location
Scotland
I used onvif Manager and pointed it to a camera that was password secured over the internet on a different port than 80, not in my local network.
I didn't enter any passwords but it showed the streaming video and I was even able to delete users and create new ones, change passwords and look in someone's backyard.
Cameras vary a lot in what's secured and what isn't.
The better firmware has the ability to set whether RTSP requires authentication, and what type of authentication. That's all ONVIF Device Manager is using to display the video stream. You'd get the same result using the likes of VLC.
But changing users should require authentication.
I'm guessing that maybe your ONVIF Device Manager is set with the same ID / password that is still at the default (e.g. admin / admin or admin / blank) on the target camera.

You probably know that Hikvision got some bad press earlier in the year over camera security, where many installations were still using the default credentials.
They have improved that in some of the newer firmware by requiring the user to change from the default.
And even more in current firmware where there is no default password at all and the user is required to 'activate' the camera by creating one, without which there is no real functionality.
 

NetEyeD

n3wb
Joined
Apr 30, 2014
Messages
28
Reaction score
2
I've even seen Onvif Manager retrieve passwords from a camera and place them in the MJPEG URL.
I'll do some tests on a PC that the app hasn't run on, to see if it may have stored some passwords somewhere, but it's scary.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,966
Reaction score
6,795
Location
Scotland
Just to correct any misunderstandings - ONVIF Device Manager must be given usable login credentials to log in to any cameras that you ask it to access.
Some of the time - you may forget that you have configured those.
Here is an example of what happens when they have been cleared by logging out of ODM:

 


NetEyeD

n3wb
Joined
Apr 30, 2014
Messages
28
Reaction score
2
I've just started ODM on a system it hadn't run on before and connected to a camera over the internet.
Even though it didn't show me the video this time, I was able to reboot the camera.
I guess it's all about open ports...

 


alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,966
Reaction score
6,795
Location
Scotland
It's about how the camera firmware has secured, or not, its very many functions.
It's quite common that 'ducking behind the login URL' to activate what should be a privileged function can be done without login credentials being supplied.
It can be a handy way to regain access to a camera where the ID/password has been lost, or reset to defaults, for example.
ONVIF Device Manager is not a hacking tool - it will only do what the target devices allow.

I'd be surprised if the camera you have experimented on is a Hikvision camera - their firmware is more professionally developed than many that I have seen.
I have not seen a low-level command yet on a Hikvision camera that hasn't correctly demanded authentication before being executed.

Would you care to share the brand where you've seen this poor behaviour?
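The two points made in this thread, that a viewer such as VLC or ODM only gets the stream for free when the camera's RTSP server answers an unauthenticated DESCRIBE, and that some firmware lets privileged ONVIF functions run without credentials, can be checked on a camera you administer before you decide whether to port-forward it. The following Python is an added example written for this thread, not code from ODM, ONVIF or any camera vendor. It assumes the camera speaks RTSP on port 554 and serves the ONVIF device service over SOAP; it uses GetUsers as the sample privileged call because the ONVIF core spec places it in an authenticated access class. The RTSP and SOAP replies embedded below are constructed samples so the classification logic runs offline; `probe_rtsp` is the only part that talks to a real device.

```python
"""Added example: classify whether a camera's RTSP and ONVIF endpoints
demand credentials from an anonymous client. Not from the original thread."""
import re
import socket


# --- RTSP -------------------------------------------------------------------

def build_describe(host: str, port: int = 554, path: str = "/") -> bytes:
    """Unauthenticated RTSP DESCRIBE, the first thing a viewer sends before it
    knows whether the camera wants a login at all."""
    req = (f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\n"
           "CSeq: 1\r\nAccept: application/sdp\r\n\r\n")
    return req.encode()


def rtsp_auth_status(response: str) -> str:
    """Classify the camera's reply to an unauthenticated DESCRIBE.

    'open'       SDP returned without a login: anyone can view the stream
    'digest'     401 offering Digest (the setting you want)
    'basic-only' 401 offering only Basic (password travels base64-encoded)
    'closed'     some other rejection (403, 404, ...)
    """
    m = re.match(r"RTSP/\d\.\d\s+(\d{3})", response)
    if not m:
        return "unknown"
    code = int(m.group(1))
    if code == 200:
        return "open"
    if code == 401:
        schemes = {s.lower() for s in
                   re.findall(r"(?im)^WWW-Authenticate:\s*(\w+)", response)}
        if "digest" in schemes:
            return "digest"
        if "basic" in schemes:
            return "basic-only"
    return "closed"


def probe_rtsp(host: str, port: int = 554, path: str = "/",
               timeout: float = 3.0) -> str:
    """Live check against a camera you administer: send DESCRIBE with no
    credentials and classify the reply. Not used by the offline samples."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(host, port, path))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return rtsp_auth_status(data.decode(errors="replace"))


# --- ONVIF ------------------------------------------------------------------

def onvif_auth_status(http_status: int, body: str) -> str:
    """Classify the reply to a privileged ONVIF call (GetUsers here) that was
    sent WITHOUT a WS-UsernameToken header.

    'open'      the camera answered: the function is unprotected
    'ws-auth'   SOAP fault ter:NotAuthorized: WS-Security is enforced
    'http-auth' HTTP 401: the SOAP endpoint itself demands HTTP auth
    """
    if http_status == 401:
        return "http-auth"
    if "NotAuthorized" in body:
        return "ws-auth"
    if http_status == 200 and "GetUsersResponse" in body:
        return "open"
    return "closed"


def recommend(rtsp: str, onvif: str) -> str:
    """Turn the two classifications into the exposure decision."""
    if rtsp == "open" or onvif == "open":
        return "do not port-forward; reach it only via a local NVR or VPN"
    if rtsp == "basic-only":
        return "switch RTSP to Digest, or keep the camera off the internet"
    return "credentials enforced; still prefer NVR/VPN over port-forwarding"


# --- Constructed sample replies (not captured from a real camera) ----------

SAMPLE_RTSP_OPEN = ("RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp"
                    "\r\nContent-Length: 27\r\n\r\nv=0\r\no=- 0 0 IN IP4 0.0.0.0\r\n")
SAMPLE_RTSP_DIGEST = ('RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n'
                      'WWW-Authenticate: Digest realm="IP Camera", nonce="c0ffee"\r\n'
                      'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n')
SAMPLE_RTSP_BASIC = ('RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n'
                     'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n')
SAMPLE_ONVIF_FAULT = ('<s:Envelope><s:Body><s:Fault><s:Code><s:Value>s:Sender'
                      '</s:Value><s:Subcode><s:Value>ter:NotAuthorized</s:Value>'
                      '</s:Subcode></s:Code></s:Fault></s:Body></s:Envelope>')
SAMPLE_ONVIF_OPEN = ('<s:Envelope><s:Body><tds:GetUsersResponse><tds:User>'
                     '<tt:Username>admin</tt:Username></tds:User>'
                     '</tds:GetUsersResponse></s:Body></s:Envelope>')


def run_samples() -> dict:
    """Offline walk-through of the classifier on the constructed samples."""
    weak = (rtsp_auth_status(SAMPLE_RTSP_OPEN), onvif_auth_status(200, SAMPLE_ONVIF_OPEN))
    good = (rtsp_auth_status(SAMPLE_RTSP_DIGEST), onvif_auth_status(400, SAMPLE_ONVIF_FAULT))
    return {"weak": weak, "weak_advice": recommend(*weak),
            "good": good, "good_advice": recommend(*good)}


if __name__ == "__main__":
    for k, v in run_samples().items():
        print(k, "->", v)
```

Run it as-is to see the offline classification; for a real check, call `probe_rtsp("192.0.2.10")` (placeholder address) against your own camera and send the GetUsers SOAP body yourself with `http.client`, feeding the status and body to `onvif_auth_status`. An `open` result on either endpoint is the situation described in this thread, and the fix is on the exposure side (local NVR, VPN), not in ODM.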
 

NetEyeD

n3wb
Joined
Apr 30, 2014
Messages
28
Reaction score
2
I've seen this behavior on Tway, Jovision and even Dahua. I heard that the cameras would be set to non-authenticated ONVIF in the firmware, not accessible to the users.
Nice! ...
If this is the case for these cams, then a local NVR and no port forwarding is the only option.
 