CGI SDK no longer functioning on 17r?

rmchapa
Posts: 7
Joined: Tue Oct 03, 2017 5:23 pm

Re: CGI SDK no longer functioning on 17r?

Post by rmchapa »

I really wish I had stumbled upon this thread before buying my camera, I would have purchased a different one. Any word on if Amcrest Development is considering allowing an option to enable basic auth? I am attempting to integrate it into my webCoRE for Smartthings, and they don't have a mechanism for implementing digest auth.
Melvin
Site Admin
Posts: 2210
Joined: Wed Oct 14, 2015 2:20 pm

Re: CGI SDK no longer functioning on 17r?

Post by Melvin »

Hello rmchapa,

The basic authentication was removed for security enhancement. So we are not sure if this will be reintroduced at this point.
Can't find your answer on the forum? Try our Knowledge Base! https://amcrest.zendesk.com/hc/en-us

brbeaird
Posts: 2
Joined: Sat Oct 21, 2017 7:21 pm

Re: CGI SDK no longer functioning on 17r?

Post by brbeaird »

This is ridiculous. Wish I had known about this before I bought my last 2 cameras. Will be returning these to Amazon with a negative review.
rmchapa
Posts: 7
Joined: Tue Oct 03, 2017 5:23 pm

Re: CGI SDK no longer functioning on 17r?

Post by rmchapa »

Melvin wrote: The basic authentication was removed for security enhancement. So we are not sure if this will be reintroduced at this point.
Instead of reintroducing basic auth, can you possibly enable other auth methods? i.e. maybe allow u/p as arguments to the URL, or even as headers.
meisner
Posts: 7
Joined: Mon Dec 25, 2017 9:24 pm

Re: CGI SDK no longer functioning on 17r?

Post by meisner »

Please either supply an example of some web code (php, ajax, java, whatever) that will perform the digest authentication or bring back basic auth!!! I just purchased an IP2M-850E (it was not cheap!!!) to replace some of your failing Foscam cameras (that also were not cheap)...and now I can't integrate this new cam into my web page??? Ugggghhh!! So frustrating.
mephist0pheles
Posts: 2
Joined: Tue Mar 06, 2018 4:05 pm

Re: CGI SDK no longer functioning on 17r?

Post by mephist0pheles »

As far as I can tell this is still broken in 18R. Oddly only for configManager.cgi though. For example snapshot.cgi authenticates well for me with the identical command line:

curl --digest -u admin:mypassword http://192.168.1.80/cgi-bin/snapshot.cgi -o snapshop.jpg

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 83488 100 83488 0 0 91683 0 --:--:-- --:--:-- --:--:-- 1970k

curl --digest -i -u admin:mypassword http://192.168.1.80:80/cgi-bin/configManager.cgi?action=getConfig

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Login to AMC001254ME3F1C0S0",qop="auth",nonce="430041563",opaque="aeb16a4d815afc61e11e7156a0b09f467d323a37"
Connection: close
CONTENT-LENGTH: 0

HTTP/1.1 200 OK
Content-type: text/plain;charset=utf-8
CONNECTION: close
CONTENT-LENGTH: 43

Error
ErrorID=2, Detail=Invalid Request!
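
Added example (not part of the original posts, and not Amcrest's or any poster's code): Python showing how a client builds the Digest Authorization header (RFC 2617, MD5, qop=auth) for the challenge in the 401 response above. The function names and the cnonce handling are this example's own; the user name, password, URL and challenge are the ones quoted in the post.

```python
import hashlib
import re
import secrets

# Challenge copied from the 401 response quoted in the post above.
PAGE_CHALLENGE = ('Digest realm="Login to AMC001254ME3F1C0S0",qop="auth",'
                  'nonce="430041563",opaque="aeb16a4d815afc61e11e7156a0b09f467d323a37"')


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_challenge(header):
    """Split a WWW-Authenticate: Digest value into a dict of its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or token for key, quoted, token in pairs}


def digest_authorization(challenge, method, uri, username, password,
                         cnonce=None, nc=1):
    """Build the Authorization header value for one request (hypothetical helper)."""
    ch = parse_challenge(challenge)
    if ch.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("this example handles algorithm=MD5 only")
    if "auth" not in [q.strip() for q in ch.get("qop", "").split(",")]:
        raise ValueError("this example handles qop=auth only")
    cnonce = cnonce or secrets.token_hex(8)   # fresh client nonce per request
    nc_value = f"{nc:08x}"                    # request counter for this server nonce
    ha1 = md5_hex(f"{username}:{ch['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")          # uri includes the query string
    response = md5_hex(f"{ha1}:{ch['nonce']}:{nc_value}:{cnonce}:auth:{ha2}")
    fields = [f'username="{username}"', f'realm="{ch["realm"]}"',
              f'nonce="{ch["nonce"]}"', f'uri="{uri}"', "qop=auth",
              f"nc={nc_value}", f'cnonce="{cnonce}"', f'response="{response}"']
    if "opaque" in ch:
        fields.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    print(digest_authorization(PAGE_CHALLENGE, "GET",
                               "/cgi-bin/configManager.cgi?action=getConfig",
                               "admin", "mypassword"))
```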
mephist0pheles
Posts: 2
Joined: Tue Mar 06, 2018 4:05 pm

Re: CGI SDK no longer functioning on 17r?

Post by mephist0pheles »

I have contacted Amcrest with the above information and they acknowledge that this looks indeed like a bug. They are trying to fix it in the next firmware release. It does not look like they usually provide hot fixes or patches so we probably just have to be patient for the next firmware release.

To avoid any confusion: this will not reintroduce the basic authentication but it will fix the digest authentication so we all can control the camera(s) via curl and digest auth. For some strange reason this already works for snapshot.cgi and other endpoints but the most important one (configManager.cgi) is not working in 17R and 18R.
jantman
Posts: 33
Joined: Thu May 03, 2018 12:36 pm

Re: CGI SDK no longer functioning on 17r?

Post by jantman »

I just bought two Amcrest cameras on Amazon, my first from this company. One is an IP2M-841B (2.520.AC00.18.R, Build Date: 2017-06-29) and the other is an IPM-723W (2.400.AC02.15.R, Build Date: 2017-07-31).

I'm a software developer by profession, and spent three years at a previous job doing custom development for the network and wireless teams at a very large organization. I chose Amcrest specifically based on the "Amcrest HTTP Protocol API Specifications, Revision 2.12" PDF that I found on their website. Primarily because that document states that they support either basic or digest authentication, and all of the examples show Basic in use.
  1. I know that because of my occupation and interests, my network setup is quite different from most people. I don't want Digest auth. In fact, I don't want Basic auth either. I've installed my cameras on an isolated VLAN (network), and my intent was to have nginx running as a reverse proxy server for authentication for the cameras. Specifically, to allow viewing the cameras with no auth at all on the LAN, and using my existing auth for remote access (2048-bit RSA client certificate authentication, with session-based 2-factor MFA).
  2. While Digest is "more secure" than Basic, it is still NOT considered secure. It's horribly vulnerable to man-in-the-middle (MiTM) attacks, and MD5 is a weak enough hashing algorithm that if an attacker is able to capture the initial Digest authentication challenge (the WWW-Authenticate header on the initial 401 response) they'll certainly gain access. Especially given access to high-end GPUs and FPGAs, it's not terribly difficult to brute force Digest authentication in a few days (or less) if you happen to capture a successful authentication over the wire.
  3. Speaking from the perspective of securing the APIs of public websites that have thousands of attacks a day (which is part of what I do for a living), Basic authentication is still widely deployed, and an almost de-facto standard. The difference, though, is plain HTTP vs HTTPS. If something isn't secured with SSL/TLS (HTTPS), it's not secure. Digest prevents a password from being sent essentially in plaintext (base64 encoding), but it's still trivial to break. The authentication methods in Digest were developed in 1999, and designed to be secure against the attacks of 20 years ago. What would've taken weeks, months or years to crack back then can be done in hours or days now.
  4. The Amcrest devices that I received have the ability to serve over HTTPS, either generating the cert request themselves or uploading a cert and key. If you're the least bit concerned about the security over the network of your camera, set up certs for it. None of the other authentication methods are secure if an attacker can eavesdrop on the traffic.

I applaud Amcrest for taking security seriously and taking steps to improve the security of their devices. However, unfortunately Digest authentication has relatively poor support in clients, proxy servers, etc. and provides relatively little actual security against a moderately knowledgeable attacker compared to Basic. If the security of these devices is a real concern, I think it would be better to make it easier for people to enable TLS (HTTPS), possibly by leveraging LetsEncrypt (a free CA) and the Amcrest DDNS system, and re-enable Basic auth if a valid HTTPS certificate is used.

-Jason Antman
Principal Engineer, Tooling & Automation. Formerly, Wireless & Network Systems Engineer (among many other things).
Doing all sorts of crazy things to anything with an IP address.
http://www.jasonantman.com / http://github.com/jantman
jantman
Posts: 33
Joined: Thu May 03, 2018 12:36 pm

Re: CGI SDK no longer functioning on 17r?

Post by jantman »

I opened a support case about this yesterday. I received a response this morning that stated, in part:

"I am sorry for the bad information you got about our cameras. You are correct, Basic Authentication is no longer supported on our IP Cameras, NVR's and DVR's since latest firmware updates.

"This was an intended decision as our developer decided to move away from Basic Authentication due to major security concern. Our devices will work only on Digest Authentication from now on. We did suggest our product management team and developers to re-enable Basic Authentication as some sort of "optional" feature able to be disabled by the user. However, this suggestion was dismissed."

I've spent a bunch of time over the last three days trying to develop a reverse proxy that strips Digest auth, i.e. handles the auth on behalf of the user and presents a completely unauthenticated proxied view. I've got it working using a simple Python/Flask app, but the performance of MJPEG streaming is quite poor. It's really only useful for snapshots or CGI calls, or for really laggy (~30s behind, and reduced frame rate) MJPEG VGA streams. If that's of interest to anyone, the code is available at https://github.com/jantman/python-amcrest-noauth-proxy
jvaleski
Posts: 2
Joined: Fri Dec 07, 2018 7:46 pm

Re: CGI SDK no longer functioning on 17r?

Post by jvaleski »

2.400.AC02.15.R, Build Date: 2017-07-31

Neither BASIC nor DIGEST works for me.