Mirai infection

zeb
Posts: 11
Joined: Tue Oct 03, 2017 8:59 am

Mirai infection

Post by zeb »

I have been notified by my ISP that my network has attempted a port scan on a honeypot, and they pointed to my IP cameras as the culprits, suggesting an infection with the Mirai botnet. Here are the reports they received, showing the SYN, SYN+ACK and ACK handshakes (82.xx.yy.zz being my static IP address):

BL_PORT_HONEYPOT_BADPORT
{
    "PORT HIT": "82.xx.yy.zz:36651->172.#.#.71:23"
}

BL_PORT_HONEYPOT_BADPORT
{
    "PORT HIT": "82.xx.yy.zz:36596->172.#.#.71:23"
}

BL_PORT_HONEYPOT_BADPORT
{
    "PORT HIT": "82.xx.yy.zz:36554->172.#.#.71:23"
}

I have 2 IP2M-841 cameras I use for surveillance running firmware V2.420.AC00.18.R. Both cameras have strong admin passwords (not the default) and I set port forwarding on my router (Netgear R7000 with up-to-date firmware): 8080 and 8081 for the HTTP part and 37777 and 37778 for streaming the video to the Android app.

Is there anything I missed to secure the cameras further? Do the passwords transit in clear through the network? Could they be intercepted?

Thanks for your help.
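
The honeypot report quoted in the post above can be triaged mechanically. This is an added example, not part of the original post or any ISP tooling: it parses the `PORT HIT` entries (whitespace condensed, masked octets kept as posted) and groups them by destination port. The names `parse_hits`, `summarize` and `TELNET_PORTS` are hypothetical, and treating TCP 23 and 2323 as the Telnet ports Mirai's scanner probes is an assumption of the example.

```python
import re
from collections import defaultdict

# Report text as posted above (addresses are masked by the poster).
REPORT = """
BL_PORT_HONEYPOT_BADPORT
{ "PORT HIT": "82.xx.yy.zz:36651->172.#.#.71:23" }
BL_PORT_HONEYPOT_BADPORT
{ "PORT HIT": "82.xx.yy.zz:36596->172.#.#.71:23" }
BL_PORT_HONEYPOT_BADPORT
{ "PORT HIT": "82.xx.yy.zz:36554->172.#.#.71:23" }
"""

# Assumption: Telnet ports probed by Mirai's scanner (23 and 2323).
TELNET_PORTS = {23, 2323}

# src:port->dst:port; hosts may hold masked octets ("xx", "#"). IPv4 only.
HIT_RE = re.compile(
    r'"PORT HIT"\s*:\s*"([^:"\s]+):(\d+)->([^:"\s]+):(\d+)"')

def parse_hits(text):
    """Return (src, sport, dst, dport) per valid PORT HIT entry."""
    hits = []
    for src, sport, dst, dport in HIT_RE.findall(text):
        sport, dport = int(sport), int(dport)
        if 0 < sport <= 65535 and 0 < dport <= 65535:  # drop bogus ports
            hits.append((src, sport, dst, dport))
    return hits

def summarize(hits):
    """Group hits by (source, destination port) and flag Telnet probing."""
    groups = defaultdict(set)  # distinct source ports = separate attempts
    for src, sport, _dst, dport in hits:
        groups[(src, dport)].add(sport)
    return [{"src": src, "dport": dport, "connections": len(sports),
             "telnet_probe": dport in TELNET_PORTS}
            for (src, dport), sports in sorted(groups.items())]

if __name__ == "__main__":
    for row in summarize(parse_hits(REPORT)):
        print(row)
```

The report only carries the public address of the connection, so it does not by itself show which device behind the router opened it.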
jjreynolds
Posts: 44
Joined: Mon Jan 16, 2017 8:41 am

Re: Mirai infection

Post by jjreynolds »

For my remote port forward access I use https on my 841 camera which should encrypt the password going over the wire. Change the password and reboot and see if the virus goes away, else reset to defaults and reload firmware.
zeb
Posts: 11
Joined: Tue Oct 03, 2017 8:59 am

Re: Mirai infection

Post by zeb »

Thanks. I suppose I need to create a certificate on the HTTPS setup page, using my fixed IP address, install the certificate on the camera and then forward port 443 instead of port 80, am I correct?
zeb
Posts: 11
Joined: Tue Oct 03, 2017 8:59 am

Re: Mirai infection

Post by zeb »

I have created the certificate and can now use HTTPS to connect. Firefox however throws a warning:
The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
I suppose this is because Amcrest root cert is invalid/expired? I can of course bypass the warning and I suppose this is okay as long as I know what I am doing. Still it would be nice if Amcrest could provide a new certificate on their devices and harden security.
zeb
Posts: 11
Joined: Tue Oct 03, 2017 8:59 am

Re: Mirai infection

Post by zeb »

Seems to work fine, at least for the HTTPS part.
But please reassure me: when the Android app connects to the live stream on port 37777, is the password transmitted encrypted? I gather this is separate from the web interface for the camera, so this is also encrypted, isn't it?
jjreynolds
Posts: 44
Joined: Mon Jan 16, 2017 8:41 am

Re: Mirai infection

Post by jjreynolds »

I use the tinyCam app, which doesn't use certs to connect via HTTPS. Using certs ensures the server is who you think it is and prevents man-in-the-middle attacks, and it also uses better encryption. You have to install the public key cert you generated in your browser to avoid the warning. Not sure how the streaming RTSP protocol works with port 554. Hopefully it allows the source IP to connect only after logging on with the HTTPS port.