Is my VERA Plus getting hacked?

Recently I noticed in my Blue Iris (security NVR software running on Windows 7) that I had numerous unknown logins from off-shore IP addresses (all over the world). The logs indicated that they were logging in using my main credentials.

After changing both the username and password, within a few hours, they were back in again. Clearly something was exposing my brand new creds.

I am using my VERA Plus to send wget HTTP commands to my BI server. That get command contains credentials in the URL string:

luup.inet.wget("http://192.168.1.81/admin?camera=MailboxZoom-11&trigger&user=BIUSERNAME&pw=BIPASSWORD",10)

Notice that the URL is a local LAN IP (not an exterior WAN address).

So I once again changed my main UN and PW, but this time, created a new one for the VP (something I should have done in the beginning). The new username was VERA.

Within a few hours, I had this:

10 6/22/2017 6:19:15 PM Server Connected: 188.134.88.67
10 6/22/2017 6:19:16 PM VERA 188.134.88.67: Login
10 6/22/2017 6:19:51 PM Server Connected: 123.151.42.61
10 6/22/2017 6:19:51 PM VERA 123.151.42.61: Login

No more logins on my main credentials. Only on those that I use in the LUUP code (which is fired by my PLEG scripts).

I have no clue how an outsider would be able to view this credential-containing URL given that it’s local - unless it’s being pushed to them by something on the VP, in the MIOS servers, or somewhere else in that chain.

Given that the intrusions are using ONLY the credentials that are in that string - and none of the other credentials used on the BlueIris server, I have to believe the compromise is somewhere in the VERA system.

Any ideas how to best resolve this? For now, I have disabled the VERA credentials on my BI machine, but that’s really crippled my system.

Interesting.

I am doing the same. :-
Cor

Very interested myself. Do you have BI passing through your router to the Internet? If so, are you using a different port instead of 80?

Do you mean port forwarding? Yes, I’m using a different port - the one recommended in the setup (81). I would change that, but I have so many dependencies (family/friends/other BI servers) that regularly log in it would create a nightmare to try and rectify them. Besides, I’m sure these hackers would simply do a port scan to find out which one responds with the apache webservice.

What I need to do is get a bit more proficient in how IPTABLES work so I can have my router block all but known/friendly/domestic IP ranges. That would exclude 99.99% of the threat. It’s too bad the webserver w/in Blue Iris doesn’t have the native capability (like Filezilla FTP server).

Security researchers file this kind of thing under “data exfiltration”. It’s not just your Vera that knows about the password in the URL. Also privy to the URL is your router, the Blue Iris machine itself, and any intervening network switches or (possibly) other devices that have set their Ethernet ports to promiscuous mode.

You can conduct honeypot experiments to narrow down which machines are feeding the data to these external agents. One such experiment to exonerate Vera is: Create a user/password combination on the Blue Iris server and don’t tell Vera about it. Type the URL into a third computer’s web browser. Then wait and see if the Blue Iris server gets a hit from outside the LAN. There are other experiments you can do, all of which involve feeding unique data to individual devices and seeing who else learns about it.

By all means, block the external sites’ login attempts with a firewall on your router. But that may not prevent exfiltration of data from your LAN, and who knows what other data is being leaked?

Let us know how you go.
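The canary experiment described above, as an added example that is not code from this thread, from Blue Iris or from Vera: give each device its own unique Blue Iris login, then scan the Blue Iris log for canary logins that arrive from outside the LAN. It assumes the log layout of the lines posted earlier in the thread, a 192.168.1.0/24 LAN (from the 192.168.1.81 address in the URL), and the constructed canary usernames VERA and CANARY3RD; the sample log lines are constructed apart from the four posted above.

```python
"""Canary-credential check over Blue Iris log lines (added example, assumptions noted inline)."""
import ipaddress
import re
from datetime import datetime

# Which device was told which unique credential. Usernames are assumed/constructed;
# a login by one of these users from outside the LAN implicates that device's path.
CANARY_USERS = {
    "VERA": "Vera Plus (luup.inet.wget)",
    "CANARY3RD": "third computer's browser (never entered into Vera)",
}

# Assumed LAN range, inferred from the 192.168.1.81 address in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Assumed log layout, taken from the lines posted in the thread:
#   "<n> M/D/YYYY h:mm:ss AM/PM <user> <ip>: Login"
# "Server Connected: <ip>" lines deliberately do not match (they carry no user).
LOGIN_RE = re.compile(
    r"^\d+\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\s+Login$"
)


def parse_login(line):
    """Return {'when', 'user', 'ip'} for a Login line, or None for any other line."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return {"when": when, "user": m["user"], "ip": m["ip"]}


def is_external(ip_str):
    """True when the address is neither on the assumed LAN nor otherwise private/loopback."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip in LAN or ip.is_private or ip.is_loopback)


def canary_hits(lines):
    """Map device -> [(when, user, ip), ...] for canary logins seen from outside the LAN."""
    hits = {}
    for line in lines:
        rec = parse_login(line)
        if rec is None or not is_external(rec["ip"]):
            continue
        device = CANARY_USERS.get(rec["user"])
        if device is None:
            continue  # not a canary user; ordinary logins are out of scope here
        hits.setdefault(device, []).append((rec["when"], rec["user"], rec["ip"]))
    return hits


def report(lines):
    """Human-readable verdict per canary device: leaked or not seen externally."""
    hits = canary_hits(lines)
    out = []
    for user, device in CANARY_USERS.items():
        seen = hits.get(device, [])
        if seen:
            ips = ", ".join(sorted({ip for _, _, ip in seen}))
            out.append(f"{device}: LEAKED ({len(seen)} external logins as {user} from {ips})")
        else:
            out.append(f"{device}: no external logins as {user}")
    return "\n".join(out)


# Constructed sample: the four lines posted in the thread plus two made-up LAN logins.
SAMPLE_LOG = [
    "10 6/22/2017 6:19:15 PM Server Connected: 188.134.88.67",
    "10 6/22/2017 6:19:16 PM VERA 188.134.88.67: Login",
    "10 6/22/2017 6:19:51 PM Server Connected: 123.151.42.61",
    "10 6/22/2017 6:19:51 PM VERA 123.151.42.61: Login",
    "10 6/22/2017 6:20:05 PM VERA 192.168.1.20: Login",        # constructed: the Vera itself, on the LAN
    "10 6/22/2017 6:21:30 PM CANARY3RD 192.168.1.30: Login",   # constructed: third computer, on the LAN
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a copy of the real log file (one line per list entry) and add one entry to CANARY_USERS per device you handed a unique credential to; a device whose canary never shows up externally is exonerated for that round, while one that does marks the path to investigate further.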

[quote=“futzle, post:6, topic:196563”]Security researchers file this kind of thing under “data exfiltration”. It’s not just your Vera that knows about the password in the URL. Also privy to the URL is your router, the Blue Iris machine itself, and any intervening network switches or (possibly) other devices that have set their Ethernet ports to promiscuous mode.

You can conduct honeypot experiments to narrow down which machines are feeding the data to these external agents. One such experiment to exonerate Vera is: Create a user/password combination on the Blue Iris server and don’t tell Vera about it. Type the URL into a third computer’s web browser. Then wait and see if the Blue Iris server gets a hit from outside the LAN. There are other experiments you can do, all of which involve feeding unique data to individual devices and seeing who else learns about it.

By all means, block the external sites’ login attempts with a firewall on your router. But that may not prevent exfiltration of data from your LAN, and who knows what other data is being leaked?

Let us know how you go.[/quote]

This is the kind of stuff that just makes me want to completely unplug. What you’re describing is what I’m doing now. I have a set of credentials that I’m using that have never been entered into VERA. 4 hours in, so far, no hits.

As for NICs that are set to promiscuous - is there a way to use a utility to find them? Something like wireshark?

Here’s another test. This test can tell you if the Vera Luup subsystem (LuaUPnP) is sharing your credentials. Log into your Vera over SSH, and use the wget or curl shell commands to invoke the Blue Iris URL with the embedded credentials. This will send exactly the same packets over the network as your luup.inet.wget() call, except that it happens outside of LuaUPnP. If this doesn’t leak the password, but luup.inet.wget() does, then it implicates LuaUPnP.

[quote]As for NICs that are set to promiscuous - is there a way to use a utility to find them? Something like wireshark?[/quote]

Promiscuous mode means that the interface captures packets that are addressed to a third party destination. It is a software-controlled setting so you can’t tell that an interface is promiscuous from outside it. This is how Wireshark can sniff packets that are just passing through. That’s only going to be an issue if you have an Ethernet hub or use Wi-Fi; read on.

Unless you are doing weird things with your network, or have a wireless link in between Vera and the Blue Iris server, you need only worry about devices that are directly between Vera and Blue Iris. The URL you used is a unicast address so the packet containing the password isn’t broadcast except along the most direct path.

If you’re using an Ethernet hub (not a switch), or if you use a Wi-Fi segment, then you are broadcasting packets and you should suspect every other device that is connected to that hub or that is on the same Wi-Fi channel.

Thanks for the guidance.

Last night I checked the log of another BI server at my vacation home. It is wholly separate from the LAN I have at my primary home (no VPN tunnel). I also found an unknown IP address logging in with my admin credentials. But here’s what’s odd… It’s from Washington state, and the ISP/Provider data shows it is a Microsoft BingBot.

It is a LOGIN, not just a connected.

This makes me wonder how much of this panic is chasing ghosts. Is it possible that the BI log gets confused? I’ve noticed on several entries on my primary BI that the login shows the foreign IP, but the log out (with duration matching the total login time) was from my known LAN IP. Strange behavior that puts at least a little doubt on the accuracy of the logs.

In the light of this current thread, I can’t help but re-read this last one again:

http://forum.micasaverde.com/index.php/topic,37242.15.html

My favorite bit is when Z-waver said:

[quote=“Z-Waver, post:3, topic:191927”]Port forwarding is a mistake. It is a mistake for cameras and DVRs, it is a mistake for alarms, it is a mistake for sprinklers, and it is a huge mistake for Vera. It doesn’t matter that there is a login prompt on the web page that you are accustomed to using. Indeed it is possible to configure Vera’s web interface with a password restriction, but there’s little security in doing so. Certainly not enough security to make port forwarding acceptably safe.

IoT devices are a huge risk and should not be port forwarded, in my opinion, ever. Even if you think that sprinklers are not sufficiently important to worry about, you’re failing to realize that the risk goes far beyond just affecting your lawn’s watering schedule. The sprinkler’s controller can become a communication gateway for an attacker to use as a beachhead inside your network which they can then use to reach all devices inside your network. Not to mention using it to attack other people’s networks, send spam or who knows what else. This makes port forwarding not only a risk to your own network but also a problem for everyone else on the internet.[/quote]

and then you said:

[quote=“erkme73, post:6, topic:191927”]I have no problem sacrificing some security in exchange for the liberty of handling my own direct access.

Again, port forwarding, with proper hardware intrusion detection on the NAT makes me more than comfortable enough.[/quote]

I minimize my port-forwarding but I may stop it completely and just use TeamViewer to look at systems and hardware within my LAN. This thread is a little disconcerting.

My router allows me to ban ranges - but I have not looked into it very much. Years ago when I was running a web and FTP server, I saw a lot of attempted log-ins from Asia and Europe, but it was a script of typical usernames and passwords and seemed benign.