Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
- Dynamic
- Posts: 109
- Joined: Friday 12 July 2013 14:50
- Target OS: -
- Domoticz version:
- Location: Enschede
- Contact:
Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
I was watching a repo made by a Dutch website. In the end, they show a Domoticz-installation which they can control without username/password.
Warning for all Domoticz-users: please check your security!
For the developers: maybe it’s good to make Domoticz by default only available with username/password with the need to change it after first login?
Repo: http://www.tubantia.nl/enschede/hele-we ... ~a7e583e6/
-
- Posts: 67
- Joined: Saturday 17 June 2017 12:30
- Target OS: Raspberry Pi / ODroid
- Domoticz version: beta
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
I must say I don't understand why I am still surprised this happens. The webcam is not so interesting, but the fact that you can control someone's home so easily, that is serious. Looking at my own experience and setup, you start with one device and very quickly it expands and you don't review if the security is good enough, although I do have a username and password.
Agree that users of the software need to be aware that a password is a minimal requirement to assure security. Does anyone have some basic tests to assure the setup is secure and protected apart from the basic user/pwd setup?
- Eddiever
- Posts: 105
- Joined: Thursday 27 April 2017 20:32
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.1
- Location: The Netherlands (Hoogeveen)
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
I did not do a port forwarding in my router, thus my domoticz is unavailable from the outside. Or am I wrong?
- Eddiever
- Posts: 105
- Joined: Thursday 27 April 2017 20:32
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.1
- Location: The Netherlands (Hoogeveen)
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
And how can I disable the access from the outside world? Like I said, no port forwarding in my router. So how can they access my domoticz server?
-
- Posts: 550
- Joined: Tuesday 17 June 2014 22:14
- Target OS: NAS (Synology & others)
- Domoticz version: 4.10538
- Location: NL
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Huh? How can someone from outside have access when no port forwarding is configured?
SweetPants wrote: ↑Monday 11 September 2017 22:02
Wrong, when configuring port forwarding, you open up a port from the outside. If not using HTTPS or certificates, everybody can access your domoticz system
Synology NAS, slave PI3, ZWave (Fibaro), Xiaomi zigbee devices, BTLE plant sensor, DzVents, Dashticz on tablet, Logitech Media Server
- Egregius
- Posts: 2582
- Joined: Thursday 09 April 2015 12:19
- Target OS: Linux
- Domoticz version: v2024.7
- Location: Beitem, BE
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
They can't, don't worry.
Without port forwarding you're 100% safe.
With port forwarding you must set a good user/password combo and only use https. On top of that use fail2ban to block failed login attempts immediately.
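A minimal self-check for the two requirements named in the reply above (a login is required, and only https is used), added here as an example; it is not part of the forum thread or of Domoticz. It assumes `/json.htm?type=devices&used=true` is an API path that needs a login on a protected install, and it is meant to be run against your own address from outside your LAN.

```python
import json
import ssl
import urllib.error
import urllib.request

# Assumption: an API path that must not answer without a login on a protected install.
API_PATH = "/json.htm?type=devices&used=true"


def assess(url, status, body):
    """Classify one unauthenticated response; returns a list of finding codes."""
    findings = []
    if url.lower().startswith("http://"):
        # Password and session cookie would cross the internet unencrypted.
        findings.append("plain-http")
    if status in (401, 403):
        return findings  # the server asked for credentials, as it should
    if status == 200:
        try:
            answered = json.loads(body).get("status") == "OK"
        except (ValueError, AttributeError):
            answered = False  # not API JSON, e.g. an HTML login page
        if answered:
            # The API returned data although no username/password was sent.
            findings.append("no-auth")
    return findings


def probe(base_url, timeout=5):
    """Request API_PATH without credentials and classify the answer."""
    url = base_url.rstrip("/") + API_PATH
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # home installs often use a self-signed
    ctx.verify_mode = ssl.CERT_NONE  # certificate; we only test reachability/auth
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return assess(url, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess(url, err.code, "")
    except (urllib.error.URLError, OSError):
        # Nothing answered: this address/port is not exposed from where you tested.
        return ["unreachable"]
```

Call `probe("https://your-own-address:port")` from a connection outside your home network, such as a phone hotspot; an empty list or `["unreachable"]` is the result you want.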
- Eddiever
- Posts: 105
- Joined: Thursday 27 April 2017 20:32
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.1
- Location: The Netherlands (Hoogeveen)
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Thanks again Egregius, now I can sleep
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Click bait title. They bring it as "news"? Specific install of whatever software can be vulnerable. Those cameras are listed on websites for years, using default login names and passwords. TU students are surprised?? Am I missing something?
- Eddiever
- Posts: 105
- Joined: Thursday 27 April 2017 20:32
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.1
- Location: The Netherlands (Hoogeveen)
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
No click bait title. Just a warning to "less" good users of Domoticz because it shows in the video that they did have access to a domoticz server in the place Almelo (which user of this forum is from Almelo and hasn't secured his/her server?). Grateful to topic starter!
-
- Posts: 708
- Joined: Saturday 27 February 2016 12:49
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2020.2
- Location: NL
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
I have a port forwarded in the router, and I use a userid/pw to protect the user interface.
When I change the PW, I see that I need to logon with that new pw.
But once logged on, I can close/restart the browser without the need to log on. And I don't see a way to logoff...
Am I missing something?
Edit: there is a logout button. But how can I force a logout when I close the browser?
Also, how can I switch on https?
Hans
-
- Posts: 550
- Joined: Tuesday 17 June 2014 22:14
- Target OS: NAS (Synology & others)
- Domoticz version: 4.10538
- Location: NL
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
I do not know about the logout, sorry
manjh wrote: ↑Monday 11 September 2017 22:35
I have a port forwarded in the router, and I use a userid/pw to protect the user interface.
When I change the PW, I see that I need to logon with that new pw.
But once logged on, I can close/restart the browser without the need to log on. And I don't see a way to logoff...
Am I missing something?
Edit: there is a logout button. But how can I force a logout when I close the browser?
Also, how can I switch on https?
You can configure port forwarding for (only) your https port
Synology NAS, slave PI3, ZWave (Fibaro), Xiaomi zigbee devices, BTLE plant sensor, DzVents, Dashticz on tablet, Logitech Media Server
- Dynamic
- Posts: 109
- Joined: Friday 12 July 2013 14:50
- Target OS: -
- Domoticz version:
- Location: Enschede
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
This topic was not meant to be clickbait. I just wanted to warn other users about unsafe Domoticz-installations.
-
- Posts: 625
- Joined: Thursday 02 October 2014 6:36
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.2
- Location: Geleen
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Basically, as long as you are connected to the internet, you are never 100% safe.
But indeed, without port-forwarding you are a lot safer.
-
- Posts: 667
- Joined: Wednesday 08 March 2017 9:42
- Target OS: Linux
- Domoticz version: 3.8993
- Location: Amsterdam
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Thanks for the post. Checked my system. Removed the http forwarding and left https.
Already had a good username and password. (Use 1password to generate 20-character passwords)
Would be nice if Domoticz added 2-way authentic verification
RPi3 B+, Debian Stretch, Domoticz, Homebridge, Dashticz, RFLink, Milight, Z-Wave, Fibaro, Nanoleaf, Nest, Harmony Hub, Now try to understand pass2php
-
- Posts: 708
- Joined: Saturday 27 February 2016 12:49
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2020.2
- Location: NL
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Where did you do this? I checked my router, the only choices I have are TCP or UDP!
Hans
-
- Posts: 625
- Joined: Thursday 02 October 2014 6:36
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.2
- Location: Geleen
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
http is TCP over port 80 (normally)
-
- Posts: 667
- Joined: Wednesday 08 March 2017 9:42
- Target OS: Linux
- Domoticz version: 3.8993
- Location: Amsterdam
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
I removed the forwarding in my TimeCapsule (Router)
RPi3 B+, Debian Stretch, Domoticz, Homebridge, Dashticz, RFLink, Milight, Z-Wave, Fibaro, Nanoleaf, Nest, Harmony Hub, Now try to understand pass2php
-
- Posts: 625
- Joined: Thursday 02 October 2014 6:36
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 2022.2
- Location: Geleen
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
And if you use https on Domoticz, use some obscure port for forwarding, like 23456 or so.
-
- Posts: 37
- Joined: Sunday 24 July 2016 21:51
- Target OS: Raspberry Pi / ODroid
- Domoticz version: beta
- Location: the Netherlands
- Contact:
Re: Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!
Why not use a VPN connection?
Raspberry PI 3, raspbian, ZwaveMe, RFLink