Webcam Security – Guide to keep the hackers out.

I’m sure you have read about the hackers and malware that are accessing people’s webcam and spying on them. We’ll here are my tips to make it as hard as possible for them to succeed.

PfsenseThe first thing you need to do is use a decent firewall. I hear you saying now, oh yeah just buy a firewall? We’ll actually you can make your own for free. I use PfSense, a popular open source network security solution. All you need is an old PC, and 2 NIC’s ( Network Interface Cards ) you can get them on Amazon for £5 easily.

There are plenty of guide out there showing you how to setup PfSense , so you can follow those, but we want to use it to secure our webcam’s, right ?

The first golden rule on webcam security is, DON’T MAKE IT FREELY ACCESSIBLE ON THE INTERNET. 
The second golden rule is DO  NOT USE DEFAULT USERNAMES AND PASSWORDS! EVER!
This doesn’t mean you can access it when you are away from home, just means to have to do it differently, safely.

So we have to set-up the IP camera to be accessed locally on the LAN.webcam

So my IP Cameras are on my network lets say 192.168.1.3 is the ip address. I can only access this when i am at home,  right? Wrong!
This is where a VPN comes in and if your using PfSense, that has a built in VPN Server!

You need to setup PfSense to act as a VPN Server, and set a firewall rule to allow access from the VPN to the LAN.

This is how I set-up my access to all my internal stuff when I am out and about. I use OpenVPN on my mobile and this allows me to connect back to the correctly configured PfSense box via the VPN which uses a AES-256-CBC cipher (Generally seen as highest level security, and used for top secret communications by the US government. Tends to be the slowest of all the ciphers evaluated. Theoretically provides protection against quantum computing which doesn’t quite exist just yet) and SHA512 Authentication. If you have chosen a decent password anyone trying to crack it with a normal computer will have dissipated into nothingness as part of the heat death of the universe before it finishes cracking that password 🙂 If the NSA or QCHQ are having a go, they probably just plant malware somewhere else and bypass all the hard work of cracking.

So accessing your home webcam via a secured VPN hosted at your own home, is the safest way to go! This VPN solution should also be used when you are using public WiFi, don’t want someone with Metasploit running a MITM attack and reading all your juicy data flowing over the network. VPN as much as you can.

The other thing you need to do is set-up the firewall rules correctly.
NAT

I have setup my camera’s to allow traffic on ports 5**1 and 5**2.
I have also locked it down that it can only be accessed from a specific IP range.
*2.**2.0.0/16
Anyone else not on that range, will not be able to access the camera’s even if they had the correct external WAN address.

So to get to the camera from outside the network they need:-

1 .External gateway
2. Need to be on a specific IP range
3. Need to know the ports ( a scan wont work as I am running SNORT and this will block their connections )
4. Username and Password of the web cameras, both have different logins.

 

 

 

This is the best way to keep your web cameras safe and be able to access them remotely.

Even if you do not use web cameras / IP Cameras, i suggest setting up PfSense or getting someone to do it for you as a bare minimum to your home security setup.

If you want to know more about PfSense then please let me know and I will add more information for you. Might even do another tutorial if its requested.