News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: Are You Using And Accessing Your IP Cameras Securely?  (Read 9750 times)

  • ***
July 17, 2014, 10:55:32 am
Any IP Camera owner can optionally easily get and use All my many different IP Camera examples bundled together with one hour of one-on-one support to implement them. Save Time and Money Click Here!

Complete List With Links To All Live IP Camera Example Demos:

http://107.170.59.150/

1. Please verify that your IP Camera has the most current firmware installed in it. It should be noted that while you may think since your IP Camera is working ok that it's OK to not upgrade to the most current firmware release for your IP Camera.

Sadly. Nothing could be farther from the truth. Many IP Camera firmware releases include security vulnerability FIXES that have been fixed. So if you don't install the most current firmware releases for your IP Cameras you expose your IP Cameras to those that look and prey on IP Cameras still having those security vulnerabilities which have not been fixed.

2. If you access your IP Cameras from time to time over insecure Internet connections or display your IP Cameras in web pages you may wish to peek at what you could be exposing about your IP Camera, while doing do here:

http://foscam.us/forum/showing-secure-methods-using-php-to-display-your-ip-cameras-t8721.html

3. If your IP camera has the ability to be accessed using HTTPS secure methods vs. HTTP unsecure methods. You may wish to think about NOT port forwarding your HTTP port for your IP Camera and instead only port forwarding your HTTPS port for your IP Camera. While technically you could still potentially be exposed to a man-in-the-middle attack over a unsecure Internet connection it's still much better to communicate with your IP Camera remotely using HTTPS access methods vs. HTTP access methods when possible.

4. Sadly. Many IP Camera owners never take the time to check, see and learn what information can be or is exposed, when accessing their IP Cameras remotely.

While this may at first seem trivial and you may think if you ever notice any abuse of your IP Camera, by others. That you will simply at that time, change the password for your IP Camera and all will be back to normal.

The bitter truth is. If you as an example exposed a Admin User Level Id and Password for that Admin User Level Id for your IP Cameras over a unsecure Internet connection while accessing your IP Camera remotely. It's possible that any Email and/or FTP User credentials stored in your IP Cameras configuration data can be accessed and exposed by others using that Admin Logon to your IP Camera. Potentially causing you to lose control of those accounts. Not simply your IP Camera.

Issues like this apply to any device you may access remotely from unsecure Internet connections that may contain sensitive data in that devices configuration data. So this is not limited to IP Cameras.

Don
« Last Edit: January 20, 2015, 03:11:44 am by TheUberOverLord »

  • No avatar
  • *
August 26, 2014, 08:35:02 am
Does this really Do you have a summary of this came from.

  • ***
August 26, 2014, 02:42:07 pm
Does this really Do you have a summary of this came from.

The summary can be found by using the link in the original post.

Don

  • No avatar
  • *
November 21, 2014, 02:52:17 am
your Item is beautiful. where are you buy that?? I want it very much.

  • ***
December 28, 2014, 09:25:48 am
your Item is beautiful. where are you buy that?? I want it very much.

Any IP Camera owner can optionally easily get and use All my many different IP Camera examples bundled together with one hour of one-on-one support to implement them. Save Time and Money Click Here!

Don

  • ***
January 06, 2015, 09:26:31 pm
It's important to note that this interface is dual purpose. It can be used to securely access your IP Cameras for personal use as well as in webpages on websites for public access securely by others. Using HTTP or HTTPS access modes even for IP cameras that don't support HTTPS. Never exposing any information about your IP cameras DDNS, ISP IP Address, Port or User credentials.

The Interface works with all IP Camera models and works with and is compatible with any Internet browser capable device from Computers to Tablets and Phones to TVs. Allowing you to use it with all your devices and/or anyone viewing your websites using any of their devices.

Here is an example of adding an optional transparent .png image for a help button that can be merged with your IP Cameras images. Which you can also make clickable as your IP Cameras images are being displayed in real-time. Both for static and automatic refreshing real-time images from your IP Cameras:



Live example below of the IP Camera used above. Using automatic real-time refreshed images from the same IP Camera. Once you use the link below. When you click on the "Help" button area you are taken to the first post here. Any other area in the IP Cameras image is not clickable:

http://107.170.59.150/ok/SecureImageDisplay.htm

The IP Camera being used above is a Foscam FI8904W. Which is a MJPEG based IP Camera that does not natively support HTTPS access methods. This Interface allows both HTTP and HTTPS access methods to be used with any IP Camera.

The server providing the HTTPS example below using the same IP Camera as above. Is using a self-signed certificate for demonstration purposes. So you will see a warning message because of that, when using the link below:

https://107.170.59.150/ok/SecureImageDisplay.htm

If you view the HTML source code for the above examples. You will see that absolutely nothing is exposed about the IP Camera being used in the examples. No DDNS, no ISP IP Address, no Port or User credentials are exposed or made known. Making the use of this Interface for private and public use to access your IP Cameras. Totally secure.

The Interface itself is also protected from direct use as well. Example:

http://107.170.59.150/ok/SecureImageDisplay.php

Restricting how and where the interface can be used from. The Interface also supports forcing the username and password of your choice in order to access the Interface as an option. With as many IP Cameras being displayed at the same time as you choose.

This specific image used in these examples shown here for the help button, is in the public domain and is free to use and can be found, edited, resized and/or downloaded there. All at the same website below:

https://openclipart.org/detail/109645/help-button-by-jhnri4

Just wanted to give you some idea of how easy it is to find/locate images in the public domain that can be used to merge with your real-time IP Cameras images. Without any need or requirement to be a graphics artist. Which you can also make clickable, if you desire or to simply use as a watermark or logo.

Complete details about all the abilities of this totally secure Interface for your IP Cameras ("Which are many"), can be found here:

http://foscam.us/forum/topic8721.html

Don
« Last Edit: January 08, 2015, 08:51:22 am by TheUberOverLord »

  • ***
January 14, 2015, 01:02:45 pm
Note: Images can be any size. Some smaller images are used for some demonstrations here.

New Live Demonstrations have been added for Hikvision and Panasonic IP Cameras here:

http://107.170.59.150/Hikvision/ Small Images For Demonstration.

http://107.170.59.150/Hikvision/AllHikvisionWithZoom.htm Global and Individual Zoom For All Hikvision Demo Cameras. Zoom % is configurable.

A unique logon and password can also be required to access one or more IP Cameras if you wish as well. Example:

http://107.170.59.150/Hikvision/SecureImageDisplayLogin.php User: admin Password: admin

As with the other demonstrations they can also use HTTPS access methods. The server hosting the demos is using a self-signed certificate so you will see warnings when using the link below:

https://107.170.59.150/Hikvision/ Small Images For Demonstration.

https://107.170.59.150/Hikvision/AllHikvisionWithZoom.htm Global and Individual Zoom For All Hikvision Demo Cameras. Zoom % is configurable.

A unique logon and password can also be required to access one or more IP Cameras if you wish as well. Example:

https://107.170.59.150/Hikvision/SecureImageDisplayLogin.php User: admin Password: admin

These methods can be used with communicating to the IP Cameras directly or via their iVMS/NVR/DVR as well.

Don
« Last Edit: January 20, 2015, 12:58:03 am by TheUberOverLord »

  • ***
January 20, 2015, 03:12:17 am
Complete List With Links To All Live IP Camera Example Demos:

http://107.170.59.150/

Don

  • ***
May 04, 2015, 03:29:24 pm
Here is live working example using one IP Camera with the clickable images and logos option for this Interface enabled. That after 10 IP Camera images are displayed. A "Resume" button is displayed and must be clicked to continue.

This can help to limit bandwidth while staying on the same web page vs. jumping to another web page after a specified time period has elapsed. Which was the only option to help limit bandwidth prior to this new option.

Since this method is not based on time. It makes sure that whatever a web page visitors Internet bandwidth speed is will not impact the amount of images being displayed before a "Resume" button is presented:

http://107.170.59.150/FI9805WBandwidth.htm

1. The above allows 10 images from the IP Camera to be displayed. It does not matter if that takes 2 seconds, 2 minutes or 2 hours to display those 10 images from the IP Camera.

In the example above. Once 10 images from the IP Camera are displayed. A button prompting to resume is displayed and when clicked on. The button then disappears and then 10 more images from the IP Camera are displayed. A button prompting to resume is displayed and when clicked on. The button then disappears and then 10 more images from the IP Camera are displayed.

This would continue forever. However the example above will go to a different web page after two minutes no matter how few or many times the resume button is clicked on. Effectively combining both the old and the new bandwidth limiting options this Interface supports. The example code below, does not included the jump to another web page after two minutes, additional logic. You can review the HTML source code of the link above to see that. If needed.

Of course you most likely want more than 10 images from the IP Camera to be displayed for each web page visitor viewing your IP Camera before displaying the button to resume.

So to change that, then you need to change the value of:

var maxCameraImages = 10;

To some other value other than 10. It should be noted that since this covers all IP Cameras on the same web page. The more IP Cameras you display on the same webpage you should increase the value of maxCameraImages based on the number of IP Cameras being displayed in the same web page.

So if you wanted roughly 10 images per IP Camera to be displayed for 5 IP Cameras being displayed on the same web page before a resume button was displayed. Then this would be the correct value for maxCameraImages:

var maxCameraImages = 50;

I say roughly. Because some IP Cameras may respond slower than the other IP Cameras on the same web page. So in the above example with 5 different IP Cameras being displayed on the same web page. After a total of 50 images for any IP Cameras were displayed, Then the resume button would display.

The JavaScript variable delayBetweenImages located in the <head> section of the HTML. Is used to control any delays/wait time, before requesting new images from the IP Camera after the last image has been displayed for the IP Camera. Which the example has this value set to 10 Milliseconds or 10/1000 of a second.

The JavaScript variable delayBetweenImagesOnError located in the <head> section of the HTML. Is used to delay a request for a new image from the IP Camera when there was an error trying to get the last image from the IP Camera. The example has this value set to 5000 Milliseconds or 5 seconds.

You can change both the values of these variables to suit your own needs.

The JavaScript variable currentCameraImages located in the <head> section of the HTML. Should be set to the number of IP Cameras being displayed in the web page in both places where it's being used in the <head> section of the HTML. So, if only one IP Camera is being displayed on the web page then it should be currentCameraImages = 1; Whereas if 5 IP Cameras were being displayed in the same web page then it should be set to currentCameraImages = 5; Again in both places where it's being used in the <head> section of the HTML web page.

2. The custom code is where it should be. On the client side, in the HTML/JavaScript of the browser being used to view the IP Camera(s).

3. This resume button logic should not be about time and should be about bandwidth instead. Because it's really all about not allowing someone to use up bandwidth by say accidentally or on purpose, minimizing a browser window which could be viewing the cameras forever. Wasting bandwidth. While still staying on the same web page.

It should be noted that this Interface always supported a timeout option that when a specific timespan was reached this Interface could jump to another web page.

These are just other methods to deal with the same thing. But not by jumping to another web page when that maximum numbers of IP Camera images have been displayed or a timespan is reached and instead staying on the same web page and adding a resume button that requires it to be clicked on, before continuing to display IP Camera images on the web page.

Example: Why using timespan for a resume button is a bad idea. A web page visitor with a slow Internet connection will still be able to view as many images from the IP Cameras as someone who has a fast Internet connection before seeing the resume button. This might not be the case if the resume button was based on a timer of how long the web page visitor was viewing the web page.

Because of #3. The example logic is set to a maximum number of IP Camera images being displayed before a resume button is displayed to continue and not based on how long the web page visitor has been viewing the web page.

There are four sections of custom code that need to be added to the client side HTML/JavaScript in the web page displaying your IP Cameras using this Interface and this resume button feature:

A. In the HEAD section of the HTML the following needs to be added:

Code: [Select]
<head>
<script type="text/javascript">
var delayBetweenImages = 10;
var delayBetweenImagesOnError = 5000;
var maxCameraImages = 10;
var currentCameraImages = 1;
function resetBandwidth()
{
   document.getElementById('BandWidthExceeded').style.display = 'none';
   document.getElementById('BandWidthExceeded').style.visibility = 'hidden';
   currentCameraImages = 1;
   document.getElementById("ourcam1").src = document.getElementById("ourcam1").src.substring(0, (document.getElementById("ourcam1").src.lastIndexOf("t=")+2))+(new Date()).getTime();
}
function checkBandwidth(ipCamera, error)
{
   if (currentCameraImages >= maxCameraImages)
   {   
       document.getElementById('BandWidthExceeded').style.display = 'block';
       document.getElementById('BandWidthExceeded').style.visibility = 'visible';
   } else {
       currentCameraImages++;
       if (!error)
           setTimeout(function() {ipCamera.src = ipCamera.src.substring(0, (ipCamera.src.lastIndexOf("t=")+2))+(new Date()).getTime()}, delayBetweenImages);
       else
           setTimeout(function() {ipCamera.src = ipCamera.src.substring(0, (ipCamera.src.lastIndexOf("t=")+2))+(new Date()).getTime()}, delayBetweenImagesOnError);
   }
}
</script>
</head>

A line like the below lines. In the function resetBandwidth above. Needs to be present for each IP Camera being displayed in the same web page. So, if you had five IP Cameras being displayed in the same web page then you would need one line for each IP Camera:

Code: [Select]
document.getElementById("ourcam1").src = document.getElementById("ourcam1").src.substring(0, (document.getElementById("ourcam1").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam2").src = document.getElementById("ourcam2").src.substring(0, (document.getElementById("ourcam2").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam3").src = document.getElementById("ourcam3").src.substring(0, (document.getElementById("ourcam3").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam4").src = document.getElementById("ourcam4").src.substring(0, (document.getElementById("ourcam4").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam5").src = document.getElementById("ourcam5").src.substring(0, (document.getElementById("ourcam5").src.lastIndexOf("t=")+2))+(new Date()).getTime();

B. The HTML IMG tag needs to have a unique id for each IP Camera being displayed, in the same web page. So, if you had five IP Cameras being displayed in the same web page then you would need one line for each IP Camera:

Code: [Select]
<img id="ourcam1" src="" onload='checkBandwidth(this, 0)' onerror='checkBandwidth(this, -1)' alt='' />
<img id="ourcam2" src="" onload='checkBandwidth(this, 0)' onerror='checkBandwidth(this, -1)' alt='' />
<img id="ourcam3" src="" onload='checkBandwidth(this, 0)' onerror='checkBandwidth(this, -1)' alt='' />
<img id="ourcam4" src="" onload='checkBandwidth(this, 0)' onerror='checkBandwidth(this, -1)' alt='' />
<img id="ourcam5" src="" onload='checkBandwidth(this, 0)' onerror='checkBandwidth(this, -1)' alt='' />

C. The JavaScript below the HTML IMG TAG(s) need to have one unique line per IP Camera being displayed, in the same web page. So, if you had five IP Cameras being displayed in the same web page then you would need one line for each IP Camera:

Code: [Select]
<script language="javascript" type="text/javascript">
document.getElementById("ourcam1").src = "SecureImageDisplay1.php?t=" + (new Date()).getTime();
document.getElementById("ourcam2").src = "SecureImageDisplay2.php?t=" + (new Date()).getTime();
document.getElementById("ourcam3").src = "SecureImageDisplay3.php?t=" + (new Date()).getTime();
document.getElementById("ourcam4").src = "SecureImageDisplay4.php?t=" + (new Date()).getTime();
document.getElementById("ourcam5").src = "SecureImageDisplay5.php?t=" + (new Date()).getTime();
</script>

D. You need to place this in the HTML where you wish the button to appear for resuming getting images from the IP Cameras:

Code: [Select]
<div id ="BandWidthExceeded" align="center" style="display:none;visibility:hidden">
<button type="button" onTouchStart="resetBandwidth()" onMouseDown="resetBandwidth()">Click To Resume</button>
</br></br>
</div>

Optionally. You can instead of using A. above. Use this for a time based resume button. You will still need to also do B., C. and D. from above as well. Place the below In the HEAD section of the HTML instead of A.

The example below will display the resume button 10 seconds after a web page visitor visits the web page. To change that timespan you will need to change both values below of 10000 Milliseconds to the value of your choice:

Code: [Select]
<head>
<script type="text/javascript">
var delayBetweenImages = 10;
var delayBetweenImagesOnError = 5000;
var maxCameraImages = 10;
var currentCameraImages = 0;
setTimeout(function(){currentCameraImages = maxCameraImages}, 10000);
function resetBandwidth()
{
   document.getElementById('BandWidthExceeded').style.display = 'none';
   document.getElementById('BandWidthExceeded').style.visibility = 'hidden';
   currentCameraImages = 0;
   setTimeout(function(){currentCameraImages = maxCameraImages}, 10000);
   document.getElementById("ourcam1").src = document.getElementById("ourcam1").src.substring(0, (document.getElementById("ourcam1").src.lastIndexOf("t=")+2))+(new Date()).getTime();
}
function checkBandwidth(ipCamera, error)
{
   if (currentCameraImages >= maxCameraImages)
   {   
       document.getElementById('BandWidthExceeded').style.display = 'block';
       document.getElementById('BandWidthExceeded').style.visibility = 'visible';
   } else {
       if (!error)
           setTimeout(function() {ipCamera.src = ipCamera.src.substring(0, (ipCamera.src.lastIndexOf("t=")+2))+(new Date()).getTime()}, delayBetweenImages);
       else
           setTimeout(function() {ipCamera.src = ipCamera.src.substring(0, (ipCamera.src.lastIndexOf("t=")+2))+(new Date()).getTime()}, delayBetweenImagesOnError);
   }
}
</script>
</head>

A line like the below lines. In the function resetBandwidth above. Needs to be present for each IP Camera being displayed in the same web page. So, if you had five IP Cameras being displayed in the same web page then you would need one line for each IP Camera:

Code: [Select]
document.getElementById("ourcam1").src = document.getElementById("ourcam1").src.substring(0, (document.getElementById("ourcam1").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam2").src = document.getElementById("ourcam2").src.substring(0, (document.getElementById("ourcam2").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam3").src = document.getElementById("ourcam3").src.substring(0, (document.getElementById("ourcam3").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam4").src = document.getElementById("ourcam4").src.substring(0, (document.getElementById("ourcam4").src.lastIndexOf("t=")+2))+(new Date()).getTime();
document.getElementById("ourcam5").src = document.getElementById("ourcam5").src.substring(0, (document.getElementById("ourcam5").src.lastIndexOf("t=")+2))+(new Date()).getTime();

You can also view the HTML source code of the working example which is using one IP Camera as well. If needed:

http://107.170.59.150/FI9805WBandwidth.htm

Additionally. If you are worried about bandwidth abuse? You should also use this Interfaces optional protection from others trying to point to your copy of Interface in their own HTML/HTML JavaScript on their private devices or their web pages. The example below has this protection enabled and is a copy of the above link:

http://107.170.59.150/FakeFI9805WBandwidth.htm

As you can see. This feature that the Interface optionally supports protects you from people who are trying to link to the Interfaces SecureImageDisplay.php on your website using their own HTML and/or web pages.

You can review the above examples HTML source and see that it's no different then the real web page below:

http://107.170.59.150/FI9805WBandwidth.htm

You can test your copy of the Interface to see if anyone could do this by simply trying to access SecureImageDisplay.php on your website from the browser window of your choice. Example:

http://107.170.59.150/SecureImageDisplayFI9805W.php

If you can see your IP Camera while doing that. Then others can do the same. They could create their own HTML/JavaScript and view your IP Camera as long as they wish. Using excessive bandwidth while doing so.

So, you should enable the optional feature that the interface has which the above two examples are using.

Another feature which you can use with this Interface is to not allow your web page to be displayed inside another web page as an IFRAME in that web page. This will also help protect you from bandwidth abuse.

All that needs to be done to protect you from that happening is to add this JavaScript in the <head> section of your web page using the Interface to display your IP Cameras:

Code: [Select]
if (window.top !== window.self) window.top.location.replace(window.self.location.href);

You can view the HTML source of this working example to see that the above line is present in the working example as well:

http://107.170.59.150/FI9805WBandwidth.htm

Don