2

I'm a bit new to the raspberry pi. Currently, I have a raspberry pi cam using motion to stream live video to a local HTTP address. It can only be accessed locally in my home network. I read some articles which said I need to enable port forwarding if I want to enable global access to my raspberry pi cam over the internet. However, I realize there are a lot of security risks. I was wondering if someone could explain what these security risks are and how I could fix them.

Ajay
  • 51
  • 1
  • 3

1 Answers1

2

The motion package needs a couple of ports open, a web-control port and one or more streaming ports. It looks like the defaults are 8080 for web control and 8081, 8082, etc. for streaming. Port forwarding will forward a port on your edge router to the corresponding port on the Pi running motion.

Do not believe that 'they' will not find your open ports, even if you use ports other than the defaults; there are many port scanning tools available, and the people you should worry about know about and use those tools. Security by obscurity does not work.

The most obvious risk is that your camera stream will be visible to people you don't know. The motion package uses HTTP by default, but can be configured to use HTTPS (see this answer), and HTTP basic authentication by default. That means the password is sent as plain text with every authenticated HTTP transaction. If the Pi running motion is connected to your router using WiFi, then anyone close enough to receive your WiFi signal can potentially sniff the password, depending on how and whether the WiFi signal is encrypted.

A probably greater threat is password-guessing. An adversary who can either sniff or guess your password can control your motion installation. The documentation for motion says:

Anyone with access to the remote control port (http) can alter the values of options and save files anywhere on your server with the same privileges as the user running Motion. They can execute any command on your computer with the same privileges as the user running Motion. Anyone can access your control port if you have not either limited access to localhost or limited access using firewalls in the server.

Note that WPA encryption on your WiFi and configuring TLS (HTTPS) will mitigate password sniffing, but not password guessing.

Another potential threat is that may be are errors in the motion software that allow access to the file system or elevation of privileges. Once an adversary is 'in' your system, they can use it as a base to attack anything else on your local network, even devices to which you have not opened ports. They can also attack other systems outside your network, and those attacks will come from your router's pubic IP address. An 'attack' could be as simple as downloading copyrighted matter, which your ISP might detect and penalize. It could be as severe as attacking a military facility; even if such an attack is unsuccessful, the evidence will point at you.

Those are at least some of the risks. You can't 'fix' them, but you may be able to mitigate at least some of them. My own advice would be not to do this unless you have a compelling reason.

  • Do not run motion as user pi, which can run sudo without a
    password, and never as user root.
  • Use a random password generated by software you trust, such as a password manager program, and make it a long one.
  • Turn off port forwarding when you don't need it.
  • If your router has a 'guest network' provision, put the Pi running motion there, rather than on the same network with the rest of your stuff.
  • "Harden" the Pi by removing any software not needed by motion.

I'm sure there are things you can do that I haven't mentioned. Doing the things I have mentioned will reduce, but not eliminate, the risk.

Edit: Also see this answer

Bob Brown
  • 1,037
  • 8
  • 12
  • Hey thanks for the response. Whats the point of creating a random password if people can sniff it if they are close to my home wifi – Ajay Mar 22 '20 at 18:51
  • @Ajay Depending on how your WiFi is encrypted, that may provide a layer of protection. Also, everyone in the world can hammer on that control page, not just those who are close by. – Bob Brown Mar 22 '20 at 18:55
  • 1
    Thank you for this complete response. As you said, "The motion package uses HTTP, not HTTPS, and HTTP basic authentication.", are you sure about it? After motion version 4.1.1, it's possible to enable the Stream_TLS option on the configuration file and it's going to work on HTTPS. The default version of motion on the Raspbian is 4.1.1 and you can install a newer version with other approaches except apt. Also, it has an option that you can enable MD5 Authentication. --> – M. Rostami Mar 22 '20 at 22:21
  • 1
    <-- I know, MD5 is not secure enough but it's better than a plain-text authentication. I addition, please check my answer which is about increasing motion security and please if there is mistakes, shows me them. – M. Rostami Mar 22 '20 at 22:21
  • @M.Rostami Regarding HTTPS, no, I'm not sure; thank you. I based that off documentation found here: https://motion-project.github.io/ I'm not sure what TLS buys one on the streaming port. I see from your other answer that it could be enabled on the control port, which is the important one. Yes, MD5 is an improvement, especially if TLS isn't available on the control port. I'd still worry about password-guessing and the potential for errors in the motion software. – Bob Brown Mar 22 '20 at 22:33
  • 1
    There is no need to using the web control page. It's a dump tool (I appreciate what the motion team has done but It may originate to me because I don't know the usage of that). However, I always disable the web control option on the configuration file. -- "errors in the motion software", Yes. there is a lot of security concentration here. -- I believe if someone intended to increase the security of the motion it's possible because there is a lot of references and documentation. -- However, thank you, Dr. Brown, for explanation. – M. Rostami Mar 22 '20 at 22:59