How can my IP camera be hacked behind a NAT?
The cameras are often designed for ease-of-use by people who want to watch the streams of their goldfish or children. To make it easy to use, the cameras often call home to the manufacturer's website for remote viewing. Often these sites are insecure.
Another method is UPnP, which sets up automatic port forwarding:
https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal
One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.
It's easy to disable these features if you're aware of them.
Typically this happens in a few scenarios:
- End-user puts the device in the DMZ because they want to access it remotely and can't be bothered trying to figure out port-forwarding rules. This might happen if a user is Torrenting or has a NAS or other device they want to access from the public internet.
- User has allowed direct access to the device via ingress port-forwarding or firewall rules which makes it accessible to probes / attacks. Again, this scenario might be common with a torrenting user or owner of a NAS or DVR that they want to access from the outside world.
- An internal device on the network has been compromised and returned a reverse shell to the attacker. Since most (if not all) SOHO routers allow all egress traffic this connection is allowed to take place. The attacker then moves laterally through the network via the originally compromised machine.
- The edge router itself is compromised and allows access from the outside world.
There are a variety of ways of bypassing the NAT but the aforementioned are probably the most common attack scenarios.
It is possible that the camera is still reachable from the network even if UPnP and port forwarding are disabled and the camera is behind NAT.
Some camera manufacturers use a "UDP hole punching" method. The API looks like the following:
1. The camera sends UDP packets to a server every 30 seconds or less. This keeps the connection alive, so the camera can be reached from the server.
2. The client software initiates a connection with the camera server and sends it the camera ID.
3. The camera server contacts the camera through the live UDP connection and notifies it that a client is trying to connect.
4. The camera connects to the client software directly. If the client software is not behind NAT or a firewall, the connection succeeds. Now there is a working UDP channel between the client software and the camera.
In reality, this process is a bit more complicated, with more scenarios, but this is basically how a camera can be reached via the camera server just by knowing its camera ID.
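As an added example that is not part of the answer above, the four steps modelled in Python: camera IDs and endpoints are constructed, no real sockets are used, and the 30-second keepalive window is tracked so you can see that the camera stays reachable only while its outbound keepalives keep flowing (the mapping expires once egress to the rendezvous server is blocked).

```python
KEEPALIVE_TTL = 30  # seconds; the camera re-registers at least this often

class RendezvousServer:
    """Manufacturer's server: maps camera IDs to live UDP endpoints."""
    def __init__(self):
        self.cameras = {}  # camera_id -> (endpoint, last_seen)

    def keepalive(self, camera_id, endpoint, now):
        # Step 1: the camera's periodic packet keeps the NAT mapping open
        # and tells the server where the camera currently is.
        self.cameras[camera_id] = (endpoint, now)

    def lookup(self, camera_id, now):
        # Steps 2-3: the client presents only a camera ID; if the camera has
        # reported recently, the server can relay the client's endpoint to it.
        entry = self.cameras.get(camera_id)
        if entry is None:
            return None, "unknown-id"
        endpoint, last_seen = entry
        if now - last_seen > KEEPALIVE_TTL:
            return None, "expired"  # keepalives stopped, e.g. egress filtered
        return endpoint, "ok"

class Camera:
    def __init__(self, camera_id, endpoint):
        self.camera_id, self.endpoint, self.sessions = camera_id, endpoint, []

    def connect_to(self, client_endpoint, client_reachable):
        # Step 4: the camera sends directly to the client; this only works
        # when the client endpoint is not itself NATed or firewalled.
        if not client_reachable:
            return False
        self.sessions.append(client_endpoint)
        return True

def rendezvous(server, cameras, camera_id, client_endpoint, client_reachable, now):
    """Run the exchange for one client; return the outcome as a string."""
    cam_endpoint, status = server.lookup(camera_id, now)
    if status != "ok":
        return status
    camera = cameras[cam_endpoint]
    if camera.connect_to(client_endpoint, client_reachable):
        return "connected"
    return "client-unreachable"

# Constructed scenario: one NATed camera registers with the server at t=0.
SERVER, CAM = RendezvousServer(), Camera("CAM-1234ABCD", ("203.0.113.7", 40001))
CAMERAS = {CAM.endpoint: CAM}
SERVER.keepalive(CAM.camera_id, CAM.endpoint, now=0)
```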