Unauthorized FLIR (Lorex) Cloud Access (2022)

Traditionally, closed circuit tv (CCTV) cameras and digital video recorders (DVRs) have been stand-alone, self-contained systems. If the ability to access these systems remotely was required it was most commonly achieved by opening a port on a firewall and allowing access from the Internet to the DVR or camera directly. Although effective, that method of access left what was in many cases a potentially vulnerable device exposed to the Internet and your internal network. Case in point: our previous blog post on Dahua DVRs.

Cloud services seemingly provide a much better access option for these devices. Instead of allowing inbound access into your own network from the Internet, you could simply enable what is typically a proprietary cloud service for your flavor of device. That configuration would allow the DVR or CCTV camera to communicate to the cloud service on the Internet. Any remote access or monitoring would occur by accessing the cloud service. There would be no inbound access through your firewall and even a vulnerable device would not be exposed to the Internet at large.

Cloud services can certainly provide security benefits such as not having to expose your CCTV DVR to the internet to view cameras remotely. But there's a yin to that yang. If an attacker finds a flaw in the cloud, there is no need to scan the internet for DVRs because there's now one place of access to all of them. For those of you who are already done reading, here's a synopsis of the rest:

  1. I got a new FLIR/Lorex DVR in hopes of viewing it through the FLIR cloud without exposing it to the internet.
  2. The device I received was a Dahua-manufactured DVR.
  3. I found a flaw in the FLIR Cloud that allows anyone build a tunnel to any port on anyFLIR Cloud-connectedDVR, so long as they have the device ID.
  4. I found device IDs on the internet, picked one, tunneled into it, and was able to gain unauthorized access by exploiting a known Dahua issue.These devices support a maximum of 6 character passwords.
  5. You should care because an attacker who has guessed or happened to view your device ID can build tunnels into your private network to attack weaknesses in your DVR's various interfaces.

I've owned 3 home CCTV systems, the most recent two both being DVRs manufactured by Dahua. I've always marveled at the features provided by these consumer-level DVRs at such a low price point. I've also been stunned as to how much of an afterthought security seems to be for a product that is, by its definition, a security appliance.

I had to take my first Dahua system off the public internet because I found that Dahua's proprietary binary protocol did not perform authentication or authorization. I wrote a proof of concept Metasploit module that was later added to the main branch after some work by others in the security community.Itallows you to just send the command to say, change the admin's password. When working with Dahua on that issue, they stopped responding so I had to just disclose it. I told myself I'd never poke a hole through my firewall to a DVR again. Earlier this year another researcher published another means of gaining unauthorized accessto Dahua DVRs but this one used their janky web interface on HTTP/80. Default or predictable root telnet passwords are another issue that has plagued these devices in the past.

Last year I noticed the company FLIR, most noteworthy for the "Forward-Looking InfraRed" cameras they sell to law enforcement/military, had acquired Lorex Technologies, a consumer CCTV company. Lorex by FLIR was offering cloud-enabled DVRs that supported 1080p resolution using my existing coax. "Nice," I thought, "Now I can check my cams from anywhere without publicly exposing them on the internet." I bought a system, booted up the DVR, and found it was Dahua. "Oh well.FLIR Cloud! No inbound ports!"I naively told myself.

Connecting to the system is easy but made complicated by the sheer number of client applications. You have the FLIR Cloud CMS available in Windows or MacOS. There are also Android and iOS versions of FLIR Cloud. Then there's the FLIR Secure mobile apps that seems to access the video in a different way. The DVRs have web interfaces that require special browser plugins as well. After a little research, the problems I discovered resided in the FLIR Cloud itself and the way Windows and MacOS Cloud Clientsoftware connected to users' DVRs.

When I first connected my DVR to FLIR Cloud I noticed all I had to do was enter the device ID as well as a username/password to my DVR. The device ID was fuzzable: a model-specific three-letter prefix followed by 9 hex digits (MMMHHHHHHHHH). The device was brand new so the username was admin and the password was 000000. FLIR Cloud did make me change the default password but it still enforced a max length of six characters. It seemed like all Ineeded to access a new DVR was its device ID and default creds.

(Video) How To Migrate from FLIR Cloud to Lorex Cloud App

Unauthorized FLIR (Lorex) Cloud Access (1)

At this point I started to get concerned that something in the FLIR Cloud software was building a tunnel to the DVR based strictly on the device ID as a means of authentication. It sure looks like if if you watch their setup videos:

I ran a packet capture while adding my DVR in FLIR Cloud. I saw a DNS request go out to resolve an A-record that is: DEVICE_ID.INT.OZVISION.OZSN.NET. Then I saw UDP traffic to whatever that resolves too. Among all that was a STUN negotiation. After this, the FLIR Cloud Client app started to communicate directly to.... my home IP address. So much for not exposing the DVR to the internet. Maybe it used UPNP to open the port or something I thought.

Unauthorized FLIR (Lorex) Cloud Access (2)

But wait. After the DNS resolution, the first UDP packet appeared to authenticate with whatever service the DNS resolved to. What is Ozvision? Who is Ronny Weiser?Apparently Ozvision is a cloud-based video servicepartnered with Dahua.

Unauthorized FLIR (Lorex) Cloud Access (3)

The response looked like an authentication success message.

Unauthorized FLIR (Lorex) Cloud Access (4)

(Video) How To Migrate from FLIR Secure to Lorex Cloud App

I took a look in the Windows FLIR Cloud folder structure and found this. A private key and cert for Ronny Weiser.

Unauthorized FLIR (Lorex) Cloud Access (5)
ThenI found this binary, "P2PClientAPP" in the MacOS "FLIR Cloud Client." I ran it with no arguments and it basically took a device ID, and optionally some local/remote port arguments, and built a tunnel to the device from there. That's pretty bad. Considering how vulnerable Dahua DVRs have been in the past, that a new auth bypass was released just recently, that they only take six character passwords at a maximum, and that we were tunneling through people's firewalls into a potential internal pivot point, I didn't really want this device on my network all of a sudden.

Unauthorized FLIR (Lorex) Cloud Access (6)

The Windows Cloud Client had two similar executables.

Unauthorized FLIR (Lorex) Cloud Access (7)

Both of these seemed to be affected by the same issue.

Unauthorized FLIR (Lorex) Cloud Access (8)

People had posted images of their DVR device IDs on the web. Many of these were tutorials from resellers who didn't know the significance of the ID and then possibly resold them unwittingly.

(Video) Updated 2019 Lorex Cloud PC Software

Unauthorized FLIR (Lorex) Cloud Access (9)

I wondered, were any of these things affected by therecent Dahua auth bypassthrough port 80?FLIR seemed to have issued firmware updates but claimed in their security advisory that the FLIR Cloud would prevent compromise.This is one of the benefits I heavily considered when I decided to buy the system. Unfortunately, that all breaks down when FLIR packages the key and tool to tunnel into DVRs based only on their device IDs.

Unauthorized FLIR (Lorex) Cloud Access (10)

I connected to a DVR at random on port 80.

Unauthorized FLIR (Lorex) Cloud Access (11)

Alright, there's the web interface on it.

Unauthorized FLIR (Lorex) Cloud Access (12)

I'll try and retrieve the hash using the public PoC for that recent auth bypass.

(Video) How to install and configure FLIR Cloud Client Software

Unauthorized FLIR (Lorex) Cloud Access (13)

Dang, this one was vulnerable. JTR has a hash type for Dahuas. The password to this DVR ended up being an old default Dahua password.Cracking these is always a forgone conclusion with a max password length of 6 characters.

Unauthorized FLIR (Lorex) Cloud Access (14)

Now I can just make a new tunnel to the video feed port, 35000.

Unauthorized FLIR (Lorex) Cloud Access (15)

So there's the video. This one was at a major restaurant chain. What is more concerning for me is that there may very well be some RCE issues in these devices. We've already seen these things used in DDoS attacks. Given the right vuln, could one script this up and compromise the entirety of the FLIR Cloud in a night or two? I'm also worried about them being used as initial pivot points in more advanced attacks. These devices won't show up on enterprises' external network port/vuln scans.

Unauthorized FLIR (Lorex) Cloud Access (16)

The way I saw it, there were at least two things wrong here:

(Video) How To Use The Lorex Cloud App

  1. Some FLIR Cloud-enabled DVRs were prone to the recent Dahua vulnerability. Dahua seemed aware of it so I wondered if the device I connected to was not patched, or possibly some version that FLIR didn't know was still vulnerable.
  2. There is essentially no authentication to tunnel into any FLIR Cloud-joined device. The MacOS and Windows Cloud Client software were bundled with a certificate and contained CLI tools to create tunnels to arbitrary internal TCP ports on the devices.

At this point I began the disclosure process.I wish I could report that in 2017, that this is always a routine and smooth process, and that the affected vendor is willing to quickly implement a fix. I have one of these things at home so I take zero pleasure in dropping this before they've fixed the insecure FLIRCloud access. It wasn't easy even finding a disclosure contact at FLIR/Lorex. I disclosed this on 5/9/2017 and then agreed not to publish it more than 90 days from the disclosure date at FLIR's request. They purport to have resolved item #1 but apparently had no intention of fixing their insecure cloud access by that date.So here we are, over 150 days later.

If you don't want anyone with your device ID being able to bang against your DVR's various Dahua DVR interfaces, consider shutting it down. I've tried disabling UPNP on my network and I can still tunnel to myDVR with just a device ID. I'm not sure exactly how their cloud works and they weren't exactly candid when dealing with me.Somehow they build STUNNELS on demand. I imagine someone with more time may take this farther.

Disclosure Timeline:

  • 5/9/2017: Discovered FLIR Cloud unauthorized access issue
  • 5/9/2017: Initial contact to support@flir.com, support@lorextechnology.com, sales@flir.com, & sales@lorextechnology.com; received no response
  • 5/9/2017: Could not find appropriate incident response contact at FLIR/Lorex
  • 5/9/2017: Reached out to a FLIR security contact on LinkedIn, who forwarded the message to Vlad Kardashov (VP of Engineering)
  • 5/10/2017: FLIR responded asking details.
  • 5/10/2017: Sent FLIR the details of what I found.
  • 5/12/2017: FLIR acknowledged the details and asked for our disclosure timelines.
  • 5/16/2017: I responded and told him 90 days.
  • 6/20/2017: I asked for a status update.
  • 7/6/2017: FLIR responded confirming the issue with no detailed information, and asked if we could target August for public disclosure
  • 7/6/2017: I agreed to target August.
  • 8/30/2017: After noticing a firmware push to my DVR, I again asked for a status update.
  • 8/30/2017: FLIR responded explaining that the firmware should have fixed the issue.
  • 8/31/2017: I told FLIR the network access was still vulnerable but the recent Dahua vulnerability appeared patched.I specifically asked for FLIR's plans on fixing the insecure Cloud access issue.
  • 9/6/2017: FLIR responded with new information about a two-phase remediation plan he had never mentioned. The first phase was fix the Dahua issue and within a few weeks they would fix the insecure Cloud access.
  • 9/16/2017: I asked FLIR the following questions:
    • "When are you fixing the tunneling authentication issue?
    • How do you plan on fixing the tunnel authentication issue?
    • When are you going to update your advisory, (http://www.flir.com/securityinfo/) to include the models that you rolled out the patch for, like mine?
    • Which models did you roll that out for?
    • Do you intend to issue an advisory when you fix the tunneling authentication issue?"
  • 9/18/2017: Last response from FLIR: "Let me discuss internally, I’ll get back to you by end of the week."

FAQs

Is FLIR cloud now Lorex Cloud? ›

As a user of the FLIR Cloud app, we will be moving you over to an updated app called Lorex Cloud to ensure improved connectivity and reliability with your LHV or LNR Series Lorex device.

Is Lorex Cloud replacing FLIR cloud? ›

Launch the FLIR Cloud app, on login a prompt will appear Indicating that FLIR Cloud will soon be replaced by Lorex Cloud.

Is FLIR and Lorex the same? ›

FLIR initially acquired Lorex in late 2012 for CAD$59 million as part of an effort to bring thermal imaging technology to a broader customer base.

Is Lorex FLIR cloud free? ›

The FLIR Cloud Basic plan is free, and is included with all FLIR FX cameras. You can choose to opt out of the Basic plan or upgrade for additional features.

What is the default password for FLIR cloud? ›

Enter the client user name (default: admin) and password (default: admin) and click Login. Install FLIR Cloud™ Client from the CD or from www.flir.com/security/support on a PC or Mac in the same LAN as the IP camera.

What is the difference between Lorex Home and Lorex Cloud? ›

This Lorex app will let you do specific things and configurations that you cannot on different apps. The Lorex Home request to create an account that provides unique access to the cameras different than the Lorex Cloud, where you can see your device just by downloading the app.

Who bought FLIR cloud? ›

Demand for these products surged, putting stress on the company's supply chain. In January 2021, Teledyne Technologies announced that it had entered into a definitive agreement to acquire the company for $8 billion, against FLIR's 2019 revenue of $1.9 billion. The acquisition was completed in May 2021.

How do I access Lorex Cloud? ›

Tap the Lorex Cloud icon to open the app. Tap DVR/NVR/IP Camera.
...
Configure the following:
  1. Register Mode: Select Device ID.
  2. Name: Choose a name for your system of your choice.
  3. Device ID: Tap the QR code icon ( ) and line up the QR code on the top of your system using the camera on your mobile device.
Feb 10, 2021

What app does Lorex cameras use? ›

Install the FLIR Secure app, available for Android on the Google Play Store or iOS (Apple) on the App Store. Ensure you have connected to your DVR / NVR system or HD WiFi camera using the Lorex Secure / FLIR Secure app. Ensure you have recorded video on your HD WiFi camera that can be played back.

Is Lorex Chinese owned? ›

Both Lorex and Ezviz are providers of home security systems, including cameras and smart home accessories. They are also both owned by Chinese companies: Lorex is a subsidiary of Dahua Technology, and Ezviz is a video surveillance camera brand owned by Hikvision.

Where is the FLIR cloud app? ›

Install the FLIR Cloud app, available for Android on the Google Play Store or iOS (Apple) on the App Store. Ensure you have the IP address of your DVR / NVR. Click here for details on how to access system information on the LHV / LNR Series.

How do I use FLIR cloud? ›

To add a channel from the DVR / NVR in FLIR PC-NVR:
  1. Launch FLIR Cloud Client software on your computer, then click PC-NVR.
  2. Click the Plus icon ( ) to open the Add Channel window.
  3. Enter the device ID or IP address of the system you want to add.
  4. Select the channel you want to add using the checkbox, then click Import.
Sep 21, 2018

What is Lorex Cloud client? ›

The Lorex Cloud Client allows you to access your security system on your Mac or PC.

How do I get FLIR cloud online? ›

How to install and configure FLIR Cloud Client Software - YouTube

Does Lorex cameras have cloud storage? ›

Connect your Lorex surveillance system to the Videoloft cloud to securely back up and access your footage anytime, anywhere. Choose your Lorex cloud storage plan and get a 30-day free trial and free global shipping. See it in action!

How do I reset my Lorex FLIR password? ›

Shared users cannot reset the password. Open your Lorex Home app.
...
Tap Forgot device password.
  1. Enter the email address associated with your account, then tap Send Reset Instructions.
  2. Get the temporary password from your email.
  3. Enter the temporary password in the Old Password field, then enter your New Password.
Dec 21, 2021

How do I reset my FLIR cloud password? ›

To modify your DVR / NVR password:
  1. Launch the FLIR Cloud app on your smartphone or tablet.
  2. Tap the Menu button ( ...
  3. Tap your DVR / NVR listed on the Device Manager menu, and then tap Settings.
  4. Tap Modify password.
  5. Enter and confirm a new 6-character password for your DVR / NVR, and then tap the Save icon (
May 18, 2018

What is the default password for Lorex? ›

By default, the system user name is admin and the password is 000000 . Passwords are enabled by default and are required to access the Main Menu or connect to the system using a computer or mobile device. If you forget the password to the system, you can reset it using the Lorex Secure app (see REFERENCE for details).

Is Lorex secure? ›

Lorex is a well-established security company with decades of experience. Customers praise its high-quality video, but complain about its lack of 24/7 customer support. Like all home security companies, Lorex has its pros and cons. But overall, it's a very trusted company with great reviews.

Can you view Lorex cameras remotely? ›

Monitor your property from wherever life takes you. Our amazing apps allow you to remotely access your security camera system directly from your smartphone or tablet.

Do Lorex cameras require a subscription? ›

No monthly fees: Unlike many security companies, Lorex doesn't require any monthly subscription fees or contracts. DIY installation: Lorex cameras are intended for easy DIY installation, so customers don't have to pay a professional.

Who bought FLIR cloud? ›

Demand for these products surged, putting stress on the company's supply chain. In January 2021, Teledyne Technologies announced that it had entered into a definitive agreement to acquire the company for $8 billion, against FLIR's 2019 revenue of $1.9 billion. The acquisition was completed in May 2021.

What is the Lorex Cloud app? ›

A professional app for professional security camera systems. Lorex Cloud keeps you connected no matter where life takes you.

What app do I use for my FLIR camera? ›

Getting started with your FLIR ONE

Install the FLIR ONE app on your phone/tablet from the App Store (iOS) or the Play Store (Android). Turn on your FLIR ONE by pressing the power button and wait until the steady orange light changes to a blinking green light. This means that the camera is ready for use.

How do I get FLIR cloud online? ›

How to install and configure FLIR Cloud Client Software - YouTube

Is Lorex technology a Chinese company? ›

Both Lorex and Ezviz are providers of home security systems, including cameras and smart home accessories. They are also both owned by Chinese companies: Lorex is a subsidiary of Dahua Technology, and Ezviz is a video surveillance camera brand owned by Hikvision.

Is FLIR out of business? ›

FLIR will now be included in Teledyne's Digital Imaging segment and operate under the name Teledyne FLIR.

What happened to FLIR Systems? ›

Teledyne Technologies, Inc. TDY has recently completed the acquisition of FLIR Systems, one of the pioneers in thermal imaging, in a cash-and-stock deal worth approximately $8.2 billion.

Videos

1. How To Connect A Lorex Camera To The Cloud - Get Lorex Cloud Storage
(Videoloft)
2. How To Connect A Lorex Recorder To The Cloud - Get Lorex Cloud Storage
(Videoloft)
3. How To access the System Information on my lorex DVR forgotten password
(Mind Crop)
4. Getting Started with Lorex FLIR Secure Tutorial
(Lorex Technology Inc)
5. How to setup the FLIR Secure WiFi Security Camera using the FLIR Secure App
(Lorex Technology Inc)
6. P2P Cloud DVR setup
(Ameta International)

Top Articles

You might also like

Latest Posts

Article information

Author: Prof. Nancy Dach

Last Updated: 09/01/2022

Views: 6059

Rating: 4.7 / 5 (57 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Prof. Nancy Dach

Birthday: 1993-08-23

Address: 569 Waelchi Ports, South Blainebury, LA 11589

Phone: +9958996486049

Job: Sales Manager

Hobby: Web surfing, Scuba diving, Mountaineering, Writing, Sailing, Dance, Blacksmithing

Introduction: My name is Prof. Nancy Dach, I am a lively, joyous, courageous, lovely, tender, charming, open person who loves writing and wants to share my knowledge and understanding with you.