| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by KMag 3768 days ago
	> It's basically a completely safe method and does not open up for anyone else to connect ... Yes, "only allows connections to a small number of peers". However, depending on how the IDs in the P2P overlay connection are chosen, an attacker may be able to select an ID that causes their node to be one of the nodes that your device contacts. Also, in the case where a remote login or remote execution vulnerability exists, the entire P2P network can be rapidly compromised, even though each node only punches holes in firewalls to a small number of other nodes.

1 comments

dimman 3768 days ago

I don't know where your getting the first part from? As I said earlier I don't know how they've chosen to protect themselves, I do hope they use certificates to authenticate camera/client to verify that the client has access to the camera and that the camera verifies that the client has access.

I don't think you understand how the technology works. Each camera does _not_ "punch holes to a small number of other nodes", it setups a direct connection between itself and the client device (you) using a technique called hole punching... It's just a simple connection between you and the camera, no server in between.

link

KMag 3767 days ago

Ahh, my background in decentralized P2P systems engineering, along with the phrase "Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online (see screenshot below)." lead me to believe they were using a DHT or other decentralized P2P system. I'd need more details to determine if they use a set of centralized coordination hosts or if they use a DHT or other decentralized system for the hosts coordinating the hole punching.

link

dimman 3767 days ago

I think (I still don't know the details of their implementation) the confusion is caused by them using the term P2P servers. I think thats actually STUN/TURN servers that they use as help to get P2P (direct) connections between camera and your application. So in that sense it's not a P2P server as you imagine it but just a bad name for what the server is meant to help out with :) Again, I don't know but given that I've worked with these type of technologies for years it would make sense.

link