Matt Brown Digs Deep Into an IP Camera's Firmware — and Finds a Hard-Coded Root Password - eviltoast
  • corroded@lemmy.world
    link
    fedilink
    English
    arrow-up
    53
    arrow-down
    1
    ·
    3 months ago

    This is one of several reasons why I keep all my cameras and any other IoT devices on a separate VLAN that has no access to the internet and no access to the rest of my home network. The only bridge is my DVR server, but that’s something I can’t get around.

    Before it was set up this way, I saw a huge amount of requests on my DNS server from the cameras, each one resolving the manufacturer’s domain name. It was probably innocuous, but why take the risk? There is absolutely no reason whatsoever that a security camera needs access to anything.

    • e0qdk@reddthat.com
      link
      fedilink
      English
      arrow-up
      16
      ·
      3 months ago

      There is absolutely no reason whatsoever that a security camera needs access to anything.

      NTP is useful to correct clock drift, but otherwise, I’d agree.

      • kn33@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        edit-2
        3 months ago

        That’s true, but you could run NTP on the NVR or something. Or just whitelist the NTP server.

      • haulyard@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        Serious question here as I’ve been debating moving all smart home stuff to either its own vlan (never done this before) or a different wireless network. I’ve got some POE cams that run through Scryoted on my nas to get into homekit. Is this all possible if the NAS is on a different network? Would I then have to move all my HomeKit hub devices (Apple TV, HomePod mini, etc) then also have to move?

        • TexMexBazooka@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          3 months ago

          So, the way you would do this is creating separate VLANs, then using firewall rules to filter what communication is allowed between them.

          In my home for example, I use a few smart devices that are controlled over the LAN from your phone. Think like a chrome cast. I would rather those devices be on my IoT network than my main, but they break if devices from my primary network can’t find them.

          So I allow only those specific devices to communicate across my VLANs, with other devices (cameras, lights, etc) being dropped at the firewall.

          That’s the basics and can be accomplished with any semi-decent router/firewall. If you have any more specific questions regarding what hardware you have available shoot me a message and we can talk through it

          • sep@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            Depends a bit on the device. But dor many it should be possible if you run a mdns repeater / proxy on the firewall.

        • Fillicia@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          Depending what’s you router you can usually open communication between different VLAN for specific ip/port. So let’s say your camera use rtsp to send video data to your NVR you could allow for port 554 to be opened between your camera ip and the NVR.

          This means that even if someone has access to your camera they couldn’t do an ssh (port 22) or http/https (80/443) requests to your internal network.

          For PoE cams installed outside, creating a separate VLAN is an absolute must. Otherwise anyone could use the Ethernet cable to access your network and steal your data.

    • qjkxbmwvz@startrek.website
      link
      fedilink
      English
      arrow-up
      4
      ·
      3 months ago

      Any recommendations on cameras that work well local-only/don’t seem to make peculiar DNS requests?

      If I ever get around to installing cameras I’ll have them on their own, no-internet VLAN, but would prefer having well-behaved devices.

      • pezhore@lemmy.ml
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        3 months ago

        I’m a big fan of the Ubiquiti security cameras - all local data, decent quality. The downside is the price and availability, but if you can swing it - they’re pretty great.

      • corroded@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 months ago

        I have always used Amcrest cameras; they’re not expensive, and they tend to work well. They do make requests back to amcrest.com, but I don’t know for sure if that’s anything nefarious or if it’s just part of their built-in “cloud” capability or perhaps they’re looking for firmware updates. They integrate nicely with BlueIris or Frigate. I use BlueIris in a VM with virtual network adapters to my home network and my “camera” VLAN. BlueIris is accessible through a reverse proxy, but the cameras themselves have no access to the outside world.

        If you’re able to find a camera that doesn’t try to “call home,” I’d be surprised. At the very least, most manufacturers build in some kind of cloud accessibility into the camera’s firmware. In their defense, I think that most consumers want this capability; it’s much easier just to use the manufacturer’s app than to set up a self-hosted DVR.

        So to answer your question, no, I don’t have a good suggestion, but I also don’t think that what you’re asking for really exists (as unfortunate as that is). You could always set up a small SBC (like a raspberry pi) with a USB camera, but at that point, it’d probably be more cost-effective to just buy off-the-shelf cameras and some VLAN-aware networking hardware.

        • qjkxbmwvz@startrek.website
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          Thanks! That sounds like a good option. Mostly would want to avoid something that’s flooding the network with DNS requests — a few attempts at phoning home now and then are, like you say, probably inevitable.

  • onlinepersona@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    3 months ago

    Very cool. If telnetd is on there, maybe it’s already running and just spinning it up could be enough to then log into it - dunno if he tried that already. That would be even worse because anybody with access to the WLAN could then log into the camera if it’s on the same network.

    Anti Commercial-AI license