"Don't buy cheap Chinese-made security cameras, because their security may just be terrible"

Cljs said:
Foscam Security Cameras Full of Security Flaws

Foscam here, but how many other Chinese manufacturers have similar problems?
Click to expand...
Many cameras have such flaws (but also well known cameras have flaws that are still undercover and kept undercover on purpose to avoid vendors to patch them) but for those flaws listed they are "usable" only if you open their access port (HTTP and/or RTSP and/or FTP, and/or Telnet...) directly from Internet access and this is a main security issue by itself.

But you also have well known brand cameras that are old and no more supported by the vendor, with security flaws discovered "recently" that will never be fixed, the same with your Android Phone if it's a bit old or any other computing/electronic things.

Those low cost chinese cameras are cheap partly because the guys do not spend too much time/resources/money into security implementation, but you have workaround with VPN or Reverse Proxy but still... security flaws are discovered every day including OpenVPN for example but they are fixed very quickly.

So the main word is never expose a camera directly on Internet.
 
  • Like
Reactions: bigredfish
Yup. Fixing a problem in firmware is one thing, but if 99.99% of affected devices never update, then what?
 
Dodutils said:
Those low cost chinese cameras are cheap partly because the guys do not spend too much time/resources/money into security implementation...
Click to expand...

Reading in the article about all the ways the cameras are compromised, the problem seems to go beyond a simple failure to try hard enough to make them secure, I get the sense that the manufacturers are deliberately building backdoors in.

Is that overly paranoid?
 
And if they don't use P2P, which to many users seems like like an attractive option.
But the reality is that the average user thinks that port forwarding is a great facility providing something they want. And they are ignorant of the risks.
 
Dodutils said:
...
So the main word is never expose a camera directly on Internet.
Click to expand...

So, does "never expose a camera directly on Internet" mean then you have no way to ever view them remotely?

When everyone talks about bad "Chinese" cameras...are there any other kind? Meaning is there any camera made. at any price in the U.S. or some other country you would trust? I assumed pretty much all cameras, and their respective firmware were made in china or other foreign country.

And when everyone talks of "Cheap" Chinese cameras, most of the models people love here, Hick and Dahua, really fall into that price category.

So is the answer just to lock cameras down to home and only view at home and miss out on a lot of the functionality?

Is there a simpler solution to just be able to safeguard the important stuff in your computer \ network where you may have private or financial information and who cares if someone somehow can view the garage or back door to the yard?
 
nbstl68 said:
So, does "never expose a camera directly on Internet" mean then you have no way to ever view them remotely?

When everyone talks about bad "Chinese" cameras...are there any other kind? Meaning is there any camera made. at any price in the U.S. or some other country you would trust? I assumed pretty much all cameras, and their respective firmware were made in china or other foreign country.

And when everyone talks of "Cheap" Chinese cameras, most of the models people love here, Hick and Dahua, really fall into that price category.

So is the answer just to lock cameras down to home and only view at home and miss out on a lot of the functionality?

Is there a simpler solution to just be able to safeguard the important stuff in your computer \ network where you may have private or financial information and who cares if someone somehow can view the garage or back door to the yard?
Click to expand...

Dahua and Hikvision is not what I qualify as "cheap" cameras they are rather expensive for Chinese products. What I call "cheap" is rather all those Top-201, Digoo M1Q... there are tons of such cams that cost nothing but which have nearly no security.

And whenever you have for example RTSP protocol with login/password (some of those cheap cams may not have any password at all !) RTSP is not encrypted and those cheap cams do not do SecureRTSP.

When I say "never expose directly" this do not mean the are not accessible as I also said "access it thru a VPN".

And for those P2P feature, they are so easy but nobody knows exactly what is behind, who own the central servers, do the login informations go thru or do they store them ? you can ask any cheap vendor they will not answer you because often they do not own the P2P servers but have an agreement with P2P hosters.
 
Last edited:
  • Like
Reactions: e007
OK so the whole VPN thing is the way to go then as I have read elsewhere. I thought you were suggesting even VPN may be a bad idea and was confused. Thanks.
I think $170 for the Dahua 5321 is pretty cheap considering the quality of the image...and yeah, top 201---maybe classify as Mondo-cheap-o".
 
nbstl68 said:
OK so the whole VPN thing is the way to go then as I have read elsewhere. I thought you were suggesting even VPN may be a bad idea and was confused. Thanks.
I think $170 for the Dahua 5321 is pretty cheap considering the quality of the image...and yeah, top 201---maybe classify as Mondo-cheap-o".
Click to expand...

Yes what I meant about VPN is that it is the secure way to do it, I only said that as for any server/protocol/computing/electronics, flaws are discovered time to time including for VPN software but they are fixed quickly because security is the heart of such product ;-)

And if you want to really secure your VPN to the max if you expose your entire local network with it (but you can restrict it to only one IP or very small subnet behind) then add your own cetificate and OneTime Password like Google Authenticator that is quite easy to implement in OpenVPN server (but it has no connection with "Google" it is only the name of the auth).
 
e007 said:
Mmmm.. It's not a problem if the cameras are not portforwarded.
Click to expand...

Not really true. Not forwarding and/or blocking incoming ports just prevents unrequested incoming traffic. Unless you block/filter/isolate it in some way, then if it's on your network it can generate valid outgoing and two-way traffic in response all that it wants to just like any other local machine on your net. That includes simple annoying stuff like phoning home through at least potentially things like setting up tunnels, capturing local network traffic and forwarding it out, downloading and executing malware, attacks against remote and other local computers, altering its own firmware, etc., etc.
 
  • Like
Reactions: alastairstevenson
Mike A. said:
Not really true. Not forwarding and/or blocking incoming ports just prevents unrequested incoming traffic. Unless you block/filter/isolate it in some way, then if it's on your network it can generate valid outgoing and two-way traffic in response all that it wants to just like any other local machine on your net. That includes simple annoying stuff like phoning home through at least potentially things like setting up tunnels, capturing local network traffic and forwarding it out, downloading and executing malware, attacks against remote and other local computers, altering its own firmware, etc., etc.
Click to expand...
Well, backdoors that connect to servers. I know that few of the chinese cameras have Malware already. I've read some article that was about chinese Ip camera that made suspicious traffic to a chinese Ip address. But if it's just something like hardcoded accounts it isn't a problem.
 
e007 said:
Well, backdoors that connect to servers. I know that few of the chinese cameras have Malware already. I've read some article that was about chinese Ip camera that made suspicious traffic to a chinese Ip address. But if it's just something like hardcoded accounts it isn't a problem.
Click to expand...
The "suspicious" traffic is often produced by the P2P protocol that a lot of cams have today and as I said problem is that they all have their own P2P implementation, there is no standard RFC about it (or I may say a lot of P2P cams use the same P2P servers/protocol), it may also be the internal DynDNS-like system and yes some (but not that much) may come with real malware inside.
 
  • Like
Reactions: e007
e007 said:
Well, backdoors that connect to servers. I know that few of the chinese cameras have Malware already. I've read some article that was about chinese Ip camera that made suspicious traffic to a chinese Ip address. But if it's just something like hardcoded accounts it isn't a problem.
Click to expand...

Problem is that you don't really know what's in there. It's not "just a camera" as most people tend to think of it. Effectively, you're installing an unknown little Linux box inside your network and it can do most anything that any other computer can with whatever intentional or unintentional exploits/vulnerabilities that may come with it. People who would never do something stupid like clicking on potentially malicious links in an email won't even flinch at dropping a camera (or other similar device) into their network. At least potentially, they just installed a machine that can actively do the same thing all by itself unknown to them and whether they want it to or not. ; )

Granted there's some level of risk that you have to accept to do much of anything but just as a matter of principle and good practice you shouldn't trust any of these things whether they're cheap Chinese cams or otherwise. They all should be blocked both ways with limited reach into your network to the extent that you can and still have them be useful devices.
 
  • Like
Reactions: alejoh90, e007 and alastairstevenson
You must log in or register to reply here.
Top Bottom