A secure setup with Dahua NVR cameras

d5775927

Dec 11, 2019
Israel
Hi,
I have a great system of Dahua purchased from Andy.
I have an NVR and 5 Dahua cameras.
The cameras don't have internet access; I've used a managed switch and a VPN.
I've sent one of my neighbors a snapshot from the 5442 ZE (the old gen) and we were amazed by the quality.
He wants the same system as I have; however, he is not tech savvy.
I don't want to install a replica of my system for him, because I'll need to provide him support (which I prefer not to).
TL;DR: Is there a quick and easy way to set up a Dahua NVR and cameras in a secure way (but still be able to view/download recordings and get notifications)?
 
If using a PoE NVR, the cameras will by design be isolated from the Internet by virtue of a private subnet hosted by the NVR.
For remote access and notifications, set up P2P on the NVR and install the DMSS app on his smartphone; there are versions for Android and iOS.
 
If using a PoE NVR, the cameras will by design be isolated from the Internet by virtue of a private subnet hosted by the NVR.
For remote access and notifications, set up P2P on the NVR and install the DMSS app on his smartphone; there are versions for Android and iOS.
Do you trust the Dahua NVR to be safe?
Also, NAT prevents inbound access but not outbound, so the IPCs or NVR can phone home or still have a backdoor.
It happened to me; this is why I moved to a VLAN.
 
Do you trust the Dahua NVR to be safe?
Also, NAT prevents inbound access but not outbound, so the IPCs or NVR can phone home or still have a backdoor.
It happened to me; this is why I moved to a VLAN.
I would prefer setting up a VPN server on his router and a VPN client app on his smartphone, BUT... you said yourself you don't want to become his on-call IT person, so something's got to give... a P2P app may not be the most secure solution, especially on many China cloud servers, but many, many people use Dahua P2P without issue.

Wait for some more input if you're on the fence.:cool:
 
Do you trust the Dahua NVR to be safe?
Also, NAT prevents inbound access but not outbound, so the IPCs or NVR can phone home or still have a backdoor.
It happened to me; this is why I moved to a VLAN.

On newer Dahua equipment, P2P is no more or less safe than any other application that uses P2P (like many of the favorite free VPNs).
As @TonyR said, using an NVR with built-in PoE ports prevents the cameras from making outbound calls, just like your VLAN.

What you might see if you use P2P is the Dahua NVR contacting the P2P server and the AWS push message server. Like ALL P2P applications, this is to handshake and ask for messages. It's normal and not a security issue. Unless someone invents a way to make two machines contact each other to exchange information without making a connection, it's just how it works.

Look at the non-user initiated traffic outbound from your Samsung TV, Laptop, BI PC, or Gaming machine and tell me again why the concern?

In addition to 8 cameras on the NVR PoE switch I have a 4K-T and a 5442 both connected to an unmanaged switch on my LAN that don't attempt any connections at all. So I think 99% of this hand wringing over securing Dahua cameras is way overblown.

 
Look at the non-user initiated traffic outbound from your Samsung TV, Laptop, BI PC, or Gaming machine and tell me again why the concern?
I only have Linux machines; since it's open source, I'm less concerned.
In my previous hack, I didn't have port forwarding to the NVR.
Maybe your NVR is secure for now, until the next vulnerability is discovered.
Also, I like the model of my NVR, since it's small, cheap and gets the job done.

When a family member needed a camera I recommended him a TP-Link Tapo for indoor use, since it's much easier to set up and use (and no need for VLANs; I trust TP-Link more than Dahua).
Yes, I know Wi-Fi is a big no-no, but the camera also has an SD card, so the Wi-Fi is not an issue.
 
So have you decided yet what to do or recommend to your neighbor?:rolleyes:
 
I only have Linux machines; since it's open source, I'm less concerned.
In my previous hack, I didn't have port forwarding to the NVR.
Maybe your NVR is secure for now, until the next vulnerability is discovered.
Also, I like the model of my NVR, since it's small, cheap and gets the job done.

When a family member needed a camera I recommended him a TP-Link Tapo for indoor use, since it's much easier to set up and use (and no need for VLANs; I trust TP-Link more than Dahua).
Yes, I know Wi-Fi is a big no-no, but the camera also has an SD card, so the Wi-Fi is not an issue.

Dahua NVRs are Linux.
I don't port forward either.
Same as your laptop or connected TV. Almost ALL machines are secure until the next vulnerability is discovered.
Me too. I like my NVR.

TP-Link Tapo uses P2P
 
Dahua NVRs are Linux.
I don't port forward either.
Same as your laptop or connected TV. Almost ALL machines are secure until the next vulnerability is discovered.
Me too. I like my NVR.

TP-Link Tapo uses P2P

TP-Link and the app have had some issues recently as well... as you said, they are all vulnerable.

 
So have you decided yet what to do or recommend to your neighbor?:rolleyes:
I saw that some high-end Asus routers support both VLAN and VPN.
But I don't know how easy it is to configure.
Also, when using a VPN he will not get notifications in the DMSS app.
So, I don't have any recommendation for him.
 
If he's using a Dahua NVR and Dahua cameras there is no need for a VPN OR P2P to be enabled to receive push notifications.
The Push function is embedded in the NVR FW.

 
Dahua NVRs are Linux.
I don't port forward either.
Same as your laptop or connected TV. Almost ALL machines are secure until the next vulnerability is discovered.
Me too. I like my NVR.

TP-Link Tapo uses P2P
Almost any device runs some version of Linux; the question is with which configuration or modifications.
For instance, I have root access to my Xiaomi router and saw it sends a lot of data to the Xiaomi cloud; not all of the data is needed for using the router mobile app.
Also, there is no opt-out feature to stop sending info to Xiaomi.

I don't fully trust TP-Link, but I think their reputation with regards to vulnerabilities is better than Dahua.

I saw Ubiquiti has a new line of security cameras; since they are US based I trust them more than Chinese vendors.
So maybe this is the best route, if you don't care about budget.
 
If he's using a Dahua NVR and Dahua cameras there is no need for a VPN OR P2P to be enabled to receive push notifications.
The Push function is embedded in the NVR FW.

Yes, but the idea when using VLANs is to prevent internet access to the NVR VLAN, both inbound and outbound.
The NVR cannot send you push notifications without an internet connection.
 
Yes, but the idea when using VLANs is to prevent internet access to the NVR VLAN, both inbound and outbound.
The NVR cannot send you push notifications without an internet connection.

No, it can't.
So if you block all traffic in and out from your NVR, you have to use a VPN. (Or BI for that matter.)

Your internet-connected TV or laptop can't work well if you block all inbound and outbound traffic to them either.

I'm not sure I see the point. If you want ultimate security you unplug the ethernet cable. But that defeats the ability of the machine to operate as designed and as you want it to.
This is what grinds me about Internet security discussions. It's a circular firing squad.
 
Your internet-connected TV or laptop can't work well if you block all inbound and outbound traffic to them either.

I'm not sure I see the point. If you want ultimate security you unplug the ethernet cable. But that defeats the ability of the machine to operate as designed and as you want it to.
This is what grinds me about Internet security discussions. It's a circular firing squad.
My TV that I had was not connected to the internet; I used Jellyfin to stream to it over Wi-Fi.
My laptop runs an operating system whose entire source code is available; this is not true for the Dahua NVR or cameras.
So on my laptop, if I only install applications that are open source (or from the Ubuntu store), they are widely used and security tested by many people; I claim the risk is much lower than using a closed-source Chinese camera or router.

I'm not sure I see the point. If you want ultimate security you unplug the ethernet cable. But that defeats the ability of the machine to operate as designed and as you want it to.
This is what grinds me about Internet security discussions. It's a circular firing squad.
I want to be able to get notifications from the NVR, but I don't trust the NVR or Dahua cameras.
How do I get notifications if so?
I have another computer (a Raspberry Pi) that I do trust (it runs Linux), which is on the same VLAN as the NVR (actually, it's on two VLANs, which is a compromise I had to make so it will have an internet connection).
It receives notifications from the NVR and sends them to me over Telegram.
This is a complex solution to set up, but I think it's quite safe.
The weak link is the Raspberry Pi; however, it has automatic updates enabled (and it doesn't need a restart for updates, unlike the Windows machine I stopped using a few years ago).
The Raspberry Pi also notifies me if the cameras' time is out of sync.
It takes care of clock changes (daylight saving time).
I can also run custom logic, for instance, when I'm away from home, simulate presence (by turning on the lights for 2 minutes) when the camera detects a person near the house.
So I find this quite secure and functional, but if I had to set this up again, it would take me a day; it's not plug and play.

I don't claim my system is totally safe; there can be backdoors in the hardware or in the CPU firmware and such, but I don't have a nuclear reactor to guard, so I think what I have is good enough for me.
There can also be some three-letter agency that has found/planted a software backdoor.
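The trusted-relay pattern described in the post above, written out as an added example (not code from the thread or from the poster's setup): a small listener on the camera VLAN accepts NVR events, checks the camera clock against the relay's own clock, and forwards alerts to Telegram over the internet-facing VLAN. It assumes the NVR delivers events as JSON over HTTP to the relay (the Dahua event format is not shown on the page), and that the bot token and chat id come from environment variables TG_TOKEN and TG_CHAT.

```python
# Added example: trusted relay between an isolated NVR VLAN and Telegram.
# Assumptions (not from the thread): NVR posts JSON {"camera","type","time"} to
# this listener; Telegram credentials are in env vars TG_TOKEN / TG_CHAT.
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_DRIFT_S = 60   # tolerated gap between camera clock and the relay's NTP-synced clock
TELEGRAM_API = "https://api.telegram.org/bot{token}/sendMessage"   # real Bot API endpoint

def check_drift(camera_time_iso, now_iso=None):
    """Seconds the camera clock is ahead (+) or behind (-) the relay clock.
    Both timestamps are compared as aware datetimes, so a DST shift on either
    side changes the printed local time but not the result."""
    cam = datetime.fromisoformat(camera_time_iso)
    if cam.tzinfo is None:
        raise ValueError("camera timestamp must carry a UTC offset")
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (cam - now).total_seconds()

def format_alert(event, now_iso=None):
    """Build the Telegram text for one NVR event; None means 'do not forward'."""
    if event.get("type") not in ("person", "vehicle"):   # drop noisy plain-motion events
        return None
    drift = check_drift(event["time"], now_iso)
    msg = f"{event['camera']}: {event['type']} detected at {event['time']}"
    if abs(drift) > MAX_DRIFT_S:   # the clock-sync warning the post describes
        msg += f"\nWARNING: camera clock off by {drift:+.0f}s, check NTP"
    return msg

def send_telegram(text):
    """POST the alert to Telegram; only this side of the relay needs internet."""
    url = TELEGRAM_API.format(token=os.environ["TG_TOKEN"])
    data = urllib.parse.urlencode({"chat_id": os.environ["TG_CHAT"], "text": text}).encode()
    urllib.request.urlopen(url, data=data, timeout=10).read()

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        text = format_alert(json.loads(body))
        if text:
            send_telegram(text)
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    # Bind to the camera-VLAN address only (assumed env var RELAY_BIND), never 0.0.0.0.
    HTTPServer((os.environ.get("RELAY_BIND", "127.0.0.1"), 8080), Handler).serve_forever()
```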
 
Yep that's how I would do it