Computer vs. camera security

Contadino

Young grasshopper
Joined
Jan 25, 2022
Messages
45
Reaction score
23
Location
Wisconsin
So why do I need to be more concerned about security with a camera than I do with a PC? Is it because the PC operating system usually has a firewall and the camera doesn't?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,448
Reaction score
47,571
Location
USA
Yep, that plus cameras rarely have security updates and your computer is constantly getting virus protection updates along with the firewall protection.

Plus cameras are usually set up with QR codes to make it simple and that basically blows a hole thru your router firewall.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Shouldn't have your computer directly exposed to the Internet either really. Wouldn't rely on the Windows firewall for that.
 

Contadino

MikeA, so if I don't rely on the PC firewall then I guess I am relying on the router, right? In that case, if I put the camera behind the router then does that protect it? Still trying to understand why I need a VPN if I don't need one for my PC.
 

Contadino

Another follow-up: if I connect the camera to the router without a VPN and use P2P, does that "blow a hole through my firewall?"
 

wittaj

Yes, using P2P, port forward, scanning a QR code, etc. is essentially blowing a hole thru your router firewall.

If the camera is connected to the router, then it has the chance to phone home or be hacked via a backdoor vulnerability.

Further, cameras connected to Wifi routers (whether the camera is wifi or not) are problematic for surveillance cameras because they are always streaming and passing data. And the data demands go up with motion and then you lose signal. A lost packet and it has to resend. It can bring the whole network down if trying to send cameras through a wifi router. At the very least it can slow down your entire system.

Unlike Netflix and other streaming services that buffer a movie, these cameras do not buffer up part of the video, so dropouts are frequent, especially once you start adding distance. You would be amazed how much streaming services buffer - don't believe me, start watching something and unplug your router and watch how much longer you can watch Netflix before it freezes - mine goes 45 seconds. Now do the same with a camera connected to a router and it is fairly instantaneous (within the latency of the stream itself)...

The same issue applies even with the hard-wired cameras trying to send all this non-buffer video stream through a router. Most consumer grade wifi routers are not designed to pass the constant video stream data of cameras, and since they do not buffer, you will have issues. The consumer routers are just not designed for this kind of traffic, even a GB speed router.

So between security cameras being notorious for not being very secure on the internet (ironic isn't it) and the problems with them connected to routers, it is better to simply isolate them from the rest of your internet LAN.
 

Mike A.

> MikeA, so if I don't rely on the PC firewall then I guess I am relying on the router, right? In that case, if I put the camera behind the router then does that protect it? Still trying to understand why I need a VPN if I don't need one for my PC.

It does, assuming that the router/NAT/firewall doesn't let any traffic into your network other than that responding to requests originating from within the network. Which is how most all will default. So in that case, assuming that everything is working and not exploited in some way, no outside traffic will be able to access anything inside your network, but you can access whatever random outside site/service/whatever from within your network and pass that requested traffic back through. There's more to it but that's basically the model - unrequested outside traffic is blocked, outside responses to traffic originating from inside are passed through. And there's more to security on the internal side as well. E.g., you could have an internal device making rogue requests or sending other traffic out and doing other things within your network that you don't want. Which is why it's best to isolate the cams from the rest of your network and from having Internet access.

Where that breaks down is when people want to access their cams from outside their network (unrequested outside traffic). So they then open ports on the router/NAT/firewall to permit that. Easy, but then there's a path through for whatever outside traffic to reach directly that device within your network. So you're then dependent on whatever security/vulnerabilities exist on that device. Which on most cams is kind of shaky. There are better ways to pass that traffic through using firewall rules, proxies, VPN, etc., but generally not the case for cams just sitting on a typical home network.

P2P works by setting up a connection/tunnel/whatever from within your network so, as in the model above, it permits that traffic to be passed through without opening ports on your router. But it has its own potential vulnerabilities. e.g., If credentials are exposed or compromised in some way then that could permit someone from outside to access the cam/device, if the access permits unwanted control/configuration of the device, etc.

VPN also works by opening a port on your router/firewall, but in order to open the connection it requires credentials to be exchanged and sets up an encrypted connection vs. just leaving the door unlocked and wide open as in the case of an open port. In all cases, there exists the possibility of some vulnerability/exploit, which there have been for various VPNs, so that's not assured either but less likely and tends to be found and fixed quickly.
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
515
Reaction score
749
Location
Australia
> Which is why it's best to isolate the cams from the rest of your network and from having Internet access.

And if you can't do that, look for settings in your router to block service ports for specific devices on your network and block them all for your cameras.
That will block them from calling home or sending outbound connections to the internet.
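
The model described in the two posts above (unsolicited inbound dropped, replies to inside-initiated flows passed, port forwards and P2P as the exceptions, and a per-device outbound block) can be sketched as a toy connection tracker. This is an added example, not part of the thread and not any router's real code; the addresses, ports and the `Router` class are constructed assumptions.

```python
# Toy model of a home router's stateful NAT/firewall (added example).
# Addresses and ports are constructed; NAT port rewriting is left out,
# so the WAN port of a reply equals the LAN source port.
from dataclasses import dataclass, field

CAM, PC = "192.168.1.50", "192.168.1.10"           # constructed LAN hosts
CLOUD, STRANGER = "203.0.113.7", "198.51.100.99"   # documentation ranges

@dataclass
class Router:
    forwards: dict = field(default_factory=dict)   # wan_port -> (lan_ip, lan_port)
    no_internet: set = field(default_factory=set)  # LAN hosts denied WAN access
    conntrack: set = field(default_factory=set)    # flows opened from inside

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        if lan_ip in self.no_internet:
            return "DROP (device has no internet access)"
        self.conntrack.add((lan_ip, lan_port, remote_ip, remote_port))
        return "PASS (flow tracked)"

    def inbound(self, remote_ip, remote_port, wan_port):
        for lan_ip, lan_port, r_ip, r_port in self.conntrack:
            if (r_ip, r_port, lan_port) == (remote_ip, remote_port, wan_port):
                return f"PASS to {lan_ip} (reply to tracked flow)"
        if wan_port in self.forwards:
            lan_ip, lan_port = self.forwards[wan_port]
            return f"PASS to {lan_ip}:{lan_port} (port forward, any sender)"
        return "DROP (unsolicited)"

def scenarios():
    out, r = {}, Router()
    out["default"] = r.inbound(STRANGER, 40000, 554)       # nothing opened
    r.outbound(PC, 51000, CLOUD, 443)                      # PC browses out
    out["reply"] = r.inbound(CLOUD, 443, 51000)
    r.forwards[554] = (CAM, 554)                           # port forward to camera
    out["forward"] = r.inbound(STRANGER, 40000, 554)
    del r.forwards[554]
    r.outbound(CAM, 52000, CLOUD, 8800)                    # camera dials out (P2P)
    out["p2p"] = r.inbound(CLOUD, 8800, 52000)
    out["p2p_other"] = r.inbound(STRANGER, 8800, 52000)
    locked = Router(no_internet={CAM})                     # camera blocked outbound
    out["isolated"] = locked.outbound(CAM, 52000, CLOUD, 8800)
    out["isolated_in"] = locked.inbound(CLOUD, 8800, 52000)
    return out

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:12} {verdict}")
```

With the camera's outbound traffic blocked, no flow is ever tracked for it, so the cloud endpoint that got through in the P2P case is dropped like any other unsolicited sender.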
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,342
Reaction score
3,524
Consider a few scenarios
  • A computer (or other device like a smart TV) on your network gets infected with some flavor of malware that also infects vulnerable devices like routers and cameras. In some instances this might not be able to breach the browser's sandbox; it may only be able to attack devices on the network.
  • A guest or user on your network wants to knock out or gain unauthorized access to the cameras.
  • You buy a camera at a government surplus auction and just your luck it has the special version of the software that gives a third party like a foreign government or botnet operator access to your local network.
  • The camera contains an undocumented insecure backdoor that's just waiting to be exploited.
  • The camera has a security vulnerability that exposes other devices on your network.
The list goes on and on. The name of the game is attack surface reduction.
 

Contadino

Thinking about this further - I have a SmartThings hub and a Carrier thermostat that I access remotely without using VPN. How insecure is this? If I put VPN on my router would these still be accessible?
 

wittaj

Those are insecure as you are trusting a device that may not have any real security on it.

Many of these devices are cloud based or may need internet to work, so you would have to see if they can work without internet. If they do work without internet then yes you could set them up to access via VPN.
 