Dahua camera phoning home to China

Discussion in 'Dahua' started by user54t45t, Aug 27, 2018.


  1. user54t45t

    user54t45t n3wb

    Joined:
    Aug 27, 2018
    Messages:
    4
    Likes Received:
    0
    Location:
    Australia
    Noticed my IP camera was reaching out to some China based IPs, so dropped those outbound packets (60k packets in less than a day). Should I set my hair on fire? Currently the camera is still on my LAN, just blocked from reaching out. No idea what it was doing :(
     
  2. J Sigmo

    J Sigmo Known around here

    Joined:
    Feb 5, 2018
    Messages:
    667
    Likes Received:
    643
    You'll get a lot of advice on this subject.

    Most of us block all of our cameras and any NVRs from directly accessing the internet or actually, anything beyond our LANs.

    You are wise to be aware of this and to take the proper measures to mitigate these vulnerabilities. Good for you!
     
  3. john-ipvm

    john-ipvm Known around here

    Joined:
    Oct 15, 2015
    Messages:
    207
    Likes Received:
    299
    Even if Dahua (or Hikvision or whomever) first sent the traffic to Australia or the USA or the EU, they could always forward it back to China, such is the nature of the public Internet.

    As @J Sigmo notes above, best to block all outbound unless you really trust the provider.
     
    looney2ns, fenderman and J Sigmo like this.
  4. Pneuma

    Pneuma n3wb

    Joined:
    Oct 24, 2017
    Messages:
    10
    Likes Received:
    4
    Agree, security cameras, not just Dahua, are well known to have backdoors. I use my router to give each IP camera a static IP address and I block those IPs from accessing the outside world.
     
    J Sigmo likes this.
  5. awsum140

    awsum140 Known around here

    Joined:
    Nov 14, 2017
    Messages:
    1,283
    Likes Received:
    1,115
    Location:
    Southern NJ
    I use static IPs and block the IPs on the router. On the cameras, bogus DNS and default gateway addresses, and shut off everything I possibly can that even might look like it would access the internet.
     
    J Sigmo likes this.
  6. wpiman

    wpiman Young grasshopper

    Joined:
    Jul 16, 2018
    Messages:
    32
    Likes Received:
    8
    Location:
    massachusetts
    Huh. I have an EdgeRouter and was just monitoring the IP for my Dahua. Noticed it was getting maybe a small packet every couple of seconds. Set up a rule to block it. Dropped maybe a couple thousand this hour.

    I suspect they might be NTP packets. Once I get a chance: I will try to check it.
     
  7. awsum140

    awsum140 Known around here

    Joined:
    Nov 14, 2017
    Messages:
    1,283
    Likes Received:
    1,115
    Location:
    Southern NJ
    If it's NTP it'll be port 123. Set up a local NTP server.
     
  8. Xeddog

    Xeddog Getting the hang of it

    Joined:
    Apr 27, 2017
    Messages:
    136
    Likes Received:
    57
    Set your hair on fire and make sure you post the video of it.
     
    user54t45t, giomania and awsum140 like this.
  9. wpiman

    wpiman Young grasshopper

    Joined:
    Jul 16, 2018
    Messages:
    32
    Likes Received:
    8
    Location:
    massachusetts
    Huh, I just learned that my router has NTP server on by default.

    mike@ubuntu18:~$ ntpdate -q -s time.nist.gov
    server 129.6.15.28, stratum 1, offset 0.001920, delay 0.04875
    mike@ubuntu18:~$ ntpdate -q -s 192.168.0.1
    server 192.168.0.1, stratum 2, offset 0.002806, delay 0.02609
     
  10. user54t45t

    user54t45t n3wb

    Joined:
    Aug 27, 2018
    Messages:
    4
    Likes Received:
    0
    Location:
    Australia
    creating a VLAN for all Chinese IP Cameras...
    - no internet access
    - no access outside known destination ports to my router
     
  11. sbex55

    sbex55 n3wb

    Joined:
    Aug 24, 2018
    Messages:
    6
    Likes Received:
    6
    Location:
    New York
    Newbie here ... could someone point me to a good primer on how to set up a VLAN for my cameras along with disabling internet access? I am using the Blue Iris mobile app to access my cameras remotely.

    Thanks for the help!
     
  12. DLONG2

    DLONG2 Getting comfortable

    Joined:
    May 17, 2017
    Messages:
    335
    Likes Received:
    92
    Have you segmented the cameras into their own VLAN yet?

    With a Ubiquiti USG router, it's easy to block any LAN device from reaching the internet, and having a VLAN isn't even needed just for blocking internet access. The blocking is accomplished by simply adding a rule on WAN_OUT.

    Go to the Settings, then Routing & Firewall, then Firewall, then Groups.
    Create a new group, with perhaps a name such as 'Cameras'.
    Type: 'Address'.
    Add in each of the static IP's of all your cameras (and any other device you wish to block from reaching the internet).
    Save the group.

    Then go to the Rules. Then click on 'WAN OUT'.
    Create a new rule. Give it a name, such as 'Block_Cameras'.
    Enable it.
    Rule applied: Before predefined rules.
    Action: Drop.
    Protocol: All.
    In my case, I enabled logging.
    IPsec: Don't match.

    In the SOURCE section:
    Type = Address/Port Group.
    Address Group: 'Cameras'.
    Since you don't want a destination, just leave that section alone.
    Save the rule.

    Now any device listed in the Camera group will be blocked from calling home. You can test it by adding in the IP address of your Blue Iris PC, and after saving the change to the group, wait a minute for the USG to act on the rule, and try to access a web page from the Blue Iris PC. When assured the rule is working well, go back and remove the PC's IP from the group, or leave it; as I guess it doesn't matter. In my case, I want the PC to get updates, etc.
     
    Last edited: Dec 18, 2018
  13. AP514

    AP514 n3wb

    Joined:
    Dec 10, 2018
    Messages:
    5
    Likes Received:
    3
    Location:
    Texas
    Wow, this is some good stuff....
     
  14. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    693
    Likes Received:
    344
    Tip-of-the-day: it makes your life even easier having an OpenVPN server running on the Ubiquiti gear and making "simple" access rules on who can access what in your LAN (eg access to IPC vlan and not to NAS vlan etc)
     
  15. JRNAn30

    JRNAn30 n3wb

    Joined:
    Oct 24, 2015
    Messages:
    27
    Likes Received:
    13
  16. DLONG2

    DLONG2 Getting comfortable

    Joined:
    May 17, 2017
    Messages:
    335
    Likes Received:
    92
    Is there a primer on OpenVPN you could recommend? On my Note8 and iPhone, I just use the built-in VPN features to connect to the Radius server in the USG. There's this Tasker app on Android which can leverage OpenVPN which I'd like to explore.
     
  17. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    693
    Likes Received:
    344
    I found tons of inspirational stuff on OpenVPN on the Ubiquiti forum. And your network situation might be a "bit" different than mine, so what I did was harvest bits & pieces from other people's tutorials, stole some great ideas, ditched some (seemingly less great) ideas. But by doing trial and error, you learn from your mistakes :)

    In general, my advice would be:
    - DRAW your network layout on paper. Don't start coding / configuration before you have an overview of what you want to implement. Keep in mind: networks do change over time, you might run into an iterative process and have to start over from this important step. So keep your documentation for later reference, otherwise you find yourself in a situation like: why on earth did I configure vlan 9, clean it up and after a while discover that your smart TV can't play media files anymore. Also important: you have your Physical Diagram (which outlet goes to which room terminated on which switch/router/access point/...) and your Logical Diagram (which IP range, subnet, gateway, vlan number etc)
    - once you have your architectural design, you will be able to formulate your requirements:
    - if vlans are required: how many, how are they propagated --> this defines whether (or not) you'd require managed switches or unmanaged ones
    - if different subnets are required: how many, how are they "concentrated" --> this defines whether (or not) you'd require (additional) routing capabilities
    - in case you want to reach your inner network, OpenVPN is the no-brainer solution. It runs on ample SOHO routers (eg ASUS) but also on the Ubiquiti gear. With OpenVPN set up, you can then opt whether you land in a specific vlan, or can connect to restricted subnets.
    - in any case of the aforementioned options, you'd think about "access restrictions". Everybody on this forum is already aware that blocking internet access TO IPC/NVR is mandatory (which means no port forwarding), however thinking about restricting access TO the internet might be a wise thing too. Exceptions can occur if you really want to have push notifications. Draw these access rules on paper (traffic_in versus traffic_out, by physical interface and/or logical interface, eg which IP can talk with another IP). And think broad: do you really want your Google Home device residing in the same network as your NAS with your family pictures? Same applies to your wifi-IOT-fridge. It's not a question whether they would do you harm NOW, it's more about in 3-4 years, when your fridge is out of warranty, didn't get any firmware update, and the *nix gets whacked and goes rogue on your network. Then you'll be happy to have it isolated in a vlan.
    - then it's play time:
    - start configuration of your network gear. Do keep regular backups (and keep them in pairs: firmware file + configuration file). Many people only save the configuration file, but if version 4.39 has configuration features which 3.10 does not have, and your system breaks down and you get a new device under warranty sitting on the factory default of 3.10, you can't just load the 4.39 configuration file. And maybe that firmware file doesn't exist anymore and the vendor sits on 5.59, so you lack the intermediate 4.39 firmware file. So keep them both!
    - more specifically on OpenVPN: I tend to keep the OpenVPN client in "seamless" mode, which means that whenever my OpenVPN connection drops, even when 3g/4g or wifi still "work", no packets are sent over the air. I do not want to let slip any packets (because maybe my openvpn port is blocked on a public hotspot).

    Tasker might help you in the last use case to see "if not connected to trusted wifi - connect openvpn", but in seamless mode, you don't actually need it.

    Hope this helps!
    CC
     
    Pneuma and DLONG2 like this.
  18. Jagradang

    Jagradang Getting the hang of it

    Joined:
    Aug 10, 2017
    Messages:
    92
    Likes Received:
    26
    I wanted to do the above also and block my cameras from all internet access. However, the biggest issue I found is if I do that and block everything then I can't get push notifications (gDMSS) or emails for any alerts/triggered events. That would then invalidate the point of having the CCTV as I wouldn't know an event had occurred!! What makes it more fun is the fact that it uses the standard SMTP port (465) and push notifications use 443!!! So basically no point blocking anything on it if it can get out on port 443!
     
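    The USG approach DLONG2 describes above (an address group of camera IPs with a default Drop on WAN_OUT) and Jagradang's concern about notification traffic on 465/443 can be expressed as one small egress policy. The following is an added example, not code from the thread or from Ubiquiti: it evaluates constructed flow records against a Cameras group with LAN-to-LAN traffic untouched and only narrowly keyed WAN exceptions (destination address, protocol and port together), so that "allow 443" does not silently become "allow everything". All addresses are constructed placeholders.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed addressing: adjust to your own LAN and camera group.
LAN = ipaddress.ip_network("192.168.0.0/24")
CAMERAS = {ipaddress.ip_address(a) for a in ("192.168.0.50", "192.168.0.51")}
# Narrow WAN exceptions keyed by (destination network, protocol, port).
# Keying on port alone (e.g. "allow 443") would let the device reach anything.
ALLOW = [
    (ipaddress.ip_network("203.0.113.25/32"), "tcp", 465),  # constructed mail relay
]

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def verdict(flow: Flow) -> str:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in CAMERAS:
        return "allow"          # the rule only matches the Cameras group
    if dst in LAN:
        return "allow"          # LAN-to-LAN never crosses WAN_OUT (local NTP etc.)
    for net, proto, port in ALLOW:
        if dst in net and flow.proto == proto and flow.dport == port:
            return "allow"      # explicit, address-bound exception
    return "drop"               # default for the group: drop (and log)

def summarize(flows):
    """Return per-verdict counts and the sorted set of dropped destinations."""
    counts = Counter(verdict(f) for f in flows)
    dropped = sorted({f.dst for f in flows if verdict(f) == "drop"})
    return counts, dropped

SAMPLE = [  # constructed flows resembling what the thread describes
    Flow("192.168.0.50", "192.168.0.1", "udp", 123),     # local NTP server: fine
    Flow("192.168.0.50", "129.6.15.28", "udp", 123),     # public NTP: dropped
    Flow("192.168.0.51", "198.51.100.7", "tcp", 443),    # "push" to unknown host: dropped
    Flow("192.168.0.51", "203.0.113.25", "tcp", 465),    # mail relay exception: allowed
    Flow("192.168.0.20", "198.51.100.7", "tcp", 443),    # BI PC, not in the group
]

if __name__ == "__main__":
    counts, dropped = summarize(SAMPLE)
    print(dict(counts), dropped)
```

The dropped list is what you would expect to see in the WAN_OUT log once logging is enabled on the rule; anything that turns up there repeatedly is a candidate for a deliberate, address-bound exception rather than a blanket port allowance.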
  19. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,645
    Likes Received:
    895
    Location:
    Houston Tx
    At first I used an Asus router. There are parental controls that allow you to block by MAC address. I block all my cameras.

    I then went to a segregated network. I use two NIC cards in my BI PC. One goes to the main router. The other connects to a gigabit switch which connects to 4 PoE switches that connect to the cameras. All cameras and the NIC cards use static addresses. The cameras and the NIC card are on a separate subnet.

    Jagradang
    The notifications should be coming from the NVR or the VMS (Blue Iris)
     
  20. Jagradang

    Jagradang Getting the hang of it

    Joined:
    Aug 10, 2017
    Messages:
    92
    Likes Received:
    26
    I have a Dahua NVR, so yes they are coming from the NVR - which again is from the same manufacturer as the cams and from China. So I was just saying blocking the cams or the NVR are the same thing for me. If you're using BI then the story is probably different.