Various kikvision cams.
Does having my ip camera send out an email for alerts “ expose” it to internet to be hacked?
Does having my ip camera send out an email for alerts “ expose” it to internet to be hacked?
Does having my ip camera send out an email for alerts “ expose” it to internet to be hacked?
- Thread starter Mike4030
- Start date
No more than your phone or computer sending emails to internet.
SouthernYankee
IPCT Contributor
if you camera has direct access to the internet, you have increased your risk to getting hacked. Cameras have very poor security and are very seldom upgraded for security issues.
I use my own email server, it is not to difficult to setup your email server.
So having it send emails is providing direct access to internet.
Similar to if ports were forwarded?
In my opinion, email server setup on linux is still a nightmare of command line and configuration file busywork. I've been using hMailServer on Windows instead. It has limitations, but it is a GUI app, so that helps.
Spam filters are the biggest problem though. Not your spam filters, but everyone else's. If you want to send mail to other people's addresses, you have to set up SPF and DKIM and DMARC or else there's a high chance your email will be automatically sent to spam or not delivered at all. Even having done all this, when I moved to another part of the country 6 months ago, I found out that some major email domains (such as yahoo and gmail) refuse email that is sent by an SMTP server at an IP address they believe to be residential. I had to set up an account at sendgrid to get around this, and now I'm limited in the number of outgoing emails per day unless I pay money. Kind of defeats the purpose of running your own email server in my opinion.
Spam filters are the biggest problem though. Not your spam filters, but everyone else's. If you want to send mail to other people's addresses, you have to set up SPF and DKIM and DMARC or else there's a high chance your email will be automatically sent to spam or not delivered at all. Even having done all this, when I moved to another part of the country 6 months ago, I found out that some major email domains (such as yahoo and gmail) refuse email that is sent by an SMTP server at an IP address they believe to be residential. I had to set up an account at sendgrid to get around this, and now I'm limited in the number of outgoing emails per day unless I pay money. Kind of defeats the purpose of running your own email server in my opinion.
My plan would be to only use it for camera emails and keep my current setup for regular emails.
Thanks I’ll look into this also.
Thanks I’ll look into this also.
It is not the same.
You have a firewall between your LAN and internet that is discarding unwanted traffic from internet to all LAN devices until you opened ports.
Opening connection from inside the LAN to internet it is a bit different but all your devices it is doing that when browsing, sending/receiving emails or accessing stuff from LAN to internet.
Security risk from your LAN devices it is to call home to a Command Center establishing a connection this way CC will be able to access your LAN... traversing firewall because the port is opened by device inside LAN.
You can mitigate this only by blocking specific devices in LAN to communicate outside LAN and for this you need a firewall or L2 switch that can drop connection from specified devices by IP or MAC.
Exactly how I am using my email server and also help me to integrate all my cameras in Home Assistant - IoT with the help of this script.
Last edited:
So am I worrying about the emails from camera for nothing or is it something I should take care of.
Emails sent by camera outside LAN are not a problem.
Just be sure you don't open ports from firewall to cameras to be able to see them from internet or to any other devices inside LAN.
Just be sure you don't open ports from firewall to cameras to be able to see them from internet or to any other devices inside LAN.
Mike A.
Known around here
- May 6, 2017
- 4,170
- 6,992
Sending email itself isn't a concern. That your cams can access the Internet to do that exposes your system to at least potentially a little more risk. i.e., If they can send out that traffic out, then they can send out other traffic and make connections that can be answered from an outside system and that responding traffic will be passed back through since the connection was initiated internally.
At a practical level, you're likely OK. But as best practice it's better, as others said above, to isolate the cams from the Internet and the rest of your network to the extent that you can and run such traffic through other more trusted local servers.
Most of what you'll see are unauthorized attempts to do things (coded into the firmware) like accessing a list of DNS servers or phone home to pass information or attempt to connect to a P2P network. That can happen even in cases where they should not be doing so given settings. Potentially at least, that could include much more malicious behavior. These aren't just cameras. They're effectively very capable little linux black boxes with camera functions that you're dropping inside of your network. And they're full of various vulnerabilities and rarely updated by most. So not as bad as exposing them directly to the world through port forwarding but better to isolate them.
At a practical level, you're likely OK. But as best practice it's better, as others said above, to isolate the cams from the Internet and the rest of your network to the extent that you can and run such traffic through other more trusted local servers.
Most of what you'll see are unauthorized attempts to do things (coded into the firmware) like accessing a list of DNS servers or phone home to pass information or attempt to connect to a P2P network. That can happen even in cases where they should not be doing so given settings. Potentially at least, that could include much more malicious behavior. These aren't just cameras. They're effectively very capable little linux black boxes with camera functions that you're dropping inside of your network. And they're full of various vulnerabilities and rarely updated by most. So not as bad as exposing them directly to the world through port forwarding but better to isolate them.
Do you know for sure that's all they are doing? Have you taken a packet capture to make sure? What about other P2P or UPNP settings? Do you have those buttoned up?
I guess I don’t know for sure. Didn’t do packet capture. I turned off those settings in the configuration.
Cameras will phone home - it differs from manufacturer to manufacturer. The only way to know for sure is to remove all Internet capability. There are many articles out there regarding some of the not so nice things the camera manufacturers do under the covers. Things like embedded root credentials, settings in the GUI that don't really turn thing "off"....etc.
I am concerned about that. I think my easiest and better option is to connect cameras to blue iris and then use blue iris to handle the email sending and time synchronization settings.
That's definitely a better choice. You can search here for tips on setting up the NetTime Synch tool. Let your cameras get their time via your BI machine, the rest of the machines on your network too for that matter. All my devices talk to my NTP server internally for time.