"Don't buy cheap Chinese-made security cameras, because their security may just be terrible"

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
441
Reaction score
151
Foscam Security Cameras Full of Security Flaws

Foscam here, but how many other Chinese manufacturers have similar problems?
Many cameras have such flaws (but also well known cameras have flaws that are still undercover and kept undercover on purpose to avoid vendors to patch them) but for those flaws listed they are "usable" only if you open their access port (HTTP and/or RTSP and/or FTP, and/or Telnet...) directly from Internet access and this is a main security issue by itself.

But you also have well known brand cameras that are old and no more supported by the vendor, with security flaws discovered "recently" that will never be fixed, the same with your Android Phone if it's a bit old or any other computing/electronic things.

Those low cost chinese cameras are cheap partly because the guys do not spend too much time/resources/money into security implementation, but you have workaround with VPN or Reverse Proxy but still... security flaws are discovered every day including OpenVPN for example but they are fixed very quickly.

So the main word is never expose a camera directly on Internet.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
13,242
Reaction score
4,547
Location
Scotland
Both had a some kind of backdoor but those are fixed now and hopefully not new were added.
Unfortunately, not for those whose cameras are not updateable, and not for those who know nothing about this.
In other words, not for most people.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
10,272
Reaction score
8,124
Location
USA
Yup. Fixing a problem in firmware is one thing, but if 99.99% of affected devices never update, then what?
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
43
Reaction score
19
Those low cost chinese cameras are cheap partly because the guys do not spend too much time/resources/money into security implementation...
Reading in the article about all the ways the cameras are compromised, the problem seems to go beyond a simple failure to try hard enough to make them secure, I get the sense that the manufacturers are deliberately building backdoors in.

Is that overly paranoid?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
13,242
Reaction score
4,547
Location
Scotland
And if they don't use P2P, which to many users seems like like an attractive option.
But the reality is that the average user thinks that port forwarding is a great facility providing something they want. And they are ignorant of the risks.
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,222
Reaction score
226
...
So the main word is never expose a camera directly on Internet.
So, does "never expose a camera directly on Internet" mean then you have no way to ever view them remotely?

When everyone talks about bad "Chinese" cameras...are there any other kind? Meaning is there any camera made. at any price in the U.S. or some other country you would trust? I assumed pretty much all cameras, and their respective firmware were made in china or other foreign country.

And when everyone talks of "Cheap" Chinese cameras, most of the models people love here, Hick and Dahua, really fall into that price category.

So is the answer just to lock cameras down to home and only view at home and miss out on a lot of the functionality?

Is there a simpler solution to just be able to safeguard the important stuff in your computer \ network where you may have private or financial information and who cares if someone somehow can view the garage or back door to the yard?
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
441
Reaction score
151
So, does "never expose a camera directly on Internet" mean then you have no way to ever view them remotely?

When everyone talks about bad "Chinese" cameras...are there any other kind? Meaning is there any camera made. at any price in the U.S. or some other country you would trust? I assumed pretty much all cameras, and their respective firmware were made in china or other foreign country.

And when everyone talks of "Cheap" Chinese cameras, most of the models people love here, Hick and Dahua, really fall into that price category.

So is the answer just to lock cameras down to home and only view at home and miss out on a lot of the functionality?

Is there a simpler solution to just be able to safeguard the important stuff in your computer \ network where you may have private or financial information and who cares if someone somehow can view the garage or back door to the yard?
Dahua and Hikvision is not what I qualify as "cheap" cameras they are rather expensive for Chinese products. What I call "cheap" is rather all those Top-201, Digoo M1Q... there are tons of such cams that cost nothing but which have nearly no security.

And whenever you have for example RTSP protocol with login/password (some of those cheap cams may not have any password at all !) RTSP is not encrypted and those cheap cams do not do SecureRTSP.

When I say "never expose directly" this do not mean the are not accessible as I also said "access it thru a VPN".

And for those P2P feature, they are so easy but nobody knows exactly what is behind, who own the central servers, do the login informations go thru or do they store them ? you can ask any cheap vendor they will not answer you because often they do not own the P2P servers but have an agreement with P2P hosters.
 
Last edited:

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,222
Reaction score
226
OK so the whole VPN thing is the way to go then as I have read elsewhere. I thought you were suggesting even VPN may be a bad idea and was confused. Thanks.
I think $170 for the Dahua 5321 is pretty cheap considering the quality of the image...and yeah, top 201---maybe classify as Mondo-cheap-o".
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
441
Reaction score
151
OK so the whole VPN thing is the way to go then as I have read elsewhere. I thought you were suggesting even VPN may be a bad idea and was confused. Thanks.
I think $170 for the Dahua 5321 is pretty cheap considering the quality of the image...and yeah, top 201---maybe classify as Mondo-cheap-o".
Yes what I meant about VPN is that it is the secure way to do it, I only said that as for any server/protocol/computing/electronics, flaws are discovered time to time including for VPN software but they are fixed quickly because security is the heart of such product ;-)

And if you want to really secure your VPN to the max if you expose your entire local network with it (but you can restrict it to only one IP or very small subnet behind) then add your own cetificate and OneTime Password like Google Authenticator that is quite easy to implement in OpenVPN server (but it has no connection with "Google" it is only the name of the auth).
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
556
Reaction score
389
Mmmm.. It's not a problem if the cameras are not portforwarded.
Not really true. Not forwarding and/or blocking incoming ports just prevents unrequested incoming traffic. Unless you block/filter/isolate it in some way, then if it's on your network it can generate valid outgoing and two-way traffic in response all that it wants to just like any other local machine on your net. That includes simple annoying stuff like phoning home through at least potentially things like setting up tunnels, capturing local network traffic and forwarding it out, downloading and executing malware, attacks against remote and other local computers, altering its own firmware, etc., etc.
 

e007

Young grasshopper
Joined
Jun 2, 2017
Messages
72
Reaction score
15
Location
Rovaniemi, Finland
Not really true. Not forwarding and/or blocking incoming ports just prevents unrequested incoming traffic. Unless you block/filter/isolate it in some way, then if it's on your network it can generate valid outgoing and two-way traffic in response all that it wants to just like any other local machine on your net. That includes simple annoying stuff like phoning home through at least potentially things like setting up tunnels, capturing local network traffic and forwarding it out, downloading and executing malware, attacks against remote and other local computers, altering its own firmware, etc., etc.
Well, backdoors that connect to servers. I know that few of the chinese cameras have Malware already. I've read some article that was about chinese Ip camera that made suspicious traffic to a chinese Ip address. But if it's just something like hardcoded accounts it isn't a problem.
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
441
Reaction score
151
Well, backdoors that connect to servers. I know that few of the chinese cameras have Malware already. I've read some article that was about chinese Ip camera that made suspicious traffic to a chinese Ip address. But if it's just something like hardcoded accounts it isn't a problem.
The "suspicious" traffic is often produced by the P2P protocol that a lot of cams have today and as I said problem is that they all have their own P2P implementation, there is no standard RFC about it (or I may say a lot of P2P cams use the same P2P servers/protocol), it may also be the internal DynDNS-like system and yes some (but not that much) may come with real malware inside.
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
556
Reaction score
389
Well, backdoors that connect to servers. I know that few of the chinese cameras have Malware already. I've read some article that was about chinese Ip camera that made suspicious traffic to a chinese Ip address. But if it's just something like hardcoded accounts it isn't a problem.
Problem is that you don't really know what's in there. It's not "just a camera" as most people tend to think of it. Effectively, you're installing an unknown little Linux box inside your network and it can do most anything that any other computer can with whatever intentional or unintentional exploits/vulnerabilities that may come with it. People who would never do something stupid like clicking on potentially malicious links in an email won't even flinch at dropping a camera (or other similar device) into their network. At least potentially, they just installed a machine that can actively do the same thing all by itself unknown to them and whether they want it to or not. ; )

Granted there's some level of risk that you have to accept to do much of anything but just as a matter of principle and good practice you shouldn't trust any of these things whether they're cheap Chinese cams or otherwise. They all should be blocked both ways with limited reach into your network to the extent that you can and still have them be useful devices.
 
Top