I am no network expert, but it seems something is missing from your suggested defenses against potential malware. Maybe you can help me understand?
Suppose my brand-new camera is added to my network. I isolate it to its own vlan. And that "camera vlan" has no internet access. I understand that part, and so far, so good.
But now I need to "configure" the camera. When I try to configure it, the plug-in gets involved, seeking permission to install and operate on my PC that is configuring the camera. My impression is that once (or if) I grant access to that plug-in, I have bypassed the protections to isolate the camera and surrendered any effort toward security except blind belief the plug-in is hopefully safe. Once I allow it to operate by clicking "allow", the plug-in obtains access to my PC which does have network access and which does have internet access. And I have no knowledge of what the plug-in does, or does not do, thereafter. So, once the plug-in is enabled, the potential for a security compromise is complete. At least if there is any malware load in the plug-in.
Can you help? What is missing from my knowledge about whether I properly understand what happens after you click "allow" to the plug-in? Thanks!
Would you blindly accept a USB drive from a stranger and plug it into your computer? Even though you don't download or install anything from it, just the fact it is plugged in with access to your computer can result in a behind-the-scenes loading of something bad.
Or what about all those reports of someone plugging their phone into a public charger and unbeknownst to them malware or something else bad is introduced to their phone. Those people were not downloading anything or even logging in to the charger, just the fact it was plugged in to charge their phone was enough to dump malware or viruses or other stuff the system didn't block.
Same with accessing the camera via a computer. Once you have "logged" in to the camera, it could be downloading something bad even without a plug-in. Plus these devices are also notoriously known for having backdoor vulnerabilities. So even without a plug-in, it doesn't mean there are not backdoor exploits.
Let's face it, by logging into a camera via a web browser, you are giving that device even more access to your computer than simply browsing some random website on the web. And maybe that random website is doing something bad behind the scenes putting crap on your computer. Same with a camera. One would hope anti-virus would stop it, but in some instances it doesn't. Like people going to porno sites or some other website simply looking up information, and their browser will automatically download malicious files without them needing to take an action.
Once you access the camera via a computer that has internet access, even without a plug-in, if the firmware is designed to try to ping the outside regardless of what you set up in the camera, it is going to try. Or if it has an attack vector that has exploited a vulnerability of a web browser, it will.
As I mentioned, someone here showed through sniffing that, even though they had their camera on a different subnet and had the gateway and DNS servers point back to the camera, the camera was still trying to access a 192.168.1.xx subnet (default camera subnet), and had his home LAN been on 192.168.1.xx then it would be accessing the internet without his knowledge. It probably wasn't for nefarious actions and probably just some sloppy coding, or it could have been an intentional backdoor to allow the manufacturer access to the camera in the event someone screwed it up. Who really knows.
So it is a good extra step to not have the home LAN on the same subnet as the default IP addresses of the camera in the event an intentional backdoor or just sloppy coding allows the camera to still try accessing the default IP subnet, which for many cameras is the 192.168.1.xx subnet.
Like everything in life, it comes down to risk, mitigating risk, and accepting some level of risk.
Many people port forward or use P2P and never have a problem (or they don't know it), but that doesn't mean most of us here will employ those options.
Many people use cloud based cameras and are never hacked, but that doesn't mean most of us here will employ those types of cameras.
Many people use these types of cameras connected to their router and download all the required plug-ins and never have a problem, but that doesn't mean most of us here will employ those types of cameras.
So we try to mitigate that risk as much as possible, but recognizing that there is still a risk, even if remote or small.
So in my case, my cameras are all on a completely separate system - I do not use a VLAN for my cameras as we have seen those have been hacked too or someone figured out how to VLAN hop on a VLAN router and now the cameras are accessing the internet.
I have an old laptop that doesn't even have built-in wifi and never touches the internet or even my own internal network and that is the computer I use to set the cameras up by plugging the camera into a POE injector and plugging that camera into the laptop and making all the changes. If I download the plug-in, it only impacts that computer. But I am quirky and after I am done, I reset the computer LOL. Again, this computer never touches my network and doesn't have internet access.
I run Blue Iris as my VMS system, so I run it as a dual NIC - one card for internet and one card for the cameras. The computer is only pulling the video and ONVIF feeds from the camera NIC.
Is it 100% foolproof? No - no VMS system is unless it is completely physically cut off from anything else.
Could a bad actor figure out how to NIC hop like they have been able to figure out how to VLAN hop? Sure. Is it likely?
Could my computer have a motherboard with a backdoor vulnerability or some other peripheral with a backdoor that completely defeats my entire attempt to mitigate problems - sure.
But what is the option at that point - no computer or mobile device?
So you have to decide what level of risk you are willing to accept.
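The reply above makes two practical points: an isolated camera may still try to reach its vendor-default 192.168.1.x subnet or the internet, and the only host a camera should legitimately talk to is the VMS's camera-facing NIC. The script below is an added example (mine, not the poster's and not part of any product mentioned in the thread) that checks captured flow records against exactly that policy. It assumes cameras sit on 10.20.0.0/24, that the VMS camera NIC is 10.20.0.2, and that flow lines look like `<time> <src> -> <dst> <proto>/<port>`; all of those values and the sample lines are constructed for the demonstration.

```python
"""Flag camera-originated flows that leave the scope the post describes.

Policy (derived from the thread): a camera may talk only to the VMS's
camera-facing NIC (and send discovery broadcasts). Any flow to the vendor
default subnet, to the internet, to another internal subnet, or to another
camera is reported. Subnets, addresses and sample lines are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

CAMERA_VLAN = ipaddress.ip_network("10.20.0.0/24")       # assumption
VMS_CAMERA_NIC = ipaddress.ip_address("10.20.0.2")       # assumption
VENDOR_DEFAULT = ipaddress.ip_network("192.168.1.0/24")  # default subnet cited in the post
# Address space we treat as "inside the house"; anything else counts as internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+) ([A-Z]+)/(\d+)$")

# Constructed sample flow log (e.g. summarised from a switch mirror port).
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.20.0.50 -> 10.20.0.2 TCP/554
2024-05-01T10:00:02 10.20.0.50 -> 192.168.1.1 UDP/53
2024-05-01T10:00:03 10.20.0.50 -> 203.0.113.10 TCP/443
2024-05-01T10:00:04 10.20.0.2 -> 10.20.0.50 TCP/80
2024-05-01T10:00:05 10.20.0.50 -> 10.20.0.51 TCP/80
2024-05-01T10:00:06 10.20.0.51 -> 10.30.0.7 TCP/445
"""


@dataclass(frozen=True)
class Finding:
    time: str
    src: str
    dst: str
    reason: str


def classify(src: str, dst: str) -> Optional[str]:
    """Return why a camera-originated flow breaks policy, or None if it is fine."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Only judge traffic the cameras start; the VMS NIC lives on the same
    # subnet, so exclude it explicitly.
    if s not in CAMERA_VLAN or s == VMS_CAMERA_NIC:
        return None
    if d in VENDOR_DEFAULT:
        return "camera calling the vendor default subnet"
    if not any(d in net for net in INTERNAL):
        return "camera reaching the internet"
    if d not in CAMERA_VLAN:
        return "camera reaching another internal subnet"
    if d == CAMERA_VLAN.broadcast_address or d == VMS_CAMERA_NIC:
        return None  # discovery broadcasts and the VMS are expected peers
    return "camera talking to another camera"


def scan(log_text: str) -> List[Finding]:
    """Parse flow lines and return one Finding per violation, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        time, src, dst, _proto, _port = m.groups()
        reason = classify(src, dst)
        if reason:
            findings.append(Finding(time, src, dst, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.time} {f.src} -> {f.dst}: {f.reason}")
```

Run against the constructed log, the script reports four flows: the DNS query to 192.168.1.1 (the vendor-default behaviour the post describes), the HTTPS attempt to a non-internal address, the camera-to-camera connection, and the SMB attempt toward another internal subnet; the RTSP session to the VMS NIC and the VMS's own connection back to the camera pass. The same check works on a dual-NIC Blue Iris host if you feed it a flow summary from the camera NIC, since anything not destined for that NIC is suspect by construction.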