Surprised so many people are OK with WPA2-PSK

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,801
Reaction score
2,774
You're in a tough spot, IMO. I don't think there's much chance you can have a wireless camera a couple of hundred feet away from your AP and not have it negatively impact the performance of your WiFi network. Also, as @fenderman alluded to, there best cameras out there (in terms of image quality, especially in low light) generally don't have a wifi-version, at least not when it comes to the Hikvision/Dahua professional market models that most folks here use.

If you will have line-of-sight between the camera and the building that has your server room in it, I'd take a look at Ubuiqiti's airMAX NanoStation PTP solution. It uses its own RF protocol (airMAX) between the two units, so no neighbors snooping. On the remote end, you can get a model with a secondary PoE port, allowing you to make any virtually any wired PoE camera wireless (like @fenderman was saying). On the building end, use a cheaper model without the secondary port. This solution doesn't use your existing WiFi at all, so it shouldn't impact it.

With a solution like that, you're free to use just about any camera you want. If low-light image quality is something your'e going after, check out the Dahua/Hik models that use the 4MP 1/1.8" image sensor, they're generally the best bang for the buck (especially if you can find OEM versions of the models from @EMPIRETECANDY or this forum's store).
 
Last edited:

windguy

Pulling my weight
Joined
Sep 25, 2019
Messages
217
Reaction score
149
Location
Pacific Coast
Doesn't the addition of a MAC address table provide another layer of security for the wireless router?
I always thought it did but I'm sure you're going to shoot bullets in that notion rather quickly.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,853
Reaction score
4,346
Location
Scotland
Seems pretty wild to me that a "security camera" wouldn't have the most secure methods of communication available to it
It's well understood, especially here in ipcamtalk, that 'security cameras' (actually surveillance cameras) have been subject to very little design thinking aimed at security hardening them, as demonstrated by the rich set of security vulnerabilities they exhibit.

But methinks you are trolling a bit, or maybe hosting a crypto exchange.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
Doesn't the addition of a MAC address table provide another layer of security for the wireless router?
I always thought it did but I'm sure you're going to shoot bullets in that notion rather quickly.
No, MAC addresses are easily spoofed
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
It's well understood, especially here in ipcamtalk, that 'security cameras' (actually surveillance cameras) have been subject to very little design thinking aimed at security hardening them, as demonstrated by the rich set of security vulnerabilities they exhibit.

But methinks you are trolling a bit, or maybe hosting a crypto exchange.
Not trolling, I'm new here. Vulnerabilities of the hardware/firmware have never really worried me much as I can completely segregate the cams in their own VLAN and block all network access to/from them. I think an ethernet based cam using an rpi as a wifi bridge is the best option.
 

windguy

Pulling my weight
Joined
Sep 25, 2019
Messages
217
Reaction score
149
Location
Pacific Coast
No, MAC addresses are easily spoofed
Figured you were going to gun that one down pretty quickly. Wow!
So the scenario is that your neighbor is going to first crack your WPA2 Pass Phrase and then spoof a MAC address to gain access to your network. That's interesting.
 

PiIot

n3wb
Joined
Mar 30, 2020
Messages
13
Reaction score
6
Location
Washington
Figured you were going to gun that one down pretty quickly. Wow!
So the scenario is that your neighbor is going to first crack your WPA2 Pass Phrase and then spoof a MAC address to gain access to your network. That's interesting.
Right. If someone is able to crack your WPA2psk network, they're definitely going to have the tools to spoof a MAC.
 

pov2

Getting the hang of it
Joined
Sep 7, 2018
Messages
231
Reaction score
41
Location
Canada
I guess I don't have as big of an issue with putting wifi devices like thermostats on the wpa2-psk ssid/vlan and segregating them off other than MQTT or TLS ports. How much access/damage could someone do if they got into your thermostat?
The question was about getting into the network, not thermostats etc.
 

IP_man

n3wb
Joined
Feb 1, 2020
Messages
16
Reaction score
16
Location
Canada
Howdy,

I generally try to use the right tool for the job. Sometimes this means plunking down more $'s.

Given your long wireless reach, if you want any type of good quality, a wireless cam isn't going to cut it. Given your situation, I would use wireless gear to create a point-to-point, secure, connection. I use Ubiquiti gear. I use NanoBeam 5AC Gen2's, set up in a point-to-point configuration. I can push about 221 Mbps before the CPU is swamped. The radios sync at 655 Mbps. Once you have a wireless connection, connecting the endpoints to their respective gear is easy. You'll need a PoE on your wired cam. They're not that expensive.

HTH!
-pablo
 

pov2

Getting the hang of it
Joined
Sep 7, 2018
Messages
231
Reaction score
41
Location
Canada
As fenderman pointed out, it is easy and not terribly expensive to add your own wifi bridge,
I could not find a wifi bridge that supported 5 GHz and WPA2-Enterprise and didn't cost an arm and leg. Do you know of any inexpensive ones?
 
Last edited:

bp2008

Staff member
Joined
Mar 10, 2014
Messages
9,929
Reaction score
7,438
Location
USA
@pov2 Nope, I've never used WPA2-Enterprise and don't pay attention to it in spec sheets. As @Pilot mentioned, a raspberry pi could do the job. It won't be plug-and-play and it won't have the best antenna, but it does at least have dual-band wireless.
 

IP_man

n3wb
Joined
Feb 1, 2020
Messages
16
Reaction score
16
Location
Canada
I could not find a wifi bridge that supported 5 GHz and WPA2-Enterprise and didn't cost an arm and leg. Do you know of any inexpensive ones?
Hi,

See my response above ... each radio costs about 120 CAD. I don't know if that price-point works for you.

Cheers,
-pablo
 
Joined
Feb 26, 2017
Messages
2,800
Reaction score
1,277
Location
USA
I just noticed that in UniFi, CCMP Encryption is enabled by default and a new GTK key is created every hour, both can be used with WPA-Personal and WPA-Enterprise
 

megazone23

Getting the hang of it
Joined
Nov 21, 2019
Messages
61
Reaction score
60
Location
Los Angeles
Best case scenario, sure. Worst case scenario though? They crack it on the first attempt. I'd rather there be no scenario at all and have the network un-crackable using EAP-TLS. I also would not prefer to give visiting guests a 20+ character randomized special/number/uppercase/lowercase/whatever password.
There are a lot of coincidents to get the worse case scenario. There has to be a neighbor, who has the knowledge, who has the time, who has the interest....
I have more things to worry about in my life, probably easier to die in a car crash than having a nosy neighbor peeping on my cameras.
 

CCTVCam

Getting comfortable
Joined
Sep 25, 2017
Messages
678
Reaction score
367
Right. If someone is able to crack your WPA2psk network, they're definitely going to have the tools to spoof a MAC.
You must have one hell of a neighbour. I hope you've exercised your 2nd amendment rights because it sounds as if you're going to need them.
 

Sybertiger

Getting comfortable
Joined
Jun 30, 2018
Messages
911
Reaction score
958
Location
Orlando
I still don't get the demand for wireless cameras??? These devices need some sort of continuos power source, bringing the wired part back.. Anyway, (imo) wired is the safest route from nosy neighbours.
I think it's because some people happen to have a power outlet located approximately where they want to mount a camera so they take the easy way instead of the proper way. But, if they are going out of their way to run power for a WiFi cam then you are spot on.
 

Teeauu

n3wb
Joined
Apr 30, 2017
Messages
23
Reaction score
6
As others have said, buy a good quality camera (Dahua's are a favorite of mine) and then put good network gear up to support it. I have camera's all over my property as we have a number of show dogs and live in a secluded location and that is what I do. Ubiquiti AP's all over the place and they just work, I think I currently have 8 or 9 of them. Then if you want you can run WPA2-Enterprise. And to answer the question about why use wireless, I have cameras that are over 300 feet up a long wooded driveway. No way I'm going to pull fiber up there, way too many tree roots.
 

DavidDavid

Pulling my weight
Joined
Jan 29, 2017
Messages
588
Reaction score
239
Location
Ohio
You could try some Ethernet over power line adapters. Powerline networking. That way you get hardwired reliability without running new cat5 cables.
 
Top