this post was submitted on 09 Sep 2023
891 points (99.3% liked)

[–] [email protected] 203 points 1 year ago (6 children)

Cameras connected to the public internet are such a bad idea.

[–] [email protected] 62 points 1 year ago (2 children)
[–] [email protected] 27 points 1 year ago (1 children)

Wait, isn't every camera public? - NSA

[–] [email protected] 18 points 1 year ago (1 children)

Pretty much, yes. - Shodan user

[–] [email protected] 12 points 1 year ago

Agreed! -CCP

Wyze cameras phone home to China unfortunately.

[–] [email protected] 45 points 1 year ago (1 children)

There used to be a website with a map and you could see all these open unsecured cameras they'd found around the world. Mostly by searching Google for the page name they all had.

Some of them seemed intentional, like traffic cams, cameras on the roof looking out over the city, etc, but there were so many fat men sat around watching TV in their underpants, random families in the kitchen, and so on.

[–] [email protected] 22 points 1 year ago (2 children)
[–] [email protected] 8 points 1 year ago

Funny that the website shedding light on insecure cameras is, itself, insecurely serving the public over http.

[–] [email protected] 7 points 1 year ago

Well. At least in Finland all cams are deliberately public.

Nobody watching TV drunk in their underpants. Thank god.

[–] [email protected] 19 points 1 year ago* (last edited 1 year ago) (1 children)

It would be fine if the footage was end-to-end encrypted, meaning you need to transfer the encryption/decryption keys from device (e.g. a phone) to camera, and then manually between all devices that should have access to the decrypted footage.

Camera would only ever send out encrypted footage, and thus it would be insufficient to have access to the cloud account if you want to view the footage - you would need both access to the account (to obtain the encrypted data) and the decryption key (to actually decrypt it). The decryption key must never reach any 3rd party servers and can only be manually transferred between devices that should have access.

There are still possible attack vectors, like malicious firmware updates, or the viewer client app updates, but those are very difficult to exploit, and pretty much exist in most "secure" software today (including from companies like Google, Apple, Meta, etc.). They could be mitigated by hardware design (do the encryption in hardware, camera's software never has access to decrypted footage) and open source viewer clients that the user controls, but I would consider a camera sufficiently secure (for non-sensitive locations) without those.
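
The scheme described in the comment above, as an added Go example that is not part of the thread or any camera vendor's code: the camera seals each footage segment with AES-256-GCM under a key the storage server never sees. The camera ID, segment number and the `nonce || ciphertext || tag` blob layout are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// NewKeyed builds AES-256-GCM from the 32-byte key held only by camera and viewers.
func NewKeyed(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// bind authenticates camera ID and segment number so the server cannot swap segments.
func bind(cameraID string, seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return append(b, cameraID...)
}

// SealSegment runs on the camera; returns nonce || ciphertext || tag.
func SealSegment(g cipher.AEAD, cameraID string, seq uint64, frame []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, frame, bind(cameraID, seq)), nil
}

// OpenSegment runs on a viewer; fails on a wrong key or any modification.
func OpenSegment(g cipher.AEAD, cameraID string, seq uint64, blob []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than %d-byte nonce", n)
	}
	return g.Open(nil, blob[:n], blob[n:], bind(cameraID, seq))
}

func main() {
	g, _ := NewKeyed(make([]byte, 32)) // constructed all-zero demo key
	blob, _ := SealSegment(g, "cam-1", 7, []byte("constructed sample frame"))
	_, err := OpenSegment(g, "cam-1", 8, blob) // server relabelled the segment
	fmt.Println("relabelled segment rejected:", err)
}
```

Access to the cloud account alone yields only these blobs; how the key is moved between devices is outside what this example covers.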

[–] [email protected] 5 points 1 year ago (4 children)

How would I encrypt an RTSP stream so I can port forward it, and then how do I unencrypt that stream for use on a local server?

[–] [email protected] 5 points 1 year ago

I guess you wouldn't. Use a different protocol, one that supports the security you need.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

Encrypted VPN between each side. IPSEC over GRE using 1024-bit AES encryption is more than enough.

Honestly though, if someone's cracking IPSEC with any encryption against a random person then that's already leagues more than any script kiddie is capable of and professional hackers don't have the motive.

[–] [email protected] 4 points 1 year ago

Just set up a VPN and transmit the video over that network. That's the easy method.

[–] [email protected] 1 points 1 year ago

"how would I do something that is impossible because I think I'm making a clever point"

use a different protocol

[–] [email protected] 10 points 1 year ago (1 children)

It is a bad idea. On one hand, we have the means to make them quite secure. There is no such thing as an unbreakable encryption, but with proper key management and using decent enough algorithms we can totally do something that puts your camera out of reach of most things that are not nation-scale organisations. On the other hand, it's mildly more inconvenient than "installing an app and entering your email", as it might require stuff like doing a tiny little bit of setting up.

So, the unsecure/"trust the service" way it is.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (2 children)

What's the alternative to putting them on the pUbLic InTeRnEt? I pay my ISP $2000 per month for my own private commercial circuit? It's not a bad idea because there is no reasonable alternative. Risk mitigation is the key, as you seem to be aware.

[–] [email protected] 4 points 1 year ago

There's certainly a middle ground between IOT cameras sending a constant stream out to an internet server and a completely private circuit.

First, let's put the NVR inside the network so that we aren't constantly broadcasting to the internet.

Then let's not allow direct access to the cameras from the internet. Instead, we connect to the NVR via a VPN.

You keep control of all the recording and storage infrastructure, and you don't place your trust in these corporations that have been found over and over again to be lying or overstating their security stance.

[–] [email protected] 1 points 1 year ago

It's a bad idea because of the de-facto "requirement" that people want everything available everywhere with zero setup, causing cheap, completely insecure solutions to become the norm. Just don't use a "cloud-based, app-enabled zero-config ultra easy trust me bro I know what I'm doing" camera and get proper stuff that allows you to control what goes where and use decent encryption.

[–] [email protected] 6 points 1 year ago (2 children)
[–] [email protected] 16 points 1 year ago (1 children)

A local NVR, like Frigate or Blue Iris.

[–] [email protected] 8 points 1 year ago (3 children)

I like to check cameras while not being home.

[–] [email protected] 16 points 1 year ago (1 children)

Set up a VPN server on your local network so you can connect in remotely.

[–] [email protected] 18 points 1 year ago (3 children)

This is far beyond the capabilities of the average user.

[–] [email protected] 10 points 1 year ago

Many routers nowadays have VPNs built in.

[–] [email protected] 6 points 1 year ago

If this is beyond the capabilities of a user, maybe that user shouldn’t set up remotely accessible cameras either

[–] [email protected] 6 points 1 year ago

I would say it's about as difficult as golfing. Try doing it a few times & maybe you'll hit the ball. Keep at it & you can play the game on a course. Is there a learning curve? Yes, of course. Is it worth it? Yes, of course. Only you get the upside of the effort so nobody is going to do it for you. I mean, unless you pay handsomely for it. In the end...do whatever you feel is appropriate, but getting things that only benefit you w/o effort isn't the world we live in.

[–] [email protected] 4 points 1 year ago (1 children)

Lorex has a companion app you can use to view your camera feeds, but all of the data stays on the NVR

[–] [email protected] 1 points 1 year ago

I use NightOwl which is a dvr connected to the network. While accessing I'm really just accessing my own dvr... Right?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Go with Unifi then. They're pretty much the only network equipment company with good software. The NVR (the computer that records/stores the camera feeds) can be used with or without internet access. If you know how to set up a VPN, you can connect to it without giving it internet access. If you don't know/want to do that, you can use their free web portal to access it remotely.

Cloud key G2 (NVR) is ~$200 and includes a 1tb HDD, G3 Flex cameras are ~$80 each. If you want to save some money, you can skip the cloudkey and install the software on an existing computer on your network.

All you need for wiring is to pass a single ethernet cable to wherever you want to place the cameras since they use PoE (power over ethernet). You'll also need a PoE adapter for each camera if you don't have a router that supports PoE. They also sell really awesome routers and switches with PoE, but if you're new to PoE be careful and do your research because it can permanently damage incompatible equipment. The older EdgeRouters are an incredible value, but the PoE variants use a non-standard and more dangerous PoE implementation than the newer ones. The EdgeRouter X SFP w/ included power adapter does work fine with G3 Flex cameras though, since that's exactly the setup I have (I don't think it'll work with the Cloudkey G2 tho).

...also yes, I'm a bit of a fanboy.

[–] [email protected] 9 points 1 year ago

A camera not connected to the public internet.

[–] [email protected] 5 points 1 year ago (1 children)

I’d argue that it’s more convenient to have clouds connect for recording and storage purposes but so many cameras come with SD cards built in now that the cloud storage isn’t even really an advantage anymore either.

[–] [email protected] 13 points 1 year ago (1 children)

A security camera with only local storage has a pretty obvious flaw that the incriminating footage can be more easily stolen and/or destroyed by the perpetrator.

[–] [email protected] 1 points 1 year ago (1 children)

DVR doesn't take up much space in the safe. And the heat produced helps keep humidity down.

[–] [email protected] -1 points 1 year ago

Sure, but that's not a comparable alternative to the convenience of a turnkey, cloud solution. There's a reason they're so popular.