Keeping HikVision Cameras Secure

  • Added 21. 03. 2023
  • I just wish people wouldn't get so dramatic about issues that have simple fixes.
  • Science and technology

Comments • 62

  • @AdrianPatten 1 year ago +7

    So good to see someone who understands these. Most Electricians/Data cablers/Handymen and even Security companies will just whack these in and let them go without turning off all the features. (As you have shown) These days it's all about getting that footage onto your iPhone via "the cloud". CCTV needs to be kept in-house and well away from the web. - Another great video! Thank you.

    • @TallPaulTech 1 year ago +3

      Me and Mr 'Cloud' often come to blows

    • @tcpnetworks 1 year ago

      @TallPaulTech I hear 'cloud' as 'somebody else's computer.' It's a horror-show of vulnerabilities. Just waiting for a hack on our stuff - and a knee-jerk back to on-prem - where stuff is safer.

  • @Ryan-xx1zh 1 year ago +6

    Love your vids man, even with my basic-ish understanding of networking you always explain in a way that makes sense and gives me a more broad range of knowledge for stuff you can do with networking, cheers from NZ.

  • @FredrikRambris 1 year ago +1

    Just found this channel and am loving it. You don't explain EVERYTHING but rather expect the viewer to have some network and Linux knowledge.

    • @TallPaulTech 1 year ago +1

      I'm not here to lick stamps or fuck spiders!

  • @notathome13 1 year ago +6

    Follow the money and the companies they believe are “trusted” providers. Suddenly Axis and motofalure camera sales go through the roof. Hikvision kit works well but like all vendors you need to separate your networks.

  • @eliotmansfield 1 year ago +3

    Allowing DNS outbound, even via your own DNS server, could still allow it to make seemingly innocent DNS requests outbound to exfiltrate some information outbound. Going even more tinfoil hat, they could pass the password out via an encoded DNS request by crafting a specific DNS response that triggers a hidden piece of code inside the camera for example - so it all looks innocent, but they could wake up functions via specific DNS responses.

    • @TallPaulTech 1 year ago +5

      I'm going to guess that you've also heard of iodine ;)
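
The concern raised in the comment above, that a device allowed to use only the local resolver can still carry data out inside query names, can be watched for in the resolver's query log. This is an added example, not part of the comment thread; the log tuples, the thresholds and the helper names `parent_zone` and `suspicious_clients` are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs, as might be parsed
# from a local resolver's query log. Addresses and domains are made up.
SAMPLE_QUERIES = [
    ("10.20.0.11", "pool.ntp.org."),
    ("10.20.0.11", "pool.ntp.org."),
    ("10.20.0.11", "time.example.org."),
    ("10.20.0.12", "pool.ntp.org."),
] + [
    # One client sending many distinct, long labels under a single parent zone.
    ("10.20.0.12", f"{i:02d}{'a1b2c3d4' * 4}.t.example.net.")
    for i in range(12)
]


def parent_zone(name, depth=2):
    """Last `depth` labels of a name. Assumption: a fixed depth instead of a
    public-suffix lookup, which is good enough for a small camera VLAN."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def suspicious_clients(queries, max_unique=10, max_label_len=30):
    """Return {(client, zone): reason} for clients whose lookups under one
    zone look like data transport rather than ordinary name resolution."""
    names = defaultdict(set)
    for client, name in queries:
        names[(client, parent_zone(name))].add(name.rstrip(".").lower())

    findings = {}
    for key, unique in names.items():
        longest = max(len(label) for n in unique for label in n.split("."))
        if len(unique) > max_unique:
            findings[key] = f"{len(unique)} distinct names under one zone"
        elif longest > max_label_len:
            findings[key] = f"label of {longest} characters"
    return findings


if __name__ == "__main__":
    for (client, zone), reason in suspicious_clients(SAMPLE_QUERIES).items():
        print(f"{client} -> {zone}: {reason}")
```

A camera normally resolves a handful of fixed names, so on a dedicated camera VLAN the thresholds can be set far lower than on a general-purpose network.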

  • @Akshun82 1 year ago +3

    I've had a good run with Reolink which are ONVIF compatible (most models) and first thing I did was disable DDNS and UPnP. Have a macOS Mojave VM just for SecuritySpy which is an amazing bit of software for CCTV.

    • @TallPaulTech 1 year ago +3

      CZcams held that comment of yours for review... for some reason that nobody will ever know. What are they scared of?!

  • @JonathanSwiftUK 10 months ago +3

    Most people don't have the knowledge and skills to do PEN testing, security hardening, VLANs, etc., on their home network. Eufy's cameras uploaded video and photos to the cloud without consent, and their cameras were accessible externally with encryption or authentication. When I put my cameras in they will be Ethernet only, no cloud or restricted to connect only to that address, no remote access to the cameras, perhaps just use a Synology or QNAP and do it yourself.

  • @tcpnetworks 1 year ago +5

    We had hundreds of these cameras - on a completely separate VRF, on a completely separate firewall zone - nothing available to any camera. We monitor the firewall zone constantly. Nothing gets transmitted, let alone try to get through.

    • @TallPaulTech 1 year ago +1

      Perfect

    • @netbootdisk 1 year ago +3

      Same here. 100s of cameras across multiple sites. Zero attempts on firewall logs.

    • @tcpnetworks 1 year ago

      @TallPaulTech Still have to pull the buggers out though.... Avigilon cams are now the norm.

    • @tcpnetworks 1 year ago

      @TallPaulTech Yet - still changing them to Avigilon.

  • @pquodling 1 year ago +5

    So, time to contact government departments and offer to buy their scrapped cameras for 2c on the dollar

  • @netbootdisk 1 year ago +3

    I'd be more worried about an attack vector from the HikVision mobile app (even if connecting behind a VPN) or the iVMS remote software (that requires administrator rights to run!) - than the actual cameras themselves.

    • @TallPaulTech 1 year ago +3

      That's a bloody good point. That's why I don't tend to use phone apps... or a phone much at all

  • @aronlichtman 1 year ago +2

    You can use the SADP tool to find the IP address from the camera

  • @MicheIIePucca 4 months ago

    Great video! Any IoT device that comes out of China should be a concern for anyone. It's too bad that home Wi-Fi access points/routers don't all have the ability to separate IoT devices with VLANs. Btw, I love Hikvision cameras, and have many of them.

  • @FuzzThePiGuy 1 year ago +5

    I stopped using PoE cameras. I was getting a lot of interference around the 144 MHz range. I had the interference on 4 different brands.
    I unplugged the cameras from the NVR and the noise went away. I even tried Cat6 shielded cable and it didn’t make a difference.
    Move to HD analog cameras and no more interference.

  • @kezzkezzkezz 1 year ago +4

    Look into using Frigate

    • @TallPaulTech 1 year ago +2

      Holy shit, that looks alright. I might just have to do that

    • @LesterBurnham_au 1 year ago +1

      I’ve just started playing with Frigate also using 1 of 5 HiLook/Hikvision cameras and it is very good. Waiting for the price of the Coral TPU to come down again, before I add more cameras to HA. The config file gives me a headache though 🙄

  • @bnk28zfp 8 months ago +1

    Can we do the same for waze cam???

  • @peter65zzfdfh 1 year ago

    For a home, locking down their outbound access is probably enough. If you’re at the level of nation state espionage you need to start physically inspecting hardware for transmitters etc. that could exfiltrate data locally to an asset nearby, internet or no internet. The kind of crafty shit you can do with a big enough incentive and the ability to manufacture hardware is limitless. Any cameras I have inside are physically disconnected from power when at home.

  • @drumitar 1 year ago

    Nice video, I need to go over iptables again :>

  • @g.s.3389 1 year ago +1

    How did you enable the NTP server on your router? Might have missed that in your previous videos.

    • @TallPaulTech 1 year ago +2

      I never did a video on that. Maybe one day

  • @Mike-01234 10 months ago +4

    Every security camera is made in China. The problem I have with Hikvision is they continue to hang on to using IE11 with ActiveX; both were discontinued years ago. The larger HD cameras were amazing quality, the interface was terrible. Downloading video clips didn't work, just failed to download, had to do all kinds of workarounds. IE11 running as an extension, then that quit working also. I moved on to Amcrest cameras, just a lot easier to work with.

  • @hafo821 1 year ago

    I prefer having a separate VLAN on OpenWrt for this device, just for this purpose, also without outside access.

  • @dw8673 1 year ago +1

    Hi, Paul. Where did you get this diagram?

    • @TallPaulTech 1 year ago +1

      I don't remember. It was a long time ago

    • @dw8673 1 year ago

      @TallPaulTech I understand, thanks. I like your videos. Keep it up :-)

  • @auzzierocks 1 year ago

    Usually the main risk is IT departments that don't install security updates on cameras

  • @AndrewAHayes 1 year ago +3

    UK Gov and the UK NHS were still using some Windows XP and Windows NT machines with no password and some with Pa55w0rd$ as the password as recently as 2021. These stopped being updated by Microsoft when God's dog was a pup. The only reason I can see for this is if they have some software that is XP only, but why this is not running on VMs within a secure environment is beyond me. Who is running their systems? Mickey Mouse?

    • @TallPaulTech 1 year ago

      Exactly! ..and see my other video I just did on this.

  • @nopus1 8 months ago +1

    It looks like all governments in the world happily delegated their obligations to China 🙂

  • @AnthonyWilliamson 1 year ago

    Nice Rode microphone I see.

  • @ArclampSDR 1 year ago +1

    Most TVs have more sus network traffic than this thing

  • @seanwilkinson2291 1 year ago +5

    Besides the obvious national security threat of the CCP installing undocumented features, there are a lot of grey market cameras out there with questionable firmware. For instance I have the Chinese region Hikvision cameras which were modified after coming out of the factory to have English menus, these cameras were then flipped on eBay for a low price and they arrived on my doorstep. Who knows what else the firmware does? The fact is I don't care, they are on an isolated VLAN/subnet and my NVR can pull an RTSP stream. I think the threat these cameras present to large campuses and enterprise networks is, in the absence of NAC on the access layer and with huge firewall rulesets, who knows if that camera/cameras is really isolated? Did they get plugged into the right VLAN? Will they stay on the right VLAN? Did the 'SNR Network engineer' do his job properly?

    • @TallPaulTech 1 year ago +5

      That's the annoying thing though... those big places should know how to do networks right with at least a zoned off VLAN. You did make me laugh at the 'senior network engineer' bit though... you obviously know my opinion of many of them

  • @tld8102 1 year ago

    😂 Sky News… fear mongering.