41

My parents have a vacation home out in the country and are looking to setup a home surveillance system for remote viewing. I've heard that there can be serious vulnerabilities in these products. What are some guidelines I could use to help evaluate these products?

I have a software development background, so I'm comfortable with technical answers, but I'm certainly not a professional as far as system administration or network configuration. My parents are looking to spend under $300, though they can spend more if that's unrealistically low for a well protected system, so my financial resources to perform a security evaluation myself are limited.

D.W.
  • 98,420
  • 30
  • 267
  • 572
mercurial
  • 898
  • 1
  • 9
  • 17
  • 1
    Are you technical? What resources do you have do an evaluation? – schroeder Dec 28 '15 at 19:16
  • read also the answers to this related question : http://security.stackexchange.com/questions/79642/is-it-bad-to-have-cameras-using-a-static-ip-address – Ant Dec 29 '15 at 13:26
  • 1
    $300 is very low to get a good security system. I just spent around 1300 bucks for mine. – JonH Dec 29 '15 at 20:17

4 Answers4

37

Like most embedded hardware (routers, etc), their firmware often sucks, and unless you have unlimited time I'm afraid there is no way to thoroughly check every single camera out there. And even if you do find one that's currently secure, what guarantees that you'll get updates for vulnerabilities that will be discovered in the future ?

Instead, I suggest just creating your own IP cameras by using USB webcams (or cheap/insecure IP cameras) and connecting them to a Linux/BSD computer that will actually handle all the authentication/security and then rebroadcast the camera's video feed (preferably over something secure like HTTPS). That way the internet-facing part of your home-made "camera" can be updated and hardened just like any computer, and behind it you are free to put any camera you want, including the cheapest garbage since it won't be exposed to the Internet anyway.

Finally consider putting the camera system on a separate network air-gapped from the Internet - I know it doesn't apply in your case but I'd still like to mention it - the requirement for physical access is a pretty good security measure, as someone who wants to spy on you now has to physically break into your home rather than being thousands of miles away. If off-site recording is required, video could be encrypted and then streamed outside of the air-gap via a one-way Ethernet cable with the key kept securely, so that the data leaving the air-gap is meaningless unless the correct key is provided.

André Borie
  • 12,706
  • 3
  • 39
  • 76
  • 9
    If you go down this route, I would highly recommend using a Raspberry Pi (or a clone). I've built a single IP camera with housing, power over unused UTP, two stage PSU and over 40m worth of CAT5 for under $100. It is currently running Debian Jessie, so its pretty secure I think. – Aron Dec 29 '15 at 06:48
  • I don't feel the cost of setting up and maintaining a Linux system (plus UPS) is a reasonable trade off for the increase in security given that the location being monitored is not secure. What is the worse that can happen if someone sees the web camera? Reasonable measures can be used with off the shelf IP cameras that make more sense. Use a custom port. Have the camera home position be pointing at a wall when you're there. Be sure not to use simple passwords. Etc. – simpleuser Dec 29 '15 at 10:06
  • 5
    @user1663987 the problem isn't only about someone seeing the camera, there is also the much bigger problem of someone using it as a pivot to compromise other parts of the network or just commit illegal activities (you don't need much hardware resources to run a spambot or proxy). – André Borie Dec 29 '15 at 12:30
  • 8
    I would also like to add, stay away from wireless cameras. As someone who has a few tools at their disposal can deauthenticate wireless devices on WPA/WPA2 networks with relative ease. This can/will disconnect everything from a wireless access point indefinitely. So your best bet is to go with wired systems. I'm not sure if the same method does apply to WEP, but if your using WEP, a home break-in may be the least of your problems. ;) – Lektonic Dec 29 '15 at 14:21
  • @Andre Boie they run fixed firmware with limited storage, I do not feel that is a considerable threat & haven't read about that as a common attack vector. How much other networking exists at the *vacation* home? If a lavish vacation home, then OP should be investing in real security. A well installed alarm and 1 or 2 cameras mounted out of the way are enough to warn & allow capturing photos of any break-in. A complicated custom installation with usb cameras is less robust, and a full Linux server can be more vulnerable and provide a hacker with much more horsepower if they do get in. – simpleuser Dec 29 '15 at 19:01
  • 2
    @user1663987 again, you do not need much storage nor RAM to run a spambot, proxy or basic C&C server (IRC). I respect your opinion but I strongly disagree with it - even if there's no risk to your own network, you shouldn't be leaving vulnerable devices just to avoid them being compromised and attacking other hosts on the Internet. – André Borie Dec 29 '15 at 19:11
  • @Andre Borie I agree with you in spirit, but have not seen them being as big of a danger as you suggest, and the amount of effort to implement a custom, complex, Linux host based solution far outweighs the risk in this case. I claim reasonable tradeoffs can be made with reasonable safety, using better ip cameras. – simpleuser Dec 29 '15 at 19:42
  • @Gamerb Generally, thieves that rob peoples homes don't have even the very basic info-sec knowledge you're talking about. It's unlikely the OP's parents have anything worth stealing to attract anyone beyond an idiot with a crowbar. Real theft is mostly one of opportunity, not a sophisticated cat-burglar who cases the joint weeks ahead of time like in the movies. – Steve Sether Dec 29 '15 at 20:14
  • 1
    @user1663987 the problem is that I don't know of any "better" IP cameras. Even the more expensive devices use the same garbage firmware as their less expensive counterparts. – André Borie Dec 29 '15 at 20:41
  • OP can use a router redeployed with dd-wrt, wifi off and run a VPN. No need for "linux management", it can be all web based mgmt on the router. (ignore the linux inside dd-wrt, please). – Andrew Philips Dec 29 '15 at 21:17
  • @AndrewPhilips well adding a web interface greatly increases the attack surface so I would recommend actually doing all the administration via SSH and the command line, though Open/DD-WRT's web interface is still light-years ahead of most camera's ones. – André Borie Dec 29 '15 at 22:45
  • @AndréBorie, trying to balance between your points re: reduced attack surface and others' desire to simplify operations. Agreed that CLI w/ SSH (or VPN) is best. Somehow, router&dd-wrt feels simpler than RPI+linux. Also, router has the built in ports, so you get a pretty good WAN & ~4 LAN switch for a firmware upgrade. *And*, OP can always graduate to CLI from HTML when ready. – Andrew Philips Dec 29 '15 at 22:51
  • 2
    @AndréBorie +1 for the poor firmware. I've had to work with a brand new DVR in mid 2015, that only worked with IE6. In the end user took it back for refund. – Criggie Dec 30 '15 at 01:46
11

This started off as a comment on Andre's answer, but it got a bit long.

USB is fine as long as none of the cameras are more than 16 foot from the host :)

Since you need to run power out to the cameras anyway, just run a wired ethernet connection to the LAN (or use POE if you can find cameras which support it). On an un-routed subnet, most of the inherent security vulnerabilities just go away.

That then leaves the problem of the server software which will need to offload the data in real time (or near enough). After all, the server itself is an easily reset item.

You now have the capability to record exactly what the burglars do. Wouldn't it make more sense to think about how you might use the capability to deter any burglars? Some tools (e.g. zoneminder) have x10 integration (turn on lights).

symcbean
  • 18,278
  • 39
  • 73
  • 1
    USB cable max length can be mitigated if you put the host computer together with the camera; something possible by using some small computer like a Raspberry Pi or equivalent hardware. – André Borie Dec 29 '15 at 01:25
  • It is also possible to get active USB extenders. I recently bought some to do video streaming and I can have the cameras at least 50 feet (15 meters) from the computer – Eric Johnson Dec 30 '15 at 01:24
  • USB can have issues with the number of isochronous streams on the bus. Characterised by "one camera works fine and the other is bad/not working" but each camera works fine by itself. This can be mitigated by using a USB controller per camera, or these days network cameras are getting cheaper. – Criggie Dec 30 '15 at 01:43
  • @AndréBorie Raspberry Pi with one USB camera is workable, and the Pi with a PiCam works at lower resolutions+higher framerates OR high res and low frame rates. Sadly you can't have both high framerates and high resolution from a picam on a pi. – Criggie Dec 30 '15 at 01:44
9

EDIT - Modified this answer slightly (now three parts)

Low Budget Version

Pick up a used router (laying around the house?), install dd-wrt on it and turn off the WiFi. Bingo, ready made 4 port switch. You won't get PoE for the cameras, but, if needed, that's easily rectified (pun intended) with a PoE adapter or just wall warts. Run a VPN on the dd-wrt router, put it in the main router's DMZ (or port forward) and you're good to go. No Linux management, if you really don't want it. Cameras are isolated from the home network and protected from the inter-webs.

You might go pretty far by picking up used network and camera hardware on the cheap. Raspberry PIs are wonderful devices, too, and can help run a network.

High Budget Version

My current setup for comparison purposes. I currently own five Axis cameras for my home security system, powered by a Cisco PoE switch and fronted by a Cisco router. Much more than your parents want to spend. However, I think the model is good for you to consider as a reach. I engineered this set up myself with no prior network (IT) experience. It was a learning moment, for sure.

Network Protection

The biggest concern you'll have is the one you're already worried about, hacks from the Internet. This is best solved with a three pronged approach.

First, the better the hardware facing the Internet, the more secure it will be.

Second, harden whatever you've got facing the Internet and sitting inside (change all default passwords, close unneeded ports, run a VPN rather than UPnP, if you can). Isolate systems from users, if possible (i.e., if you have a switch, put the cameras on a vlan).

Third, scan your hardened network with nmap from the outside and use www.grc.com from the inside. GRC is a great starting point. Use nmap from the inside, too, to see what ports you've left open internally that might create future problems.

Andrew Philips
  • 1,411
  • 8
  • 10
  • 1
    Although one is not supposed to sollicit product recommendations, but I would endorse axis cameras. – symcbean Dec 29 '15 at 17:28
  • My apologies for violating the product endorsement policy. Comment here if I should re-write without them. Please take this as listing for comparison purposes and not a suggestion to buy the above equipment. – Andrew Philips Dec 29 '15 at 20:59
1

There are a few things to do to protect your home security system:

  1. As another poster said, setting up your own Linux server (Raspberry Pi is a good solution) and IP-connected cameras is the best way but the vulnerability is going to come in the cameras themselves.
  2. Make sure you’re not using the default password. This way, even if you’re discovered, it’ll be harder to break in. Especially change any root passwords, where possible.
  3. Incapsula has a Mirai vulnerability scanner, which scans your IP to see what may be at risk. https://www.incapsula.com/mirai-scanner.html
  4. Use a Web Application Firewall (WAF) to put your device behind
  5. Disable any unnecessary remote connections.
  6. Run the most up-to-date firmware to ensure discovered security vulnerabilities are patched. But realize that there are many unpatched vulnerabilities that remain. This is something that we are less likely to do for devices than our own home/work computer.
  7. Reboot and make sure everything still works.

In the wake of Mirai and other botnets, understand that your device is at risk even if you personally aren’t a target.

White Hat
  • 39
  • 2