40

I am about to move into a new house, and I would like to install some security cameras.

The contractor told me that in order for me to check the videos recorded by the cameras in real time when I am away I'll need to have a static IP address.

Are there problems with it? Is it less secure?

I am not a billionaire or famous so it is unlikely there will be targeted attacks. On the other hand it would be my home network and it'll happen that I'll input my bank credentials sooner or later, so I want it to be safe.

Braiam
Ant
  • It's worth noting that you should check with your ISP... some ISPs do not offer static IPs – user3334690 Jan 20 '15 at 22:00
  • 1
    I don't use static IPs, I just have my system periodically connect to my website and I can find my home IP from there. – Nathan Goings Jan 21 '15 at 01:30
  • 4
    There are too many other answers, I'll just say that you should use a real VPN instead of port forwarding to your camera. – Mike Pennington Jan 21 '15 at 02:44
  • 29
    Your security shouldn't rely on the IP being secret. And I suggest not having your cameras directly exposed to the Internet (as most of them are rarely updated and have security flaws) and instead use a Linux server that records all the camera's video feeds and only that server should be exposed (which will be secure assuming you know how to administer and secure a server). –  Jan 21 '15 at 03:03
  • 2
    I do have IP cameras at home; I use [Axis](https://www.axis.com/) cameras set to HTTPS only with an internally generated certificate and long random non-default passwords, behind a [pfSense](https://www.pfsense.org/) firewall which allows only certificate based [OpenVPN](https://openvpn.net/index.php/open-source.html) sessions that also have a pre-shared tls-auth ta.key to access the camera. Both the AXIS cameras and pfSense get regular updates. The pre-shared tls-auth [helped protect me from Heartbleed](https://community.openvpn.net/openvpn/wiki/heartbleed) until I updated software & certs. – Anti-weakpasswords Jan 21 '15 at 03:21
  • That's unclear if the IP is directly accessible from Internet, you should add a note about that. – A.L Jan 21 '15 at 11:23

9 Answers

53

Static or dynamic IP is a non-issue.

But since you brought up cameras, you should know that many IP cameras have VERY poor security. Many of these cameras have a known bad firmware in them that allows unauthenticated download of the entire memory of the device via simply going to /proc/kcore, without the need to authenticate. This allows anyone to obtain the password for your camera.

http://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-who-is-watching-your-ip-camera/

Steve Sether
  • 5
    Well, that's just one of many many wide spread security vulnerabilities. But yeah, upvoted. – David Mulder Jan 20 '15 at 23:02
  • 1
    Just one, but requiring a static IP address virtually guarantees they will expect ports to be forwarded to their recording hardware. I would expect the security of whatever is listening to be somewhere between horrible and nonexistent, and there's no way you could convince me to open up a port directly to it from anywhere in the outside world. – Stephen Touset Jan 20 '15 at 23:10
  • 1
    @DavidMulder True. It's just important to the question because the asker didn't consider the security of the device in the first place. Consumers generally aren't aware of the insecurity of products they buy, and expect them to not have gaping holes in them. – Steve Sether Jan 20 '15 at 23:27
  • I used to have port-knocking + requiring an SSH session to get through my firewall. Fun times! – Nathan Goings Jan 21 '15 at 01:32
  • 2
    Before buying any IP camera, check the vendor's support section for firmware updates! Then check the vendor's support section for firmware update to devices two or three years old... that's a reasonable indicator of what support your new device might have in 2017 to 2018! – Anti-weakpasswords Jan 21 '15 at 03:23
  • @SteveSether Sad that the assumption is wrong. There's a [TED talk](http://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked?language=en#) out there about hacking into devices wirelessly. Things like hacking your pacemaker to mess with your heart rhythm or your car and disabling the brakes. – jpmc26 Jan 21 '15 at 09:56
  • 2
    @jpmc26 Yes. The embedded industry is about where the PC industry was 20 years ago. Little or no security design. – Steve Sether Jan 21 '15 at 15:15
  • Thank you for the link. I'll definitely check it before taking a decision! :) – Ant Jan 22 '15 at 13:02
42

I would consider another contractor, since that statement doesn't precisely increase my trust in his knowledge/skill.

The correct way of setting up a security camera system so you are able to check them when you are away is to have port forwarding on your router exclusively for VPN or HTTP/TLS mapped to the machine recording data from the cameras. This will work with a static IP or with DynDNS. If you use e.g. a Diskstation to do the recording (like I do at home) then you get DynDNS as well as the surveillance software (with a limited number of licenses, 4 in my case) for free already.

Never, never ever, expose an IP camera to the internet. This is an open invitation not only for people like the Russians who set up insecam half a year ago to mock you on their website, but also for all kinds of perverts and of course burglars.
You also risk being exploited and having malware (maybe botnet control software?) installed inside your home network. From there they'll attack the other computers, which will see the traffic coming from a "trusted" source. Almost all IP cameras have cheap, default-to-insecure firmware; some do not even support basic encryption. Firmware is updated rarely, if ever, and not necessarily to account for security issues. The cameras in my home are susceptible to Heartbleed (although this has been publicly known for almost one year). There's nothing to do about it, other than not letting anyone access them. The documentation doesn't even mention it, but they're demonstrably exploitable.

You might allow the cameras to make an outgoing connection to upload files to an external server when alarm triggers, which makes stealing or destroying your server at home futile. But never allow incoming connections whatsoever.

Personally, I wouldn't even allow a camera to make outgoing connections, seeing how virtually all IP cameras and their firmware are produced in China (and those that aren't are made in the USA, which is just as bad).
Government-supported espionage and in particular industrial espionage is a big business, and how could you do it better than by requiring a covert channel built into every camera that your prospective targets will readily place where there's something important? Of course you said that you are not an important person (...but who is really unimportant enough so nobody would care watching? Why is the NSA reading your mails then?). Not being the prime target doesn't mean that the backdoor is not built into your camera anyway, which could be used and abused by pretty much anyone.
Anyone, that includes burglars who can conveniently check whether someone is home. Don't make their lives easier than it needs to be.

Update:
Meanwhile, my statement about risking botnet software being installed on your IP cameras is no longer a mere possibility. The above statement, which maybe sounded a tad paranoid, turned out to be outright prophetic (October 2016 attack on Dyn).
Therefore: No direct internet access for presumably insecure devices, never, not ever.

Damon
  • this has been the most helpful answer! Thank you for taking the time to write it down :) – Ant Jan 22 '15 at 11:50
  • "Why is the NSA reading your mails then" - The NSA is reading your mail to find out whether you are really unimportant. In times when every American citizen, let alone a foreigner, could easily convert to be a terrorist, they want to be better safe than sorry. And because the resources are not enough to check out everyone, they skip checks on those they already know to be terrorists - like these two brothers in Paris. – Alexander Jan 23 '15 at 08:28
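
A defensive check for the setup described in the answer above, as an added example that is not part of the original answer: it reads a router's NAT rules in `iptables-save` format and flags any port forward that lands on a camera, or on anything other than the VPN/TLS service on the recording machine. The LAN addresses, the allow-list and the sample ruleset are constructed for illustration.

```python
import shlex

# Constructed policy: the only inbound services allowed, as (LAN host, proto, port).
# 192.168.1.10 stands in for the recording machine that also terminates the VPN.
ALLOWED = {
    ("192.168.1.10", "udp", "1194"),  # OpenVPN
    ("192.168.1.10", "tcp", "443"),   # HTTPS/TLS
}
CAMERAS = {"192.168.1.50", "192.168.1.51"}  # constructed camera addresses

# Constructed sample of a nat table in iptables-save format.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.10:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.51
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.1.10:22
COMMIT
"""

def parse_forwards(text):
    """Yield (proto, wan_port, lan_host, lan_port) for every DNAT rule."""
    for line in text.splitlines():
        tok = shlex.split(line)
        # Map each option flag to the token that follows it.
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        dest = opt.get("--to-destination")
        if opt.get("-j") != "DNAT" or not dest:
            continue
        host, _, port = dest.partition(":")
        # A DNAT target without a port keeps the original destination port.
        port = port or opt.get("--dport", "")
        yield opt.get("-p", "any"), opt.get("--dport", "any"), host, port

def audit(text, allowed=ALLOWED, cameras=CAMERAS):
    """Return (severity, description) findings; an empty list means compliant."""
    findings = []
    for proto, wan, host, port in parse_forwards(text):
        rule = f"{proto}/{wan} -> {host}:{port}"
        if host in cameras:
            findings.append(("HIGH", f"camera exposed directly: {rule}"))
        elif (host, proto, port) not in allowed:  # fail closed on anything unlisted
            findings.append(("MEDIUM", f"forward not on allow-list: {rule}"))
    return findings

if __name__ == "__main__":
    for severity, description in audit(SAMPLE):
        print(severity, description)
```

Port ranges and multi-address DNAT targets never match the allow-list, so they are reported rather than silently accepted.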
21

The only difference between the static IP address your technician is referring to and a dynamic, changing address in this situation is that one never changes, and the other does (how frequently depends on many factors).

There is nothing inherently more or less secure about either one. Both are a means to identify you and your home network on the Internet.

willc
  • Yes I was aware of that. But are there any additional vulnerabilities to it? – Ant Jan 20 '15 at 18:50
  • 1
    Nope! It's like your house address. A good security system will ward off intruders, regardless of whether or not you know the address. – Ohnana Jan 20 '15 at 19:00
  • 16
    A lot like a house address. And if you're paranoid and move often, sleeping on friend's couches and hotels, an assassin looking for you may not find you easily. But a random burglar can break in at random anyway. – Zan Lynx Jan 20 '15 at 21:00
  • 6
    @ZanLynx - do you mind if I steal that analogy? I really love it - there's a LOT more random burglars (and script kiddies) than there are professional assassins (and APT groups). – Anti-weakpasswords Jan 21 '15 at 03:24
  • 1
    @ZanLynx My brain read ahead the second sentence to say "And bedbugs will follow you wherever you go"... – Michael Jan 21 '15 at 17:28
7

Not really...

Dynamic and static addresses have different advantages/disadvantages.

Static

  • Vulnerable to data mining as you always use the same address.
  • Great to host a server (like viewing the content of your security camera remotely)
  • Bad to troll on forums as you can easily be blocked

Dynamic

  • Less vulnerable to data mining as you often change your IP address
  • Not as great to host a server (can make it more difficult to connect or you can share the IP with another server that is sending a lot of spam which might get you a bad name)
  • Good to troll on forums as it's harder to block you

The only thing relevant to security is data mining. Is it a big deal for you?

Usually, your ISP will decide if you will have a static or dynamic address. Based on what you want, hope for the best.

Gudradain
  • 5
    Note that even "dynamic" addresses are usually fairly static. For example, mine has only changed four times in the past decade. – Mark Jan 20 '15 at 22:02
  • @Mark raises a good point; you'd have to stay off your ISP until after your DHCP lease expired to really have a decent shot at getting a new one. – Anti-weakpasswords Jan 21 '15 at 03:26
7

For a typical residential user, static vs. dynamic IP doesn't matter much from a security point of view. Just like how the address of your residence is pretty static. You don't change that address all the time (unless you move of course). It only matters if someone wants to specifically target you, and they know your address. A typical user should not have to worry about that happening with their IP. Other than that, threats will be random. It doesn't matter whether your IP is static or dynamic, just that you have one at all.

See An attacker has my IP address;So what?

If you are running a camera, dynamic IP may have some advantage. If someone finds the IP, they can at least try to access the camera, and could share the IP with other people. A dynamic IP will change, meaning they would have to find it again.

Also, there are ways to access your home network even if it has a dynamic IP. Of course this means other people could use the method to access it as well.

fooot
3

Your security issues will be the following, depending on your own risk assessment.

  1. A network camera, especially an external one, would give me hard-wired access to your network if I remove it from the wall and plug in my laptop or even my Raspberry Pi WiFi router.

  2. At the router you will either need to forward ports to each camera and/or DVR.

    Any ports that are open are possible access points into a network.

  3. Hardware, possible exploits flaws etc in the camera.

jamie
  • 1
    While these points are valid, the question is specifically about the possible security issues of connecting the camera to a static IP address. – S.L. Barth Sep 01 '15 at 08:00
1

Even though you personally may not be a target, hackers might still want to break in either for fun or to pool your IP-connected device and make it part of a larger botnet attack. Many hackers are reaching security cameras and pooling them together as part of the Mirai botnet.

Users can scan if their IP (including the cameras) and network is infected with the Mirai botnet: https://www.incapsula.com/mirai-scanner.html

It’s also a good idea to change your password, put your network behind a WAF (Web Application Firewall) and make sure your DNS also has protection (see the recent DDoS attack against Dyn, for example).

White Hat
1

It is not essential that you use static IP addresses. You could use a combination of dynamic IP addresses, port forwarding in your router, and a service such as dyndns.org (which gives you a static address that redirects to your dynamic address, which you have to update anytime your dynamic address changes. That update can occur manually, or many routers have built-in functionality to automatically contact dyndns and update your address anytime it changes). dyndns.org isn't the only site that provides this service, it's just the one I'm familiar with.

Even if you are using a static address for the cameras, you might need a tool like dyndns if your internet connection itself is dynamic, otherwise you won't know the IP address to connect to when you aren't at home.

All that said, from a security standpoint, there is no difference between static and dynamic addresses. As other people have pointed out, regardless of your IP address, you should take others steps to secure the cameras, such as keeping the firmware up

1

The main reason you want a static IP is so that you have a way to reach your cameras when you are away. Picture this: if you had to call someone but didn't have their phone number, or it had been changed with no forwarding number to call, how would you reach them? The static IP gives you that same number all the time. That said, there are other ways to connect from the outside by using some sort of DDNS system.

Since you are going to be using an IP security camera I would recommend a Synology NAS, they have a DDNS system that works quite well and comes with the cost of the NAS purchase and there is no monthly check-in that you need to do with some of the free DDNS services. Additionally you can point the camera to record on the NAS, so you get lots of storage and easy expansion and they even have their own app you can use to access the recordings.

That said, you will want to put the NAS behind a router, and you can port forward to the NAS. A Netgear WNDR 3700 is rather cost effective and will do the job; the nice thing about that router is that the ports all show up as stealth, even when they are open to port forwarding. So if someone scans your router from the internet they won't even know it is there. If you don't know how to do port forwarding, the Synology NAS can be connected with your custom quick connect code that you set up for yourself.

In the past these NAS devices have been pretty good, they have a compatibility list you should check out, then purchase a camera from that list to work with the NAS, the only thing I will warn you about, the recent DS1815 is somewhat loud when the hard drives are active and it might be that is true with the other models of 2015, so keep that in mind when deciding to get the NAS and where you want to place it. I use WD Red HDDs and they work great, since you will be recording video, it might be a good idea to go with the WD RED Pro hard drives, they are faster and reportedly quieter.

Once you are all set up don't roll out updates automatically, monitor when an update comes out, it will tell you in the web management interface, I think you can set up the NAS to email you as well for that, then check the Synology forum to see what other users have for experiences with the update and you can even ask questions of others to see if they have a certain webcam and NAS and if they were good with the update. Not every update Synology rolls out is perfect, but as long as you are careful you should be pretty smooth sailing with the NAS.

I will paste a link to the site and you can decide for yourself. https://www.synology.com/en-us/products/DS1815+

schroeder
Frank R