Security and IP Cameras


While being a security device by vocation, an entry-level IP camera is rarely secure itself: the embedded server does not offer any way to encrypt your login and the data stream. Fortunately there are ways around it, as well as common sense practice to reduce the risks.



If you're willing to spend 300€+, there are IP cameras with embedded SSL on the market (Axis, Panasonic, ...), but if, like me, you preferred buying 6 cheap chinese ipcams instead for that price, you can only use plain, unencrypted HTTP. Thanks to this lack of security, the role your "security" device can be completely inverted by opening a wide open window inside your home. The dream of any potential burglar planning an on-site visit!

First: the obvious ... restrict the HTTP and FTP accounts to reduce potential damage.
The first thing for any unencrypted access to your LAN is to only use it with a dedicated combination of user name and password that is used nowhere else (not even for the FTP service), so to ensure that if your IP cam login is ever "sniffed" by a hacker, the intrusion will be confined to your camera, and won't extend to your NAS, or computer!
Furthermore, the role of the account used for accessing from the WAN should be limited to Visitor (access to fixed view only) or Operator (access to PTZ control), to prevent any intruder from tempering with the configuration and clearing the traces of his visit in the log (you should inspect the log regularly for hints of unusual access).

The FTP service account: this other login will be easily compromised if you use the same user/password as fort the HTTP server or if you upload picture to an FTP server on the Internet. So the same kind of precaution applies here: use another unique user/password set with limited access to the target server, so the potential hacker won't be able to use that account to pump all your data.



Next: consider solutions to prevent intrusions.

1. If you are only accessing your IP cameras from fixed external locations, consider setting up your home router to allow incoming HTTP and FTP requests from these fixed IP addresses only. This alone will greatly reduce the likelihood of an intrusion.


2. If you have a Network Access Server (or NAS), you may have a choice of options:
e.g., the Synology DiskStation range offers a Surveillance Station to control your cameras through its HTTPS access. In the case of Synology though, you need to purchase extra licences to control more than one camera.



3. Some NAS and routers, come with a VPN server, and this is your best free option.
While PPTP is slightly easier to set up,  OpenVPN is generally acknowledged as faster and more reliable.

To make it work with the outside world, you need to check that you router allows the VPN traffic to  pass through. This option is usually present in the user interface and needs to be enabled.

If a firewall is on, further set up is needed to allow traffic through the required ports.
Generally it is UDP 1194 for OpenVPN, and  TCP 1723 + GRE (Generic Routing Encapsulation, IP protocol ID 47) for PPTP.

Once your VPN connection is working, a tunnel is created between your remote client and your intranet at home (i.e. behind the NAT). 
As a result, every server in your LAN can be accessed just as if you were home.


Therefore, you will now use the intranet IP addresses of your cameras to connect to them, but you'll be the only one to watch!





Author:

Facebook Comment