Amcrest AD410 - how to make it more secure?

[apple_pennywise]

I'm a new Amcrest AD410 doorbell camera owner. I've had it installed for two weeks, and it's working well. Amcrest's surveillance camera products are not new to me, but doorbell cam - yes. During the AD410 installation, I learned that I needed the Amcrest Smart Home mobile app in order to configure the doorbell cam, which is fine and I did that. I later realized that I could access my doorbell camera and its live view via the Smart Home app while I'm outside of my home, and this raises security concerns. Correct me if I'm wrong - is my AD410 sending live view data to Amcrest and back to the Smart Home app on my cellphone? The app is pretty cool because I can answer any doorbell rings (via 2-way talk and live view) anywhere even outside of my home, but if this feature is at the expense of my privacy and network security, I'm more than happy to stop using this app. Can someone please explain how the AD410 and the Smart Home app actually communicate? How do you all configure your AD410 such that you're comfortable with privacy and network security?

 

[David L]

Anytime you are on someone else's Cloud you have an opened up your network. If two way talk is important to you than using their App is most likely your only option. If not, there are many ways to secure your network. General Rule is not allow ANY Cameras access to the Internet. Right away that raises the question of remote access. What most here do is access their Cameras or a Web Server (Blue Iris for example), via a VPN. Not a VPN service like ExpressVPN or NordVPN, etc., but a local private VPN by running a VPN Server locally. This can be done via most SOHO Routers now a days, or on a Raspberry Pi, or via pfSense or OPNSense routers. Once setup you can use OpenVPN or Wireguard from your phone/tablet to access your home network through an encrypted tunnel.

We have great WIKI pages here for info on the above...

IP Cam Talk Wiki

Thank you for viewing our wiki! If you would like to contribute, please [URL='https://ipcamtalk.com/misc/contact']contact us[/URL]...

ipcamtalk.com

Cliff Notes is always a great place to start, check out How to Secure your Network and the VPN info...

HTH

 

[GaryOkie]

Amcrest mobile SmartHome app uses P2P protocol to remotely connect through their Amazon AWS-hosted servers. Amcrest is a US owned company, so your trust with P2P lies with them and their ability to keep their firmware secure to any known exploits. (Amcrest's firmware and hardware is sourced from Dahua and is tweaked somewhat, but still, it's origins are largely from China).

Reolink has a good explanation of P2P here - What Is IP Camera P2P & How Does a P2P Camera Work - Reolink Blog They, like Amcrest, have had P2P vulnerabilities in past IP camera models. Haven't heard of any exploits involving their doorbells.

There are alternatives for more secure access, but they are nowhere near as simple as P2P, especially if 2-way talk is needed. Home Automation hubs, like Home Assistant, can provide secure remote connectivity to access cameras locally. It's quite a bit of effort to get the doorbell completely local along with 2-way talk capability, but it's possible. As an example:

 

[apple_pennywise]

Thank you gentlemen, thank for explaining.

@GaryOkie: I was doing some google research on the ad410 and remember seeing you on the home assistant forum. Do you by any chance know how to address this?

New AD410 Doorbell! - Page 5 - Amcrest Forum

I read this thread and learned that the ad410 will try to communicate with several Amcrest cloud servers hosted on AWS. I followed the instructions to block the ad410 from going out to the internet at the router level. As soon as I did that, the ring led on the doorbell kept on flashing green, indicating that it cannot connect to the internet. The blinking green led is annoying, and I'm trying to turn it off. Some folks on that thread said the annoying blinking green led can be turned off using API codes, but i'm not too confident if those API codes would brick the ad410.

 

[GaryOkie]

@apple_pennywise - I've run these and dozens of other direct API commands to tweak both the AD110 & AD410 without any problem. In fact, I find it safer to use the API than other non-SmartHome software to configure settings due to them sometimes changing more than you expected and messing up the video. When this happens, it's best to just do a factory reset, and all is good. I've not heard of anyone bricking an AD410 with the API.

Enabling the VSP_PaaS.Online=true config manually tricks the AD410 into thinking it is online when it's not, thus avoiding the blinking ring light. However, the AD410 does some sort of health check back to AWS and discovers it can't connect, so it reverts to VSP_PaaS.Online=false along with the blinking light. To get around this, some have set up a scheduled process to run every 24 hours to reset the online config no matter what state it is in.

One guy goes a lot further and actually queries the online state every 2 minutes and if found to be offline, resets it. That's a bit more complicated and probably not necessary unless you find the health check happens more often that 24 hours. It's apparently not entirely predictable.

 

[apple_pennywise]

@GaryOkie

I finally tried the VSP_PaaS.Online=true API command on my AD410, and it works. It has been six days and the ring led is still solid green. it hasn't reverted back to flashing green. So weird. Let see if this state will hold through next week.

Now, I need to do more research to integrate AD410 to my Home Assistant. I have HA Core (the docker version), so I'm very well aware that any integration will require some coding. I will reach out if I need further assistance. Thank you

 

[shred86]

I've noticed the time between setting VSP_PaaS.Online to true and reverting back to false varies. I've gone weeks without it reverting and sometimes just a couple hours. My work around was creating a RESTful binary sensor in Home Assistant which checks every 30 seconds (default for binary sensors) on the status of VSP_PaaS.Online. Using that binary sensor, I then created an automation that if it's unavailable, to execute a shell command to set the status back to true. It's been working well for several months now. I do have another unrelated issue where the AD410 doorbell events randomly stop working after some period of time but I think it's something related to running both the Dahua integration for Home Assistant and Amcrest plugin for Scrypted at the same time.

Here's my binary sensor and shell command in the configuration.yaml:

binary_sensor:
  - platform: rest
    resource: http://doorbell_ip_address/cgi-bin/configManager.cgi?action=getConfig&name=VSP_PaaS.Online
    username: amcrest_username
    password: amcrest_password
    authentication: digest
    name: Amcrest Doorbell Online Status
    device_class: connectivity
    value_template: >
      {% if value %}
        {{ value.split('=')[-1] }}
      {% else %}
        unavailable
      {% endif %}

shell_command:
  doorbell_online_light: "curl -u amcrest_username:amcrest_password -X GET --digest 'http://doorbell_ip_address/cgi-bin/configManager.cgi?action=setConfig&VSP_PaaS.Online=true'"

Here's the automation:

alias: Set Amcrest status online
description: Set Amcrest doorbell to online if status is offline
trigger:
  - platform: state
    entity_id:
      - binary_sensor.amcrest_doorbell_online_status
    to: "off"
    for:
      hours: 0
      minutes: 0
      seconds: 0
condition: []
action:
  - service: shell_command.doorbell_online_light
    data: {}
mode: single