Amcrest wifi cameras

dohat leku

Getting the hang of it
Joined
May 19, 2018
Messages
278
Reaction score
30
Location
usa
Guys

I don't have cameras permitted to talk to the internet but some of them are on WiFi and fearful of snooping. Have there been any vulnerabilities particular to bypassing the admin credentials and somebody able to see the live feed on the camera?

Thx
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,864
Reaction score
39,239
Location
Alabama
I have not had that issue, but I use them with Blue Iris v5.
I would, however, suggest you log into the cam's webGUI and ensure that both UPnP and P2P are disabled.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,035
Reaction score
940
Location
CT
It's not impossible to snoop on wifi. Wifi aside, there have been a couple of CVEs filed for vulnerabilities found with Amcrest cameras. Look up CVE-2017-8229 and CVE-2017-13719 for more info. More recently CVE-2019-3948 allowed you to be able to download audio and play it back without login credentials for the camera. I tested that one out myself on the couple of Amcrest cameras that I still own. They were all vulnerable to that one.
 

pov2

Getting the hang of it
Joined
Sep 7, 2018
Messages
229
Reaction score
46
Location
Canada
> It's not impossible to snoop on wifi.

Nothing is impossible. A virgin can give birth. But has it happened more than once? Have you successfully snooped on someone's WPA2-AES/CCMP WiFi? Please do share.

> Wifi aside, there have been a couple of CVEs filed for vulnerabilities found with Amcrest cameras. Look up CVE-2017-8229 and CVE-2017-13719 for more info. More recently CVE-2019-3948 allowed you to be able to download audio and play it back without login credentials for the camera. I tested that one out myself on the couple of Amcrest cameras that I still own. They were all vulnerable to that one.

The CVE-2019-3948 lists for Amcrest IP2M-841B firmware V2.520.AC00.18.R which does not exist. V2.420.AC00.18.R does exist but with two different dates for the same firmware. Have you updated to the 12/18/19 version? Regardless of any of this, cameras should not be exposed to the internet. Then nothing of this is relevant unless of course someone breaks into your WPA2-AES/CCMP WiFi but that will be in the news.
 

mikeynags

> Nothing is impossible. A virgin can give birth. But has it happened more than once? Have you successfully snooped on someone's WPA2-AES/CCMP WiFi? Please do share.
>
> The CVE-2019-3948 lists for Amcrest IP2M-841B firmware V2.520.AC00.18.R which does not exist. V2.420.AC00.18.R does exist but with two different dates for the same firmware. Have you updated to the 12/18/19 version? Regardless of any of this, cameras should not be exposed to the internet. Then nothing of this is relevant unless of course someone breaks into your WPA2-AES/CCMP WiFi but that will be in the news.

Yes - have done it before. My cams aren't exposed to the Internet and I'm still running V2.42 dated June 2017.
 

Arjun

Known around here
Joined
Feb 26, 2017
Messages
9,123
Reaction score
11,180
Location
USA
I just updated mine to the latest 2019 firmware, and am able to get live view working in the web browser after all of these months, if not 2 years LOL

> Yes - have done it before. My cams aren't exposed to the Internet and I'm still running V2.42 dated June 2017.
 

dohat leku

guys - I'm currently using PSK so going to change to WPA2. What's the best way of going about this without losing access to my camera on wifi? Should I create an additional SSID with WPA2 and then try to connect the camera to it. If it fails to connect, I'm guessing it'll revert back to the original SSID?

Thx
 

pov2

> guys - I'm currently using PSK so going to change to WPA2. What's the best way of going about this without losing access to my camera on wifi? Should I create an additional SSID with WPA2 and then try to connect the camera to it. If it fails to connect, I'm guessing it'll revert back to the original SSID?
>
> Thx

PSK is Pre Shared Key. Unless it's Enterprise, WPA2 does use PSK. Before anyone can answer your question it needs to be corrected. It's not clear what you are going to do. Maybe you meant you are using TKIP and you want to switch to CCMP?
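
The distinction drawn in the reply above (protocol WPA1 vs WPA2, key management PSK vs Enterprise, cipher TKIP vs CCMP) is visible in the security element an access point advertises in its beacons. The following is an added example, not part of the thread: a decoder for the standard RSN (WPA2) and WPA1 vendor elements, run over constructed sample bytes; the function and variable names are illustrative.

```python
import struct

# Suite-type numbers are shared by WPA1 (OUI 00-50-F2) and WPA2/RSN (OUI 00-0F-AC).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}  # 802.1X is "Enterprise", PSK is "Personal"
LEGACY_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}

def read_suites(body, off, oui, names):
    """Read a little-endian 2-byte count, then that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated element")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("truncated suite list")
    out = []
    for i in range(count):
        sel = body[off + 4 * i: off + 4 * i + 4]
        out.append(names.get(sel[3], "unknown") if sel[:3] == oui else "vendor " + sel.hex())
    return out, off + 4 * count

def parse_security_ie(ie):
    """Decode one RSN (ID 48) or WPA1 vendor (ID 221) element from a beacon."""
    if len(ie) < 2 or len(ie) != 2 + ie[1]:
        raise ValueError("bad element length")
    eid, body = ie[0], ie[2:]
    if eid == 48:
        proto, oui = "WPA2", b"\x00\x0f\xac"
    elif eid == 221 and body[:4] == b"\x00\x50\xf2\x01":
        proto, oui, body = "WPA1", b"\x00\x50\xf2", body[4:]
    else:
        raise ValueError("not a WPA or RSN element")
    if len(body) < 6 or body[2:5] != oui:  # 2-byte version, then group cipher
        raise ValueError("missing group cipher")
    group = CIPHERS.get(body[5], "unknown")
    pairwise, off = read_suites(body, 6, oui, CIPHERS)
    akm, _ = read_suites(body, off, oui, AKMS)
    legacy = proto == "WPA1" or bool(LEGACY_CIPHERS & set([group] + pairwise))
    return {"protocol": proto, "group": group, "pairwise": pairwise,
            "akm": akm, "legacy": legacy}

# Constructed sample elements (not captured from any real network).
WPA1_PSK_TKIP = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
WPA2_PSK_CCMP = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA2_PSK_MIXED = bytes.fromhex("3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")

if __name__ == "__main__":
    for name, ie in [("wpa1", WPA1_PSK_TKIP), ("wpa2", WPA2_PSK_CCMP), ("mixed", WPA2_PSK_MIXED)]:
        print(name, parse_security_ie(ie))
```

All three samples report PSK as the key management; only the protocol and cipher differ, and the mixed-mode network is still flagged because TKIP remains on offer.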
 

dohat leku

I don't think the 841W supports any Enterprise wifi mode (TKIP, PEAP, EAP-FAST, etc). Correct me if I'm wrong

Hence my goal is to keep using PSK but force WPA2. Am I on the right path?

Also, what does the trusted sites mean and is it worth using it so it only communicates and takes requests from my Blue Iris computer? Are there any IP filters which will allow the admin portal to be accessed only from a certain IP address?
 

dohat leku

Maybe even changing the default ONVIF port may help? What do you guys think?
 

dohat leku

Sorry for the barrage of questions here. I do remember configuring static IP addresses on my camera but when I go to Network - TCP/IP, DHCP is selected. Is that a bug on the camera?
 

TonyR

> Sorry for the barrage of questions here. I do remember configuring static IP addresses on my camera but when I go to Network - TCP/IP, DHCP is selected. Is that a bug on the camera?

You did click on "Save" after setting to static IP, right? If so, you should get a popup response that your change was successful.
 

dohat leku

Yes I did. It's still using the same static address I set but the setting there shows dynamic and a completely different address range too. My guess is that's for the wired part and wifi is static but doesn't show that under the wifi section.
 

pov2

> I don't think the 841W supports any Enterprise wifi mode (TKIP, PEAP, EAP-FAST, etc). Correct me if I'm wrong
>
> Hence my goal is to keep using PSK but force WPA2. Am I on the right path?

I did not suggest to use WPA2-Enterprise. Cameras don't support it. You wrote: "I'm currently using PSK so going to change to WPA2". Do you mean you are changing from PSK to WPA2? It doesn't make sense. I still don't understand what you are trying to do. Change from what to what?
 

TonyR

> Yes I did. It's still using the same static address I set but the setting there shows dynamic and a completely different address range too. My guess is that's for the wired part and wifi is static but doesn't show that under the wifi section.

Yes, the wired Ethernet port and the wireless will have separate settings; I made both static and unique then selected "wired" as the "default", then "saved".
 

dohat leku

It's running latest firmware

I was using wpa1-psk and moved to wpa2-psk. As far as I understand, the personal wpa2 on the camera also requires a pre-shared key

Somehow under wifi section, I don't see any option for static or DHCP
 