Be careful if you activate P2P on your NVR

observant1

Getting comfortable
Dec 2, 2018
466
857
alabama
It's very troublesome with cloud security. I'm no specialist, and there's a great deal of info in the WIKI on securing your camera system. Even if it's not 100% correct it may be just enough to get skipped over if or when a DDoS attack happens using your cameras. It may even be worse with all the smart home gadgets.

Believe me when I say, just because it's easy and stuff, be careful. If I knew more I'd give simple reasons....but I've been down some rabbit holes that scare the shit out of me. Not because of my "simple home" but because so many like the convenience of "smart home" gadgets which can include camera systems.
 
  • Like
Reactions: sejohnny
I have a total of 8 Dahua NVRs that I manage or help with that are/have been on Dahua P2P since at least last July.

Three are on a firewall appliance that allows me to see all network flows in and out.

Beyond the handshake with the P2P server and the keep-alive ping, not a single inbound attempt has been made that I am aware of.

I wish my Samsung TV was as safe...
 
I also have P2P activated on my Dahua NVR. I need to work on a better firewall/DNS.
Some rabbit hole I went down about P2P server locations and crap just made me think about it.

I rarely check my cam system through a public network but like the ability to do so. I get no notifications except from my doorbell if pushed.


I do have a nice hard-wired home alarm system with 4G LTE monitoring in the attic, so if someone broke in hopefully the sirens blasting would make them leave before they stole my liquor hidden on the countertop beside the shot glass. :idk:
 
  • Like
Reactions: bigredfish
I have a total of 8 Dahua NVRs that I manage or help with that are/have been on Dahua P2P since at least last July.

Three are on a firewall appliance that allows me to see all network flows in and out.

Beyond the handshake with the P2P server and the keep-alive ping, not a single inbound attempt has been made that I am aware of.

I wish my Samsung TV was as safe...
How are you running these firewall appliances? Or rather, what are they exactly? I don't know much about that and would be interested to know more.
 
I've settled on the Firewalla appliance, mostly because they are extremely flexible and easy to use. I don't have packet-level control per se, but it is quite powerful.

The Purple is quite enough for home or small office.

The Purple, not the SE or cheaper. Certain features you will eventually want drop off below Purple.

 
I do have a nice hard-wired home alarm system with 4G LTE monitoring in the attic, so if someone broke in hopefully the sirens blasting would make them leave before they stole my liquor hidden on the countertop beside the shot glass. :idk:

Be forewarned.... bigredfish was a very proficient cat burglar before he retired and his specialty was fine whiskeys and liquors found in adjoining states....:rolleyes::winktongue:
 
  • Haha
Reactions: bigredfish
Some rabbit hole I went down about P2P server locations and crap just made me think about it.
P2P is neither inherently secure nor inherently insecure. It's all up to the quality of its implementation and the trustworthiness of whoever is able to see your data. Since P2P requires contact with a server somewhere, whoever has access to that server could misuse the information passing through it. You're therefore at the mercy of whoever built and maintains the P2P you're using, just as you're at the mercy of whoever controls the OS you're using, the browser, the CPU chip, the BIOS, and so forth. In past years the camera manufacturers have built a well-deserved reputation for lousy data security. At least some have significantly cleaned up their act on this the past few years. Does the Dahua P2P software have holes or intentional bad behavior? Same question for the servers? I don't know, and the best I can ask is if any problems have actually happened. There's a parallel with Blue Iris. Its preferred remote access mechanism is port forwarding, considered at least here as riskier than P2P. While in theory it's easy to hack, AFAIK there have been no known cases that it has actually happened. The widely considered safest remote access mechanism on the forum, a VPN, requires an open port! Other trusted options like WireGuard and Tailscale use P2P! Which gets me back to it's all about the quality of the implementation and the trustworthiness of other people.
 
What's the benefit of having P2P enabled in the first place? I have always disabled mine.
 
What's the benefit of having P2P enabled in the first place? I have always disabled mine.

If one wants to view cameras remotely, they have a few options - port forward, P2P, or hosting a VPN like OpenVPN or using something like Tailscale or Wireguard.

Any system on the internet can be hacked.

Hackers don't care about your camera feed. Hackers use a vulnerable device (NVR or camera or any other IoT) that has ZERO protection on it to get into your LAN and either scrape it for bank info or use your ISP as a bot for DDoS attacks. Your antivirus software and router firewall do not block this crap because you gave an open door directly to your system to bypass these measures.

That is why many of us don't have the Alexa, don't connect smart TVs to our internet, etc.

But many that do have those types of things VLAN them off so they cannot talk to other stuff on the LAN. Doesn't prevent a bot from taking over that specific device to DDoS, but at least it prevents them from scraping your data.

The only way to completely prevent it is to not allow the device to connect to anything and truly be a CCTV system.

But that is unrealistic to most.

Most here will agree that port forwarding directly to your NVR is the least safe. Although the great internet has many articles that state it is OK lol.

Then there is a debate as to if P2P or OpenVPN or something like ZeroTier, Wireguard or TailScale is the next safer option.

Arguments are made both ways.

P2P you are relying on the NVR manufacturer's servers to not be hacked. You have zero control over those. Dahua has recently been shutting down the older P2P servers that were more easily hacked. Many here have confidence in the newest line of P2P security features.

Same with ZeroTier and the like. You are relying on someone else's servers to make that connection. Anytime you are relying on someone else, it can be hacked.

OpenVPN is hosted locally, either native to the router or installed on a computer.

In theory you have the most control over this since it is all in your house.

But it relies on opensource coding that can be hacked as well.

You are relying on your computer and router to be up to date and not allow bad actors in. But that is the same regardless of the solution you are using. At least the computer gets more frequent security updates than an NVR. But Windows is the most common OS, so more actors are trying to exploit it than, say, an NVR.

So you take extra steps like the firewall device @bigredfish has that allows you to monitor everything.

Many of us with BI use Pushover to send notifications that go out to the Pushover email or API servers - in this event all they have access to is your images and not your entire system. You should be able to set up an NVR with the Pushover email option.

Take steps to further minimize access to stuff.

Regardless of which platform you use to access your stuff remotely, have it be isolated from the rest of the system so that the entire system isn't compromised.

Set up procedures that let you know whenever something connects or logs in to your device. Doesn't necessarily prevent the backdoor exploit, but take any steps possible to eliminate those risks.

Or just say F it and use port forward blindly like most of society. At the end of the day, most don't get hacked. It just sucks if you are one of them that do.
 
  • Like
Reactions: Arjun
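Two pieces of advice in this thread come down to the same habit: bigredfish watches the NVR's network flows on a firewall appliance and expects to see nothing but the P2P handshake and keep-alive, and the post above says to VLAN the device off and to know whenever something connects to it. The script below is an added example (not code from any poster, Firewalla, or Dahua) of what that review looks like in practice. The log lines are constructed in a generic `key=value` style, not any vendor's real log format; the NVR address, the camera VLAN, the trusted LAN, and the port numbers are all made-up sample values. It counts the NVR's outbound connection setups to anything outside its own VLAN (this is the list you expect to contain only the P2P server), flags inbound connection attempts from anywhere other than your trusted LAN, and flags the NVR itself opening connections into the trusted LAN, which a correct VLAN rule set should never allow.

```python
import ipaddress
from collections import Counter

# Constructed sample flow log (generic key=value form, not a real vendor format).
# Assumed layout: NVR on camera VLAN 192.168.20.0/24, trusted LAN 192.168.1.0/24,
# 203.0.113.5 standing in for a P2P relay, 198.51.100.77 for an unknown host.
SAMPLE_FLOWS = """\
2024-05-01T08:00:01 dir=out proto=udp src=192.168.20.10 dst=203.0.113.5 dport=32100 state=new
2024-05-01T08:00:02 dir=out proto=tcp src=192.168.20.10 dst=203.0.113.5 dport=443 state=new
2024-05-01T08:00:32 dir=out proto=udp src=192.168.20.10 dst=203.0.113.5 dport=32100 state=established
2024-05-01T08:01:00 dir=in proto=tcp src=192.168.1.50 dst=192.168.20.10 dport=37777 state=new
2024-05-01T08:02:00 dir=in proto=tcp src=198.51.100.77 dst=192.168.20.10 dport=37777 state=new
2024-05-01T08:03:00 dir=out proto=tcp src=192.168.20.10 dst=192.168.1.50 dport=445 state=new
2024-05-01T08:04:00 dir=out proto=udp src=192.168.20.10 dst=192.168.20.1 dport=53 state=new
"""

NVR_IP = "192.168.20.10"          # assumed NVR address on the camera VLAN
CAMERA_NET = "192.168.20.0/24"    # assumed camera VLAN
TRUSTED_NETS = ["192.168.1.0/24"] # assumed LAN(s) allowed to view the cameras


def parse_flow(line):
    """Turn one 'timestamp key=value ...' line into a dict; dport becomes an int."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def review_flows(text, nvr_ip, camera_net, trusted_nets):
    """Summarise what the NVR talks to and who talks to it.

    Returns a dict with:
      egress              Counter of (dst, proto, dport) for new outbound
                          connections leaving the camera VLAN (expect only
                          the P2P server here)
      inbound_unsolicited new inbound connections to the NVR from outside
                          the trusted LAN (expect none with P2P-only access)
      lateral             new connections the NVR opened into the trusted
                          LAN (expect none if the VLAN rules are right)
    """
    nvr = ipaddress.ip_address(nvr_ip)
    camera = ipaddress.ip_network(camera_net)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    report = {"egress": Counter(), "inbound_unsolicited": [], "lateral": []}

    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        # Only connection setups matter; keep-alives on an established
        # flow are the expected background noise.
        if flow["state"] != "new":
            continue
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])

        if src == nvr:
            if dst in camera:
                continue  # its own gateway/DNS on the camera VLAN
            if any(dst in net for net in trusted):
                report["lateral"].append((flow["ts"], str(dst), flow["dport"]))
            else:
                report["egress"][(str(dst), flow["proto"], flow["dport"])] += 1
        elif dst == nvr:
            if any(src in net for net in trusted):
                continue  # a LAN client viewing cameras, as intended
            report["inbound_unsolicited"].append((flow["ts"], str(src), flow["dport"]))
    return report


if __name__ == "__main__":
    result = review_flows(SAMPLE_FLOWS, NVR_IP, CAMERA_NET, TRUSTED_NETS)
    print("NVR egress destinations (should be just the P2P server):")
    for (dst, proto, dport), count in sorted(result["egress"].items()):
        print(f"  {dst} {proto}/{dport} x{count}")
    for ts, src, dport in result["inbound_unsolicited"]:
        print(f"ALERT {ts}: inbound attempt to NVR port {dport} from {src}")
    for ts, dst, dport in result["lateral"]:
        print(f"ALERT {ts}: NVR opened a connection into the LAN: {dst}:{dport}")
```

Run against a real export, the interesting output is any egress destination you cannot explain as the manufacturer's P2P infrastructure, and any line in either ALERT list: an inbound hit from the internet means a port is reachable that you thought was closed, and a lateral hit means the camera VLAN is not actually isolated from the rest of the house.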
Dahua P2P switched to AWS servers last year, FYI.
So instead of Dahua spying on us, Amazon can, and they have a lot more experience at it! Maybe ads will start popping up when viewing cameras remotely?
 
  • Haha
Reactions: Arjun