Dahua and internet: What are the shades of grey?

Perimeter

Getting comfortable
Joined
Feb 18, 2023
Messages
557
Reaction score
581
Location
Europe
I understand: If I set up my cameras and NVR separate from the internet, I am safe from attacks through the internet on that cam network. But then, I didn't get a cam network to be safe from the internet in the first place.
So I would like to use the cams to check if all is well. This requires some communication. So my question is, what are the shades of grey available? Or is it all or nothing?
Is there a security difference between getting push messages or emails compared to being able to access the camera directly?

When I travel, I would like to be able to access the cameras. So for that time, I would like to allow some communication. What are my options, aside from creating a VPN? Is there anything in between isolation and running the full blown app on the phone?

I found this post, which indicates that there may be different risk levels, though I don't understand what he is talking about.
 

Perimeter

I need to move ahead.
I want to connect NVR, my PC and some remote camera locations using powerlan adapters.
I have two options:

Plan A: Set them on an entirely different subnet. Don't let them touch the router. This would require two separate powerlan networks. PC access over a second NIC. To some here, this is the preferred way to do it. Powerlan bandwidth will suffer from this.

Plan B: Set all cams and NVR to static IPs in the router subnet and block those IPs for internet access in the router. Once I learn more about security, I could relax the restrictions. Needs only one powerlan network and less adapters.

What risks do I run with plan B?
 
Joined
Aug 8, 2018
Messages
7,433
Reaction score
26,066
Location
Spring, Texas
There is a difference between 'checking the cameras' and 'checking the NVR'.

I don't have an NVR, I use a PC running Blue Iris. My cams are on a separate subnet from the rest of my home LAN. The BI PC has two NICs, one for the IP Cam LAN, one for the rest of the LAN that is connected to the internet. I can connect to that BI PC from outside of my home LAN using ZeroTier as a VPN of sorts. I can use the BI App on my iPhone, I can use UI3 from my laptop in my RV or even use RDP from that same laptop in my RV. This gets me to the BI PC and allows me to use all of the options of BI remotely. No need to actually log into a specific cam.

Most NVRs have remote viewing apps that you can use. I have no real idea on that as I have never used an NVR.
 

Flintstone61

Known around here
Joined
Feb 4, 2020
Messages
6,650
Reaction score
10,997
Location
Minnesota USA
I think you could use ZeroTier One to connect to the NVR with its app, with better security than using nothing.
I'm not the authority on that, but I am using it now since I went to 5G Internet service.
 

Perimeter

Atm, there is no phone involved. I just wonder if I can put them safely on the main net, if I deny them internet access in the router? Or do I have to consider other problems too?
 

Perimeter

I have read around several threads and links. But I don't understand enough to figure this out on my own yet.

I don't see any open ports in my router BUT obviously, I can monitor the consumer grade wifi cams in the house through the manufacturers phone apps. What does this mean? Does the router have a hidden UPnP? Or is this kind of access not the kind I am warned about?
Obviously, the consumer cams go and seek their respective clouds and stream stuff to my phone. I didn't forward any ports, in fact I didn't change anything with my router.

I would like to install the Dahua IP-cam & NVR network now. For practical purposes, I would like to put them on the main network, so they can be accessed from all PCs in the house. At the same time, I would unleash the entire internet restriction filters my router offers on every Dahua cam. I will not open any ports in the router and turn UPnP off in each cam and NVR. Is that enough to be reasonably safe?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,058
Reaction score
48,873
Location
USA
I have read around several threads and links. But I don't understand enough to figure this out on my own yet.

I don't see any open ports in my router BUT obviously, I can monitor the consumer grade wifi cams in the house through the manufacturers phone apps. What does this mean? Does the router have a hidden UPnP? Or is this kind of access not the kind I am warned about?
Obviously, the consumer cams go and seek their respective clouds and stream stuff to my phone. I didn't forward any ports, in fact I didn't change anything with my router.

I would like to install the Dahua IP-cam & NVR network now. For practical purposes, I would like to put them on the main network, so they can be accessed from all PCs in the house. At the same time, I would unleash the entire internet restriction filters my router offers on every Dahua cam. I will not open any ports in the router and turn UPnP off in each cam and NVR. Is that enough to be reasonably safe?
That is the kind of access you are worried about.

When you scanned the QR code, you have essentially opened up the front door allowing anyone that knows how to exploit that device to get in without being checked at the router. Once they access that device, they can deploy BOT attacks or look at any activity you are doing on the web.

Stay away from QR codes, Port Forward, P2P, UPnP.
 

wittaj

The P2P is how they are gaining access. There are lots of examples where the security devices (ironic isn't it) are not very secure from the internet and pass information unencrypted before the P2P handshake begins...

Millions of people around the world want the simplicity of Internet of Things (IoTs) to be easy to connect to their system and work. They do not want to deal with security. They wrongfully assume that because they bought it and all they have to do is scan a QR code, that all is good. A manufacturer also doesn't want to deal with endless phone calls from consumers asking how to set something up, so they make it easy.

So these companies create these QR codes/P2P and magically the new device can be seen on the consumers app. Consumer is happy. But, this device has opened up the system to gain easy access to your entire network.

I have a friend that falls under this "I just want to plug it in and scan a code and it works" mindset. Many years ago she bought a Foscam wifi camera to monitor her front door. She plugged it in and pointed it out a 2nd story window and downloaded the Foscam app and scanned the QR code and magically she could see her camera through the magic of P2P.

A few years later she bought a wifi printer and again, simply downloaded the app from the manufacturer and scanned the QR code and she could start printing.

One time in the middle of the night, she hears her printer printing a page. She thinks maybe she is dreaming or hearing things, so she thinks nothing of it and goes back to sleep. Next morning she gets up and indeed her printer did print something in the middle of the night and the printed page says I SEE YOU and a picture of her from her Foscam camera was below the text.

She changes her wifi password in case it was the peeping perv next door that she has caught looking at her through her window and he guessed her password, which was "password" because she liked things simple.

Problem still persists. She goes into Foscam app and changes the password to the camera. Problem still persists. She gets a new router and sets up a stronger password for wifi and changed the passwords of all of her devices. Problem still persists. She gets rid of camera and printer.

At some point Foscam issues a security vulnerability and issued a firmware update. Basically the vulnerability was something like when logging into the camera with a web browser over HTTPS, the initial login to the P2P site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and passwords are being sent unencrypted. While this was a security vulnerability found in Foscam, I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her wifi printer that she set up using the QR code.

Many articles on this site and out on the internet show how vulnerable these devices can be. I remember seeing an article of a webpage showing like 75,000 video streams around the world that were hacked into because of these vulnerabilities. I know there is an article somewhere on this forum where someone posted that many of these cameras do send passwords totally unencrypted and wide open, easy to see for anyone knowing what they are doing.

Do not assume that because it is a name brand that they actually have good security on these cameras or any device for that matter. Think about the typical end-user that just wants simplicity to connect. And then think how a company would go about that to provide that simplicity. End result is to provide that simplicity, it comes at a cost and that cost is security vulnerabilities, which is ironic for security cameras. But if it can happen to Amazon/Ring (which is a fairly large company), it can happen to anyone, especially all the no-name brands being sold on Amazon.

For that reason, most of us here prevent our systems from having access to the internet.
 

Perimeter

Thanks for your time.
What happens when I scan a QR-code? The consumer cam has to go through the router. In the router, I see no ports opened or anything special. I understand the cam gets out, as it has access to the router from inside the net. But how do I get in with my phone from the outside? I can see this scenario: the cam program could make checks on the cloud server every few seconds to look for my requests and then stream out stuff on demand. For that to work, no access to my net from the outside would be needed, the camera would only have to be able to access the manufacturers server and upload data requests it finds there. If it doesn't work like this, then I wonder how I can get in from my phone. Do you know?

But let's look back on an NVR/cam network. No camera has UPnP on. No barcode was scanned. Internet access is forbidden for each involved IP address. No ports are forwarded. So no one should be able to get in and they should not be able to get out.

The remaining risk I see is stuff like SmartPSS. It could send stuff out and fetch stuff from outside. And in case the cams are on a separate net, it could still breach that separation, unless the PC is fully isolated as well. So I guess I would have to make sure smartPSS has no internet access either (firewall).
 

Perimeter

Do we have a thread on how consumer cams interact with the net? Because I just googled a while and found ... nothing.

Now I found something. OK, so P2P does not involve port forwarding.
 

Perimeter

The P2P is how they are gaining access. There are lots of examples where the security devices (ironic isn't it) are not very secure from the internet and pass information unencrypted before the P2P handshake begins...
From the resources here at ipcamtalk, the worst evil is to open ports. So DDNS is out. Which would suggest that P2P should be the lesser evil?

I have tried to understand P2P from several pages in the net. From my understanding, it requires the cam to constantly check a cloud server, to see if it is supposed to take some user mandated action. Is that right so far?

If the user shows up on his phone, the server will establish a (direct) connection between the two. This connection can pass the router inbound, because it has been requested by the camera. The user just happens to be there this time though he likely sees this differently.

So if I understand you correctly, the camera's constant checks in the cloud might occur with unencrypted credentials? Certainly the user has to provide the pw at some point to get in. As the camera has to say her name every few seconds (and PW?), this may be enough info to fire up an intruder phone app to mimic the owner. So this intruder can now do all the things with your cam that you could. (unless you use the same password for your swiss bank account too)

Is this basically the line of attack I have to envision or am I totally off?

I think I had to authorize another app install with a verification phone call first. That would complicate matters, even if I had acquired the credentials.

So what about Dahua? Do they encrypt? What is known about their P2P remote access?
 


Jessie.slimer

BIT Beta Team
Joined
Aug 23, 2019
Messages
1,633
Reaction score
4,667
Location
Illinois
If your router doesn't do vpn, you can use a raspberry pi or an always on cpu in your network to set one up with openvpn. Or a new router with built in openvpn are a little over $100. Or ZeroTier.
 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
3,850
Reaction score
8,521
Location
USA, Oregon
-The Dahua device contacts a server and registers its ID.
-The remote device contacts the server to ask if the Dahua device it's looking for is available.
-If there's a match, the server gives the two ends enough info to open a link via NAT hole punching.

In the best case, the server then gets out of the loop and hasn't spied or compromised security in any way. In reality, I'd guess that some do and some don't. When you scan the Dahua P2P QR code the best case is all it contains is the device serial number. I've just typed in the serial number when using Dahua P2P.
 
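The three-step exchange tigerwillow1 describes (device registers its ID, remote client asks the server for it, server hands both ends enough to punch through NAT and then drops out), as an added example that is not part of the original thread and is not Dahua's actual P2P protocol: a constructed rendezvous server, a device and a remote client talking JSON over UDP on 127.0.0.1. The message types (REGISTER, LOOKUP, PEER, PUNCH, HELLO, STREAM), the encoding and the serial number are assumptions made for illustration. It also shows the point the thread keeps circling: nothing in the rendezvous step authenticates the requester, so whoever can supply a device's serial is handed its endpoint, and any password check has to happen on the direct link afterwards.

```python
import json
import socket
import threading

# Added example (not from the thread, not Dahua's protocol): a loopback-only model of a
# P2P rendezvous followed by NAT hole punching. Message types, JSON-over-UDP encoding
# and the serial number are assumptions made for illustration.

def _send(sock, msg, addr):
    sock.sendto(json.dumps(msg).encode(), addr)

def _recv(sock):
    data, addr = sock.recvfrom(4096)
    return json.loads(data.decode()), addr

def rendezvous_server(sock, registry, stop):
    """Steps 1 and 2: devices REGISTER a serial, remote clients LOOKUP a serial.
    The server only learns the address:port each packet arrived from (the NAT's
    public mapping in real life) and hands those two endpoints to the two peers."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            msg, addr = _recv(sock)
        except socket.timeout:
            continue
        if msg["type"] == "REGISTER":
            registry[msg["serial"]] = addr
            _send(sock, {"type": "REGISTERED"}, addr)
        elif msg["type"] == "LOOKUP":
            peer = registry.get(msg["serial"])
            if peer is None:
                _send(sock, {"type": "UNKNOWN"}, addr)
                continue
            # Step 3: both ends get the other's endpoint; no credential is checked here.
            _send(sock, {"type": "PEER", "host": peer[0], "port": peer[1]}, addr)
            _send(sock, {"type": "PUNCH", "host": addr[0], "port": addr[1]}, peer)

def device(sock, server_addr, serial, registered):
    """The camera/NVR side: register, then wait. On PUNCH it sends one packet outbound
    to the client, which is what opens the pinhole in its own NAT; on HELLO it answers."""
    sock.settimeout(3)
    try:
        _send(sock, {"type": "REGISTER", "serial": serial}, server_addr)
        while True:
            msg, addr = _recv(sock)
            if msg["type"] == "REGISTERED":
                registered.set()
            elif msg["type"] == "PUNCH":
                _send(sock, {"type": "PUNCH_OUT"}, (msg["host"], msg["port"]))
            elif msg["type"] == "HELLO":
                _send(sock, {"type": "STREAM", "serial": serial}, addr)
                return
    except socket.timeout:
        return  # nobody looked us up within the timeout; give up quietly
    finally:
        sock.close()

def client_lookup(sock, server_addr, serial):
    """The phone app side: ask the server for a serial, then talk to the device directly."""
    sock.settimeout(3)
    _send(sock, {"type": "LOOKUP", "serial": serial}, server_addr)
    msg, _ = _recv(sock)
    if msg["type"] != "PEER":
        return msg
    _send(sock, {"type": "HELLO"}, (msg["host"], msg["port"]))
    while True:
        msg, addr = _recv(sock)  # skip the device's PUNCH_OUT, wait for STREAM
        if msg["type"] == "STREAM":
            msg["from"] = addr   # the device's own endpoint, not the server's
            return msg

def run_demo(serial="SN-EXAMPLE-001", lookup_serial=None):
    """Wire up server, device and client on 127.0.0.1; return what the client got back."""
    srv, dev, cli = (socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(3))
    for s in (srv, dev, cli):
        s.bind(("127.0.0.1", 0))
    registry, stop, registered = {}, threading.Event(), threading.Event()
    t_srv = threading.Thread(target=rendezvous_server, args=(srv, registry, stop), daemon=True)
    t_srv.start()
    threading.Thread(target=device, args=(dev, srv.getsockname(), serial, registered), daemon=True).start()
    registered.wait(3)  # make sure the camera has checked in before the client asks
    try:
        return client_lookup(cli, srv.getsockname(), lookup_serial or serial)
    finally:
        stop.set()
        t_srv.join()
        srv.close()
        cli.close()

if __name__ == "__main__":
    print(run_demo())                          # STREAM, answered directly by the device
    print(run_demo(lookup_serial="SN-OTHER"))  # UNKNOWN: that serial never registered
```

On loopback there is no NAT, so the PUNCH_OUT packet does nothing except mark where a real device's outbound packet would open the inbound pinhole; that outbound-first ordering is what lets the reply pass a router without any port forward, which matches what Perimeter guessed earlier in the thread. Note what the registry holds: only serial to endpoint. Enumerating or guessing serials is therefore the first thing to worry about in any design like this.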

Perimeter

Getting comfortable
Joined
Feb 18, 2023
Messages
557
Reaction score
581
Location
Europe
Thanks for info. Do you know what happens for push messages?

I gather you would vote for option 4?

And I assume you have watched what your cam does when you don't P2P? Like send postcards to China?
 

Perimeter

Getting comfortable
Joined
Feb 18, 2023
Messages
557
Reaction score
581
Location
Europe
I observed a plan A & B... not a 4, tho'
Sorry man, I think I lured tigerwillow1 here from this thread:

Option 4 is basically "use P2P on NVR".
 

tigerwillow1

I gather you would vote for option 4?
I've actually gone to an option #5, which probably won't do the job that most want to do. I enable remote access only when the house will be empty overnight. I started with option 4, P2P access to the NVR only. The performance was terrible, possibly due to my somewhat slow internet connection. What I'm doing now (option 5) is running smartPSS on a dedicated machine that's running only when I'm away overnight. I log into that box using Team Viewer, which gives me much better performance than the Dahua P2P. As a plus I can also monitor my solar electric system over this connection. All that is on the dedicated system is win 7, Team Viewer, smartPSS, and the solar system monitor app. I guess I could fire up IE on the dedicated system to access the NVR and camera interfaces, but haven't had the need to try.
 