Dahua NVR: Near Real-Time Notification Solution

Kevin Doe

I thought I'd share my solution, and some things that I tried that didn't work out so well. Key requirements:

  • Near real-time notifications to my cell phone.
  • Reliable, works every time.
  • Works when my cell is not connected to my home Wifi network.
  • Notifications come through even when on "sleep" focus on my iPhone.

Things I tried, and why they didn't pan out:
  1. DMSS notifications. These were ultimately the closest to real-time, but also very unreliable. I'd estimate 1 second after an IVS rule was triggered. There were weeks where the notifications worked well, followed by days where I'd get nothing. When disabling the P2P, no notifications when not connected to my home network. I was able to add the app to the allowed apps to notify me during "sleep" focus.
  2. SMTP email notifications, sent to my cell. Found the right email extensions to my cell phone to send SMS messages, and also MMS messages. SMS messages were somewhat quicker than MMS messages. I liked the MMS message because it contained a snapshot, but it took longer. At entitlement, I would guess 5 seconds after trigger. But there were times where the messages wouldn't come through for 30-60 minutes afterwards. Too unreliable. I also received "cleared" messages a few minutes later. That was annoying. I added a contact to my phone for the email address I used to send the emails, and then added that contact to the allowed contacts to notify me during "sleep" focus.

What I ended up doing:
  1. SMTP email notification to my personal email account. I set up a new gmail account to use just to send and receive the SMTP emails from the NVR.
  2. Added the new email account as a second account to my gmail app. Of course you'll ask, why not just send the emails to my personal email address? I'll explain here in a bit.
  3. Set the gmail app preferences to notify me with EVERY email to the new email address, and notify only for "important" emails on my personal account. This works really well. You have to train gmail on what is important, but it's very easy and works really well. I also changed the notification sound for the new email account. This way I know that it's an NVR notice.
  4. Added gmail to the list of apps allowed to notify me during "sleep" focus.
  5. In the new email account, set up filters such that only the emails that are sent to itself are kept; everything else goes automatically to the trash. This eliminates the possibility of a spam or junk email waking me up in the middle of the night. Used the filter criteria of "doesn't have" and then listed "from: ________nvr@gmail.com", with the action of "delete it".
  6. In the new email account, set up filters such that the "cleared" emails are automatically sent to the trash. This eliminated a second email notification after every IVS rule trigger.
The result is emails coming directly to my phone (and/or Apple Watch) within about 2-4 seconds of triggering an IVS rule. They work reliably, on or off my wi-fi network. I also get a snapshot saved in my sent email folder of gmail, in the event the NVR is damaged/stolen in an intrusion. I get woken up in the event an IVS rule is triggered at night. I'm happy! Took a long time to get it all figured out, so thought I'd share.
 

bluebrush

How do you set up the smtp email, while avoiding the common "no-nos" of no p2p/upnp/port forwarding? Does email come set up, outbound only?
 

awonson

How do you set up the smtp email, while avoiding the common "no-nos" of no p2p/upnp/port forwarding? Does email come set up, outbound only?
@bluebrush, in the Dahua NVR, under the Network settings tab, you enter your email server, port, username and password. You will probably have to use an App Password (as opposed to your account password) to use GMail. My email server also uses an app password, rather than the account password. If you have blocked all outbound (and inbound!) ports from/to your cameras and NVR, you will need to open the required port for outbound email (e.g. 587 or 465). In my case that port is 587. It could also be 465. I do not have port forwarding or P2P - I open specific ports in my router for the email and iOS notifications and drop all other connections to and from the NVR and cameras.

Here are some instructions for GMail App Passwords: Sign in with App Passwords - Google Account Help
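
One way to check that the outbound-only policy described in the reply above actually holds, as an added example that is not from any poster in this thread: it reads router firewall log lines in the netfilter LOG key=value style and reports every NVR flow that leaves the LAN other than outbound SMTP submission on 587/465. The NVR address, LAN range and log lines are constructed; extend the allowlist for any other service you deliberately permit.

```python
import ipaddress
import re

NVR_IP = "192.168.1.50"                          # assumed NVR address (constructed)
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed home LAN range (constructed)
ALLOWED_EGRESS = {("TCP", 587), ("TCP", 465)}    # SMTP submission ports named in the thread

# Constructed sample lines in netfilter LOG style; peers use documentation ranges.
SAMPLE_LOG = """\
IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.25 PROTO=TCP SPT=40112 DPT=587
IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=41000 DPT=8800
IN=eth0 OUT=br0 SRC=198.51.100.99 DST=192.168.1.50 PROTO=TCP SPT=55123 DPT=80
IN=br0 OUT=br0 SRC=192.168.1.20 DST=192.168.1.50 PROTO=TCP SPT=50000 DPT=443
IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.25 PROTO=TCP SPT=40113 DPT=25
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def audit(log_text, nvr_ip=NVR_IP, lan=LAN, allowed=ALLOWED_EGRESS):
    """Return (direction, peer, proto, dport) for each NVR flow that breaks the policy."""
    nvr = ipaddress.ip_address(nvr_ip)
    findings = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            proto = f["PROTO"]
            dport = int(f.get("DPT", 0))         # portless protocols (ICMP) report 0
        except (KeyError, ValueError):
            continue                             # not a flow record
        if nvr not in (src, dst):
            continue                             # flow does not involve the NVR
        peer = dst if src == nvr else src
        if peer in lan:
            continue                             # LAN-only traffic (cameras, local viewing)
        if src == nvr and (proto, dport) in allowed:
            continue                             # outbound mail submission is the one exception
        direction = "outbound" if src == nvr else "inbound"
        findings.append((direction, str(peer), proto, dport))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("policy violation:", finding)
```
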
 

ludshed

You guys sure enjoy making things complicated!
About your stolen/damaged nvr scenario, I always put at least one sd card in one camera on customers' systems for that reason.
 

Kevin Doe

You guys sure enjoy making things complicated!
Is there a simpler way to accomplish reliable real-time notifications to your cell? This was the best I could do, but I'm all ears if there is a better way.
 

ludshed

Either engage p2p or forward a port. I’ve installed thousands of systems and never had a call from being hacked yet. Everyone seems obsessed with the illusion that security is real, it’s not. Doesn’t matter if it’s a computer, structure or a country.
 

wittaj

Either engage p2p or forward a port. I’ve installed thousands of systems and never had a call from being hacked yet. Everyone seems obsessed with the illusion that security is real, it’s not. Doesn’t matter if it’s a computer, structure or a country.
Or they haven't realized they are hacked LOL. We see several threads a month where someone has been hacked because of this. Here is a recent one:



Why run the risk of data thru another server if not needed or opening a port? Sure anything can be hacked, but let's not make it easy.

I understand that as an installer you are going for quick and easy to avoid all the phone calls from the customer, but that doesn't make it safer. Your customer will only receive illegal login notifications in the log when someone tries to guess their password. If the attack occurs via a backdoor they would never know.

And your comment about adding the SD card is true, but what if the perp takes the camera? The emailed pic will be pretty valuable then...

The above method or the Pushover app is just as simple to do as P2P without the risk.
 

wittaj

The P2P is how they are gaining access. There are lots of examples where the security devices (ironic isn't it) are not very secure from the internet and pass information unencrypted before the P2P handshake begins...

Millions of people around the world want the simplicity of Internet of Things (IoTs) to be easy to connect to their system and work. They do not want to deal with security. They wrongfully assume that because they bought it and all they have to do is scan a QR code, that all is good. A manufacturer also doesn't want to deal with endless phone calls from consumers asking how to set something up, so they make it easy.

So these companies create these QR codes/P2P and magically the new device can be seen on the consumer's app. Consumer is happy. But, this device has opened up the system to gain easy access to your entire network.

I have a friend that falls under this "I just want to plug it in and scan a code and it works" mindset. Many years ago she bought a Foscam wifi camera to monitor her front door. She plugged it in and pointed it out a 2nd story window and downloaded the Foscam app and scanned the QR code and magically she could see her camera through the magic of P2P.

A few years later she bought a wifi printer and again, simply downloaded the app from the manufacturer and scanned the QR code and she could start printing.

One time in the middle of the night, she hears her printer printing a page. She thinks maybe she is dreaming or hearing things, so she thinks nothing of it and goes back to sleep. Next morning she gets up and indeed her printer did print something in the middle of the night and the printed page says I SEE YOU and a picture of her from her Foscam camera was below the text.

She changes her wifi password in case it was the peeping perv next door that she has caught looking at her through her window and he guessed her password, which was password because she liked things simple. :banghead:

Problem still persists. She goes into Foscam app and changes the password to the camera. Problem still persists. She gets a new router and sets up a stronger password for wifi and changed the passwords of all of her devices. Problem still persists. She gets rid of camera and printer.

At some point Foscam issued a security vulnerability and issued a firmware update. Based on chatter on forums, basically the vulnerability was something like when logging into the camera with a web browser over HTTPS, the initial login to the P2P site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and passwords are being sent unencrypted. While this was a security vulnerability found in Foscam, I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her wifi printer that she set up using the QR code.

Many articles on this site and out on the internet show how vulnerable these devices can be. I remember seeing an article of a webpage showing like 75,000 video streams around the world that were hacked into because of these vulnerabilities. I know there is an article somewhere on this forum where someone posted that many of these cameras do send passwords totally unencrypted and wide open, easy to see for anyone knowing what they are doing.

Do not assume that because it is a name brand that they actually have good security on these cameras or any device for that matter. Think about the typical end-user that just wants simplicity to connect. And then think how a company would go about that to provide that simplicity. End result is to provide that simplicity, it comes at a cost and that cost is security vulnerabilities, which is ironic for security cameras. But if it can happen to Amazon/Ring (which is a fairly large company), it can happen to anyone, especially all the no-name brands being sold on Amazon.

For that reason, most of us here prevent our systems from having access to the internet.
 