basic home network security ... would you put an IP camera up?

dalearyous

[H]ard|Gawd
Joined
Jun 21, 2008
Messages
1,922
in the past i have always gone with a non network camera/baby monitor for all the obvious reasons. but they are expensive and my son broke it. so now i am tempted to get a cheaper network camera. all my network security experience involves very expensive appliances and hardware in a medium to large size business setting. i have no idea how secure/insecure my home network is.

so, other than the obvious stuff like changing default settings, using good passwords, keeping everything up to date, maybe turning off wifi broadcast, not allowing management of router from public IP, what else should i be looking for and testing? is the camera the weak link? should i create a separate wireless network for the camera and keep internet traffic from being allowed to and from it? or do mac address filtering?

i have always tried to keep my home setup simple because i deal with this crap at work all day and just want my home stuff to work and be super simple.
 

klank

Killer of Killer NIC Threadz
Joined
Aug 22, 2011
Messages
2,177
Don't ever use a Wi-Fi "security" camera. It destroys the Wi-Fi spectrum(s), speeds will tank and IMO opens up another attack vector for your network.

A hardwired camera like HIKvision, Dahula, etc. is perfectly fine. If you are worried about the device calling home or being hacked just limit access in and out with your firewall and/or don't put a gateway/dns server when you setup the unit.
 
Joined
Apr 28, 2006
Messages
632
I agree with Klank. Make sure the camera firmware is up to date, password protect the camera with a good password. I personally only allow access to it from the outside via VPN.
 

dalearyous

[H]ard|Gawd
Joined
Jun 21, 2008
Messages
1,922
yep. wil do all of these. pretty sure it won't be wifi, i have a drop in the room it needs to go in.
 

piker28

Limp Gawd
Joined
Aug 2, 2007
Messages
183
I already have 3 cameras connected to blue iris dvr software. All my cameras are external so no fear of someone really gaining access but they are locked down all the same.
 

Phantum

[H]ard|Gawd
Joined
Jul 25, 2001
Messages
1,716
I built 4 cameras myself recently using Raspberry Pi's and the available camera module, no sound but all the wife and I wanted was a video feed anyway. I bought all the components (including cases and stands/mounts) through a vendor we use at work so I got a business discount on top of a quantity discount. Worked out to about $50 a unit I think. Cron jobs, scripts and motion.conf tweaks handle video and still picture capturing which drop the content on shares mounted via NFS on my storage server.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
Why not give them a static IP, then set a firewall rule that blocks all internet bound traffic from that IP? That way you can only access the device from your internal network, and won't have to worry about being spied on.
 

J-Will

[H]ard|Gawd
Joined
Jan 10, 2009
Messages
1,728
Why not give them a static IP, then set a firewall rule that blocks all internet bound traffic from that IP? That way you can only access the device from your internal network, and won't have to worry about being spied on.
or externally via your NVR (Blue Iris or whatnot)
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,003
Yeah I would unless i had wireless issues like my house being made of lead and nothing getting through the walls... If that were the case i would do wired...
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
This site seemed to have some good suggestions: IP Cameras and IP CCTV » Blog Archive Your First Home Security System - Part 1: IP Camera Types

Personally, I do not like wireless or wifi camera solutions. They do have some nice features, but I am ultimately a bit wary of how secure they are. I would much rather have a dedicated closed wired network for my cameras and surveillance. If you wanted to use wireless, you could perhaps use a separate wireless network for it running on a separate channel and/or frequency from your normal house wireless.
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,003
This site seemed to have some good suggestions: IP Cameras and IP CCTV » Blog Archive Your First Home Security System - Part 1: IP Camera Types

Personally, I do not like wireless or wifi camera solutions. They do have some nice features, but I am ultimately a bit wary of how secure they are. I would much rather have a dedicated closed wired network for my cameras and surveillance. If you wanted to use wireless, you could perhaps use a separate wireless network for it running on a separate channel and/or frequency from your normal house wireless.
Unless your bruce wayne and have people who would kidnap or murder you i would not worry as much about the security of the cameras if you were worried about someone getting in and watching you that is another thing.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
Unless your bruce wayne and have people who would kidnap or murder you i would not worry as much about the security of the cameras if you were worried about someone getting in and watching you that is another thing.

Considering how easy it is to get in to many WiFi cameras, I tend to disagree.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
This site seemed to have some good suggestions: IP Cameras and IP CCTV » Blog Archive Your First Home Security System - Part 1: IP Camera Types

Personally, I do not like wireless or wifi camera solutions. They do have some nice features, but I am ultimately a bit wary of how secure they are. I would much rather have a dedicated closed wired network for my cameras and surveillance. If you wanted to use wireless, you could perhaps use a separate wireless network for it running on a separate channel and/or frequency from your normal house wireless.


Why? What is different between wireless and wired in this aspect? It's not like they can use wifi to connect directly to the camera, the camera only uses wifi to connect to the router (At least mine do). If you block all internet bound traffic to/from that IP, the camera cannot call home, it cannot be used in DDOS attacks, and no one from the outside can spy on you. So it's just as secure as wired, assuming you are using WPA2 with a good password. And they should only be using bandwidth when you are actually connected to the device (Unless you have external software always recording), but even then it's still a pretty shitty 480p stream that takes very little BW. Anything N or later shouldn't even have issues running a few 1080p cameras either.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
Why? What is different between wireless and wired in this aspect? It's not like they can use wifi to connect directly to the camera, the camera only uses wifi to connect to the router (At least mine do). If you block all internet bound traffic to/from that IP, the camera cannot call home, it cannot be used in DDOS attacks, and no one from the outside can spy on you. So it's just as secure as wired, assuming you are using WPA2 with a good password. And they should only be using bandwidth when you are actually connected to the device (Unless you have external software always recording), but even then it's still a pretty shitty 480p stream that takes very little BW. Anything N or later shouldn't even have issues running a few 1080p cameras either.

Wireless can be snatched out of the air by proximity. Wired cannot. That is a pretty significant difference. Why would I use a camera for a DDOS attack. I would use the camera to see what you see, to spy on things, to gain information, and/or to shut the camera down. Since your WiFi router is broadcasting wireless, it is far more susceptible to hacking than an Ethernet installation, especially when that Ethernet installation is on a closed network not accessible to the outside.
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,003
Considering how easy it is to get in to many WiFi cameras, I tend to disagree.
that is easy just run the cameras on a VPN or something like that normally compainies operate the security network isolated from the regular network albeit it is done in software the security is typically kept isolated from the data network so if one is compromised the other is not.
 
D

Deleted member 93354

Guest
in the past i have always gone with a non network camera/baby monitor for all the obvious reasons. but they are expensive and my son broke it. so now i am tempted to get a cheaper network camera. all my network security experience involves very expensive appliances and hardware in a medium to large size business setting. i have no idea how secure/insecure my home network is.

so, other than the obvious stuff like changing default settings, using good passwords, keeping everything up to date, maybe turning off wifi broadcast, not allowing management of router from public IP, what else should i be looking for and testing? is the camera the weak link? should i create a separate wireless network for the camera and keep internet traffic from being allowed to and from it? or do mac address filtering?

i have always tried to keep my home setup simple because i deal with this crap at work all day and just want my home stuff to work and be super simple.

Wired using POE (Power over Ethernet is always preferable) However if you don't have an Ethernet port handy, most Wireless IP cameras have been fixed far as security wise. Even my 6 year old wireless camera was fixed firmware wise 2 years after EOL (Trendnet). A lot of them are based on the same technology with a version of embedded linux. (Just like a lot of WRT wireless routers have broadcom chips in them) Just remember to change the admin password right away. Keeping internet traffic away from the camera though will be difficult without an active switch. If you want to secure it through your router, you'll need to handle it through the port forwarding and firewall rules. That can be complicated if you don't know what you are doing.

If you intend to use them for nighttime, make sure it has quite a few IR LEDs. Mine were pretty much dead after 3 years.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
Wireless can be snatched out of the air by proximity. Wired cannot. That is a pretty significant difference. Why would I use a camera for a DDOS attack. I would use the camera to see what you see, to spy on things, to gain information, and/or to shut the camera down. Since your WiFi router is broadcasting wireless, it is far more susceptible to hacking than an Ethernet installation, especially when that Ethernet installation is on a closed network not accessible to the outside.


So what if they can grab your encrypted packets out of the air? If you don't have good wifi security this is all a moot point anyway. But there is no risk of them being able to do anything with those packets they grabbed until someone breaks WPA2/AES encryption.

And I'm guessing you didn't read about the latest huge DDOS attack that was done by a large ammount of insecure/hacked IP cameras.... This was like 1-2 weeks ago.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
So what if they can grab your encrypted packets out of the air? If you don't have good wifi security this is all a moot point anyway. But there is no risk of them being able to do anything with those packets they grabbed until someone breaks WPA2/AES encryption.

What century do you live in? Crackers can get through WPA2/AES in about 10 minutes these days...

And I'm guessing you didn't read about the latest huge DDOS attack that was done by a large ammount of insecure/hacked IP cameras.... This was like 1-2 weeks ago.

Yes, I did hear about it. No, it isn't my main concern, especially since I advocate against using cameras accessible to the outside.
 
D

Deleted member 93354

Guest
What century do you live in? Crackers can get through WPA2/AES in about 10 minutes these days...

If you are super worried about it, only authorize computers on your network based on MAC. Most wireless routers HAVE this feature. Problem solved.
 

klank

Killer of Killer NIC Threadz
Joined
Aug 22, 2011
Messages
2,177
If you are super worried about it, only authorize computers on your network based on MAC. Most wireless routers HAVE this feature. Problem solved.

Wrong. MAC filtering does nothing. MAC addresses are sent across the air in plain text. Spoofing the MAC is trivial.

Your only options are use a longer key, 802.1X/EAP or best of all use hardwired connections.
 
D

Deleted member 93354

Guest
Wrong. MAC filtering does nothing. MAC addresses are sent across the air in plain text. Spoofing the MAC is trivial.

Your only options are use a longer key, 802.1X/EAP or best of all use hardwired connections.

To break PSK2 you have to use a dictionary attack on the captured keys. If you don't have a dictionary password, then it's up to brute force.

Isn't the MAC sent encrypted PART OF PSK key handshake and the MAC accepted or rejected by the router? So it's encrypted in the first place. (This I could be wrong about). That said, if someone wants to hack your house back enough after apply latest camera firmware, changed camera admin password, mac tables, PSK and firewalls, I don't think access to a security cam is going to stop them one way or another.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
Do you have any link for information on that claim ?

I am not going to do simple google searches for you that will give you the answer within a few seconds... Do your own research on the matter.
 

SvenBent

2[H]4U
Joined
Sep 13, 2008
Messages
3,310
I am not going to do simple google searches for you that will give you the answer within a few seconds... Do your own research on the matter.
I did make a google search and found nothing from outside breaking into WPA2/AES. There was something about authorized users aka people you already gave access to the WIFI (hole 169 i think it was called) that can snoop out some data. But that hardly the event we are debating when we are talking proximity attacks.

So again please. Do you have any link or information about the 10 minutes time to break WPA2/AES ?
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
To break PSK2 you have to use a dictionary attack on the captured keys. If you don't have a dictionary password, then it's up to brute force.

Isn't the MAC sent encrypted PART OF PSK key handshake and the MAC accepted or rejected by the router? So it's encrypted in the first place. (This I could be wrong about). That said, if someone wants to hack your house back enough after apply latest camera firmware, changed camera admin password, mac tables, PSK and firewalls, I don't think access to a security cam is going to stop them one way or another.

Negative, your MAC address is not encrypted. Basically all they have to do is sniff the traffic see which device is authenticated, boot it off the network, spoof that MAC and they are in.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
I did make a google search and found nothing from outside breaking into WPA2/AES. There was something about authorized users aka people you already gave access to the WIFI (hole 169 i think it was called) that can snoop out some data. But that hardly the event we are debating when we are talking proximity attacks.

So again please. Do you have any link or information about the 10 minutes time to break WPA2/AES ?

Then you are terrible at searching as all I had to do was put in, "break WPA2/AES" and it gave me several immediate results with information on it. There are also many other ways to break through it, but I am not going to share with you hacking techniques. Do your own dirty work on it. It matters not to me if you do not believe me, I am merely giving advice based on my experience.
 

piker28

Limp Gawd
Joined
Aug 2, 2007
Messages
183
Despite the security aspect my main issue with wireless cameras is the performance. I noticed when I ran my foscam on max resolution it heavily bogged down my wireless. That was one camera, so imagine multiple cameras all streaming to the dvr at the same point. Cable is faster and easier in terms of setup, maintenance, and security. If you are looking for a simple who might be coming down my driveway then wireless is the way to go.
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,003
If someone wants in they will get in wired or wireless if someone is ready to sit outside your house for 10 minutes while he bruteforces your wifi password he has you targeted...

I have become partial to using sentences as passwords...

Like this "notgoingtogotothemarkettoday" it would be much better if I added numbers for some of the letters too but just the phrase should be secure enough for most people.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
If someone wants in they will get in wired or wireless if someone is ready to sit outside your house for 10 minutes while he bruteforces your wifi password he has you targeted...

I have become partial to using sentences as passwords...

Like this "notgoingtogotothemarkettoday" it would be much better if I added numbers for some of the letters too but just the phrase should be secure enough for most people.


They don't have to sit there, they send a fake packet to force your machine to disconnect, then capture the 4 handshake packets as your machine reconnects. Then they take those home and brute force them on a much better machine to get your password. But, it's either a dictionary attack or brute force, so something like a sentence (I do the same, 30 characters long) will be MUCH more difficult and take too long to be worth it.
 

Mackintire

2[H]4U
Joined
Jun 28, 2004
Messages
2,936
Don't ever use a Wi-Fi "security" camera. It destroys the Wi-Fi spectrum(s), speeds will tank and IMO opens up another attack vector for your network.

A hardwired camera like HIKvision, Dahula, etc. is perfectly fine. If you are worried about the device calling home or being hacked just limit access in and out with your firewall and/or don't put a gateway/dns server when you setup the unit.


That's one of the things MU-MIMO is supposed to resolve. Only problem is few wireless APs and even fewer clients support it. Once it becomes common speeds will tank significantly less.
 

DouglasteR

Limp Gawd
Joined
Jan 6, 2006
Messages
485
Do you want headaches ? Then by all means, go Wifi Camera.

If you just want something that will be always connected go for wired POE camera. Dont do DHCP for them, just manual ip in another Vlan. And call it a day.
 

Nenu

[H]ardened
Joined
Apr 28, 2007
Messages
20,075
Wireless connections are easily disabled by transmitting strong signals at the same frequencies.
A bit like putting cloth over the cameras and disabling the microphones.
Opportunists wouldnt do this, only those who well plan a break in, but if its clear you have valuables, you take a fair risk.
I wouldnt use wireless for security unless you also use another wired system.

You could detect a potential break in by monitoring the strength of wireless frequencies you use.
If there is a sudden increase, send an alert and monitor on your other system.
You need to be able to get there quick smart or hope for good enough recordings.
Remote access is not such a good idea as covered earlier.
Keep the system locked down.
 
D

Deleted member 93354

Guest
Do you want headaches ? Then by all means, go Wifi Camera.

I never had a headache. But I was running 802.11n network with one camera, and specified a data format that was widely compatible and didn't suck up bandwidth

What problems did you experience?
 

DouglasteR

Limp Gawd
Joined
Jan 6, 2006
Messages
485
I never had a headache. But I was running 802.11n network with one camera, and specified a data format that was widely compatible and didn't suck up bandwidth

What problems did you experience?

Like, almost all problems wifi can have ?

- Disconnects
- Random slowdowns (the fps of the camera would sink if not freeze)
- Reconnections for no apparent reason (signal was ok)

Granted, they were 4 cams at 54g, but i believe that n speeds would not fix this.
 

Ripskin

2[H]4U
Joined
Jan 15, 2004
Messages
2,463
I have two wireless Foscam's. They are on a static IP, on custom ports on my WPA2 wifi and password protected. I have them internally recording as well as syncing to my NAS for redundancy.
The basic snoop wouldnt have the easiest of times getting into them, but if someone wanted to I'm sure they would.

I would have loved to do wired PoE cam's, but the cost of the network equipment, cameras and time spent running the cables (I hope) through the walls and then repairing the walls was not something I had time for.

Depending on their locations and the conflicting networks in the area you can have some disconnects or latency on the wifi as signals compete. However I seem to have more issues with my neighbors signals than my cameras as if they are rebooting or offline everything seems to work well. Sadly I'm on the least used channel and my nearest neighbor (whomever) that is on the same channel is far enough away for most of my house that its not a huge deal.

If you have the time, and ability to set up wired I would go that route. However if you are looking for something affordable, easy to set up (even customize) and are not swamped in competing wireless signals a wireless system may be for you. If you are looking to put up a bunch of cameras, wifi is probably not going to work out so well unless you can customize each camera to not conflict with the rest of the set up.

I'm not a network genius but I know the basics, maybe a little more and overall I am happy with my set up as it stands right now. Someday a much better setup would be nice.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Use PoE wired cameras that are NOT cloud based. Set them up on a separate vlan. Don't touch wireless. Don't waste wireless spectrum for stuff that is stationary. Not to mention it will never be as secure as wired.

One attack vector with wired is physical, if someone gets to one of the cameras they could plug something else, but by putting the cams on a separate vlan that cannot access the rest of the network or the internet, it minimizes what can be done. Technically you can even have the DVR on the main vlan as the DVR only needs to connect to the cameras and not vise versa, so the camera vlan can pretty much have zero outgoing firewall rules and one incoming rule for the DVR's IP.

For fishing wires you can probably fish them within the overhang of the house. Might have to remove some soffit in some instances. You need to run power from a reliable (ex: UPS backed up) power source anyway, so it just makes sense to go with PoE wired.
 
Last edited:
D

Deleted member 93354

Guest
Use PoE wired cameras that are NOT cloud based. Set them up on a separate vlan. Don't touch wireless. Don't waste wireless spectrum for stuff that is stationary. Not to mention it will never be as secure as wired.

One attack vector with wired is physical, if someone gets to one of the cameras they could plug something else, but by putting the cams on a separate vlan that cannot access the rest of the network or the internet, it minimizes what can be done. Technically you can even have the DVR on the main vlan as the DVR only needs to connect to the cameras and not vise versa, so the camera vlan can pretty much have zero outgoing firewall rules and one incoming rule for the DVR's IP.

For fishing wires you can probably fish them within the overhang of the house. Might have to remove some soffit in some instances. You need to run power from a reliable (ex: UPS backed up) power source anyway, so it just makes sense to go with PoE wired.

I didn't realize we were wiring a home for Kim Kardashian.
 

Nenu

[H]ardened
Joined
Apr 28, 2007
Messages
20,075
Similar problems apply.
Thieves are thieves and security systems are very similar.
The complexity to get at the security systems and the determination of the thieves is what varies most.
If its simple to employ good tactics, it makes sense to do it.
 

ITGuy1024

n00b
Joined
Jan 22, 2016
Messages
53
I just put up four security cameras at my house. I voted for non-ip cameras connected back to an nvr with the power / video cables.

Doesn't hog up my network with extra traffic and if for some reason the network went down (AP / switch failure) I wouldn't lose the ability to record activity.
 
Top