Keeping HikVision Cameras Secure 

Tall Paul Tech

I just wish people wouldn't get so dramatic about issues that have simple fixes.

Published: 21 Mar 2023

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Comments: 62
@AdrianPatten 1 year ago
So good to see someone who understands these. Most Electricians/Data cablers/Handyman and even Security companies will just whack these in and let them go without turning off all the features. (As you have shown) These days it's all about getting that footage onto your iPhone via "the cloud". CCTV needs to be kept in-house and well away from the web. -Another great video! Thank you.
@TallPaulTech 1 year ago
Me and Mr 'Cloud' often come to blows
@tcpnetworks 1 year ago
@TallPaulTech I hear 'cloud' as 'somebody else's computer.' It's a horror-show of vulnerabilities. Just waiting for a hack on our stuff - and a knee-jerk back to on-prem - where stuff is safer.
@Ryan-xx1zh 1 year ago
Love your vids man, even with my basic ish understanding of networking you always explain in a way that makes sense and gives me a more broad range of knowledge for stuff you can do with networking, cheers from NZ.
@TallPaulTech 1 year ago
Cheers
@notathome13 1 year ago
Follow the money and the companies they believe are “trusted” providers, Suddenly Axis and motofalure camera sales go through the roof. Hikvision kit works well but like all vendors you need to separate your networks.
@FredrikRambris 1 year ago
Just found this channel and am loving it. You don't explain EVERYTHING but rather expect the viewer to have some network and Linux knowledge.
@TallPaulTech 1 year ago
I'm not here to lick stamps or fuck spiders!
@JonathanSwiftUK 9 months ago
Most people don't have the knowledge and skills to do PEN testing, security hardening, VLANs, etc., on their home network. Eufy's cameras uploaded video and photos to the cloud without consent, and their cameras were accessible externally with encryption or authentication. When I put my cameras in they will be ethernet only, no cloud or restricted to connect only to that address, no remote access to the cameras, perhaps just use a Synology or QNAP and do it yourself.
@eliotmansfield 1 year ago
Allowing DNS outbound, even via your own DNS server could still allow it to make seemingly innocent DNS requests outbound to exfiltrate some information outbound. Going even more tinfoil hat, they could pass the password out via an encoded DNS request by crafting a specific DNS response that triggers a hidden piece of code inside the camera for example - so it all looks innocent, but they could wake up functions via specific DNS responses.
@TallPaulTech 1 year ago
I'm going to guess that you've also heard of iodine ;)
@pquodling 1 year ago
So, time to contact government departments and offer to buy their scrapped cameras for 2c on the dollar
@Akshun82 1 year ago
I've had a good run with Reolink which are ONVIF compatible (most models) and first thing I did was disable DDNS and UPnP. Have a macOS Mojave VM just for SecuritySpy which is an amazing bit of software for CCTV.
@TallPaulTech 1 year ago
RU-vid held that comment of yours for review... for some reason that nobody will ever know. What are they scared of?!
@tcpnetworks 1 year ago
We had hundreds of these cameras - on a completely separate VRF, on a completely separate firewall zones - nothing available to any camera. We monitor the firewall zone constantly. Nothing gets transmitted, let alone try to get through.
@TallPaulTech 1 year ago
Perfect
@netbootdisk 1 year ago
Same here. 100's of cameras across multiple sites. Zero attempts on firewall logs.
@tcpnetworks 1 year ago
@TallPaulTech Still have to pull the buggers out though.... Avigilon cams are now the norm.
@tcpnetworks 1 year ago
@TallPaulTech Yet - still changing them to Avigilon.
@FuzzThePiGuy 1 year ago
I stopped using PoE cameras. I was getting a lot of interference around 144MHz range. I had the interference on 4 different brands. I unplugged the cameras from the NVR and the noise went away. I even tried Cat6 shielded cable and didn’t make a difference. Move to HD analog cameras and no more interference.
@Mike-01234 8 months ago
Every security camera is made in China. Problem I have with Hikvision they continue to hang on to using IE11 with ActiveX both have been discontinued years ago. The larger HD cameras were amazing quality the interface was terrible. Downloading video clips didn't work just failed to download had to do all kinds of workarounds. IE11 running as an extension then that quit working also. I moved on to Amcrest cameras just lot easier to work with.
@netbootdisk 1 year ago
I'd be more worried about an attack vector from the HikVision mobile app (even if connecting behind a VPN) or the iVMS remote software (that requires administrator rights to run!) - than the actual cameras themselves.
@TallPaulTech 1 year ago
That's a bloody good point. That's why I don't tend to use phone apps... or a phone much at all
@MicheIIePucca 3 months ago
Great video! Any IoT device that comes out of China should be a concern for anyone. It's too bad that home wifi access points/routers don't all have the ability to separate IoT devices with VLANs. Btw, I love Hikvision cameras, and have many of them.
@aronlichtman 1 year ago
You can use the SADP tool to find the IP address of the camera
@kezzkezzkezz 1 year ago
Look into using Frigate
@TallPaulTech 1 year ago
Holy shit, that looks alright. I might just have to do that
@LesterBurnham_au 1 year ago
I’ve just started playing with Frigate also using 1 of 5 HiLook/Hikvision cameras and it is very good. Waiting for the price of the Coral TPU to come down again, before I add more cameras to HA. The config file gives me a headache though 🙄
@peter65zzfdfh 1 year ago
For a home locking down their outbound access is probably enough. If you’re at the level of nation state espionage you need to start physically inspecting hardware for transmitters etc that could exfiltrate data locally to an asset nearby, internet or no internet. The kind of crafty shit you can do with a big enough incentive and the ability to manufacture hardware is limitless. Any cameras I have inside are physically disconnected from power when at home.
@g.s.3389 1 year ago
How did you enable the NTP server on your router? Might have missed that in your previous videos.
@TallPaulTech 1 year ago
I never did a video on that. Maybe one day
@bnk28zfp 7 months ago
Can we do the same for waze cam???
@auzzierocks 1 year ago
Usually the main risk is IT departments that don't install security updates on cameras
@drumitar 1 year ago
Nice video, I need to go over ip tables again :>
@TallPaulTech 1 year ago
Go straight to nftables, not iptables
@nopus1 7 months ago
It looks like all governments in the world happily delegated their obligations to China 🙂
@hafo821 1 year ago
I prefer having separate VLAN on OpenWrt this device, just for this purpose, also without outside access.
@dw8673 1 year ago
Hi, Paul. Where did you get this diagram?
@TallPaulTech 1 year ago
I don't remember. It was a long time ago
@dw8673 1 year ago
@TallPaulTech I see, thanks. I like your videos. Keep it up :-)
@AndrewAHayes 1 year ago
UK Gov and the UK NHS were still using some Windows XP and Windows NT machines with no password and some with Pa55w0rd$ as the password as recently as 2021, these stopped being updated by Microsoft when God's dog was a pup, the only reason I can see for this is if they have some software that is XP only, but why this is not running on VMs within a secure environment is beyond me, who is running their systems? Mickey Mouse?
@TallPaulTech 1 year ago
Exactly! ..and see my other video I just did on this.
@ArclampSDR 1 year ago
most TVs have more sus network traffic than this thing
@AnthonyWilliamson 1 year ago
Nice Rode microphone I see.
@tld8102 1 year ago
😂sky news… fear mongering.
@seanwilkinson2291 1 year ago
Besides the obvious national security threat of the CCP installing undocumented features, there are a lot of grey market cameras out there with questionable firmware. For instance I have the Chinese region Hikvision cameras which were modified after coming out of the factory to have English menus, these cameras were then flipped on ebay for a low price and they arrived on my doorstep. Who knows what else the firmware does? The fact is I don't care, they are on an isolated vlan/subnet and my NVR can pull an RTSP stream. I think the threat these cameras present to large campuses and enterprise networks is, in the absence of NAC on the access layer and with huge firewall rulesets, who knows if that camera/cameras are really isolated? Did they get plugged into the right vlan? Will they stay on the right vlan? Did the 'SNR Network engineer' do his job properly?
@TallPaulTech 1 year ago
That's the annoying thing though... those big places should know how to do networks right with at least a zoned off VLAN. You did make me laugh at the 'senior network engineer' bit though... you obviously know my opinion of many of them