I wouldn’t necessarily say that cheap cameras become compromised within minutes. However, the support surrounding them is significantly less than for ones that are more expensive, or come from a reputable company. Devices from sketchy rebranding companies (i.e. Foscam) are a lot more vulnerable because they receive less frequent firmware updates, if any, than those from reputable companies. Also, because support is lacking, they’ve designed back doors into the firmware on cheap consumer-based devices to be able to very quickly reset the username/password remotely in the event that the user forgets it. Also, almost any camera purchased from a Chinese company will come with a backdoor already installed.
This isn’t to say they are bad cameras. If one isn’t majorly concerned with privacy, these cameras work great and are simple to connect to and view remotely. Otherwise, if you’re concerned with the possibility of the video stream passing through a remote server, then they should be 100% firewalled off and network separated by VLAN etc., and relay-type software like Zoneminder should be properly installed and properly secured. No matter what, however, the firmware should ALWAYS be updated promptly on any device connected to the internet. PERIOD! Old software vulnerabilities can be used to compromise the device, which in turn gives attackers uninhibited access behind your firewall (router) and access to any device connected to your network!
Read the device instructions, configure it properly, know how to update the firmware on your devices, buy from a reputable US or EU based company, and follow what they recommend in order to secure your devices and network.
No matter the camera or IoT device, throw them in a VLAN without access to hass. Then you can buy a cheap camera and not worry about backdoors; of course you’d have a firewall to deny all outgoing connections from the IoT VLAN.
Cams act as servers that create a site that serves the video feed, rtsp://camip/video1 for example.
The cam does not need to START a web connection to an outside device for the feed to be accessible, since the cam is a web server.
Hass connects to the cam page rtsp://camip/video1 and STARTs streaming video. Any device that connects to this IP can access the video feed.
Not sure if this is GET/POST or whatever, but I think the method is clear.
So with this, you can block the cam from starting an outgoing connection, but any video is still available. The same is true for other IoT devices (like a Broadlink switch), since HA makes a GET request to http://deviceip/status (for example) to get the state or change ON/OFF.
MQTT does not work in this case, since the device must send data to the MQTT server. It also does not work for Alexa or other hub-based devices, since the device connects to an outside 3rd-party server.
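The pull-versus-push distinction in the post above, as an added example that is not part of the original thread: a small Python model of a stateful firewall between an IoT VLAN and the main LAN. The hosts, zones, ports and rules are constructed for illustration; the only thing it demonstrates is why a deny-all-outbound IoT policy still lets hass pull RTSP/HTTP from a cam while an MQTT device needs an explicit hole.

```python
# Added example (not from the thread): a toy stateful firewall between an
# IoT VLAN and the main LAN. Hosts, zones, ports and rules are constructed.
from dataclasses import dataclass
from typing import Optional

ZONE = {"hass": "lan", "mqtt_broker": "lan",
        "cam": "iot", "broadlink": "iot",
        "cloud": "wan"}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"; first match wins

# Policy from the thread: IoT may not start connections anywhere;
# LAN may reach IoT services (RTSP 554, HTTP 80); replies ride on state.
BASE_RULES = [
    Rule("lan", "iot", 554, "allow"),   # hass pulls rtsp://camip/video1
    Rule("lan", "iot", 80, "allow"),    # hass GETs http://deviceip/status
    Rule("iot", "lan", None, "deny"),
    Rule("iot", "wan", None, "deny"),
]
# The one hole an MQTT device needs: IoT -> broker on the LAN, port 1883.
MQTT_ALLOW = [Rule("iot", "lan", 1883, "allow")] + BASE_RULES

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (client, server, port) of accepted sessions

    def new_connection(self, src, dst, port):
        """True if src may open a session to dst:port; records it if so."""
        for r in self.rules:
            if (r.src_zone == ZONE[src] and r.dst_zone == ZONE[dst]
                    and r.dst_port in (None, port)):
                if r.action == "allow":
                    self.state.add((src, dst, port))
                    return True
                return False
        return False   # default deny

    def reply(self, src, dst, port):
        """Reply traffic is allowed only for a session the client opened."""
        return (dst, src, port) in self.state

def evaluate(rules=BASE_RULES):
    fw = Firewall(rules)
    return {
        "rtsp_pull": fw.new_connection("hass", "cam", 554) and fw.reply("cam", "hass", 554),
        "cam_to_cloud": fw.new_connection("cam", "cloud", 443),
        "mqtt_push": fw.new_connection("broadlink", "mqtt_broker", 1883),
    }
```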
But are you sure your cam doesn’t have internet access? Have you configured your router in a way that the ethernet slot the cameras plug into does not have internet access? (I don’t think that’s usually available on standard routers.)
The cameras do not need any port forward/open ports to access internet, they live their own life and can access internet as long as they are connected to a router.
Do you use trusted network in hass?
To be clear, your camera could have access TO the internet even if you don’t have access to it from the outside. The traffic is two way.
Most of the standard brand-name routers have big exploits, even new units still on the shelf. If you feel the network is compromised, reset everything, reinstall software where possible on everything, and rebuild the LAN before connecting to the internet. Basically, expect that everything is compromised.
Hmm, you might be right that my cam has internet access.
But the cam needs an open port to show itself on the internet.
The firmware on its own is just a program that doesn’t change or do anything but provide me with a webpage.
That can only change (and be compromised) if you can reach the cam.
Like I said earlier, not even the app that comes with the cam can reach it when I am not on my own LAN.
@tmjpugh
Yeah, of course I can reinstall all my PCs, reinstall all firmware on cams and reset my router to default, etc.
And I would if I had any kind of suspicion that it was necessary.
But someone with the intention to get into my LAN that way, who wanted to do real harm, stay in my LAN and install stuff in my LAN, wouldn’t start by playing with my lights and probably wouldn’t even go into my HA page manually.
That just wouldn’t make any sense. So I am 99.999% sure that it is unnecessary to do so.
Nope. If I did that then there would be no use for opening my HA up to the internet in my eyes.
The only network I trust is my own. So then I can just close my proxy server (which I did in this case anyway) and stop accessing HA from the outside.
Trusted network doesn’t have anything to do with external access? It’s just a way of letting certain local IPs access hass without a password. Only a fool would set an external IP as “trusted”.
Can’t really figure out what security flaws you may have.
I limit it to the nginx setup, an IoT device that got hacked, or no hack (I know you are 100% sure, but there is always a first time code breaks).
That’s about what I came up with too.
And because it must be that HA just started spontaneously flipping input booleans with variable delays, and that stopped happening as soon (on the second) as I closed down nginx and my router, I can’t get my head to believe that it’s a code hiccup.
I still think there is a weakness in HA somewhere, but that’s just a gut feeling I guess.
Even if my nginx wasn’t set up correctly (and that must be so, because otherwise I must find some logging) they still needed to get past the HA password.
I probably never will find out why or what (unless it happens to others and there are traces left), and HA is changing its way of logging in, so I hope that will make it more secure. Until then I stick with VPN for my mobile and tablet.
Didn’t know that trusted network was meant that way, but I wouldn’t use it anyway.
I apologize if I have offended; this was not my intention. However, I stand firm on what was stated and do not base my statements on fiction. A simple Google and some short reads from major US and Chinese newspapers will confirm my statement, or more technical reads from numerous network security sites will state the same thing…
I was simply stating the importance of firmware and software updates, and how vulnerable cameras are that are not made in the US or EU, and passing on security advice and knowledge.
In the middle of refactoring the auth system, I found that emulated_hue is a problematic component: it starts up an HTTP server without any security settings, and its default config exposes all devices under these domains:
switch
light
group
input_boolean
media_player
fan
So if you use this component, and you have a misconfigured router or proxy, you basically open your home to the world.
If anyone follows this thread, please be aware of that issue, and try NOT to use this component. This component should not be part of HA IMO. If it is useful to some users, it should be running in its own sandbox, serving HTTP to Alexa or Google Home, and calling HA through HA’s official WebSocket API or REST API.
Or the default config of emulated_hue binds the UPnP (SSDP) listener to the multicast address (239.255.255.250), so it can be discovered by others.