235
Matt Brown Digs Deep Into an IP Camera's Firmware — and Finds a Hard-Coded Root Password (www.hackster.io)
submitted 2 months ago by imPastaSyndrome@lemm.ee to c/privacy@lemmy.world
16 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] corroded@lemmy.world 51 points 2 months ago

This is one of several reasons why I keep all my cameras and any other IoT devices on a separate VLAN that has no access to the internet and no access to the rest of my home network. The only bridge is my DVR server, but that's something I can't get around.

Before it was set up this way, I saw a huge amount of requests on my DNS server from the cameras, each one resolving the manufacturer's domain name. It was probably innocuous, but why take the risk? There is absolutely no reason whatsoever that a security camera needs access to anything.

[-] e0qdk@reddthat.com 16 points 2 months ago

There is absolutely no reason whatsoever that a security camera needs access to anything.

NTP is useful to correct clock drift, but otherwise, I'd agree.

[-] kn33@lemmy.world 7 points 2 months ago* (last edited 2 months ago)

That's true, but you could run NTP on the NVR or something. Or just whitelist the NTP server.

[-] haulyard@lemmy.world 4 points 2 months ago

Serious question here as I’ve been debating moving all smart home stuff to either its own vlan (never done this before) or a different wireless network. I’ve got some POE cams that run through Scryoted on my nas to get into homekit. Is this all possible if the NAS is on a different network? Would I then have to move all my HomeKit hub devices (Apple TV, HomePod mini, etc) then also have to move?

[-] TexMexBazooka@lemm.ee 4 points 2 months ago* (last edited 2 months ago)

So, the way you would do this is creating separate VLANs, then using firewall rules to filter what communication is allowed between them.

In my home for example, I use a few smart devices that are controlled over the LAN from your phone. Think like a chrome cast. I would rather those devices be on my IoT network than my main, but they break if devices from my primary network can’t find them.

So I allow only those specific devices to communicate across my VLANs, with other devices (cameras, lights, etc) being dropped at the firewall.

That’s the basics and can be accomplished with any semi-decent router/firewall. If you have any more specific questions regarding what hardware you have available shoot me a message and we can talk through it

[-] sep@lemmy.world 1 points 2 months ago

Depends a bit on the device. But dor many it should be possible if you run a mdns repeater / proxy on the firewall.

[-] TexMexBazooka@lemm.ee 1 points 2 months ago

That’s way over complicating things for what ip is trying to accomplish

[-] Fillicia@sh.itjust.works 2 points 2 months ago

Depending what's you router you can usually open communication between different VLAN for specific ip/port. So let's say your camera use rtsp to send video data to your NVR you could allow for port 554 to be opened between your camera ip and the NVR.

This means that even if someone has access to your camera they couldn't do an ssh (port 22) or http/https (80/443) requests to your internal network.

For PoE cams installed outside, creating a separate VLAN is an absolute must. Otherwise anyone could use the Ethernet cable to access your network and steal your data.

load more comments (10 replies)
this post was submitted on 26 Jul 2024
235 points (99.6% liked)

Privacy

4027 readers
7 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 1 year ago
MODERATORS
iopq@lemmy.world