Closing up the holes of “security” cameras

I recently had the good fortune of my smartphone dying just as another “security” camera arrived for me to test. I was debating about how to go about it for this one, as it appeared, like most I’ve seen, to require an app to set up. That’s why I prefer to call them “surveillance” cameras: China, where most of the cameras are made, may well be surveilling you if you use them—whether via the app you use to set it up, or the camera’s factory-installed firmware.

Today I found a Reddit thread on reviewing security cameras that had a helpful suggestion to evaluate a camera: using an ONVIF app like Onvier.

I decided to look for a similar desktop app for Windows, and found there’s one called ODM, or ONVIF Device Manager, on SourceForge.

Finally, I looked in some reviews for a particular camera I found on Amazon and noticed some cautionary comments with good advice (emphasis added):

After setup, I run a packet capture on the device to see who it is trying to connect to. This device was trying to connect to amcrestview.com which is hosted on Amazon. I found no other external connection attempts.

All of the IP cameras I have owned called home in some way. This is true of cameras that have no cloud features. The Chinese cameras tend to reach out to China, which I don’t like. There are many, many examples of IoT devices being hacked and sending all your data somewhere and spying on the unsuspecting. I protect against this by ensuring that my IoT devices cannot connect outbound to the internet and by using Geo-IP to blacklist addresses hosted in most foreign countries. Amcrest devices periodically connect to the Amazon cloud. I’m not a fan of that either, but it’s what you have to do if you want the cloud features such as mobile app for remote management and viewing. There are ways to get remote management and viewing without using their cloud, but it requires network configuration that most people can’t accomplish. Review page on Amazon

Standard babycams want you to use your phone and their intrusive app to log into the built-in Wireless Access Point in the babycam. Then you log the babycam into your home network, then you access the company’s servers, then you open an account, and eventually, if you’re lucky, you can see your camera on your network. But only by punching a hole in your local network so that all of China can see your camera, too. My friends, there’s a better way.

I used a spare power wart to power the camera since my configuration won’t allow for Power Over Ethernet. I accessed the camera over my wired network and set it up with no problems. Then I attached the wired RJ45 network port to an Iogear wireless dongle (which turns wired devices into wireless devices under your complete control, available here on Amazon). Of course, in my router I blacklisted the MAC addresses for both the camera and the wireless dongle from accessing the internet, so that they’re restricted to my LAN only. Voilà – I now have a superb babycam that will never be a network security risk, and our friends in the CCP will never spy on my sleeping granddaughter. Review page on Amazon

Amcrest is an American company but these cameras are made by companies in China that often are closely tied to the Chinese government. So I would advise using a firewall to prevent the cameras from accessing the internet. And use an NVR or NVR software like Blue Iris to view the video from cameras. Review page on Amazon

For my part, I have two surveillance cameras that can be used totally offline without ever using an app or connecting to a network. One of them doesn’t have any wireless or ethernet built in, and the other’s wireless can be turned off with a hardware switch putting it into a standalone mode. But that means you have to physically go to the camera to retrieve footage, and if someone steals the camera, you’re out of luck.

So I think advice like that above–using independent apps not provided by the camera seller or manufacturer, and doing as much as possible to cut off all of their access to anything outside of your home network–is a good start.
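
As an added example (not from the reviews quoted above or from any camera vendor), here is one way to check a capture like the one the first reviewer describes: the Python below reads `tcpdump -n` text output and lists every non-LAN destination a camera sent packets to, plus the DNS names it asked for. The capture lines, the camera address 192.168.1.50 and the 192.168.1.0/24 LAN are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output; 192.168.1.50 is a hypothetical camera.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.50.41000 > 192.168.1.1.53: 4660+ A? amcrestview.com. (33)
12:00:01.020000 IP 192.168.1.1.53 > 192.168.1.50.41000: 4660 1/0/0 A 203.0.113.10 (49)
12:00:01.050000 IP 192.168.1.50.41001 > 203.0.113.10.443: Flags [S], seq 1, win 29200, length 0
12:00:02.050000 IP 192.168.1.50.41001 > 203.0.113.10.443: Flags [S], seq 1, win 29200, length 0
12:00:03.000000 IP 192.168.1.50.554 > 192.168.1.20.50122: Flags [P.], seq 1:1449, ack 1, length 1448
12:00:04.000000 IP 192.168.1.50.123 > 198.51.100.7.123: NTPv4, Client, length 48
12:00:05.000000 IP 192.168.1.20.50300 > 192.168.1.50.80: Flags [S], seq 9, win 64240, length 0
12:00:06.000000 IP 192.168.1.50.3702 > 239.255.255.250.3702: UDP, length 900
"""

# "IP src.sport > dst.dport: rest" as printed by tcpdump for IPv4 TCP/UDP packets.
PACKET = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")
DNS_QUERY = re.compile(r"\b(?:A|AAAA)\? (\S+)")


def outbound_report(capture, camera_ip, lan_cidr):
    """Return (external (ip, port) -> packet count, DNS names queried) for one camera."""
    lan = ipaddress.ip_network(lan_cidr)
    external, names = Counter(), set()
    for line in capture.splitlines():
        m = PACKET.search(line)
        if not m or m.group(1) != camera_ip:
            continue  # only packets the camera itself sent
        dst, dport, rest = ipaddress.ip_address(m.group(3)), int(m.group(4)), m.group(5)
        if dport == 53:
            q = DNS_QUERY.search(rest)
            if q:
                names.add(q.group(1).rstrip("."))  # what the camera tried to resolve
        if dst in lan or dst.is_multicast or str(dst) == "255.255.255.255":
            continue  # LAN unicast, ONVIF discovery multicast and broadcast stay local
        external[(str(dst), dport)] += 1
    return external, names


if __name__ == "__main__":
    ext, names = outbound_report(SAMPLE_CAPTURE, "192.168.1.50", "192.168.1.0/24")
    print("DNS names queried:", sorted(names))
    for (ip, port), count in sorted(ext.items()):
        print(f"external destination {ip}:{port}  packets={count}")
```

Repeated SYN packets to the same external address with no replies in the capture are what a working router block looks like; an empty external list after a day of capture means the camera is staying on the LAN.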
