Are Chinese cameras secure?

A friend of mine gave me a Chinese cam he couldn't get working with his software. I put a sniffer on it and sure enough the first thing it did was reach out to some Chinese address. So if you set it up make sure you check it for and block outbound traffic.
 
mikefamig said:
Also if I block outgoing traffic will I still be able to view the camera from outside the firewall?
 
If you use something like Blue Iris or some other camera NVR then no it's not an issue, you set your firewall up to port forward the Blue Iris server and you are done. 
 
batwater said:
If you use something like Blue Iris or some other camera NVR then no it's not an issue, you set your firewall up to port forward the Blue Iris server and you are done. 
OK so then I should be able to just delete the gateway address from the cameras and access them with BI?
 
mikefamig said:
OK so then I should be able to just delete the gateway address from the cameras and access them with BI?
 
I'm not sure I understand your statement about deleting the gateway address from the camera but yes you would access the cameras via Blue Iris instead of going directly to each camera. 
 
batwater said:
I'm not sure I understand your statement about deleting the gateway address from the camera but yes you would access the cameras via Blue Iris instead of going directly to each camera. 
The camera needs the gateway address and dns servers to get out and address anything outside the LAN and I read that you can simply delete the gateway address in the camera to defeat outgoing traffic.
 
Mike.
 
Many utilize Chinese DNS/NTP entries by default which you can change.  Some have WAN IPs embedded in the firmware which you cannot remove rather just block on your firewall.
 
That said there has been chit chat about the purchase of these cameras from a domestic versus international vendor and these are supposed to have clean firmware on them.
 
What is mentioned above is not to let the camera access the internet via any open ports on your firewall and redirect the output to the BI software program.  Here you would proactively firewall block the IP on your camera on the firewall and use BI to view your camera from the internet.
 
I think I understand now
 
I see in my router where I can block a "service". It looks like you just give it a custom name and a port number and the router blocks all traffic on that port. Assign that port to the camera and done.
 
Mike.
 
Regarding suspicious firmware -
 
Here is the camera that I bought on Ebay. The seller assured me that it is US firmware and able to take firmware upgrades but who knows.
 
https://www.ebay.com/itm/Hikvision-DS-2CD2142FWD-IWS-4MP-WDR-WIFI-IR-POE-IP-surveillance-Camera-outside/162175455757?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649
 
I like that this cam is so versatile. It is indoor/outdoor, wired or wifi and 128GB onboard sd card and a bargain. I figured it is a good cam to learn on.
 
Mike.
 
mikefamig said:
The camera needs the gateway address and dns servers to get out and address anything outside the LAN and I read that you can simply delete the gateway address in the camera to defeat outgoing traffic.
 
Mike.
 
Ah, understood, was missing the context. The gateway and DNS settings on all of my devices point to my router, this is how it should be. The router then controls what DNS is utilized. In my case I've switched over to CloudFlare's 1.1.1.1 and 1.0.0.1. This is another reason to have your own router for your network as opposed to relying on the device given to you by the internet provider. You can control what DNS is used.
 
Technically, yes - removing the gateway address should effectively prevent the camera from knowing how to get outside of the LAN - so only BI could talk to it, but it couldn't call home. Home routers don't make it easy to do allow/deny rules the same way as business routers would - but an allow to the RTSP port and a Deny everything else would be the ideal way to go. A lot of people even like to do separate VLANs for these devices with questionable firmware.
 
This is one of the many reasons I switched over to using PFSense many years ago and before that used Smoothwall.
 
DNS hijacking
 
DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

These modifications may be made for malicious purposes such as phishing, or for self-serving purposes by Internet service providers (ISPs) and public/router-based online DNS server providers to direct users' web traffic to the ISP's own web servers where advertisements can be served, statistics collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.

 
Today on the Comcast all in one box (modem, router, firewall, switch and WAP) Comcast allows for public WLAN access (with CC account) to one radio built in to their combo boxes.  These days you cannot change that.
 
Today I am using a global Geoblocking PFSense plugin from Maxmind. 
 
Works great.
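
An added example, not part of any post in this thread: a small Python audit of flow records that flags traffic breaking the "allow the NVR to the RTSP port, deny everything else" policy discussed above. The LAN range, the camera and Blue Iris addresses and the sample flow lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed addressing for illustration; substitute your own.
LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERAS = {ipaddress.ip_address("192.168.1.64")}
NVR = ipaddress.ip_address("192.168.1.10")   # Blue Iris server
RTSP = ("tcp", 554)

# Constructed flow records "src dst proto dport"; WAN addresses are
# from the documentation ranges, not real observations.
SAMPLE_FLOWS = """\
192.168.1.10 192.168.1.64 tcp 554
192.168.1.64 203.0.113.7 udp 123
192.168.1.64 198.51.100.20 tcp 443
192.168.1.64 192.168.1.1 udp 53
203.0.113.99 192.168.1.64 tcp 80
192.168.1.23 192.168.1.64 tcp 80
192.168.1.64 203.0.113.7 udp 123
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   parts[2].lower(), int(parts[3]))
        except ValueError:
            continue

def audit(text, lan=LAN, cameras=CAMERAS, nvr=NVR):
    """Count flows that break 'NVR-to-camera RTSP only, deny everything else'."""
    findings = Counter()
    for src, dst, proto, dport in parse_flows(text):
        if src in cameras and dst not in lan:
            kind = "camera-to-wan"        # camera calling out past the router
        elif dst in cameras and src not in lan:
            kind = "wan-to-camera"        # camera reachable from outside
        elif dst in cameras and (src != nvr or (proto, dport) != RTSP):
            kind = "lan-non-nvr"          # LAN host other than the NVR, or non-RTSP
        else:
            continue
        findings[(kind, str(src), str(dst), proto, dport)] += 1
    return findings

if __name__ == "__main__":
    for key, count in sorted(audit(SAMPLE_FLOWS).items()):
        print(count, *key)
```

Each "camera-to-wan" destination is a candidate for a firewall block rule; the camera's DNS query to the router stays unflagged because it never leaves the LAN.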
 