Keeping HikVision Cameras Secure

Science and Technology

I just wish people wouldn't get so dramatic about issues that have simple fixes.

Comments: 62

  • @AdrianPatten · 1 year ago

    So good to see someone who understands these. Most Electricians/Data cablers/Handymen and even Security companies will just whack these in and let them go without turning off all the features. (As you have shown) These days it's all about getting that footage onto your iPhone via "the cloud". CCTV needs to be kept in-house and well away from the web. -Another great video! Thank you.

  • @TallPaulTech · 1 year ago

    Me and Mr 'Cloud' often come to blows

  • @tcpnetworks · 1 year ago

    @TallPaulTech I hear 'cloud' as 'somebody else's computer.' It's a horror-show of vulnerabilities. Just waiting for a hack on our stuff - and a knee-jerk back to on-prem - where stuff is safer.

  • @Ryan-xx1zh · 1 year ago

    Love your vids man, even with my basic ish understanding of networking you always explain in a way that makes sense and gives me a more broad range of knowledge for stuff you can do with networking, cheers from NZ.

  • @TallPaulTech · 1 year ago

    Cheers

  • @notathome13 · 1 year ago

    Follow the money and the companies they believe are “trusted” providers. Suddenly Axis and motofalure camera sales go through the roof. Hikvision kit works well but like all vendors you need to separate your networks.

  • @FredrikRambris · 1 year ago

    Just found this channel and am loving it. You don't explain EVERYTHING but rather expect the viewer to have some network and Linux knowledge.

  • @TallPaulTech · 1 year ago

    I'm not here to lick stamps or fuck spiders!

  • @JonathanSwiftUK · 10 months ago

    Most people don't have the knowledge and skills to do PEN testing, security hardening, VLANs, etc., on their home network. Eufy's cameras uploaded video and photos to the cloud without consent, and their cameras were accessible externally with encryption or authentication. When I put my cameras in they will be ethernet only, no cloud or restricted to connect only to that address, no remote access to the cameras, perhaps just use a synology or qnap and do it yourself.

  • @pquodling · 1 year ago

    So, time to contact government departments and offer to buy their scrapped cameras for 2c on the dollar

  • @eliotmansfield · 1 year ago

    Allowing dns outbound, even via your own dns server could still allow it to make seemingly innocent dns requests outbound to exfiltrate some information outbound. Going even more tinfoil hat, they could pass the password out via an encoded dns request by crafting a specific dns response that triggers a hidden piece of code inside the camera for example - so it all looks innocent, but they could wake up functions via specific dns responses.

  • @TallPaulTech · 1 year ago

    I'm going to guess that you've also heard of iodine ;)

  • @Akshun82 · 1 year ago

    I've had a good run with Reolink which are ONVIF compatible (most models) and first thing I did was disable DDNS and UPnP. Have a macOS Mojave VM just for SecuritySpy which is an amazing bit of software for CCTV.

  • @TallPaulTech · 1 year ago

    KZread held that comment of yours for review... for some reason that nobody will ever know. What are they scared of?!

  • @tcpnetworks · 1 year ago

    We had hundreds of these cameras - on a completely separate VRF, on a completely separate firewall zone - nothing available to any camera. We monitor the firewall zone constantly. Nothing gets transmitted, let alone try to get through.

  • @TallPaulTech · 1 year ago

    Perfect

  • @netbootdisk · 1 year ago

    Same here. 100's of cameras across multiple sites. Zero attempts on firewall logs.

  • @tcpnetworks · 1 year ago

    @TallPaulTech Still have to pull the buggers out though.... Avigilon cams are now the norm.

  • @tcpnetworks · 1 year ago

    @TallPaulTech Yet - still changing them to Avigilon.

  • @FuzzThePiGuy · 1 year ago

    I stopped using PoE cameras. I was getting a lot of interference around 144MHz range. I had the interference on 4 different brands. I unplugged the cameras from the NVR and the noise went away. I even tried Cat6 shielded cable and it didn’t make a difference. Moved to HD analog cameras and no more interference.

  • @MicheIIePucca · 4 months ago

    Great video! Any IoT device that comes out of China should be a concern for anyone. It's too bad that home wifi access points/routers don't all have the ability to separate IoT devices with VLANs. Btw, I love Hikvision cameras, and have many of them.

  • @Mike-01234 · 9 months ago

    Every security camera is made in China. The problem I have with Hikvision is that they continue to hang on to using IE11 with ActiveX; both were discontinued years ago. The larger HD cameras were amazing quality, but the interface was terrible. Downloading video clips didn't work, it just failed to download, and I had to do all kinds of workarounds. IE11 running as an extension, then that quit working also. I moved on to Amcrest cameras, just a lot easier to work with.

  • @netbootdisk · 1 year ago

    I'd be more worried about an attack vector from the HikVision mobile app (even if connecting behind a VPN) or the iVMS remote software (that requires administrator rights to run!) - than the actual cameras themselves.

  • @TallPaulTech · 1 year ago

    That's a bloody good point. That's why I don't tend to use phone apps... or a phone much at all

  • @kezzkezzkezz · 1 year ago

    Look into using Frigate

  • @TallPaulTech · 1 year ago

    Holy shit, that looks alright. I might just have to do that

  • @LesterBurnham_au · 1 year ago

    I’ve just started playing with Frigate also using 1 of 5 HiLook/Hikvision cameras and it is very good. Waiting for the price of the Coral tpu to come down again, before I add more cameras to HA. The config file gives me a headache though 🙄

  • @aronlichtman · 1 year ago

    You can use the SADP tool to find the IP address from the camera

  • @peter65zzfdfh · 1 year ago

    For a home locking down their outbound access is probably enough. If you’re at the level of nation state espionage you need to start physically inspecting hardware for transmitters etc that could exfiltrate data locally to an asset nearby, internet or no internet. The kind of crafty shit you can do with a big enough incentive and the ability to manufacture hardware is limitless. Any cameras I have inside are physically disconnected from power when at home.

  • @drumitar · 1 year ago

    Nice video, I need to go over iptables again :>

  • @TallPaulTech · 1 year ago

    Go straight to nftables, not iptables

  • @g.s.3389 · 1 year ago

    How did you enable the NTP server on your router? Might have missed that in your previous videos.

  • @TallPaulTech · 1 year ago

    I never did a video on that. Maybe one day

  • @bnk28zfp · 8 months ago

    Can we do the same for waze cam???

  • @auzzierocks · 1 year ago

    Usually the main risk is IT departments that don't install security updates on cameras

  • @nopus1 · 8 months ago

    It looks like all governments in the world happily delegated their obligations to China 🙂

  • @AndrewAHayes · 1 year ago

    UK Gov and the UK NHS were still using some Windows XP and Windows NT machines with no password and some with Pa55w0rd$ as the password as recently as 2021. These stopped being updated by Microsoft when God's dog was a pup. The only reason I can see for this is if they have some software that is XP only, but why this is not running on VMs within a secure environment is beyond me. Who is running their systems? Mickey Mouse?

  • @TallPaulTech · 1 year ago

    Exactly! ..and see my other video I just did on this.

  • @hafo821 · 1 year ago

    I prefer having separate VLAN on OpenWrt this device, just for this purpose, also without outside access.

  • @dw8673 · 1 year ago

    Hi, Paul. Where did you get that diagram from?

  • @TallPaulTech · 1 year ago

    I don't remember. It was a long time ago

  • @dw8673 · 1 year ago

    @TallPaulTech I see, thanks. I like your videos. Keep it up :-)

  • @ArclampSDR · 1 year ago

    most TVs have more sus network traffic than this thing

  • @AnthonyWilliamson · 1 year ago

    Nice Rode microphone I see.

  • @seanwilkinson2291 · 1 year ago

    Besides the obvious national security threat of the CCP installing undocumented features, there are a lot of grey market cameras out there with questionable firmware. For instance I have the Chinese region Hikvision cameras which were modified after coming out of the factory to have English menus; these cameras were then flipped on eBay for a low price and they arrived on my doorstep. Who knows what else the firmware does? The fact is I don't care, they are on an isolated vlan/subnet and my NVR can pull an RTSP stream. I think the threat these cameras present to large campuses and enterprise networks is, in the absence of NAC on the access layer and with huge firewall rulesets, who knows if that camera/cameras are really isolated? Did they get plugged into the right vlan? Will they stay on the right vlan? Did the 'SNR Network engineer' do his job properly?

  • @TallPaulTech · 1 year ago

    That's the annoying thing though... those big places should know how to do networks right with at least a zoned off VLAN. You did make me laugh at the 'senior network engineer' bit though... you obviously know my opinion of many of them

  • @tld8102 · 1 year ago

    😂sky news… fear mongering.
