IP camera solution

[lunar]

Having experience in this field, I will give my two cents. Others have already touched on some points here.

First off, WIFI and cameras generally don't mix. This is not recommended. You can do it, but you shouldn't. Standard 802.3 POE is ideal. Be careful, some devices don't follow the standard and run passive POE (12 or 24 volts). Same goes for ONVIF. If you want to avoid vendor lock-in you should get cameras that A) Use ONVIF and / or B) publish the camera stream RTSP paths in the user manual. This means no Nest cameras that will be unusable in 5-10 years.

1) What I do is have the camera recording server on its own private LAN, but it also has access to the main LAN. Cameras are put in the private LAN that has no internet access. This obviates the need for #5. Assume all small embedded computers (cameras in this case) are backdoored. Do not give them internet access. Even if they aren't (backdoored), they aren't upgradeable, and are vulnerable to being exploited.
2) It is accessible on the LAN. See #1. Setup a VPN if you need remote access.
3/4) I personally use Zoneminder but there are other options. I would recommend you also look into Kerberos.io, iSpy, and Bluecherry DVR (not necessarily in that order). For 1 or 2 cameras, you can use an RPI. For more cameras, you will want an x86 motherboard. For large deployments, a modern x86 server motherboard.

I don't recommend building your own camera. Most people in home security want a tool, not a project. This is especially relevant if it is an outdoor camera.

A question like this is best asked on a CCTV forum.

GNU\Linux experience helps in a project like this, as you will have a better understanding of the IT infrastructure / requirements.

[soldar]

I had a quick look at Zoneminder (Linux only) and the installation seems more complicated than I am willing to go. My Linux Mint system could not install it without much trouble. Maybe I will try again some other day. Still, it does not inspire much confidence that the PPA is maintained by single guy out of his kitchen.

Onvif Device Tool (Linux only) works very well for me in that it will discover Onvif devices connected to the network and will log in and give you all sorts of info. It manages to log into my cameras and get the video stream even though I have not given it the camera password. I guess the cameras have backdoor passwords. This is mainly a diagnostic tool and does not record. It is the best tool I have for setting things up.

Different programs seem to encounter different problems. I have successfully used iSpy (Windows) in the past and I found it useful but right now I cannot get it to connect to my test camera even when I give it the IP address and all the parameters. Something is wrong. A good thing about iSpy is that it can use local USB webcams as well as IP cameras.

BTW, I tried installing this Firefox add-on to view the camera directly in the browser but it will not work for me. I would be interested if someone can help me get it to work,

For 24/7 use I recommend a stand-alone network video recorder. It is more stable, more independent and uses much less power. I do not want to have the NVR running on a computer that I am also using for other things.

I have had many people ask me about surveillance cameras in real life. Many only have the vaguest of ideas of what they want and as soon as I ask them a few questions they drop the whole thing. You are not just "buying a camera"; you need to know what you want first. Do you want to monitor and record the outside of your house? Or the bedroom and living room? Do you need or want audio? What are the lighting conditions?

It is one thing if you just want to be able to see the front yard from your computer in the back of the house while you are working. No real security so you can set it up with wifi as it does not matter really if it loses the connection now and then.

A very different situation is if you want reliable 24/7 monitoring and recording of a camera.

And what turns most people back is telling them they need to install power and Ethernet at each camera location. I have wifi cameras which I can use for tests to best locate cameras but any real security system should not use wifi.

[akis]

Thanks for taking the effort to post some great comments and ideas. WiFi easily hacked. External camera taken down to gain entry to network. Sounds like a scene from Mission Impossible.

As this system is intended for my usually vacated summer house, I will not install ethernet cabling. Instead I will place a few cameras here and there, on table tops, powered by the nearest mains socket.

For the NVR/laptop I am trying to understand why not use SSDs instead of special spinning disks for continuous writing.

[Jeroen3]

I can recommend you Dahua camera's. They are remarkably well made for their price and origin. They even have some fancy dynamic contrast and HDR-like features that increase visibility in shots where there is dark and light, or bright sunlight.
I've installed these cheap additional camera's at my parents, one Dahua dome camera for the driveway with POE, and a wireless bullet camera for the backyard.

DH-IPC-HDBW1320EP-028B
DH-IPC-HFW1235SP-W-028B
Both try not to access the internet by themselves. Any backdoors I am not aware, but it is your duty to make sure the internet can't reach them over your WiFi.

There are a foscam I didn't pick, but see for yourself in the attachment. Guess the foscam. This is about 60 days uptime.

Wireless really isn't intended for this. You need constant 4 Mbit throughput for one good 10 fps 3 megapixel camera.
If you do not have better than -65 dbBm, the 802.11 rate goes down and the airtime goes up. This really loads your WiFi, and you should use a separate radio. Or you have to reduce video quality, that makes the entire purpose of the camera questionable.
You should also use a separate SSID/WPA so any normal WiFi clients cannot intentionally malform the camera packets.

BTW, I tried installing this Firefox add-on to view the camera directly in the browser but it will not work for me. I would be interested if someone can help me get it to work,

You still need a VM with an old version of Internet Explorer (that never updates) to configure/view basically any cheap IP camera, due to plugins or Java, but when you see that Axis asks for their stuff. You will accept that.

[soldar]

BTW, I tried installing this Firefox add-on to view the camera directly in the browser but it will not work for me. I would be interested if someone can help me get it to work,

You still need a VM with an old version of Internet Explorer (that never updates) to configure/view basically any cheap IP camera, due to plugins or Java, but when you see that Axis asks for their stuff. You will accept that.

Well, it is a Linux machine so no IE there. I do not see how or why IE would be needed to view what is basically a standard video stream.

I found another way of doing it because, in Linux, Mint Media Player and VLC media player will both play the streaming video directly. Any of them will open the camera video stream with the correct parameters in the address:

Code: [Select]

rtsp://192.168.42.143:554/user=admin_password=neZ3wSSM_channel=1_stream=0.sdp?real_stream That allows me to have a real time video window on the desktop although it will not record.

[soldar]

As this system is intended for my usually vacated summer house, I will not install ethernet cabling. Instead I will place a few cameras here and there, on table tops, powered by the nearest mains socket.

If the house is empty it would make more sense to just lay some ethernet cable and collect it away when you return. As has been said, wifi might not be able to carry the load and is extremely easy to disrupt. It would take anyone less than a minute to stand outside a house and cripple all wifi communications.

I am not quite sure of your aim. You want to record how many months and how many cameras?

Your aim is just to have a recording of the break-in? Not to prevent it? Because you might find that the first thing they steal is the cameras and the computer or recorder.

You can get cameras that record in their own built-in memory card.

Indoors with blinds closed you could have a motion detection alarm but outside or with open windows that will not work.

If you are looking to be notified in case of a break-in I would suggest you use a PIR motion detector that sends you a notification over the internet. Much simpler, much cheaper, much more reliable.

For the NVR/laptop I am trying to understand why not use SSDs instead of special spinning disks for continuous writing.

I do not see where anybody said not to use SSD. The thing with using a computer is that the chances of it crashing or hanging are much greater than a dedicated recorder. In case of power out a recorder will start up with no problem. You can get a computer to do that but a dedicated recorder is always going to work better and will probably pay for itself just in energy savings.

[akis]

ieGeek cameras arrived today. https://www.amazon.co.uk/gp/product/B07JZCYKVC

Now to make them work, connected them to the Ethernet and they got an IP address from the router.

I downloaded an NVR Windows server, "iSpy". It claims it can connect to most cameras on the market. Well, it cannot connect to the ieGeeks... No auto-detection, nothing.

I downloaded ONVIF Device Manager - it immediately saw my camera and connected to it. I got a live feed and can pan/tilt! I also installed VLC, again, no issues at all "seeing" the camera. it seems "iSpy" is being retarded.

So onwards for the next Windows NVR server...
 

[akis]

" The thing with using a computer is that the chances of it crashing or hanging are much greater than a dedicated recorder. "

Yes but before I buy any more hardware I would like to experiment a bit first, to learn what it is that I need.

[soldar]

it seems "iSpy" is being retarded.

You know, I could swear it worked well for me in the past but now I am running into the same problems you are. I'll see if I can find some notes.

Yes but before I buy any more hardware I would like to experiment a bit first, to learn what it is that I need.

Very good idea.

[Red Squirrel]

Nothing wrong with using a computer but make sure it's dedicated, ex: a server in a rack, tucked away in a secure place of the house.  Not just a laptop lying on a table that also gets used for web surfing.   A VM works too but then you're putting lot of strain on your NAS/SAN, a dedicated box with it's own raid is probably more ideal but a VM for testing is fine.

[akis]

I just returned a couple of ieGeek cameras: no onboard web server, PC application does not work, you got to do everything on the phone. They do support ONVIF but only for video and pan/tilt, not for configuration. However video was very clear in light and in dark and the camera panned and tilted quickly and quietly. I think it is the firmware/software that lets these cameras down.

Onwards looking for a better camera.

[ptricks]

Depending on how secure you want to be I wouldn't recommend wifi  or any type of wireless for security. I don't even recommend installing home security systems that are not wired to the sensors after seeing  how easy it is to buy a  wide spectrum jamming device that essentially disrupts everything from wireless door sensors to wifi.
Wired is definitely more work, especially in home security systems, but it is definitely more reliable and very hard to circumvent if done correctly.
For external POE devices you can get inline devices that will detect if a device is removed from the network and trigger alarms should someone tamper with an external cable.

[soldar]

I just returned a couple of ieGeek cameras: no onboard web server, PC application does not work, you got to do everything on the phone. They do support ONVIF but only for video and pan/tilt, not for configuration. However video was very clear in light and in dark and the camera panned and tilted quickly and quietly. I think it is the firmware/software that lets these cameras down.

I find this very surprising. Are you sure? What model?

My cameras are old, the cheapest of the cheap, and all have better capabilities. I suspect you might have missed something. What model camera?

[akis]

ieGeek / Sricam

http://www.sricam.com/product/id/66e005d40593482ca14957fe87562952.html

It is geared towards using from a phone from users that do not have PCs and/or do not know how to set up local control and recording, that is why it is lacking an onboard web server and the proprietary PC application is a joke (does not work).

I was hoping to get a camera that would support a "standard" protocol for control, video and monitoring so it could be used from third party / open-source apps.

I have now bought 2 Foscams to try, https://www.amazon.co.uk/gp/product/B07RP9JKCD

Will let you know how they fare.

[Red Squirrel]

I just returned a couple of ieGeek cameras: no onboard web server, PC application does not work, you got to do everything on the phone. They do support ONVIF but only for video and pan/tilt, not for configuration. However video was very clear in light and in dark and the camera panned and tilted quickly and quietly. I think it is the firmware/software that lets these cameras down.

Onwards looking for a better camera.

That's the frustrating part of home security cameras now, so many proprietary gimmicks that have to be tied to a phone.  I hate this trend of everything relying on a phone and app... and an account. 

I have not fully researched myself yet, but this one looks decent: https://www.memoryexpress.com/Products/MX72802

[soldar]

That's the frustrating part of home security cameras now, so many proprietary gimmicks that have to be tied to a phone.  I hate this trend of everything relying on a phone and app... and an account. 

They are different products for different markets. If you don't do your research and, as a result, buy the wrong product for your needs that does not mean there is anything wrong with the product. Many people like the convenience of plugging in the camera and having the camera app on their phone.

It is not only with security cameras but with everything else many people are moving away from computers and only use their phones even if it means giving up capabilities.

I have not fully researched myself yet, but this one looks decent: https://www.memoryexpress.com/Products/MX72802

It better be good. That's about ten times the price I have paid for any of my similar 720p cams.

[akis]

While waiting for the new cams to arrive, I am using a VirtualBox to install and test and experiment with NVR software.

I installed iSpy which looks to be absolutely great, unfortunately to use its Web Server capability you must take out a subscription (even though the web server is running on your server...).

Would you be able to suggest an open-source NVR that does not need paid subscription? I do not need any DDNS, or remote servers, I can host everything on my premises, I mostly need the NVR stuff (alerts, motion detection, emails, recording, compressing, etc).

[soldar]

I installed iSpy which looks to be absolutely great, unfortunately to use its Web Server capability you must take out a subscription (even though the web server is running on your server...).

The reason for this has been explained. Internet servers help establish the direct connection between both end points.

Would you be able to suggest an open-source NVR that does not need paid subscription?

The cameras I am using use free servers in China (xmeye.net). As I said, they are full of vulnerabilities. Of course, I do not need that if I am accessing from the same LAN so, as has been suggested, you can VPN into your LAN and then you do not need any external servers to set up the connection.

Most people want to buy something they can use out of the box and only a tiny minority would want to design a more complex system.

All these IP addresses are usually hard coded in the firmware so I do not think it is easy to alter or adapt. You can just isolate the LAN from the internet and then VPN into the LAN.

[NiHaoMike]

The reason for this has been explained. Internet servers help establish the direct connection between both end points.

That's what dynamic DNS does, and there are many free dynamic DNS services out there. It also apparently could be done using Tor and eliminate the use of the cloud altogether, which, to my understanding, does not even involve the scarce exit nodes since both ends would be inside the Tor network.

[Mr. Scram]

That's the frustrating part of home security cameras now, so many proprietary gimmicks that have to be tied to a phone.  I hate this trend of everything relying on a phone and app... and an account. 

I have not fully researched myself yet, but this one looks decent: https://www.memoryexpress.com/Products/MX72802

It's gotten so bad manufacturers don't even inform you about requiring an account any more. You have to buy a product to find out you're required to go through their servers to begin using it. It's annoying this is true even for products that don't inherently require external network access.

[Red Squirrel]

That's the frustrating part of home security cameras now, so many proprietary gimmicks that have to be tied to a phone.  I hate this trend of everything relying on a phone and app... and an account. 

I have not fully researched myself yet, but this one looks decent: https://www.memoryexpress.com/Products/MX72802

It's gotten so bad manufacturers don't even inform you about requiring an account any more. You have to buy a product to find out you're required to go through their servers to begin using it. It's annoying this is true even for products that don't inherently require external network access.

That's the thing that annoys me too.  Had to go through all that just to be able to use my DJI Phantom drone.  Same with my Gopro.  Heck the other day I saw a blutooth hair straightener!  not that I need that myself just saw an article on one that of course had a security flaw.   This whole connected BS is getting out of hand.

[soldar]

This whole connected BS is getting out of hand.

A couple months ago my wife was gifted some device which monitors physical activity and other such stuff, I forget the name (ETA: Fitbit), and she asked me to find out how to use it. I looked it up and found out the first thing it requires is a "free" account. We both agreed to pass on it.  I don't think we want to insult anybody by re-gifting it.

[soldar]

All the cameras that I bought cheaply on eBay were made by XiongMai and have the vulnerabilities disclosed.

There is a second hidden account with the username and password combo of default/tluafed

I tried it and it works. It is hidden and cannot be deleted. Just one of the many vulnerabilities.

https://www.zdnet.com/article/over-nine-million-cameras-and-dvrs-open-to-apts-botnet-herders-and-voyeurs/

Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today.

All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou.

But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top.

Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own.

https://www.helpnetsecurity.com/2018/10/10/vulnerable-xiongmai-cameras/

9 million Xiongmai cameras, DVRs wide open to attack

SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology.

The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

The IDs that allow users to connect to the company’s “XMEye P2P Cloud” and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers and where they are located.

And finally, to top it all, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.

Xiongmai-manufactured devices were among those that were conscripted into Mirai IoT botnets in 2016, as they offered high-privileged shell access over TCP ports 23 and 9527 using hard-coded credentials.

Xiongmai eventually fixed those vulnerabilities, the researchers say, but they have yet to do so with this latest batch, despite them sharing the information with the company back in March 2018.

With these vulnerabilities unpatched, attackers could find and target exposed devices to perform a wide variety of attacks.

They can spy on users of Xiongmai surveillance products, even listen in on conversations and interact with victims when the devices have a two-way audio intercom. They can “zombify” the devices and make them part of botnets. They can deliver malicious firmware to them. They can gain an initial foothold into a targeted local network.

Nest cam hacked! Family verbally abused through in-home camera
https://youtu.be/qkkIhxEEXGI?t=1

[akis]

OK, but if we assume that all cameras are small computers, running a mini-OS (or maybe, not so "mini"), and this OS is infested with security backdoors and compromises. So we need to have these cameras on a quarantined LAN, or somehow prevent them from accessing the internet.

My latest cameras are the Foscam R2M. They are very good. But the casual approach of the Chinese manufacturers towards security is astounding. I do not know where to start giving examples. In my latest exchange I asked them to allow their web-client application to work in "user" mode rather than requiring "admin" which results in security degradation. Their reply was, verbatim, "It is convenient without admin access but it is  safe with the admin access and you can also set up your own username and password of VMS. "

Translating this he/she probably means

1) "It is inconvenient without admin access"
convenience over security

2) "set your own password of VMS". (VMS is their NVR own application).
It is the damned VMS I am mostly worried about! Asking the wolf to guard the sheep...

They really have no idea about security; they are not malicious, they are like what we were like in the 80s...

[madires]

OK, but if we assume that all cameras are small computers, running a mini-OS (or maybe, not so "mini"), and this OS is infested with security backdoors and compromises. So we need to have these cameras on a quarantined LAN, or somehow prevent them from accessing the internet.

Exactly! Not just IP cams. Put everything IoT in a dedicated LAN segment with a FW. Remote access only via VPN. And stay away from the cloud. It's a security nightmare and we've seen too many cases of e-junk caused by the shutdown of the corresponding cloud services.