[SOLVED] Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

MX-16_fan
Forum Regular
Posts: 958
Joined: Mon Feb 13, 2017 12:09 pm

[SOLVED] Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#1 Post by MX-16_fan » Sat Aug 18, 2018 9:21 am

EDIT:

* Changed second part of heading from "Is USB better?" to "Are USB, Firewire better?"
* Added question relating to Firewire as III) in this original posting.




There have been many discussions about security leaks in Wi-Fi based surveillance cameras. The main (but not the only) problem seems to be that when you connect them directly to an internet-connected Wireless Access Point, you cannot control whether they phone home, or whether they are being intruded via internet, or both.

Currently there seem to be no Wi-Fi surveillance cameras on the market that are based both on open source hardware and on internal Free/Libre Open Source Software (FLOSS).

While I fully understand that the above-mentioned points can lead to little trust in Wi-Fi connected surveillance cameras in general, I don't yet fully understand why some people warn you against Power over Ethernet (PoE) connected cameras, too.

I)
When you connect a PoE camera to a PC, and the latter does the recording job, how could the camera ever find its own way into the internet?

I guess if there is no such way, there's no security issue, however bad the PoE camera's built-in software may be. Correct?

II)
Talking about this, my second question would be whether cameras connected by USB would be any "cleaner" from a dogmatic point of view. (Assuming that USB cable length would be sufficient for your purposes.)

III)
Finally: Would Firewire cameras be safer than PoE cameras, and would they, from a security-oriented point of view, be as good as USB cameras? (I added some research of my own as posting #7, cf. https://forum.mxlinux.org/viewtopic.php ... 44#p459044).


I'd greatly appreciate any answer.

Personally I don't like video surveillance very much. However, it seems as if, while there may be more restrictions against exaggerated and/or non-transparent use in the future, you probably won't 100% remove either private or business video surveillance / alarm systems from everyday life any more.

So if used at all, IMHO only the safest possible, meaning fully user-controllable, components and architectures should be used.


Greetings, Joe
Last edited by MX-16_fan on Sat Sep 08, 2018 3:35 pm, edited 5 times in total.

clicktician
Forum Regular
Posts: 211
Joined: Sat May 02, 2015 4:35 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#2 Post by clicktician » Sat Aug 18, 2018 12:33 pm

I have no experience with these surveillance cameras, so I may be oversimplifying the problem.

To prevent the camera or any device from accessing the WAN, configure its MAC on your router's MAC Address Filtering tab. Allow access on the LAN, and deny on the WAN. Your camera will be able to communicate with your local server, but the router will drop any packets it tries to send or receive on the WAN regardless of whether it is connected via CAT or WiFi. This, of course, will neuter your camera's features that may let you view footage remotely or store it in the cloud. It will also prevent it from receiving software updates.

If your router doesn't seem to have MAC Address Filtering, look for a Security tab with Parental Controls. Set the camera up like the MAC address of a kid's PC that can't access the WAN during certain hours. Then make those hours 24/7.
Last edited by clicktician on Sat Aug 18, 2018 2:06 pm, edited 1 time in total.
Son, someday all this will belong to your ex wife.

timkb4cq
Forum Veteran
Posts: 4473
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#3 Post by timkb4cq » Sat Aug 18, 2018 12:42 pm

PoE (Power over Ethernet) cameras have to connect to the network stack to transmit the data into your PC. They get an IP address on your LAN. It is certainly possible to firewall that adequately, but I wouldn't trust the vendor-supplied software to do so.

So, yes, a USB connected camera is more secure.
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

clicktician
Forum Regular
Posts: 211
Joined: Sat May 02, 2015 4:35 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#4 Post by clicktician » Sat Aug 18, 2018 1:44 pm

timkb4cq wrote:
Sat Aug 18, 2018 12:42 pm
I wouldn't trust the vendor supplied software to do so.
So, yes, a USB connected camera is more secure.
Also, if the USB camera is proxied by some proprietary vendor software (very likely), the camera will masquerade as your PC's MAC in the WAN. One trick is to use netstat to see what domain the vendor's program is connecting to, and add that to your /etc/hosts file with a 127.0.0.1 IP. Sometimes short-circuiting the DNS this way is enough to prevent a connection without globally stopping it on other machines on your LAN.
Son, someday all this will belong to your ex wife.
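
The netstat-then-/etc/hosts step described in post #4, as an added example that is not part of the original thread. The program name `camvendor`, the host names and the addresses are constructed, and the script only prints candidate lines without editing any file. It also flags peers that show up as literal addresses, because a hosts override only affects name lookups.

```sh
#!/bin/sh
# Added example. Constructed sample of `netstat -tp` output (run as root so the
# PID/Program column is filled in); host names and addresses are made up.
SAMPLE_NETSTAT='tcp 0 0 mxbox:51514 cloud.camvendor.example:https ESTABLISHED 2211/camvendor
tcp 0 0 mxbox:51520 cloud.camvendor.example:https ESTABLISHED 2211/camvendor
tcp 0 0 mxbox:51530 203.0.113.10:8443 ESTABLISHED 2211/camvendor
tcp 0 0 mxbox:40022 www.example.org:https ESTABLISHED 1800/firefox'

# peers_of PROGRAM: read netstat TCP lines on stdin and print each distinct
# foreign host (port stripped) that PROGRAM is connected to.
peers_of() {
    awk -v prog="$1" '
        { n = split($7, p, "/") }
        n == 2 && p[2] == prog {
            host = $5
            sub(/:[^:]*$/, "", host)
            if (!seen[host]++) print host
        }'
}

# hosts_lines HOSTS_FILE: for each peer on stdin print a 127.0.0.1 override,
# unless HOSTS_FILE already lists the name. Peers that are literal addresses
# are only flagged: no name lookup happens, so /etc/hosts cannot stop them.
hosts_lines() {
    while read -r peer; do
        case $peer in
            *:*)       kind=addr ;;   # IPv6 literal
            *[!0-9.]*) kind=name ;;   # contains something other than digits/dots
            *)         kind=addr ;;   # IPv4 literal
        esac
        if [ "$kind" = addr ]; then
            echo "# $peer is a literal address: block it at the firewall instead"
        elif ! awk -v h="$peer" '
                !/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                END { exit !found }' "$1" 2>/dev/null; then
            echo "127.0.0.1 $peer"
        fi
    done
}

# Demo on the constructed sample; prints candidate lines, changes nothing.
printf '%s\n' "$SAMPLE_NETSTAT" | peers_of camvendor | hosts_lines /etc/hosts
```

The name netstat prints comes from a reverse lookup and may differ from the name the program actually resolves, so check the result by watching whether the connection reappears after the override is in place.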

timkb4cq
Forum Veteran
Posts: 4473
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#5 Post by timkb4cq » Sat Aug 18, 2018 2:17 pm

In Linux most USB cameras are natively supported by V4L which doesn't supply a route to the network, and there are a number of open source programs to record and/or view that don't involve the network.
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

MX-16_fan
Forum Regular
Posts: 958
Joined: Mon Feb 13, 2017 12:09 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#6 Post by MX-16_fan » Tue Aug 28, 2018 12:51 pm

@timkb4cq:
timkb4cq wrote:
Sat Aug 18, 2018 12:42 pm
(...) So, yes, a USB connected camera is more secure.
Makes sense. Thanks a lot!

Talking about it, how is this with Firewire cameras?


Greetings, Joe

MX-16_fan
Forum Regular
Posts: 958
Joined: Mon Feb 13, 2017 12:09 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#7 Post by MX-16_fan » Wed Aug 29, 2018 6:37 am

@timkb4cq,
@clicktician:
MX-16_fan wrote:
Tue Aug 28, 2018 12:51 pm
@timkb4cq:
timkb4cq wrote:
Sat Aug 18, 2018 12:42 pm
(...) So, yes, a USB connected camera is more secure.
Makes sense. Thanks a lot!

Talking about it, how is this with Firewire cameras?


Greetings, Joe

P.S.: I'm asking this specifically since Linux Firewire integration appears to be more complex than USB implementation, and seems to have potential connections to the network stack.

For example, the firewire-net driver by default ships with standard Linux kernels. (At least it doesn't seem to be loaded by default. Maybe we could ask to have it removed from Liquorix? I guess there might be some package-based way of adding it if needed.)

Apart from that, kernel.org mentions some technology named DVTS ("Digital Video Transport System, a collection of utilities ... to send DV data over an IP network", which you can "use ... , for example, with ethernet to overcome the current limitations with 1394 cable length" - see https://ieee1394.wiki.kernel.org/index. ... ities#DVTS). Don't know if that ships with the default MX-17.1, however. And I don't know whether this alone establishes any direct connection to the network stack. Does anyone know?

On the other hand, Linux USB integration provides optional bridges to Ethernet, too. See, for example, the usbnet driver in combination with cdc_ether (cf. https://github.com/torvalds/linux/blob/ ... dc_ether.c), based on the USB Gadget API for Linux (https://www.kernel.org/doc/html/v4.16/d ... adget.html). As with Firewire, those bridges seem to be optional, i.e. you have to actively do something as superuser in order to activate them.

So unless I got something wrong, Firewire is as good as USB, apart from the risk of DMA attacks, which, however, would require that some evildoer gets physical access to your machine (cf. https://en.wikipedia.org/wiki/IEEE_1394#Security_issues). Correct?

By the way, if using Firewire at all in MX-17.1, according to kernel.org, raw1394 and ohci1394 should be avoided, and "the replacement drivers firewire-core (which allows finer-grained access control due to separate device files per FireWire node) and firewire-ohci (which filters physical DMA)" should be used instead (https://ieee1394.wiki.kernel.org/index. ... ed_user.3F, https://ieee1394.wiki.kernel.org/index. ... raw1394.3F) (hope I got this right). The downside might be that firewire-core opens a path into firewire-net, something that raw1394 and ohci1394 don't do - correct?


Greetings, Joe
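
A way to check the drivers named in post #7 on a recording PC, as an added example that is not part of the original thread: it reports which of those modules are loaded and prints lines for a file under /etc/modprobe.d/ that keep them from loading. The sample module list is constructed, and the rules assume the machine has no USB Ethernet adapter or phone tethering, which also depend on usbnet and cdc_ether.

```sh
#!/bin/sh
# Added example. Modules named in the post above: the FireWire/USB-to-network
# bridges plus the legacy FireWire drivers. /proc/modules uses underscores.
WATCHED="firewire_net usbnet cdc_ether raw1394 ohci1394"

# Constructed sample in /proc/modules format:
# name size refcount used-by state address
SAMPLE_MODULES='firewire_ohci 40960 0 - Live 0x0000000000000000
firewire_core 65536 1 firewire_ohci, Live 0x0000000000000000
uvcvideo 90112 0 - Live 0x0000000000000000
usbnet 45056 1 cdc_ether, Live 0x0000000000000000
cdc_ether 20480 0 - Live 0x0000000000000000'

# loaded_watched: read /proc/modules text on stdin and print every watched
# module that is currently loaded.
loaded_watched() {
    awk -v watch="$WATCHED" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) { print $1 }'
}

# modprobe_rules: print modprobe.d lines for every watched module.
# "blacklist" stops alias-based automatic loading when a device is plugged in;
# "install <module> /bin/false" makes an explicit modprobe of it fail as well.
modprobe_rules() {
    for m in $WATCHED; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Demo: the constructed sample, then this machine if /proc/modules is readable.
echo "Loaded in sample:"
printf '%s\n' "$SAMPLE_MODULES" | loaded_watched
[ -r /proc/modules ] && { echo "Loaded on this machine:"; loaded_watched < /proc/modules; }
echo "Lines for a file under /etc/modprobe.d/:"
modprobe_rules
```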

timkb4cq
Forum Veteran
Posts: 4473
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#8 Post by timkb4cq » Fri Sep 07, 2018 3:38 pm

I have never used Firewire, but looking from a distance at the specs, the ability of devices on the Firewire port to operate peer to peer without supervision from the computer, as well as the ability to map their memory over Firewire, leads me to believe there are potentially more ways a Firewire camera could be compromised.
Having basically no information on any particular implementations, I haven't a clue whether that potential has actually been realized or how a camera could be hardened against it.
Or in short:
¯\_(ツ)_/¯
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

MX-16_fan
Forum Regular
Posts: 958
Joined: Mon Feb 13, 2017 12:09 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#9 Post by MX-16_fan » Sat Sep 08, 2018 3:34 pm

@timkb4cq:
timkb4cq wrote:
Fri Sep 07, 2018 3:38 pm
(...) Or in short:
¯\_(ツ)_/¯
As usual, you are hiding your light under a bushel. Thanks for your assessment :number1:!


@all:

Thanks to everyone else also.

I'll mark this thread "SOLVED".


Greetings, and a great weekend to all of you,

Joe

timkb4cq
Forum Veteran
Posts: 4473
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#10 Post by timkb4cq » Sat Sep 08, 2018 3:55 pm

MX-16_fan wrote:
Sat Sep 08, 2018 3:34 pm
As usual, you are hiding your light under a bushel...
Yup! That way some light shows through the basket while hiding the equally large store of ignorance that keeps it company. :p
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB
