[SOLVED] Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

[SOLVED] Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#1 Post by MX-16_fan »

EDIT:

* Changed second part of heading from "Is USB better?" to "Are USB, Firewire better?"
* Added question relating to Firewire as III) in this original posting.




There have been many discussions about security leaks in Wi-Fi based surveillance cameras. The main (but not the only) problem seems to be that when you connect them directly to an internet-connected Wireless Access Point, you cannot control whether they phone home, or whether they are being intruded via internet, or both.

Currently there seem to be no Wi-Fi surveillance cameras on the market that are based both on open source hardware and on internal Free/Libre Open Source Software (FLOSS).

While I fully understand that the above-mentioned points can lead to little trust in Wi-Fi connected surveillance cameras in general, I don't yet fully understand why some people warn you against Power over Ethernet (PoE) connected cameras, too.

I)
When you connect a PoE camera to a PC, and the latter does the recording job, how could the camera ever find its own way into the internet?

I guess if there is no such way, there's no security issue, however bad the PoE camera's built-in software may be. Correct?

II)
Talking about this, my second question would be whether cameras connected by USB would be any "cleaner" from a dogmatic point of view. (Assuming that USB cable length would be sufficient for your purposes.)

III)
Finally: Would Firewire cameras be safer than PoE cameras, and would they, from a security-oriented point of view, be as good as USB cameras? (I added some research of my own as posting #7, cf. https://forum.mxlinux.org/viewtopic.php ... 44#p459044).


I'd greatly appreciate any answer.

Personally I don't like video surveillance very much. However, it seems as if while there may be more restrictions against exaggerated and/or intransparent use in the future, you probably won't 100% remove either private or business video surveillance / alarm systems from everyday life any more.

So if used at all, IMHO only the safest possible, meaning fully user-controllable, components and architectures should be used.


Greetings, Joe
Last edited by MX-16_fan on Sat Sep 08, 2018 3:35 pm, edited 5 times in total.

clicktician
Posts: 136
Joined: Sat May 02, 2015 4:35 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#2 Post by clicktician »

I have no experience with these surveillance cameras, so I may be oversimplifying the problem.

To prevent the camera or any device from accessing the WAN, configure its MAC on your router's MAC Address Filtering tab. Allow access on the LAN, and deny on the WAN. Your camera will be able to communicate with your local server, but the router will drop any packets it tries to send or receive on the WAN regardless of whether it is connected via CAT or WiFi. This, of course, will neuter your camera's features that may let you view footage remotely or store it in the cloud. It will also prevent it from receiving software updates.

If your router doesn't seem to have MAC Address Filtering, look for a Security tab with Parental Controls. Set the camera up like the MAC address of a kid's PC that can't access the WAN during certain hours. Then make those hours 24/7.
Last edited by clicktician on Sat Aug 18, 2018 2:06 pm, edited 1 time in total.
Son, someday all this will belong to your ex wife.

timkb4cq
Developer
Posts: 3186
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#3 Post by timkb4cq »

PoE (Power over Ethernet) cameras have to connect to the network stack to transmit the data into your PC. They get an IP address on your LAN. It is certainly possible to firewall that adequately, but I wouldn't trust the vendor supplied software to do so.

So, yes, a USB connected camera is more secure.
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB

clicktician
Posts: 136
Joined: Sat May 02, 2015 4:35 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#4 Post by clicktician »

timkb4cq wrote: Sat Aug 18, 2018 12:42 pm I wouldn't trust the vendor supplied software to do so.
So, yes, a USB connected camera is more secure.
Also, if the USB camera is proxied by some proprietary vendor software (very likely), the camera will masquerade as your PC's MAC in the WAN. One trick is to use netstat to see what domain the vendor's program is connecting to, and add that to your /etc/hosts file with a 127.0.0.1 IP. Sometimes short-circuiting the DNS this way is enough to prevent a connection without globally stopping it on other machines on your LAN.
Son, someday all this will belong to your ex wife.
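
The netstat-then-/etc/hosts trick from post #4, as an added example that is not part of the original posts: it reads `netstat -tpW` style output and prints one hosts line per remote host name owned by a given program. The program name `vendorcam`, the host names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tpW` output (run as root so the
# PID/Program column is filled in). Not captured from a real system.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 mxbox:51234             cloud.cam-vendor.example:https ESTABLISHED 2211/vendorcam
tcp        0      0 mxbox:51240             stats.cam-vendor.example:https ESTABLISHED 2211/vendorcam
tcp        0      0 mxbox:51302             cloud.cam-vendor.example:https ESTABLISHED 2211/vendorcam
tcp        0      0 mxbox:40022             203.0.113.7:8443        ESTABLISHED 2211/vendorcam
tcp        0      0 mxbox:39110             mirror.example.org:https ESTABLISHED 1890/firefox
EOF
}

# hosts_block_lines PROGRAM
# Reads netstat output on stdin, prints "127.0.0.1 <host>" once per remote
# host name that PROGRAM is connected to.
hosts_block_lines() {
    awk -v prog="$1" '
        $1 !~ /^tcp/ { next }                  # skip header and non-TCP rows
        {
            n = split($NF, owner, "/")         # last column is PID/Program
            if (n < 2 || owner[2] != prog) next
            host = $5                          # Foreign Address column
            sub(/:[^:]*$/, "", host)           # drop the :port suffix
            # A numeric peer has no name, so a hosts entry cannot cover it;
            # it needs a firewall rule instead.
            if (host ~ /^[0-9.]+$/ || host ~ /:/) next
            if (!seen[host]++) print "127.0.0.1 " host
        }' | sort
}

# Review the result before appending it to /etc/hosts. netstat shows the
# reverse-resolved name of the peer, which can differ from the name the
# program looked up; a DNS query log shows the latter.
sample_netstat | hosts_block_lines vendorcam
```

On a live system the input would come from `netstat -tpW` itself rather than from the embedded sample.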

timkb4cq
Developer
Posts: 3186
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#5 Post by timkb4cq »

In Linux most USB cameras are natively supported by V4L which doesn't supply a route to the network, and there are a number of open source programs to record and/or view that don't involve the network.

MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#6 Post by MX-16_fan »

@timkb4cq:
timkb4cq wrote: Sat Aug 18, 2018 12:42 pm (...) So, yes, a USB connected camera is more secure.
Makes sense. Thanks a lot!

Talking about it, how is this with Firewire cameras?


Greetings, Joe

MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?

#7 Post by MX-16_fan »

@timkb4cq,
@clicktician:
MX-16_fan wrote: Tue Aug 28, 2018 12:51 pm @timkb4cq:
timkb4cq wrote: Sat Aug 18, 2018 12:42 pm (...) So, yes, a USB connected camera is more secure.
Makes sense. Thanks a lot!

Talking about it, how is this with Firewire cameras?


Greetings, Joe

P.S.: I'm asking this specifically since Linux Firewire integration appears to be more complex than USB implementation, and seems to have potential connections to the network stack.

For example, the firewire-net driver by default ships with standard Linux kernels. (At least it doesn't seem to be loaded by default. Maybe we could ask to have it removed from Liquorix? I guess there might be some package-based way of adding it if needed.)

Apart from that, kernel.org mentions some technology named DVTS ("Digital Video Transport System, a collection of utilities ... to send DV data over an IP network", which you can "use ... , for example, with ethernet to overcome the current limitations with 1394 cable length" - see https://ieee1394.wiki.kernel.org/index. ... ities#DVTS). Don't know if that ships with the default MX-17.1, however. And I don't know whether this alone establishes any direct connection to the network stack. Does anyone know?

On the other hand, Linux USB integration provides optional bridges to Ethernet, too. See, for example, the usbnet driver in combination with cdc_ether (cf. https://github.com/torvalds/linux/blob/ ... dc_ether.c), based on the USB Gadget API for Linux (https://www.kernel.org/doc/html/v4.16/d ... adget.html). As with Firewire, those bridges seem to be optional, i.e. you have to actively do something as superuser in order to activate them.

So unless I got something wrong, Firewire is as good as USB, apart from the risk of DMA attacks, which, however, would require that some evildoer gets physical access to your machine (cf. https://en.wikipedia.org/wiki/IEEE_1394#Security_issues). Correct?

By the way, if using Firewire at all in MX-17.1, according to kernel.org, raw1394 and ohci1394 should be avoided, and "the replacement drivers firewire-core (which allows finer-grained access control due to separate device files per FireWire node) and firewire-ohci (which filters physical DMA)" should be used instead (https://ieee1394.wiki.kernel.org/index. ... ed_user.3F, https://ieee1394.wiki.kernel.org/index. ... raw1394.3F) (hope I got this right). The downside might be that firewire-core opens a path into firewire-net, something that raw1394 and ohci1394 don't do - correct?


Greetings, Joe
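
One way to check the point raised in post #7, as an added example that is not part of the original posts: list which of the network-bridging modules named there (firewire-net, usbnet, cdc_ether) are currently loaded, and print modprobe.d lines that keep them from loading. The sample module list is constructed; `/proc/modules` spells module names with underscores, which modprobe treats the same as hyphens.

```shell
#!/bin/sh
# Modules named in the post that put a network interface on top of
# FireWire or USB.
BRIDGE_MODULES="firewire_net usbnet cdc_ether"

# Constructed sample in /proc/modules format (name size refs deps state addr).
sample_modules() {
cat <<'EOF'
firewire_ohci 45056 0 - Live 0x0000000000000000
firewire_core 81920 1 firewire_ohci, Live 0x0000000000000000
uvcvideo 98304 0 - Live 0x0000000000000000
cdc_ether 20480 0 - Live 0x0000000000000000
usbnet 45056 1 cdc_ether, Live 0x0000000000000000
EOF
}

# loaded_bridges: reads /proc/modules-format text on stdin and prints the
# bridge modules that are loaded, one per line.
loaded_bridges() {
    awk -v want="$BRIDGE_MODULES" '
        BEGIN { n = split(want, w, " ")
                for (i = 1; i <= n; i++) bridge[w[i]] = 1 }
        ($1 in bridge) { print $1 }' | sort
}

# modprobe_block_lines: prints lines for a file under /etc/modprobe.d/.
# "blacklist" stops automatic loading when a matching device appears;
# "install ... /bin/false" also makes an explicit modprobe fail.
# Blocking usbnet and cdc_ether also disables USB Ethernet adapters and
# phone tethering on that machine.
modprobe_block_lines() {
    for m in $BRIDGE_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# On a real machine: loaded_bridges < /proc/modules
sample_modules | loaded_bridges
modprobe_block_lines
```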

timkb4cq
Developer
Posts: 3186
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#8 Post by timkb4cq »

I have never used Firewire, but looking from a distance at the specs, the ability of devices on the firewire port to operate peer to peer without supervision from the computer, as well as the ability to map their memory over firewire, leads me to believe there are potentially more ways a firewire camera could be compromised.
Having basically no information on any particular implementations, I haven't a clue whether that potential has actually been realized or how a camera could be hardened against it.
Or in short:
¯\_(ツ)_/¯

MX-16_fan
Posts: 331
Joined: Mon Feb 13, 2017 12:09 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#9 Post by MX-16_fan »

@timkb4cq:
timkb4cq wrote: Fri Sep 07, 2018 3:38 pm (...) Or in short:
¯\_(ツ)_/¯
As usual, you are hiding your light under a bushel. Thanks for your assessment :number1:!


@all:

Thanks to everyone else also.

I'll mark this thread "SOLVED".


Greetings, and a great weekend to all of you,

Joe

timkb4cq
Developer
Posts: 3186
Joined: Wed Jul 12, 2006 4:05 pm

Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?

#10 Post by timkb4cq »

MX-16_fan wrote: Sat Sep 08, 2018 3:34 pm As usual, you are hiding your light under a bushel...
Yup! That way some light shows through the basket while hiding the equally large store of ignorance that keeps it company. :p