[SOLVED] Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?
EDIT:
* Changed second part of heading from "Is USB better?" to "Are USB, Firewire better?"
* Added question relating to Firewire as III) in this original posting.
There have been many discussions about security leaks in Wi-Fi based surveillance cameras. The main (but not the only) problem seems to be that when you connect them directly to an internet-connected Wireless Access Point, you cannot control whether they phone home, or whether they are being intruded via internet, or both.
Currently there seem to be no Wi-Fi surveillance cameras on the market that are based both on open source hardware and on internal Free/Libre Open Source Software (FLOSS).
While I fully understand that the above-mentioned points can lead to little trust in Wi-Fi connected surveillance cameras in general, I don't yet fully understand why some people warn you against Power over Ethernet (PoE) connected cameras, too.
I)
When you connect a PoE camera to a PC, and the latter does the recording job, how could the camera ever find its own way into the internet?
I guess if there is no such way, there's no security issue, however bad the PoE camera's built-in software may be. Correct?
II)
Talking about this, my second question would be whether cameras connected by USB would be any "cleaner" from a dogmatic point of view. (Assuming that USB cable length would be sufficient for your purposes.)
III)
Finally: Would Firewire cameras be safer than PoE cameras, and would they, from a security-oriented point of view, be as good as USB cameras? (I added some research of my own as posting #7, cf. https://forum.mxlinux.org/viewtopic.php ... 44#p459044).
I'd greatly appreciate any answer.
Personally I don't like video surveillance very much. However, it seems as if, while there may be more restrictions against exaggerated and/or non-transparent use in the future, you probably won't be able to 100% remove either private or business video surveillance / alarm systems from everyday life any more.
So if used at all, IMHO only the safest possible, meaning fully user-controllable, components and architectures should be used.
Greetings, Joe
Last edited by MX-16_fan on Sat Sep 08, 2018 3:35 pm, edited 5 times in total.
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?
I have no experience with these surveillance cameras, so I may be over simplifying the problem.
To prevent the camera or any device from accessing the WAN, configure its MAC on your router's MAC Address Filtering tab. Allow access on the LAN, and deny on the WAN. Your camera will be able to communicate with your local server, but the router will drop any packets it tries to send or receive on the WAN, regardless of whether it is connected via CAT or WiFi. This, of course, will neuter your camera's features that may let you view footage remotely or store it in the cloud. It will also prevent it from receiving software updates.
If your router doesn't seem to have MAC Address Filtering, look for a Security tab with Parental Controls. Set the camera up like the MAC address of a kid's PC that can't access the WAN during certain hours. Then make those hours 24/7.
Last edited by clicktician on Sat Aug 18, 2018 2:06 pm, edited 1 time in total.
Son, someday all this will belong to your ex wife.
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?
PoE (Power over Ethernet) cameras have to connect to the network stack to transmit the data into your PC. They get an IP address on your LAN. It is certainly possible to firewall that adequately, but I wouldn't trust the vendor-supplied software to do so.
So, yes, a USB connected camera is more secure.
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB
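As an added example (not code from either poster), this is what the router-side isolation clicktician describes, and the "firewall that adequately" timkb4cq mentions, looks like on a Linux router running nftables: the camera talks freely on the LAN, every attempt to reach the WAN is counted, logged and dropped, and unsolicited inbound traffic to the camera is dropped. The camera MAC 02:00:00:00:00:01, its reserved address 192.168.1.50 and the interface names lan0/wan0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the posters' own: emit an nftables ruleset for a Linux
# router that lets a camera talk on the LAN but logs and drops anything it
# sends towards the WAN, and drops unsolicited WAN traffic aimed at it.
# The MAC, the camera's reserved IP and the interface names are constructed.

# Accept only an aa:bb:cc:dd:ee:ff style MAC, the form nft expects.
valid_mac() {
    printf '%s\n' "$1" | grep -E -q '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Usage: camera_isolation_rules <camera-mac> <camera-ip> <lan-if> <wan-if>
# Egress is matched on the source MAC (still intact on frames arriving from
# the LAN); ingress has to use the camera's IP, so give it a fixed DHCP lease.
camera_isolation_rules() {
    mac=$1 ip=$2 lan_if=$3 wan_if=$4
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    cat <<EOF
table inet camera_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # camera -> internet: count and log each attempt (phone-home detection), then drop
        iifname "$lan_if" oifname "$wan_if" ether saddr $mac counter log prefix "cam-egress " drop
        # internet -> camera (port forward, UPnP mapping): drop unsolicited inbound
        iifname "$wan_if" oifname "$lan_if" ip daddr $ip counter drop
    }
}
EOF
}

# Print the ruleset for the constructed sample camera. On the router, save it
# to a file, check it with "nft -c -f <file>" and load it with "nft -f <file>".
camera_isolation_rules 02:00:00:00:00:01 192.168.1.50 lan0 wan0
```

The log prefix makes blocked phone-home attempts show up in the kernel log, which is a cheap way to learn what the camera's firmware tries to reach.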
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?
Also, if the USB camera is proxied by some proprietary vendor software (very likely), the camera will masquerade as your PC's MAC in the WAN. One trick is to use netstat to see what domain the vendor's program is connecting to, and add that to your /etc/hosts file with a 127.0.0.1 IP. Sometimes short-circuiting the DNS this way is enough to prevent a connection without globally stopping it on other machines on your LAN.
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?
In Linux most USB cameras are natively supported by V4L which doesn't supply a route to the network, and there are a number of open source programs to record and/or view that don't involve the network.
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Is USB better?
@timkb4cq,
@clicktician:
P.S.: I'm asking this specifically since Linux Firewire integration appears to be more complex than USB implementation, and seems to have potential connections to the network stack.
For example, the firewire-net driver by default ships with standard Linux kernels. (At least it doesn't seem to be loaded by default. Maybe we could ask to have it removed from Liquorix? I guess there might be some package-based way of adding it if needed.)
Apart from that, kernel.org mentions some technology named DVTS ("Digital Video Transport System, a collection of utilities ... to send DV data over an IP network", which you can "use ... , for example, with ethernet to overcome the current limitations with 1394 cable length" - see https://ieee1394.wiki.kernel.org/index. ... ities#DVTS). Don't know if that ships with the default MX-17.1, however. And I don't know whether this alone establishes any direct connection to the network stack. Does anyone know?
On the other hand, Linux USB integration provides optional bridges to Ethernet, too. See, for example, the usbnet driver in combination with cdc_ether (cf. https://github.com/torvalds/linux/blob/ ... dc_ether.c), based on the USB Gadget API for Linux (https://www.kernel.org/doc/html/v4.16/d ... adget.html). As with Firewire, those bridges seem to be optional, i.e. you have to actively do something as superuser in order to activate them.
So unless I got something wrong, Firewire is as good as USB, apart from the risk of DMA attacks, which, however, would require that some evildoer gets physical access to your machine (cf. https://en.wikipedia.org/wiki/IEEE_1394#Security_issues). Correct?
By the way, if using Firewire at all in MX-17.1, according to kernel.org, raw1394 and ohci1394 should be avoided, and "the replacement drivers firewire-core (which allows finer-grained access control due to separate device files per FireWire node) and firewire-ohci (which filters physical DMA)" should be used instead (https://ieee1394.wiki.kernel.org/index. ... ed_user.3F, https://ieee1394.wiki.kernel.org/index. ... raw1394.3F) (hope I got this right). The downside might be that firewire-core opens a path into firewire-net, something that raw1394 and ohci1394 don't do - correct?
Greetings, Joe
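As an added example (not from the original poster), this is the defender's counterpart to the point above: firewire-net, usbnet and cdc_ether only become a path into the network stack once they are loaded, so a modprobe.d drop-in can refuse to load them and a short check can confirm none is present. The drop-in file name is a constructed placeholder; the module names are the real ones named above.

```shell
#!/bin/sh
# Added example, not the poster's own: keep the optional kernel bridge drivers
# named above (firewire-net, usbnet, cdc_ether) from being loaded at all, and
# report if any of them is currently loaded. The modprobe.d file name is
# constructed; the module names are the real ones.

BRIDGE_MODULES="firewire-net usbnet cdc_ether"

# Print the modprobe.d drop-in. "blacklist" stops hardware-alias autoloading;
# "install <mod> /bin/false" also defeats an explicit "modprobe <mod>", so a
# later "modprobe firewire-net" fails instead of quietly enabling IP over 1394.
bridge_blacklist_conf() {
    echo "# block optional FireWire/USB-to-Ethernet bridge drivers"
    for m in $BRIDGE_MODULES; do
        echo "blacklist $m"
        echo "install $m /bin/false"
    done
}

# Usage: write_bridge_blacklist [output-file]   (defaults to /etc/modprobe.d)
write_bridge_blacklist() {
    bridge_blacklist_conf > "${1:-/etc/modprobe.d/no-net-bridges.conf}"
}

# Read "lsmod" output on stdin and print each bridge module that is loaded.
# lsmod shows names with underscores, so firewire-net appears as firewire_net.
# Returns 0 when none is loaded, 1 otherwise (usable as a check in scripts).
loaded_bridge_modules() {
    found=0
    while read -r name _; do
        for m in $BRIDGE_MODULES; do
            if [ "$name" = "$(printf '%s' "$m" | tr '-' '_')" ]; then
                echo "$name"
                found=1
            fi
        done
    done
    return $found
}

# Show the drop-in that would be written, then check the running kernel
# when lsmod is available (e.g. from a periodic integrity check).
bridge_blacklist_conf
if command -v lsmod >/dev/null 2>&1; then
    lsmod | loaded_bridge_modules || echo "WARNING: bridge module loaded" >&2
fi
```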
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?
I have never used Firewire, but looking from a distance at the specs, the ability of devices on the Firewire port to operate peer to peer without supervision from the computer, as well as the ability to map their memory over Firewire, leads me to believe there are potentially more ways a Firewire camera could be compromised.
Having basically no information on any particular implementations, I haven't a clue whether that potential has actually been realized or how a camera could be hardened against it.
Or in short:
¯\_(ツ)_/¯
Re: Are PoE surveillance cameras ("CCTV") really unsafe? Are USB, Firewire better?
Yup! That way some light shows through the basket while hiding the equally large store of ignorance that keeps it company.