Are your home security cameras vulnerable to hacking? - CNET
https://www.cnet.com/home/security/stop-home-security-camera-hacking/
mmm hmmm...if they're WiFi and not hardwired, get an AP capable of doin SSID-to-VLAN mapping...put em on their own SSID, and dump em into their own VLAN segmented by firewall...then set up rules so you can get to them, but they can't get to you...
@opie
Doing that on DD-WRT is a bit of a cumbersome process, but it works. I hear Ubiquiti makes this quite simple.
For the average less-technical person who doesn't want to mess with manually creating bridges and iptables... Couldn't most people just use a new guest network? I think newer mass-market routers make that pretty easy, and if they are giving users a "network isolation" tick box, they have the firewall commands already set up behind the scenes, right?
yeah, the "guest network" feature is essentially a shortcut to that config...guest can only go out to the internet, not to the internal network
@opie
The big limitation I've seen is that they may be limited to only one guest network, so you have to toss all your IoT things there, instead of segmenting further. Better than the alternative, though.
yeah, marshnet has 5 SSIDs in the wireless mesh
@voltronic
And even some old routers, if you flash them.
@corlin
Yes, and that's what I have going with my DD-WRT routers / APs. Flashing routers is probably well outside the comfort zone of the average person who has home security cameras, though.
@voltronic
Good point.
Good new routers are getting cheap.
@voltronic Probably natively - which is why they're on their own separate WiFi network, that only send video to an in-home server (which then makes it available via secure protocols,) and cannot directly access the internet.
Oh, and all of them are on the exterior of the house, none inside where they could hear inside conversations.
@ehurtley
You're doing it much better than I am. I have a Wyze cam that's in the living room to monitor the dogs. It's on a separate VLAN, but otherwise I use their remote access app.
@voltronic I don't use Wyze's own app, I have their beta firmware with RTSP enabled, sending it to an in-house server, which has security I can control. (That server also runs HomeBridge to make the cameras appear in Apple's HomeKit ecosystem, which has known-decent security. That server (a Mac mini in a cabinet) acts as "bridge" for all my IOT devices. If I find something going wrong, I can just turn off that server until I can investigate, instead of dealing with multiple separate devices.)
@ehurtley
Oh, I'll have to check this out, thanks! It looks like they just added RTSP support in September.
@voltronic Ooh, is it no longer beta? It used to require loading a beta firmware (that I've been running for over a year now.)
@ehurtley
No it's still beta
Missed opportunity to educate here on what would be one of the best things you can do:
"Lakhani also suggested putting stand-alone security cameras on a network of their own."
Many people might read that and think it's recommending a separate *physical* network, and dismiss it because that's too complicated and expensive. What they are actually talking about is a VLAN, and newer routers are making that much easier than it used to be.
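
The firewall policy described at the top of the thread (you can reach the cameras, they cannot reach you), written out as iptables rules. This is an added example, not part of any post in the thread; the interface names `br0`, `br1` and `vlan2`, the `IOT_INTERNET` and `APPLY` switches, and the assumption that the router itself serves DHCP and DNS to the camera VLAN are all illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names (adjust to your router):
LAN_IF="${LAN_IF:-br0}"      # trusted LAN bridge
IOT_IF="${IOT_IF:-br1}"      # bridge carrying the camera SSID/VLAN
WAN_IF="${WAN_IF:-vlan2}"    # internet uplink
# IOT_INTERNET=0 also keeps cameras off the internet (local-server setups).
# Dry run by default: rules are printed. APPLY=1 runs them (needs root).

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

camera_vlan_rules() {
    # 1. Replies to connections the LAN opened may return from the cameras.
    run iptables -I FORWARD 1 -i "$IOT_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. The LAN may open connections to the cameras ("you can get to them").
    run iptables -I FORWARD 2 -i "$LAN_IF" -o "$IOT_IF" -j ACCEPT
    # 3. Anything else from the cameras toward the LAN is dropped
    #    ("they can't get to you"). Order matters: this must follow rule 1.
    run iptables -I FORWARD 3 -i "$IOT_IF" -o "$LAN_IF" -j DROP
    # 4. Optional: cameras may not reach the internet directly.
    if [ "${IOT_INTERNET:-1}" = "0" ]; then
        run iptables -I FORWARD 4 -i "$IOT_IF" -o "$WAN_IF" -j DROP
    fi
    # 5. Router itself: cameras get DHCP and DNS, nothing else (no admin UI).
    run iptables -I INPUT 1 -i "$IOT_IF" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT 2 -i "$IOT_IF" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT 3 -i "$IOT_IF" -p tcp --dport 53 -j ACCEPT
    run iptables -I INPUT 4 -i "$IOT_IF" -j DROP
}

camera_vlan_rules
```

Older firmware builds may ship the `state` match instead of `conntrack`; in that case `-m state --state ESTABLISHED,RELATED` expresses the same rule.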