Do your IP cameras put your privacy at risk?

IP Cameras are getting increasingly smart, easy to use and affordable.

They are convenient security add-ons but they also have potential to be exactly the opposite!

Are you the only one watching your cameras?

I bought my first IP Camera because of a dodgy wireless alarm system which speciality was to send false alarms when I was far away from home. I've replaced the alarm system since but my (budget) IP camera collection has multiplied in the meantime.
The convenience of being able to watch my home for anywhere was counterbalanced by their lack of protection against uninvited viewers.
A godsent for wannabe burglars wishing to plan their visit!




Protocols
Every protocol open to the WWW adds a collection of potential threats in the form of published and well documented weaknesses.

HTTP and FTP: These are the most common ones, and everything that travels through them, like the user login, is readable like an open book. Some high-end models support SSL v3 encryption, (which is now obsolete due to its vulnerability) and I haven't seen any of them implementing TLS 1.x, but maybe there are, likely far over a reasonable budget.

Beyond the weakness of these protocols, the web interfaces have their own bugs, like the directory traversal vulnerability that made Foscam famous in an embarrassing way. Many recent P2P/Cloud models have dropped the web interface in favor of mobile apps, basically trading a weakness for another.

UPnP: this protocol is what makes modern IP cameras easy to configure for external access, doing the port forwarding job for you. It is again not secure and was never meant to be. It's initial purpose is to make devices communication easier inside a residential network. Nevertheless, in return of the plug-and-play convenience, P2P (Peer-to-Peer) cameras and many other Cloud-connected gadgets leverage the UPnP flaws to traverse the firewall and freely share all sorts of information with the outside world, way more than what's strickly needed to function and toward a larger audience than expected!
Check out this excellent article from krebsonsecurity.com.
More reading on UPnP in this article from How-To Geek covers and this other one.

RTSP: The Real Time Streaming Protocol. Another insecure channel that sometimes relies on HTTP (rtsp://user:password@ipcamURL:port/0/) authentication mechanism.
That weak protection no longer exist in modern cloud cameras that dropped the HTTP protocol.

Securing your budget IP Cameras
For those sharing already their private life on FB with the entire world, chances are that having their private data sniffed away from their residential network is not a big concern as long as the thingy plugs in and links to the mobile phone painlessly.

But you are reading this, so that's not you!

Surface Reduction
What follows is no rocket science, nor the ultimate guide to network security, but rather some words of wisdom and common sense.
Sharing anything outside your LAN creates potential intrusion opportunities, but it is at least possible to reduce the attack surface by reducing the number of servers by eliminating the non-secure ones.

...but just don't bin all your IP Cameras yet!

Instead, consider (1) grouping them behind one, secured NVR (Network Video Recorder) and (2) allow only this server to speak, in a secure manner, with the outside world.

1). The NVR could be:
- a PC with an adequate software like iSpyConnect, webcamXP or ZoneMinder for instance.

- a NAS (Network Attached Storage) with a Surveillance Software (Synology, QNAP, ...). This is my preferred solution because they do many other things than managing the cameras and are ideal ideal for always-on servers with their typical low electricity usage (~30W with 2xHDD for a DS216),
There's a catch however: these NAS often manage 2 cameras for free and require to purchase a license for additional units.
- a dedicated NVR box that supports encryption. There are inexpensive solutions available like the Foscam FN3004H.
- a Raspberry Pi and some DIY.

Note: As part of this centralisation process, you should assign static IP addresses to your cameras.

2). Once all the IP cameras streams can be retrieved by the NVR server, make sure that only this server can be accessed from the Internet. FTP, Email, UPnP options should be disabled in each camera, as the NVR server will be in charge for all this now.
Don't trust your cameras for not trying to call home anyway and take some time to spy on them.
The router's log is the easiest way to check for unwanted traffic but you (nerds out there!) could also sniff the network (with Wireshark) to find out.
Rogue cameras need to be restricted by the use of packet filter, firewall, or access control rules, all depends on the features provided by your router.

Take the test to see how secure is your network on GRC's ShieldsUp!

VPN: A cost effective method ...when it works...
A VPN (L2TP/IPSec, PPTP, SSTP, OpenVPN) server allows you to reach your LAN from outside through a secure tunnel. Once connected, you can access all the LAN elements by their internal IP as if you were present locally.
VPN service is sometimes included in the router, or can be installed on a NAS. VPN clients are freely available for all platforms (PC, Android, iPhone,  linux, ...).
The success of such implementation depends on several factors that are not always in your control (router not implementing VPN pass through, ISP blocking VPN traffic, ...).
OpenVPN remains the best choice in terms of performance and security, followed shortly by SSTP. Stay away from PPTP.