Port forwarding for CCTV.... or not

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Port forwarding for CCTV.... or not

RunningMan

8955 posts

Uber Geek

#281002 24-Jan-2021 21:39

Another example (TVNZ) of the risks of directly exposing CCTV and similar devices to the internet. In this case, cameras viewed due to default passwords. This piece focussed on ensuring you didn't use the default password, but it would be better to not have inherently insecure devices like CCTV systems exposed to the internet in the first place.

This is a filtered page: currently showing replies marked as answers. Click here to see full discussion.

michaelmurfy

meow
13244 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2641282 24-Jan-2021 23:35

It’s not just default passwords - many of these cameras are just simply not good with security and streams are not password protected. That is essentially what all the cameras on https://www.insecam.org are.

Ring / Eufy / Arlo do solve a problem here with creating a secure system that requires no port forwards and can even work behind CG-NAT successfully. The problem is people want security systems for as cheap as possible and pick up those $20 cameras that forward ports to itself using UPnP and get themselves pwned.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2641330 25-Jan-2021 08:29

The simple answer is no, typically speaking you should never ever create a port forward for a CCTV system unless you're capable of whitelisting this to specific IP range(s) that are necessary. Having said this it's an incredibly common thing, with large security companies out there who have zero idea of networking still configuring systems like this.

There have been a myriad of hacks on CCTV equipment in recent years due to the poor security of many. Yes things have got a lot better secuerity wise from many big vendors, but that's still no reason to change. All it takes is a single loophole to be found and you're history since most people aren't upgrading equipment regularly. With many people still buying cheap insecure equipment or things such as hacked Dahua cameras that can never be upgraded, it opens up lots of nasty possibilities.

I don't think most people understand the risks of creating even a single port forward on their network (regardless of what it is for - not just CCTV) in that it's allowing anybody else on the Internet access to the inside of your network.

Many cameras on sites such as insecam are not just default passwords, they are also cameras that have things such as ONVIF RTSP streams that don't require authentication so all that is needed to view the camera is the correct URL.