Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Port forwarding for CCTV.... or not
RunningMan

8953 posts

Uber Geek


#281002 24-Jan-2021 21:39
Send private message

Another example (TVNZ) of the risks of directly exposing CCTV and similar devices to the internet. In this case, cameras viewed due to default passwords. This piece focussed on ensuring you didn't use the default password, but it would be better to not have inherently insecure devices like CCTV systems exposed to the internet in the first place.

Filter this topic showing only the reply marked as answer Create new topic
michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2641282 24-Jan-2021 23:35
Send private message

It’s not just default passwords - many of these cameras are just simply not good with security and streams are not password protected. That is essentially what all the cameras on https://www.insecam.org are.

Ring / Eufy / Arlo do solve a problem here with creating a secure system that requires no port forwards and can even work behind CG-NAT successfully. The problem is people want security systems for as cheap as possible and pick up those $20 cameras that forward ports to itself using UPnP and get themselves pwned.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2641330 25-Jan-2021 08:29
Send private message

The simple answer is no, typically speaking you should never ever create a port forward for a CCTV system unless you're capable of whitelisting this to specific IP range(s) that are necessary. Having said this it's an incredibly common thing, with large security companies out there who have zero idea of networking still configuring systems like this.

 

There have been a myriad of hacks on CCTV equipment in recent years due to the poor security of many. Yes things have got a lot better secuerity wise from many big vendors, but that's still no reason to change. All it takes is a single loophole to be found and you're history since most people aren't upgrading equipment regularly. With many people still buying cheap insecure equipment or things such as hacked Dahua cameras that can never be upgraded, it opens up lots of nasty possibilities.

 

I don't think most people understand the risks of creating even a single port forward on their network (regardless of what it is for - not just CCTV) in that it's allowing anybody else on the Internet access to the inside of your network.

 

Many cameras on sites such as insecam are not just default passwords, they are also cameras that have things such as ONVIF RTSP streams that don't require authentication so all that is needed to view the camera is the correct URL.

 

 

gareth41
742 posts

Ultimate Geek


  #2641338 25-Jan-2021 08:46
Send private message

These security companies with zero networking knowledge are also setting up Ubiquiti links across carparks etc... and between building etc... using DFS channels, overriding settings on the device which keep it RSM compliant, and setting output power to full just to cover 100m with full line of sight



dt

dt
1152 posts

Uber Geek
Inactive user


  #2641395 25-Jan-2021 09:31
Send private message

gareth41:

 

These security companies with zero networking knowledge are also setting up Ubiquiti links across carparks etc... and between building etc... using DFS channels, overriding settings on the device which keep it RSM compliant, and setting output power to full just to cover 100m with full line of sight

 

 

 

 

amazes me how many of these devices I see out in the wild these days, they're everywhere in Auckland. 

raytaylor
4014 posts

Uber Geek

Trusted

  #2642709 27-Jan-2021 00:03
Send private message

A port forward to a camera or dvr will just mean you're mining someones bitcoin, slowly. 

 

All the chinese brands seem to have backdoor admin access, though the exception seems to be hikvision which has built a pretty good reputation, and their cloud access system works okay so you dont need to do a port forward.  




Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

MarkM536
309 posts

Ultimate Geek


  #2642713 27-Jan-2021 00:50
Send private message

Consumer garbage is constantly contacting to a company server. Trouble is privacy and trust.

 

Google Nest has had a hack where people got other peoples camera streams and Ring has had similar.

 

 

 

Devices connected to the internet are a hazard, but they'll be people oblivious.

LostBoy
30 posts

Geek


  #2642786 27-Jan-2021 07:20
Send private message

Agree with the above posts, I wouldn't recommend exposing it.

 

A better alternative is a decent VPN connection, or something like https://tailscale.com/ 

 

 

 

Do note that these implementations will take a bit more work than simply forwarding ports, but will be far more secure if configured correctly.

 
 
 
 

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.
sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2642789 27-Jan-2021 07:32
Send private message

raytaylor:

 

A port forward to a camera or dvr will just mean your mining someones bitcoin, slowly. 

 

All the chinese brands seem to have backdoor admin access, though the exception seems to be hikvision which has built a pretty good reputation, and their cloud access system works okay so you dont need to do a port forward.  

 

 

Hikvision have had just as many security holes as Dahua historically. Some have been pretty bad.

 

The main issue is that a lot of systems out there would never be upgraded, so even if a security exploit was found in the future with a patch there is no guarantee people will apply it.

 

The Cloud / P2P access model used by Hikvision and Dahua isn't perfect (and certainly could never be deemed to be 100% secure) but is at least a step up from a port forward.

 

 

gareth41
742 posts

Ultimate Geek


  #2642803 27-Jan-2021 08:33
Send private message

If you really do have to forward ports, you could atleast lock those ports down to only specific ip addresses or ranges.  The problem is your average consumer grade "modem" isn't going to have this functionality, you need proper router like a Mikrotik.  Eg locking down the ports to Vodafone's 4G ip range.  This wont make things 100% secure, but will significantly reduce the risk of being hacked.

Filter this topic showing only the reply marked as answer Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01

Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22

Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46

Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42

D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34

Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright