On the safe side. Which IP camera brands?
  • I believe there are many devices on the market that once plugged into our LANs could test/map our LANs and 'call home'. Or perhaps execute spy code directly from within their devices on our LANs.

    Is there any software or modem or method that could prevent this? I'm already using an extra Apple router to separate our cellular modem from our LAN so that anything that makes contact with the modem would not be able to scan our LAN.

    Which camera brands would people consider to be safer in this regard?

  • Hi Gregory,

    Though I've never heard of cameras that execute malicious code, it's certainly possible in theory, and some cameras are certainly better from a security point of view than others.

    If you stick to well-known manufacturers you should be safe (e.g. Axis, Canon, Dahua, Hikvision, Vivotek, Lilin, Samsung, Sony, Sunba etc.).

    I would not recommend going for cheap no-name cameras (often shipped directly from China), as you never really know what you are getting.

    Many routers will also allow adding firewall rules that block devices on your network from making connections to the Internet, or else you can set up the camera's IP configuration manually without a DNS server or router address, so that the camera will only be able to make connections within the LAN.
  • Most of the problems with connected devices are security vulnerabilities exploited by hackers and governments. Keep your firmware up to date. Make sure your OS is current with security patches. I'm not a big fan of Apple routers but keep them up to date also. I find Little Snitch indispensable to monitor unwanted connection attempts. My paranoia level is pretty high. I could go on and on. I have tape over all my built-in iSight cameras lol. Good luck.
  • Most of these cameras are running Linux and poorly secured web applications. The best approach is to:

    1. Buy from a reputable brand. A reputable brand, in my opinion, is one that provides timely software updates to their products to resolve security problems. In my experience, Dahua and Hikvision do NOT release software updates in a timely manner. Nor are they easy to find.

    2. Keep the camera up to date.

    3. Use a unique password for each camera.

    4. Network access to the camera should be restricted as much as possible. Keep them off the internet, as they are fully functioning Linux systems with a network stack. That means they can participate in a botnet, at the very least. Some cameras allow you to restrict IP access to one system, such as your SecuritySpy system.

    (Note: I own Dahua and Hikvision cameras. They are not secure, and thus kept on a separate network. I'm going to purchase a Ubiquiti camera and try it out. Ubiquiti does a good job of keeping their software products up to date.)
  • I would add: disable the UPnP feature on cameras to keep them from opening a hole/listening port on the router. Only allow Internet access to the video feeds via an app like SecuritySpy and make sure that access is HTTPS-protected.
  • FYI: Ubiquiti cameras are not ONVIF compatible. Only the latest version of their cameras, 'G3', works with SS via "Manual configuration". Check out some other forums before you buy.

  • After reading Ben's "10 Recommended IP Cameras 2017", I purchased two Hikvision cameras: DS-2CD2442FWD-IW 2.8mm and 4mm. Very nice, especially for the price: only HK$500 per camera here in Hong Kong (through taobao.com). The resolution and night vision are impressive.

    They're connected to our LAN via PoE cables (super convenient). I was using DHCP with the Apple Airport setting the IP to an allocated IP, but that allowed the camera to see the DNS IP, so I've just switched the camera to manual IP settings and removed the DNS values.

    UPnP is turned off, as are Wi-Fi, DDNS and all forms of SNMP.

    And they are set to only receive communications from the IP address for the Mac running SecuritySpy.

    Probably about as good as I'm going to get it.

    I plan on getting another of Ben's recommendations; the Zavio B6330, even though having motorised zoom without panning seems a little weird to me :)

  • Our cameras and the PoE injector are now connected to my Mac's second Ethernet port on a separate subnet. They now have no access to our main LAN or the Internet :)
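
An added example, not part of any post in this thread: one way to check that the isolation steps described above (no gateway or DNS on the camera, UPnP off, a separate subnet) actually hold, by auditing connection records for anything a camera tries to reach other than the recording Mac. The subnet, the allowed address and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing for illustration: cameras sit on their own subnet and
# only the Mac running the recording software should ever talk to them.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("192.168.50.1")}  # Mac's camera-side port

# Constructed sample records in a hypothetical "<time> <src> <dst> <proto>/<port>"
# format, e.g. exported from a capture taken on the camera-side interface.
SAMPLE_LOG = """\
2017-06-01T10:00:01 192.168.50.11 192.168.50.1 tcp/554
2017-06-01T10:00:05 192.168.50.11 8.8.8.8 udp/53
2017-06-01T10:00:09 192.168.50.12 203.0.113.40 tcp/443
2017-06-01T10:00:12 192.168.50.12 239.255.255.250 udp/1900
2017-06-01T10:00:15 192.168.1.20 192.168.1.1 udp/53
malformed line
"""

def classify(dst):
    """Label a destination a camera tried to reach."""
    if dst in ALLOWED_PEERS:
        return "allowed"
    if dst.is_multicast:
        return "multicast"   # e.g. UPnP/SSDP discovery still enabled
    if dst in CAMERA_NET:
        return "lan-peer"    # camera probing a neighbour on its own subnet
    return "off-subnet"      # attempt to leave the camera subnet

def audit(log_text):
    """Return {camera_ip: [(verdict, dst, service), ...]} for unexpected traffic."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed records
        _, src_s, dst_s, service = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        except ValueError:
            continue
        if src not in CAMERA_NET:
            continue                      # only camera-originated traffic matters
        verdict = classify(dst)
        if verdict != "allowed":
            findings[str(src)].append((verdict, str(dst), service))
    return dict(findings)

if __name__ == "__main__":
    for cam, events in audit(SAMPLE_LOG).items():
        for verdict, dst, service in events:
            print(f"{cam} -> {dst} {service}: {verdict}")
```

On a correctly isolated camera network the audit returns nothing; an "off-subnet" entry means the camera still has a route or DNS server configured and is attempting outbound connections.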
