Home Security Cameras and Privacy Concerns

[drdm]

Hello guys,
I recently decided that I need to install a security camera at a certain place at my house and I started looking trough the options.
As far as I understood there are 2 main ones - a smart IP camera that connects to LAN/Wi-Fi and is controlled by an app or an analog solution with a DVR.
The DVR solution is not really an option for me, because it is too expensive and too complex and I need just one camera. That leaves me with the smart option.
After some research I put my finger on a TP-Link Tapo C320WS: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c320ws/
It looks cool, it has a lot of features and overall I think it will do the job.
There is however one concern, that I have: This camera records everything and streams it trough the web so it can be viewed from anywhere. But
I have no idea trough what king of server does this signal go. Does the camera act as a server itself? How secure is the whole thing overall?
It has an option for an SD card, but I not sure if it can operate on it alone. Every time I see the word cloud I tend to get suspicious.
I may sound paranoid, but in my mind, every time I click "I accept the terms and conditions." on some app, I accept the fact the my data is not private anymore.
Are there any simpler (not smart) alternatives with a comparable price? Has anyone had experience
with such cameras?
I hope my questions aren't too vague.
Cheers!

[Berni]

In 99% of cases the server is in the cloud.

Forwarding ports trough the LAN is too complicated for users. So instead these cameras connect out to the cloud servers where they wait for the application to connect. It does vary if the videos get stored on the cameras SD card or on the servers, but in either case the manufacturer can see everything the camera captured.

If you are concerned with privacy having your own DVR is the way to go. This means that you store the video on there locally and you have full control in what software you run on it. There are also cameras that will only record to a SD card with no internet connectivity. You can fit a lot of video on a SD card and the camera just keep recording in an endless loop, when something happens you pull the card out and check.

[drdm]

Great answer!
Now I only need to find such a "dumb" camera, because it seems they are a bit hard to find. The market is flooded with "smart" ones!
Any recommendations on that front? 

[tom66]

ANNKE make some good DVRs, I have one of their 4 channel ones.  When I bought it, it was about £50 GBP which included 2x 720p bullet cameras.  HDD was an extra £40 if you want storage.  Still working OK, but the bullet cameras died somehow...possibly my fault as I added a battery to it for backup power.  Replacement camera (960x1080 "1080p-Lite") was not too much though.

These cameras use analog signalling for the video, it is essentially a modified non-interlaced PAL-type composite signal with a chrominance burst of 12MHz at the start of each line and up to 1080 lines.   I believe it's called HD-CVI.  Anyway, the benefit is all the video goes down a coax, no need for Cat5 etc.   Commands can also be sent to the cameras to adjust image over the same connection.  They do need a separate 12V power supply though, but most cable kits include these into a single run of cable with a Y-breakout at either end.

[onesixright]

I was in the same boat. I basically trust no-one when it comes to camea's. There are obviously privacy concern, but camera's can also be an "attack vector" to get in your network.

I solved it as follows:

- Window 10 (Lenovo M720Q) box with Blue Iris (=CCTV server) 
- All TCP/IP camera's (wired) (could be wifi if they would do WPA2)
- All camera's are on its on (CCTV) VLAN (which can not connect to the internet). Since its on it own VLAN, even my normal LAN can not access the camera's directly.
- (on demand) VPN connection to my WAN, which can connect to the BI server. So outside my LAN I can access the camera's on my phone.

Hope this can help you.

[dietert1]

We started with two Full HD POE IP cameras and used a POE switch and an application on a notebook to run them. Half a year later we bought a Hikvision digital recorder and two more cameras. The recorder supports POE and is connected to our private network by cables (DSL subcriber line). I managed to configure the recorder as server and using a cheap DNS alias we can inspect the recorder from the web. It has a true hard disk and is running more than 1500 days now, mostly unattended. Although the cameras support motion detection, we use continuous recording and it keeps the last week on disk with complete coverage.

Regards, Dieter

[Bicurico]

I own several Tapo products and for the price they are pretty good.

They are compatible with Google Home and you get an app that controls cameras, lights and plugs of the Tapo series.

The video is ONLY stored on the MicroSD card which you have to buy and insert yourself. This has a drawback: if you get robbed and robbers steal the camera, they will take all the footage with them.

Tapo offers a paid subscription to have the video stored on a cloud, also. I have not used this.

The main issue, in my opinion, is that if you get hacked (aka somone steals your login and password), the attacker can see what is going on.

This, however, applies to any video surveillance: once you are recorded naked on video, the footage can be stolen and used against you. The only secure way is to not record video in the first place.

I have a total of 9 Tapo cameras on three premises, along with two lights and two plugs. I would not like to miss the surveillance and home automation. Especially for the little investment requires vs. the functionality.

The most important aspect is that you start by thinking what your goal is and if you want to expand the system. Tapo is not the only brand around and the dumbest thing to do is to mix products from different manufacturers.

Forgot to mention that Tapo products connect mainly through WIFI, which in my case was ideal, as I had not to worry about cables, apart from mains.

Regards,
Vitor

[Cerebus]

If you've got something that will act as a file server then the Hikvision IP cameras can be set up to stream to that and go nowhere near "the cloud". I believe the same to be true for a lot of the more reputable inexpensive Chinese brands. If you need more control, look for cameras that support the ONVI* standard (Hikvision do) and hunt down free/open software to manage them via ONVI.

I'm just at the stage of investigating this stuff myself to pick out a PoE IP camera to experiment with interfacing to Home Assistant.

*Open Network Video Interface

[fordem]

Analogue cameras with a DVR are "older technology", they are being replaced by "ip cameras", cameras that use ethernet cabling and ip protocols to send their data to whatever device you choose.

Depending on the camera you choose, you can store the video on an internal SD card, and have the camera act as a server, no cloud necessary, most ip camera manufacturers offer some sort of cloud service which makes it easier for the "non-network-savvy" individuals to set the camera up and access it remotely, but you don't have to use these cloud offerings if you don't want to.

I ran a Hikvision ip camera with no storage for several years, it was nothing more than a way to see who was outside my front gate without getting up from my desk.

[LaserSteve]

WD makes a family of hard drives called "purple" for security DVRs. Highly recommend you spend the extra 25% for them.  The reasonably secure Linux used in the low end DVR doesn't do much in the way of wear leveling. Its worth it to get a tougher drive.

Steve

[fordem]

Isn't wear leveling specific to solid stated drives?  There are surveillance specific hard drives, but as far as I know the differences between a surveillance drive and desktop drive is that the surveillance drive is built to withstand the 24/7 constant use of a surveillance system, as compared to a desktop drive which gets intermittent use - read a file, idle, write the modified file.

I find the "WD purples" overpriced, surveillance hard drives (both magnetic and solid state) are available from other manufacturers with similar capacities at more attractive pricing - I'm running Seagate SkyHawks.

[drdm]

Thank you all for the great answers!
I have an old PC that I don't use, so I think I will go with the idea of an IP camera and setting up a server myself.
Other option is to expand the project to cover the whole yard and go with the good old DVR.

[Bicurico]

Old PC as a video surveillance Server seems a bad idea to me.
Will you be using a safe and updated OS?
What is the power consumption of the old PC vs dedicated surveillance hardware?

[tom66]

Agreed.  My DVR pulls about 5 watts including HDD.  Every camera an additional 2 watts when IR is on, 0.5 watts when IR is off.  So you would be racking up a big power bill.  At 30c/kWh a PC using 60W continuously will cost you $157 per year in electricity alone, so even if you had to buy a $100 DVR you'd be cost neutral by year's end.

[onesixright]

Old PC as a video surveillance Server seems a bad idea to me.
Will you be using a safe and updated OS?
What is the power consumption of the old PC vs dedicated surveillance hardware?

How old is old?

The added functionality you're getting is so much better. For example: running BI with DeepStack (https://www.deepstack.cc | AI object recognising) beats a lot of false notifications. Using the built in motion detection of most camera's is not great (to say the least). I had them trigger on basically every thing, cloud (shadows), trees, etc.  The Deepstack makes it so much better, I nearly removed all false positives.

An I5 under full load runs ~ 50 watts. Just make sure you use SSD's.

Since the sensitivy of the data, I would always make sure you shield that PC or NVR in proper fashion. Nothing is safe.

Just my 2 cents.

[Halcyon]

If you're thinking of using your own hosted solution, consider whether or not your cameras and the NVR machine actually needs internet access. If you're happy keeping it all local, set everything up in their own VLAN and block internet traffic to/from it.

[jonpaul]

Assume any consumer camera connected to the cloud can and  will steal all your videos and info and send the IP address, video stream, location info etc  to:

1/ Your local/state/federal or other government for legal and surveillance .... Check the EULA...and cases of criminal prosecutions based on government stolen videos.

In USA Letter agencies....NSA, CIA, DIA, FBI
UK GCHQ
France DGSE, DGSI, ANSSI

etc.

2/ Foreign governments  and enemies such as  Russia, China, Iran for cyber war and other purposes

3/ Your Camera manufacturer and its cloud  website host for monetization

"You have no privacy anyway..get over it! "

 Scott McNealy, CEO Sun Microsystems 1999

_________

For security cams in a critical area, we used USA made Pelco PoE  HD full motion cams  wired Ethernet LAN

Highly recommended: https://www.pelco.com/products/cameras/

We used a dedicated NAS with 16 TB records. Most NAS  have fine camera apps.

The NAS is airgapped from the net or a powerful firewall used to isolate.

Just my experience,

Jon

[Bicurico]

While I generically agree with you, I think that "Assume any consumer cam oconnected to the NET will steal all your videos and info and send the IP adress, video stream, location info etc" is a bit excessive.

Recording all footage 24/7/365 of all consumer cameras in the world would generate huge data, plus you would notice the external access to your cameras by looking at the router data rate.

But yes, I do believe that agencies (US or China) could access the camera if they wanted or needed it.

On the other hand: "they" could enter your router/network/VLAN as well. Who knows what backdoors are left in the firmware of your router, access point or network card. Heck, even your computer's BIOS or chipset might have some low-level door open.

If we go on with maximum paranoid level, then we should realize that those same agencies can access our mobile phones remotely, including camera and mic.

Considering how many phones and consumer surveillance cameras are being sold and used, I think that automated large scale monitoring is not feasible due to the amaount of bandwidth, storage and CPU power required. Hence I do not worry too much. But when I want privacy, I make sure to switch cameras off.

By the way: with new electricity meters employed by the energy providers, the new feature to make remote readings for billings, can and will be used to monitor what you are doing. They could even measure what TV channel you are watching, considering that different luminosities have a relationship to the power consumption of the TV. Officially this is to best serve you and make extrapolation for power generation.

It is no coincidence that goverments and secret labs/agencies use special shielded rooms.

So, coming back to topic: if you are not too paranoid, a consumer camera for 30£/€/$ will do the job easy, convinient and cheap. The more paranoid you get with privacy and security, the more money your solution will cost and still you can never be 100% sure that "big brother is not watching you".

The best privacy is to not have any camera, as I already said.

Cheers,
Vitor

[jonpaul]

Victor, 100% agree.

Most phones , computers tablets have embedded HW/FW/SW backdoors.

Storage of Penta-Exa bytes of  data is no longer an  issue.

So Scott Mcnealy's aphorism is even more valid.

The Pelco cams cost $1000 each x 6 and the QNAP/Synergy 6-8 bay NSA perhaps 400-800 plus the HDD/SSD.

System mentioned was perhaps $10K total.

Jon

[dietert1]

German police is right now trying to ban Tesla cars from entering certain government facilities due to safety concerns. Those cars with their built in video cameras might be used to watch and obtain intelligence where nobody is supposed to watch..

Regards, Dieter

[Cerebus]

Storage of Penta-Exa bytes of  data is no longer an  issue.

Moving it over consumer broadband/mobile data connections is still an issue. When you're talking about video cameras you're talking about 4 to 25 megabits per second, per camera, after compression. People notice that kind of drain on their resources. Plus anyone with a decent firewall at home would spot it almost immediately. Secret government surveillance tends to try to be exactly that, secret, so they don't do things that would make it immediately obvious to a large group of people.

There's sensible caution and skepticism about what governments will/do do with our data regardless of the strict legalities of doing so, and then there's wearing a tin foil hat.

[SiliconWizard]

With surveillance cameras, think of your own privacy, sure, but also think of the privacy of others.
Is it going to run at all times or only when you are away and nobody's supposed to be there?
I would hope it's not the former, but if you really want that for some reason, please inform your visitors. That would be common uh... courtesy.

[Berni]

Storage of Penta-Exa bytes of  data is no longer an  issue.

Moving it over consumer broadband/mobile data connections is still an issue. When you're talking about video cameras you're talking about 4 to 25 megabits per second, per camera, after compression. People notice that kind of drain on their resources. Plus anyone with a decent firewall at home would spot it almost immediately. Secret government surveillance tends to try to be exactly that, secret, so they don't do things that would make it immediately obvious to a large group of people.

There's sensible caution and skepticism about what governments will/do do with our data regardless of the strict legalities of doing so, and then there's wearing a tin foil hat.

Security camera footage is much much more compressible than your typical youtube video. Most of the time nothing is happening so you don't need to save much frame data if every frame is near identical. To save even more space cameras typically do motion detection locally, so it might be only recording for a handful of minutes per day in a quiet area. They know people have crappy internet so they have to work around it in order to avoid unhappy costumers when videos are garbled or missing in the phone app.

If the camera stores footage in the cloud then it is going to be barfing loads of data into the internet anyway, if you don't see a lot of traffic from it means your camera is broken. If the footage is sent from the camera on demand (Like when you open your browser or phone app) then they could still store the footage as it flows to the server and is forwarded onto your phone. Heck they could even pack in other footage you didn't request since they are sending a big pile of data anyway. They could also pack in spinets of data in keep alive packets that it sends to the server so that they can notify you if your camera went offline. This was one of the ways they caught cheaters on WordOfWarcraft, the game would grab random parts of its RAM area and tack it onto some genuine data packets, the server would then reassemble it slowly over time and a detection algorithm was run over it to find anomalies and ban the cheaters.

It is not just about the government scraping data together (well in places like China it is a big deal tho) but it is about trusting the company running the service. Lots of companies have questionable security practices and suffer being hacked into all the time. Once the servers of such an always online IoT appliance are hacked they could even potentially push out a malicious firmware to them, effectively from the inside infiltrating millions of networks around the world (Okay sure you have VLANs.. good for you, most people don't as they don't even know how to open ports on a router)

[Cerebus]

The context was Jon-Paul's remarks about deliberate "embedded HW/FW/SW backdoors". You don't hack a whole nation's private security cameras without someone noticing.

[Kleinstein]

The context was Jon-Paul's remarks about deliberate "embedded HW/FW/SW backdoors". You don't hack a whole nation's private security cameras without someone noticing.

Backdoors (or poorly secured service access) and severe security flaws do exist in common products. As there is normally not much probing is done they do det unnoticed for quite some time. About the worst contenders here are DSL modems and similar. They kind of need a regular fix for bugs comming up on a more or less regular basis and they are at a vulnerable spot. A camera is ideally used behind some kind of firewall that isolates it from most attacks.

[TomKatt]

There appears to be 2 fundamental uses for security cameras - DVR type setups for archival recording and "Live" broadcasting for remote observation.

If remote access is not required, a reasonable level of security can be achieved via segregated networking etc as someone mentioned earlier.

If remote access IS required, all bets are off and you have to decide whether the risk of having your camera accessed by others is a priority.  You can take steps to minimize rogue access, but you cannot fully prevent it.

We have 2 cameras set up for remote observation of our dogs while we are at work.  If anyone hacked into my feed they'd just get bored.  And if they want to watch me come out of the bathroom in a towel, thanks for making me feel better about myself lol.

[Berni]

The context was Jon-Paul's remarks about deliberate "embedded HW/FW/SW backdoors". You don't hack a whole nation's private security cameras without someone noticing.

The S in IOT stands for Security.

It is usually more along the lines of unintentional security holes due to bugs. There are many software layers that build the functionality of these products. Often some of these layers contain exploitable bugs or are just configured to work with each other in a bad way that causes problems.

To make things worse these things often run very old versions of these software layers. It might run a very old linux kernel because that's what they had running on the SoC they use (as its likely a old chip that they could get dirt cheep) that then runs various software stacks that might not be fully up to date to begin with (as they might be reusing old code from previous cameras) that is then left running in the camera for many years and never updated.

As a result bugs get found here and there, make it out into the wild and eventually a bad actor will use those to exploit the devices since they ware never updated to fix them.

[Miyuki]

Exactly, most of those "smart home" devices are like a good swiss cheese
If customers are not interested in security why would the manufacturer invest its money in any fixes
And most of the firmware is done by a swarm of third world programmers who have no idea or interest in what they are doing (just have to do it cheaply)
People will even happily accept EULA with sh%ts like all data can be used for whatever reason, just no one cares or reads it.
Just look what things like Alexa do with all it hears, people do not care about their privacy

And that huge hole in your network it provides all attackers, it just exposes all the internal network
I do not even want to know how big a portion of those devices are in some kind of botnet

[Red Squirrel]

I would never install anything that requires cloud or an app, it's not future proof and it's basically a black box that you have no control over, not to mention, the privacy issue.  Unfortunately it's getting harder and harder to find normal locally managed cameras now days.

It seems lot of tech is going in that direction now too and I hate it.

[Miyuki]

I would never install anything that requires cloud or an app, it's not future proof and it's basically a black box that you have no control over, not to mention, the privacy issue.  Unfortunately it's getting harder and harder to find normal locally managed cameras now days.

It seems lot of tech is going in that direction now too and I hate it.

Because app and cloud is so cool.
I now work on one product, not cloud-based, but have a local wifi connection.
I recommended them a simple web config interface (that will conveniently work on any platform) and what was the response.
We need and fancy looking app  to set password and a few values