EEVblog Electronics Community Forum
General => General Technical Chat => Topic started by: soldar on January 29, 2019, 08:34:37 pm
-
For about six years now I have been using several cheap IP cams bought on eBay direct from China. I can see them on my LAN but only with an old version of Internet Explorer. It seems like they need some plugin or activeX or whatever and I cannot get them to work in Firefox.
I have an IP recorder and it records the video over LAN without problem.
If I want to see the cameras over the Internet I need to also use IE and I go to website xmeye.net, log in to my account, and have access to all my devices. That website I believe is in China and sometimes is slow or non-responsive.
Also it seems DNS servers in different countries have different IP addresses for that same site name. Sometimes only http works, sometimes only https, sometimes https gives certificate error.... it is all a big PITA. All this is getting more and more complicated and will soon be unsustainable.
The cameras supposedly support and comply with ONVIF (https://en.wikipedia.org/wiki/ONVIF) which is a standard for these things.
I think the xmeye site only puts in touch the devices with the viewer. The cameras log in and that site knows their IPs. When I log in it tell my application where to find the cams and then the connection is direct with the cameras and not through that server. I know of that site because it came with the cams when I bought them.
First question: How and where can I find a similar site that will allow me to see my cameras? Preferably not located in China. I suppose I might have to configure the cameras to log in to somewhere else. I would have to look into that. I assume this is something relatively common and there must be other sites.
Second question: How can I see the cameras on my computer not using Internet Explorer? Ideally I would like to use Firefox so that I can use it also with Linux.
-
I have been looking into this and it seems it all might be a lot more proprietary than I thought at first.
In the camera configuration I see no place to change the cloud server so I assume it must be hard coded. First bad sign.
Then I see these cameras have vulnerabilities and have been hacked.
Millions of Xiongmai Video Surveillance Devices Can be Hacked via Cloud Feature (XMEye P2P Cloud) (https://sec-consult.com/en/blog/2018/10/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud/)
I guess one way to deal with the problem (besides setting them all on fire) would be to isolate them from the Internet with a firewall. Then I could only access them from the Internet if I VPN into the LAN.
I need to think about this.
-
Keep in mind that these often send your video streams out over the internet in the clear. Also they often have the same hardcoded root password for busybox across all devices. I wouldn't trust them as far as I can throw them!
-
As you've discovered, these cameras have everything hardcoded into the firmware itself and the exact system they use is proprietary. Most of them run a modded ancient version of Linux and a pile of binary only executables. No source is available. You'll need to redirect it in your router or mod the firmware if you did want to redirect their cloud connection.
I'd strongly suggest isolating the cameras from the rest of your network and from the internet if you can. The security of the firmware is usually very bad as shown in that article and you don't want a remote vulnerability to allow attackers into your LAN. The same applies to these cheap IP recorders as they're not known for having good security either.
I'd also suggest uninstalling that ActiveX plugin or limiting usage of IE for only accessing your cameras. Some of the plugins allow access to your local filesystem and have the usual remote execution flaws. They don't have any restrictions on which sites they can be loaded on either. Chances of anything exploiting it are probably slim but still best to be safe.
Isolating them to a separate VLAN which has no internet access, setting up a VPN for remote access and using a mobile app for your IP recorder for remote viewing are the best options IMO if you want to keep these cameras.
-
I suggest you think twice connecting such cameras to internet. In most of them security is nonexistent.
https://www.youtube.com/channel/UCz06YC8mlKkDHlqwiG4HDbw/videos (https://www.youtube.com/channel/UCz06YC8mlKkDHlqwiG4HDbw/videos)
Some of them have built in speaker speakers, example:
https://youtu.be/YeoH69pkvBs (https://youtu.be/YeoH69pkvBs)
-
I was given a Tenvis rotating camera to test.
I put back to factory defaults.
I had it on for a couple of hours and then it started to move.
I checked the firewall and it was making outgoing connections with some traffic despite not finding anything in settings to indicate a remote recording and to turn it off.