Security Analysis of a Cheap Chinese IoT WiFi Camera (eriknl.github.io)
12 points by milankragujevic on Nov 9, 2019 | 5 comments


I had that camera, and got root access in 30 seconds (user: root, password: [blank] in my case, it was DOG-1WNEW)

https://i.imgur.com/jZYxETN.png

I returned it to the store for a refund. No way such a thing is going anywhere near my network or my home.

Also, it seems the manufacturer Cylan has not learnt anything, as new models also have gaping holes: https://github.com/offensive-security/exploitdb/blob/8cbfa5d...

Shenzhen Cylan Technology Co.,Ltd - https://www.crunchbase.com/organization/shenzhen-cylan-techn...

The offending camera: http://www.jfgou.com/camera/camera-wifi2/

A teardown: http://sirlagz.net/2017/11/20/reject-shop-special-home-secur...
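The finding in the comment above (root login with a blank password) is the kind of defect that is easy to check for once a firmware image has been extracted. The following is an added example, not code from the commenter or from the linked analysis: it parses /etc/passwd and /etc/shadow style files and reports accounts that can log in with no password at all. The sample entries are constructed for the example and are not taken from the DOG-1W firmware.

```python
"""Audit passwd/shadow entries from an extracted firmware image for
accounts that can log in without any password."""

# Constructed sample files (not from any real camera firmware).
# root has an empty password field directly in passwd;
# guest defers to shadow ('x') but the shadow hash field is empty;
# daemon is locked ('*'); admin has a real hash.
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
admin:x:1000:1000:admin:/home/admin:/bin/sh
guest:x:1001:1001::/:/bin/sh
"""
SAMPLE_SHADOW = """root::10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
admin:$1$abcdefgh$ijklmnopqrstuvwxyz0123:10933:0:99999:7:::
guest::10933:0:99999:7:::
"""

# Values in the password field that mean "no usable password here".
LOCKED_MARKERS = {'*', '!', '!!'}
SHADOW_MARKER = 'x'


def parse_colon_file(text):
    """Map the first field (username) of each non-empty, non-comment line
    to its list of colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        entries[fields[0]] = fields
    return entries


def find_passwordless_accounts(passwd_text, shadow_text=''):
    """Return a sorted list of (user, reason, shell) for every account whose
    effective password field is empty, i.e. login succeeds with no password."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        if len(fields) < 7:
            continue  # malformed line; not an account we can reason about
        pw_field, shell = fields[1], fields[6]
        if pw_field == '':
            findings.append((user, 'empty password field in passwd', shell))
        elif pw_field == SHADOW_MARKER:
            sfields = shadow.get(user)
            if sfields and len(sfields) > 1 and sfields[1] == '':
                findings.append((user, 'empty password hash in shadow', shell))
        # a hash or a locked marker in passwd itself needs no further check
    return sorted(findings)


if __name__ == '__main__':
    for user, reason, shell in find_passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f'{user}: {reason} (shell {shell})')
```

On a real image the two files would be read from the unpacked root filesystem; the shell column matters because an account with an empty password but a non-interactive shell is still a finding, just a less immediately exploitable one.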


I'd be interested to know if these types of cheap cameras are safe to use after fixing / replacing the default firmware, or whether the hardware itself has some kind of backdoors to allow easy exploits even if the firmware is updated.


Yup. There’s even a community helping.

Xiaomi DaFang Hacks / XiaoFang 1S / Wyzecam V2 / Wyzecam Pan / Other T20 Devices

https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks


It's common practice to put these devices on their own VLAN that is completely isolated from network access, except for the controller device (NVR, etc).

I'd consider these items completely and utterly unfit for purpose, even these from branded manufacturers.


Well, AFAIK, the so-called Cloud cameras that don't require (nor support) an NVR must be allowed to call home, whether for setup or regular functioning. They don't do anything inside the LAN. That way they can be easily watched from anywhere, as they don't require open ports on the router, and can work even behind CGNAT. The obvious downside is the video is sent to the company's servers, and given how cheap the device is and how expensive storing and streaming video is, you can bet they're monetizing it somehow...
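The two comments above describe the same control from both sides: an isolated camera VLAN where only the NVR may talk to the cameras, and a cloud camera whose normal behaviour is to call home. The following is an added example (not code from any commenter) that checks connection records against that isolation policy and labels each flow as allowed, call-home, lateral movement inside the LAN, or unexpected inbound traffic to a camera. The addresses, the camera VLAN, the NVR address and the flow records are all constructed from the RFC 5737 documentation ranges; the flow format (timestamp, source, destination, destination port, protocol, one connection initiation per line) is an assumption for the example.

```python
"""Check connection records against a camera-VLAN isolation policy.

Policy (assumed for the example):
  - cameras live in CAMERA_VLAN and may initiate connections only to the NVR;
  - anything from a camera to an address outside the LAN is a call-home;
  - anything from a camera to another LAN host is lateral movement;
  - only the NVR may connect in to cameras, and only on RTSP/HTTP.
"""
import ipaddress
from collections import Counter

CAMERA_VLAN = ipaddress.ip_network('192.0.2.0/24')        # assumed camera VLAN
MGMT_VLAN = ipaddress.ip_network('198.51.100.0/24')       # assumed NVR / management VLAN
LAN_NETWORKS = (CAMERA_VLAN, MGMT_VLAN)
NVR = ipaddress.ip_address('198.51.100.5')                # assumed controller address
ALLOWED_INBOUND_PORTS = {554, 80}                         # RTSP and ONVIF/HTTP from the NVR

# Constructed connection records: "timestamp src dst dport proto", one per initiation.
SAMPLE_FLOWS = """2019-11-09T10:00:01 198.51.100.5 192.0.2.20 554 tcp
2019-11-09T10:00:05 192.0.2.20 203.0.113.8 443 tcp
2019-11-09T10:00:07 192.0.2.20 203.0.113.8 8000 udp
2019-11-09T10:00:09 192.0.2.21 198.51.100.77 22 tcp
2019-11-09T10:00:11 198.51.100.77 192.0.2.21 23 tcp
2019-11-09T10:00:13 198.51.100.77 198.51.100.5 443 tcp
"""


def in_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def classify_flow(src, dst, dport):
    """Return one verdict string for a single connection initiation."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_cam, dst_cam = src_ip in CAMERA_VLAN, dst_ip in CAMERA_VLAN
    if not src_cam and not dst_cam:
        return 'not-camera'          # outside the scope of this policy
    if src_cam and not dst_cam:
        if dst_ip == NVR:
            return 'allowed'
        return 'lateral' if in_lan(dst_ip) else 'call-home'
    if dst_cam and not src_cam:
        if src_ip == NVR and dport in ALLOWED_INBOUND_PORTS:
            return 'allowed'
        return 'unexpected-inbound'  # e.g. telnet from a workstation
    return 'camera-to-camera'        # intra-VLAN; policy above does not need it


def audit_flows(text):
    """Parse flow lines and return (verdict counts, list of violating lines)."""
    counts = Counter()
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        verdict = classify_flow(src, dst, int(dport))
        counts[verdict] += 1
        if verdict not in ('allowed', 'not-camera'):
            violations.append((ts, src, dst, int(dport), proto, verdict))
    return counts, violations


if __name__ == '__main__':
    counts, violations = audit_flows(SAMPLE_FLOWS)
    print(dict(counts))
    for v in violations:
        print(*v)
```

Run against real exports (NetFlow/IPFIX summaries or firewall logs reduced to the same five columns), the `call-home` verdict is exactly the traffic the last commenter describes: for a cloud-only camera it will appear immediately after boot, which is the point at which one decides whether that traffic is acceptable or the device is not.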




