
It’s pretty shocking but most IP cameras can be accessed with nothing more than their serial number. Here’s a somewhat recent DefCon talk about it: https://m.youtube.com/watch?v=Z_gKEF76oMM

I use Reolink cameras; in the admin interface there’s an option called UID. Turning that off (theoretically) disables the backdoor. I have my cameras and NVR (which is actually just a Python script on an old laptop that uses ffmpeg to capture streams) on their own airgapped LAN so I don’t have to worry about blackhats or the CCP using backdoors to watch my kids.



Well, most IP cameras cannot be accessed this way when you look at the global pool of IP cameras. However, many of them on Amazon, particularly from OEM companies like Reolink that are more of a custom relabeller vs. a real camera manufacturer, have all kinds of backdoor access methods.

Best practice is to put your IP cameras on a separate isolated network, connected to a dual-NIC recorder/PC running trusted software (e.g., not some random DVR/NVR on Amazon) for recording and viewing. This is not a perfect solution, but it at least takes you far away from the path-of-least-resistance pool of devices with weak cybersecurity that are prone to various exploits.


Can't you just use VLAN tagging and firewall rules?


You sure can. And as a result you will get...

> a separate isolated network


They specifically called for dual-NIC.


As an extension of their suggestion. There’s no mystery here.


Yes, of course. Though most people who understand that are already doing things to mitigate exposing these devices to open internet access. My comment was targeted more towards anyone who might not have considered the risks, or might not be comfortable with virtual segmentation vs. physical segmentation.


And this is why my Reolink cameras are on a subnet without access to the internet. The only thing it can reach is my home assistant and open source NVR.
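
Added example, not part of the thread: one way to verify the isolation described in the comment above is to audit flow records and flag any camera-subnet traffic that goes anywhere other than the NVR and Home Assistant. The subnet, host addresses and record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed addressing plan (hypothetical; adjust to your own network).
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED = {ipaddress.ip_address("192.168.50.10"),   # assumed NVR
           ipaddress.ip_address("192.168.50.11")}   # assumed Home Assistant
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records, one per line: "src dst dport proto".
SAMPLE_FLOWS = """\
192.168.50.21 192.168.50.10 554 tcp
192.168.50.22 192.168.50.11 8123 tcp
192.168.50.21 203.0.113.40 443 tcp
192.168.50.23 192.168.1.5 445 tcp
192.168.1.5 198.51.100.7 443 tcp
192.168.50.22 255.255.255.255 67 udp
not-an-ip 192.168.50.10 554 tcp
"""

def classify(dst):
    """Return None for permitted destinations, else a violation label."""
    if dst in ALLOWED:
        return None
    # Assumption: broadcast/multicast (DHCP, discovery) is ignored here.
    if dst.is_multicast or dst in (CAMERA_NET.broadcast_address,
                                   ipaddress.ip_address("255.255.255.255")):
        return None
    if dst in CAMERA_NET:
        return "camera-to-camera"
    if any(dst in net for net in RFC1918):
        return "other-internal"
    return "internet"

def audit(text):
    """Return (violations, skipped_lines) for flows sourced in CAMERA_NET."""
    violations, skipped = [], []
    for line in text.splitlines():
        parts = line.split()
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
            dport = int(parts[2])
        except (IndexError, ValueError):
            skipped.append(line)        # keep malformed records for review
            continue
        kind = classify(dst) if src in CAMERA_NET else None
        if kind:
            violations.append((str(src), str(dst), dport, kind))
    return violations, skipped

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```
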


This internet of things future is frightening. I don't feel comfortable buying any new product.


Best practice is to remember that intelligence means optimizing for some state of the world. If you have a "smart" product, it may not be optimizing for your preferred state of the world. Most commonly, it's not even optimizing for its manufacturer or vendor's preferred state of the world, because we don't truly know how to design a specific intelligence yet.

Our best efforts are just kind of putting in some objectives and hoping they don't get goodharted too badly.



