These cameras are extremely suspicious -- just follow the money. I bought some cheap Chinese cameras in 2020 that by default send the video stream to a Chinese server, which you can watch with an app on your phone. The cameras were about $40 on Amazon, so my guess is the manufacturer was getting paid maybe $15-20 for them.
Bandwidth to and from China is not that cheap, and you could be running this stream 24x7. The streaming service still works 4 years later even though the company whose name is on the camera has vanished.
So, who is paying the server/bandwidth bill? The camera is too cheap to afford indefinitely providing this service, so you can only presume that you're paying in another way. Probably there is some third party in China that the camera manufacturer makes a deal with. The camera manufacturer may even be getting paid to pick a particular provider.
Something worth keeping in mind is that Chinese factories that make things like IP cameras don't typically have their own (significant) R&D departments and instead work from examples provided by the makers of the chipsets. Sometimes there will be another company involved that provides an "IoT ecosystem" (Tuya is a major player here: https://www.tuya.com/solution/hardware/ip-camera ).
So it's not necessarily surprising that the backend still works even if the manufacturer (Amazon brands are not typically the factory themselves, for practical reasons frequently changing "brand names" are used) is no longer present.
Since the topic of the article is about reverse engineering, I think it is extremely important to remember this. R&D time is very expensive. As people predominantly in CS, we should be aware of this, as this is typically how we are classified. And I think everyone innately knows how much more difficult it is to create something from scratch, the help you get just by having a reference, and how much easier it is to copy (or modify) when you have the thing in your hands (or source).
And it is worth noting that prices are vastly different in China. Labor is much cheaper and licenses aren't respected. The cost of living is cheaper so a smaller profit margin goes a much longer way. As tfa mentions, there are identical cameras sold by different manufacturers. It is unclear if this is typical reskinning or designs being taken. Both significantly reduce the cost of things. I have no idea how much hosting costs in China.
For a lot of them, the stream is just a relay to create a connection between you and the camera via UPnP or something similar. They aren't actually footing a bill for all the bandwidth.
That may be the case for live viewing, but those that record longer term generally do it to a server out there. I have some from a company called Yi that I now refuse to use: they used to support local recording to SD card instead but that broke and the support answer seems to be “use the remote recording”, the remote recording only supports a short time window unless you pay a subscription, and they started flooding the app with adverts if you don't pay for the sub in any case. The streams are non-standard so the cameras require custom firmware to make work with open source solutions, so I've just bought some better cameras that are said to work out of the box. Now I just need to get around to setting them up…
I bought one on AliExpress for just under 18 EUR. Mine works similarly, that it streams to some server in the cloud. I knew this, and only connected it for testing a little bit and made sure to not put my face or any of my documents etc in view of the camera.
The company behind the one I bought does seem to have a slightly better business model though. With them you can use it free to see live or you can pay them a monthly fee for recordings.
As for me my plan is to put it on a LAN without internet access and figure out how to get the video locally.
I use a Raspberry Pi to run a Tailscale subnet router on the LAN. I installed some cheap IP cams but blocked all Internet access so they can only access my LAN. With the Tailscale subnet router I can still get remote access to the camera streams from my phone.
Make sure to also specify a domestic NTP server - it may refuse to work until the time is synced, and most of the cheap cameras I looked at sync time with China by default.
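A way to check the isolation described in the two comments above (cameras blocked from the Internet, time served from a local NTP server), as an added example that is not part of the thread. The camera subnet, the CSV record format and the sample records are constructed assumptions; a real firewall log needs its own parsing step.

```python
"""Audit flow records from a camera subnet that is supposed to be LAN-only."""
import ipaddress
from typing import NamedTuple

# Assumptions for this example: subnet layout and the CSV record format.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP discovery multicast

# Constructed records: time,src,dst,proto,dst_port,action
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for
# Internet hosts, so LAN_NETS is listed explicitly instead of using is_private.
SAMPLE_LOG = """\
2024-06-01T10:00:01,192.168.50.11,192.168.50.1,udp,123,accept
2024-06-01T10:00:02,192.168.50.12,203.0.113.10,udp,123,drop
2024-06-01T10:00:05,192.168.50.12,198.51.100.7,tcp,443,drop
2024-06-01T10:00:09,192.168.50.13,198.51.100.7,tcp,8000,accept
2024-06-01T10:00:12,192.168.50.11,239.255.255.250,udp,1900,drop
2024-06-01T10:00:15,192.168.1.20,192.168.50.11,tcp,554,accept
garbage line without enough fields
"""

class Finding(NamedTuple):
    camera: str
    kind: str      # "egress", "ntp-external" or "upnp-discovery"
    dst: str
    port: int
    action: str    # what the firewall did: "accept" or "drop"

def classify(dst, proto, port):
    """Return a finding kind for a camera-originated flow, or None if benign."""
    if any(dst in net for net in LAN_NETS):
        return None                      # traffic stays on the LAN
    if dst.is_multicast:
        is_ssdp = dst == SSDP_GROUP and proto == "udp" and port == 1900
        return "upnp-discovery" if is_ssdp else None
    if proto == "udp" and port == 123:
        return "ntp-external"            # camera is not using the local NTP server
    return "egress"

def audit(log_text):
    """Parse records and return (findings, number of unparseable lines)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            _ts, src, dst, proto, port, action = (p.strip() for p in line.split(","))
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:               # wrong field count, bad IP or bad port
            skipped += 1
            continue
        if src_ip not in CAMERA_NET:
            continue                     # only flows initiated by cameras matter
        kind = classify(dst_ip, proto.lower(), port_no)
        if kind:
            findings.append(Finding(src, kind, dst, port_no, action.lower()))
    return findings, skipped

def leaking_cameras(findings):
    """Cameras whose off-LAN traffic was accepted: the isolation has a hole."""
    return sorted({f.camera for f in findings
                   if f.kind != "upnp-discovery" and f.action == "accept"})

def cameras_needing_local_ntp(findings):
    """Cameras still trying to reach a time server outside the LAN."""
    return sorted({f.camera for f in findings if f.kind == "ntp-external"})

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.camera} -> {f.dst}:{f.port} {f.kind} ({f.action})")
    print("leaking:", leaking_cameras(found), "| unparsed lines:", bad)
```

Dropped egress attempts show the block is working and which endpoints a camera tries to reach; an accepted one means a rule is missing.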
A network of always on, always connected IP cameras with synchronized time and position is a perfect supplement to reconnaissance satellites. My neighbours buy and install them all over the place and it infuriates me, as their only buying criterion is "cheap". I'm investigating ways to permanently disable or cook these cameras over WiFi frequencies.
This may come as a surprise, but it's not just hackers (or China) that you need to worry about. I've worked at a couple of FAANGs (risk, privacy, compliance) and was shocked by the lack of internal guardrails. Here's Amazon Ring settling with the FTC - company's own employees were watching customer video feeds for entertainment:
I use Nest cameras at home instead of ring because based on work at Google I expect there to be strong internal guardrails relative to Ring (also heard about their lax standards), but happy to hear anecdata from (ex-)Nest engineers about potential issues.
I would love to hear from ex-Nest engineers as well about internal access. As for hackers, I remember seeing multiple Nest hacking incidents in the press a few years ago, but it appears they've hardened the system since then:
Since someone mentioned 'declouding' here, my startup (well, scaleup now) makes a few privacy-first, autonomous (no cloud) video security products - on-prem video security hub, relays for automation, cameras.
I was also getting sick of cloud-based 'smart' cameras that ping random servers in China, so we made our own 'dumb' cameras that are fast (Uniview hardware with our firmware inside).
If anyone here is interested, I will happily share more info. Always interested in product feedback.
This is exactly what I've been looking for. There's plenty of cheap RTSP and ONVIF compliant cameras coming out of China, but I trust them exactly 0%. I also don't trust US-based companies with remote access via their services. So I'm learning how to partition my home network to not allow the cameras on a VLAN to access the outside world.
But then I need to figure out how to access the video streams.. from the network my computer is on that does have access to the outside world.
I'm a firmware engineer, so I haven't touched networking since my IT job in college.
Here's a setup that works. Get PoE cameras. Get a powered switch with sufficient power to power the cameras. The cameras and the switch form their own subnet. Get a PC with two Ethernet jacks (or an Ethernet and a WiFi). Install NVR software, Blue Iris, iSpy, ZoneMinder, etc, on the PC to record and process the videos from the cameras. These programs are all good with RTSP and ONVIF, with easy camera detection via port scanning. Connect the PC to the switch on one Ethernet jack and connect it to your general network with the other one (or WiFi). The cameras are running in their little isolated subnet. The NVR PC sits between the camera subnet and the general subnet. Access from outside reaches the NVR PC only, not the cameras. You can even open the WAN firewall to reach the PC's WiFi side to access the videos from the Internet. Some of this NVR software can stream videos to outside phone apps or web apps.
Mine are ONVIF-discoverable and will expose RTSP (H264 and H265) URLs and a snapshot URL. As I mentioned, they are 'dumb' (video and snapshots are their main purpose), and it's the security hub that makes them smart. No cloud-based remote access, your data stays on your device.
If you decide to check it out, feel free to ping me (email in profile). I am proud of these things, for the reasons you mentioned :)
If your cameras are PoE, you can use an NVR that doubles as a PoE switch and can create a separate network for the cameras. Some NVRs will also relay RTSP from them so it will be accessible on your LAN. Alternatively, adding static routes to devices will allow them to see the cameras locally.
Unfortunately, the NVR will probably have the same type of vulnerabilities as the cameras in question (they come from same manufacturers).
While I share your concerns about the security implications of sending video to the cloud, the way I see it if someone's burgling my house they're probably going to steal whatever I'm using for on-prem video storage while they're at it.
And while I could secure it in an impenetrable or hidden box - if I have such a box I can put all my valuables in the box, and feel peace of mind without needing any cameras.
These are good points. The main problem we're solving for people is real-time awareness and automation/prevention. The device monitors your cameras locally (no cloud), notifies you, and/or performs actions locally (play barkingdog.mp3, close gates, turn on the lights, etc) that act as a deterrent. Even if your uplink is down.
Now, if someone's broken in, that's a different problem. You want video evidence for investigative purposes. The device is small, energy efficient (10-20W typically) and can be easily hidden (provided you supply power and LAN ethernet to it). The storage is encrypted. And we'll be introducing an option for your own offsite backup (again, optional and not centralized).
I'm really interested to hear more about your work too! I've had a few situations where IP cameras would have been ideal, but I dropped the idea after examining a handful because the firmware is invariably too awful to contemplate running.
Reading your later replies, I gathered you took a standard camera but wrote clean new firmware for it. Is the SoC on these devices supported by mainline tf-a, u-boot and kernels, or are you stuck on ancient manufacturer ('BSP') kernel forks and so on? What does the userspace you've put together look like?
I've been looking for a camera to recommend for use with my open-source NVR. [1] This sounds promising, but I have a few questions.
* What's the status of Uniview? Are their cameras allowed in the US under the 2019 NDAA? Still receiving FCC approvals since the Secure Equipment Act of 2021? Does Uniview participate in the Uyghur genocide?
* Do you have any models with large sensors, e.g. 1/1.8" or wider? I prefer good night performance if possible, which I believe requires each pixel to be physically somewhat large. There are a lot of many-megapixel cameras with 1/3" sensors out there, which aren't so great there.
* What's the pricing? Your camera page [2] has "contact us for info" instead of a price, and when that happens I usually assume it's too expensive for the DIY crowd and drop out.
1. Uniview [told me] they are NDAA compliant. Most (not all) of their NVRs and cameras are compliant. I was not aware of their involvement in the genocide, but I do see mentions of their facial recognition tech potentially being used. I don't know enough to comment.
This is their formal statement regarding their NDAA status:
2. We are now working on a new line that will have larger sensors, better low-light capabilities, better audio (2-way). We will publish more in Q4.
3. We've been working with professional installers primarily focusing on SMB, so our current 4MP (2.8mm and 4.0mm) cameras can be in $100-200 range depending on volume. 2MP cameras are sold in $80-130 range. With SMB, price hasn't been an issue. I understand this is not particularly useful for DIY, we're just preparing to start selling direct - and aiming to release cameras in $30-80 range.
You can ping me (contact info in profile) if you need more info, or how to evaluate risk-free. Just bear with me as we figure out the DIY route. :)
This is a great run down of the process to extract the firmware from these types of devices without desoldering the flash. I've done a fair amount of reverse engineering and a lot of devices have similar vulnerabilities.
I think more time needs to be spent looking into these commonly used, cheap IoT devices and educating consumers on the risks of using a poorly secured device on their network.
The upside of these vulnerabilities is that you can run your own code on these! 'Declouding' is great as it can extend the lifetime of these devices and make using them more private.
"This first difficulty was to find information about the camera. Despite having a company logo printed on its front, I could not find any information about this company on Google. I found several identical cameras being sold online, but under different brands, all of them seem to be Chinese names."
Why does this continue to surprise people? So much sketchy garbage coming out of China is sold under numerous "brands". Just look at a lot of computer stuff sold on Amazon.
I mean, there isn't much the cameras have to do. They need an SoC that can process relatively low resolution video and output it over a network. Anything complex is intended to be done through a cloud service to sell a subscription. Consumers don't want to pay for expensive cameras, so they use an OEM that has designed a super basic camera that is built in high volumes to make use of economies of scale.
I mean, what exactly do you need innovated? I have a bunch of these cheap cameras (firewalled to only be accessible via LAN of course) that are nearly 6 years old now. They stream 2K video reliably, my DVR records for me, they have excellent quality night-vision via infrared, and I can access them via VPN. What's to improve here?
Only thing I'd mention is that the old school "web server runs on camera" model is really dodgy when the average user just plugs it in, fires up a mobile app, and sees their camera - then assumes all is well.
So many security issues and exploits for those things. Hardcoded passwords, backdoors, and loads of exploits for gaining SSH or telnet access on very common models.
As much as I hate the current shift toward camera-remote server setups (and their inevitable subscription fees), I can't imagine expecting your average buyer at Amazon or Walmart to properly configure and lock those things down. At least if it only talks to Amazon or Google or whoever, you won't be able to find it in a port scan and pull an image using admin/admin or whatever.
So to avoid the risk of someone wardriving your neighborhood and hacking into your camera, it's better to...send all the data to China and trust them to protect it?
In all fairness (there are multiple precedents), a US-based provider won't protect your data (from internal employees) either. Any centralized video monitoring system is a ticking time bomb.
When I had my first child a decade ago, someone gifted me a PTZ camera that was viewable through a smartphone app.
I set it up, connected it to wifi, and it worked... for about 4 days. Resetting it didn't work. Called the company and they sent a replacement. Same thing happened.
I noticed that it had used UPnP to map a public port to itself. I never tried hitting it with anything, but I made the assumption that it was getting pwned. I threw it away.
That experience makes me agree with your assessment.
One piece of advice - when it comes to privacy and security, wired > wifi. I always recommend wiring (PoE). Jammers have recently become cheap and accessible, and burglars can now turn off whole neighborhoods.
A new-ish project for a replacement firmware for Ingenic based cameras is here https://thingino.com/ . The developers are super active and very responsive.
I love firmware projects. It's not just about the security. Manufacturer's own software is often clunky, slow, and sometimes requires browser plugins (!!!). The hardware is usually OK, it's the software that makes these products horrible.
One thing I have set up on my computer is a custom DNS server that routes traffic by default to 8.8.8.8 (Google) but allows me to route certain domains (ex. ones you want to sniff) to your own webserver. Half the time there aren't even proper SSL protocols in place, making it very easy to see what these devices are sending over.
Cheap Chinese IP Cameras: never again.
https://www.ftc.gov/enforcement/refunds/ring-refunds
Tesla's been caught doing similar things. The list goes on.
https://www.reuters.com/technology/tesla-workers-shared-sens...
https://techcrunch.com/2020/06/01/google-nest-advanced-prote...
https://monitoreal.com/pro/monitoreal-camera/
https://monitoreal.com/pro/security-assistant-spartan-i/
https://monitoreal.com/pro/monitoreal-relay/
Or, use something we've built :)
Interesting problem for sure.
My cat sometimes decides to gather his own food and not go inside for days. He does bother to check his territory for intruders.
Shady figures and actual con men ringing my bell.
Missed deliveries real or lies.
Arguments with the significant other about who said what.
A drunk Englishman sleeping in my garden and other truly hilarious footage.
[1] https://github.com/scottlamb/moonfire-nvr
[2] https://monitoreal.com/product/monitoreal-perimeter-cameras-...
This is their formal statement regarding their NDAA status:
https://www.uniview.com/us/About_Us/Legal_Notice/Notice/2020...
Wyze camera (top seller on Amazon) is a Tianjin Hualai Technology camera https://www.hualaikeji.com/en/product
Roku just rolled out a similar cube-shaped cam (you can tell by the overall design).
There's very little real innovation happening in consumer cameras right now.
[1] https://ktla.com/news/local-news/police-warn-of-thieves-usin...
[2] https://www.usatoday.com/story/tech/columnist/komando/2024/0...