Amcrest IP Camera on sale through 4/17/2016

If you are in the market for a decent IP camera with Night Vision, 2-way communication, motion sensor and PTZ controls, this Amcrest IPM-721S is a very good option. I own one and for the price it is very impressive!

On sale for $59.99 (25% Off) through 04/17.

2 Likes

How is the SmartThings integration?

Not good (or none) at the moment. I am creating a device type now and should be releasing it this weekend.

2 Likes

Careful with this camera. Its triggered monitoring functionality works by uploading videos, unencrypted over the internet. If you look at traffic with something like Wireshark, you’ll see packets like

3054    19.206767   ec2-54-81-2-137.compute-1.amazonaws.com 192.168.2.98    FTP 86  Response: 220 (vsFTPd 2.2.2)
3056    19.209820   192.168.2.98    ec2-54-81-2-137.compute-1.amazonaws.com FTP 81  Request: USER cam12345
3059    19.236939   192.168.2.98    ec2-54-81-2-137.compute-1.amazonaws.com FTP 83  Request: PASS 1a23456b
3074    19.416028   192.168.2.98    ec2-54-81-2-137.compute-1.amazonaws.com FTP 101 Request: stor 2016-1-2-03-04-05-AmcFtp.mp4

showing how the video is uploaded by ftp, with a clearly readable password. As recently as December, there was another security flaw, whereby an outsider could obtain access to a live feed. See this review on Amazon.

In truth, exploiting these flaws does require some sophistication, and the risk might be low, but you can buy cameras without such issues, so it’s not a risk you have to take.

It’s not a hard and fast rule, but you’re generally better off with cameras from better known brands, as they’ve been subject to greater scrutiny.

3 Likes

Yes, there were/are bugs but they have fixed some of these already, but making sure your system is secure is definitely an important aspect of any internet-facing device. I have not seen any passwords “in the clear” in my Wireshark traces, but my research was not exhaustive and I do not use FTP.

I agree with this sentiment, but I would point out that Amcrest is just a division of (and created by) Foscam, who are pretty well known:

I would also point out that the internet is full of security vulnerabilities for many IP cameras, including Foscam.

I am not trying to discount the warning… just pointing out that this is true for many “well known” brands.

I agree that it’s impossible to be completely safe, though I’d probably be more confident in a company that is strongly identified internet security or networking.

Foscam is fairly well known, though not as well known as, say Google or Netgear, who may not be perfect (especially the latter) but at least stand to lose billions when their reputation for security is damaged.

One interesting thing I learned investigating my (regretted) Amcrest purchase is that that they, like many other consumer camera brands, outsource cloud functionality to a company called Camcloud:

00d0   06 03 55 04 0a 13 08 43 61 6d 63 6c 6f 75 64 31  ..U....Camcloud1
00e0   11 30 0f 06 03 55 04 0b 13 08 43 61 6d 63 6c 6f  .0...U....Camclo
00f0   75 64 31 14 30 12 06 03 55 04 03 13 0b 44 61 6e  ud1.0...U....Dan
0100   20 42 75 72 6b 65 74 74 00 69 30 67 31 0b 30 09   Burkett.i0g1.0.

where this Dan Burkett guy turns out to be their CTO. I actually asked Camcloud for comment. To their credit, they responded quickly, but they were fairly unconcerned, noting that use of FTP for media upload is “very common.”

Later, I looked at Netgear Arlo, and noticed what looked like a live streaming link in a transmission from their servers

rtsp://vzwow....netgear.com:443/vzmodule/CAMERAID_123456?ingressToken=HEXSTUFF?cameraId=CAMERAIDso fa

where the CAMERAID was in fact that of my camera. I always got connection errors when trying to access the rtsp link, so there may have been some other authentication mechanism. Still, it was a bit disturbing, especially as there was no obvious reason why this information would need to be communicated from their servers to my local hub. Although they never acknowledged my report on an Arlo forum, the problem was fixed within 3 days, which may or may not have been coincidence.

1 Like

Platron, can you go into more details about in which situations the camera might upload unencrypted? I have a few of these cameras now, (the 841 model with 1080p because the quality is very good, and so far they seem reliable).

When setting them up, I purposely did not use their app, and configured them over ethernet, did not create or enable any remote cloud monitoring, and did not open any ports for external viewing, choosing instead to always VPN into my network before viewing camera feeds from away from home. (And of course changed login/passwords/permissions for different features, including view-only logins…)

If not using cloud-monitoring, have you seen the cameras doing any other sketchy things on the network?

I didn’t analyze this configuration, but what you should probably do is look at your router connection log. You won’t be able to see the traffic contents, but really you don’t want to see any connections at all. If you didn’t open an ports (and have UPnP off) there certainly won’t be incoming connections, but there’s really nothing stopping the thing from phoning home. TBH, I’d set up iptables rules to keep them from making any outbound connections at all.