If you are in the market for a decent IP camera with Night Vision, 2-way communication, motion sensor and PTZ controls, this Amcrest IPM-721S is a very good option. I own one and for the price it is very impressive!
Careful with this camera. Its triggered monitoring functionality works by uploading videos, unencrypted over the internet. If you look at traffic with something like Wireshark, you’ll see packets like
showing how the video is uploaded by ftp, with a clearly readable password. As recently as December, there was another security flaw, whereby an outsider could obtain access to a live feed. See this review on Amazon.
In truth, exploiting these flaws does require some sophistication, and the risk might be low, but you can buy cameras without such issues, so it’s not a risk you have to take.
It’s not a hard and fast rule, but you’re generally better off with cameras from better known brands, as they’ve been subject to greater scrutiny.
Yes, there were/are bugs but they have fixed some of these already, but making sure your system is secure is definitely an important aspect of any internet-facing device. I have not seen any passwords “in the clear” in my Wireshark traces, but my research was not exhaustive and I do not use FTP.
I agree with this sentiment, but I would point out that Amcrest is just a division of (and created by) Foscam, who are pretty well known:
I would also point out that the internet is full of security vulnerabilities for many IP cameras, including Foscam.
I am not trying to discount the warning… just pointing out that this is true for many “well known” brands.
I agree that it’s impossible to be completely safe, though I’d probably be more confident in a company that is strongly identified with internet security or networking.
Foscam is fairly well known, though not as well known as, say, Google or Netgear, who may not be perfect (especially the latter) but at least stand to lose billions when their reputation for security is damaged.
One interesting thing I learned investigating my (regretted) Amcrest purchase is that they, like many other consumer camera brands, outsource cloud functionality to a company called Camcloud:
where this Dan Burkett guy turns out to be their CTO. I actually asked Camcloud for comment. To their credit, they responded quickly, but they were fairly unconcerned, noting that use of FTP for media upload is “very common.”
Later, I looked at Netgear Arlo, and noticed what looked like a live streaming link in a transmission from their servers
rtsp://vzwow....netgear.com:443/vzmodule/CAMERAID_123456?ingressToken=HEXSTUFF?cameraId=CAMERAIDso fa
where the CAMERAID was in fact that of my camera. I always got connection errors when trying to access the rtsp link, so there may have been some other authentication mechanism. Still, it was a bit disturbing, especially as there was no obvious reason why this information would need to be communicated from their servers to my local hub. Although they never acknowledged my report on an Arlo forum, the problem was fixed within 3 days, which may or may not have been coincidence.
Platron, can you go into more detail about the situations in which the camera might upload unencrypted? I have a few of these cameras now (the 841 model with 1080p because the quality is very good, and so far they seem reliable).
When setting them up, I purposely did not use their app, and configured them over ethernet, did not create or enable any remote cloud monitoring, and did not open any ports for external viewing, choosing instead to always VPN into my network before viewing camera feeds from away from home. (And of course changed login/passwords/permissions for different features, including view-only logins…)
If not using cloud-monitoring, have you seen the cameras doing any other sketchy things on the network?
I didn’t analyze this configuration, but what you should probably do is look at your router connection log. You won’t be able to see the traffic contents, but really you don’t want to see any connections at all. If you didn’t open any ports (and have UPnP off) there certainly won’t be incoming connections, but there’s really nothing stopping the thing from phoning home. TBH, I’d set up iptables rules to keep them from making any outbound connections at all.
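Added example, not part of the thread: one way to write the outbound-blocking iptables rules suggested in the last post, printed for review rather than applied. It assumes a Linux router, cameras with fixed IPv4 addresses, and internet-bound traffic passing through the FORWARD chain; the chain name CAM_EGRESS, the log prefix and the addresses are made up for illustration.

```shell
#!/bin/sh
# Print (do not apply) iptables rules that stop cameras from initiating
# connections to anything outside the LAN, and log every attempt.
# CAM_EGRESS is a hypothetical chain name; all addresses are constructed.

# Shape check only: dotted quad with optional /prefix, so nothing else
# (spaces, ';', option strings) can end up inside a generated command.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# usage: camera_egress_rules LAN_CIDR CAMERA_IP...
camera_egress_rules() {
    lan=$1; shift
    is_ipv4 "$lan" || { echo "bad LAN CIDR: $lan" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no camera addresses given" >&2; return 1; }
    for cam in "$@"; do
        is_ipv4 "$cam" || { echo "bad camera address: $cam" >&2; return 1; }
    done
    echo "iptables -N CAM_EGRESS"
    # Replies on connections someone else opened (e.g. a VPN client on
    # another subnet viewing the feed) are allowed through.
    echo "iptables -A CAM_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    # Traffic that stays on the LAN is allowed through.
    echo "iptables -A CAM_EGRESS -d $lan -j RETURN"
    # Anything left is a camera-initiated connection leaving the LAN.
    echo "iptables -A CAM_EGRESS -j LOG --log-prefix \"CAM-EGRESS \""
    echo "iptables -A CAM_EGRESS -j DROP"
    # Send every forwarded packet sourced from a camera into the chain.
    for cam in "$@"; do
        echo "iptables -I FORWARD -s $cam -j CAM_EGRESS"
    done
}

# Constructed sample: two cameras on a 192.168.1.0/24 LAN.
camera_egress_rules 192.168.1.0/24 192.168.1.50 192.168.1.51
```

After reviewing the output, pipe it to `sh` as root; phone-home attempts then appear in the kernel log with the CAM-EGRESS prefix. Requests the cameras send to the router itself (DNS, NTP) go through INPUT rather than FORWARD and are not affected by these rules.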