
This comment shows the disconnect between many comments I read on this forum[0] and the real world, frankly.

Whenever Apple or Samsung release an update for their smartphones, I have to help family members click through dialogs to install them. How are they supposed to assess and implement security for an IP camera they bought at a department store?

How would they do it anyway? Is the expectation that they fire up Wireshark, identify traffic flows to and from their device, then configure the firewall on their consumer-grade router to limit this traffic?

[0] previously read just '... disconnect between this forum ...'




Agreed, but. Most just bug you about 'updates' ad nauseam until you have a moment of weakness and punch it in. At least some will autoconnect to open wifi. Sure YOURS is locked down, but what about your neighbors? Just 'turning it "off"' is not enough for even casual security.

You can firewall their devices. I used to do that to my dad's cloud-based cameras back when I was in high school. He never figured it out. Always assumed it was the ISP's fault.

My guess is you're young and have had few jobs (if any), so business problems are out. Therefore, you are looking at consumer-focused products, and consumer products are typically of the vitamin variety rather than medication. I would probably look at your parents, siblings, and friends to see what they complain about.

Edit: Whoops! I HN-stalked you and realized my assumption was horribly wrong. Sorry. I bet you solve problems in your life all the time using tools most people can't use (i.e. grep). Here's a problem you might solve: How to determine and deal with all the phones, tablets, computers, dvd players, and TVs on your home network 'dialing home' and pushing data you might or might not want pushed? In other words, a cheap firewall/IDS/IPS that is easy to use without overwhelming a layman with things they don't understand.


You can't trust the devices themselves to tell you that, so the best approach is to put them behind a (hardware) firewall that protects both ways, not just from external connections but also to prevent devices from calling home if their behavior is unclear.

Rather than play whack-a-mole with filters, it's simpler to put mystery-meat devices on a separate VLAN+subnet that doesn't route. The firewall will keep the camera from accessing the internet, but does nothing to protect other hosts on the LAN.

The cloud thing can be disabled from their web UI or the HTTP API, but between all of the knock-offs out there (of any brand), and the eventual end of firmware updates, it's best not to trust any of this stuff.


I keep most IoT things on a tight leash.

I have a couple of IoT VLANs that devices get sorted into by my level of perceived trust. Things like AppleTV and Sonos go into the trusted one, things like printers, various Chinese IoT like Aquara sensors, Eufy cameras and more are put into the untrusted one. Trusted devices have static DHCP assigned IPs, as well as printers (for AirPrint and mDNS).

Everything in the untrusted VLAN is blocked by MAC address in the firewall in the outbound direction.

I keep a (surprisingly small) spreadsheet of all my firewall rules, so migrating to a new firewall is a matter of spending 30 minutes setting up the 50 or so lines from the spreadsheet, of which most are rules for allowing inter-VLAN traffic, i.e. allow AirPlay reverse connections from AirPlay capable devices.

I should add that I run Eufy cameras in HomeKit mode, so they only need access to talk to a HomeKit bridge/hub (AppleTV/HomePod), and only need internet access for firmware updates.
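The "spreadsheet of rules feeding a default-deny firewall" setup described in the comment above, as an added example (not the commenter's own script or rules). It takes a constructed CSV allowlist, lints it so that an untrusted VLAN can never get a blanket accept, and renders an nftables forward chain whose policy is drop; every row is an explicit exception, and anything that falls through is logged before the policy drops it. Interface names (vlan10, vlan20), addresses and the flows themselves are assumptions chosen to mirror the comment, not a real network.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of the "spreadsheet of firewall rules" idea: one row per allowed
# flow. Interface names and addresses are assumptions, not the commenter's real network.
RULES_CSV = """\
vlan_if,src,dst,proto,port,action,comment
vlan20,192.168.20.0/24,192.168.20.1,udp,53,accept,DNS via local resolver
vlan20,192.168.20.0/24,192.168.20.1,udp,123,accept,NTP via local server
vlan20,192.168.20.0/24,192.168.10.3,tcp,631,accept,AirPrint (IPP) to printer
vlan20,192.168.20.11,192.168.10.20,tcp,7000,accept,AirPlay reverse connection to AppleTV
vlan20,192.168.20.12,any,tcp,443,accept,Eufy camera firmware updates only
vlan10,192.168.10.0/24,any,any,any,accept,Trusted VLAN egress
"""

# VLAN interfaces whose devices are not trusted: accept rules for them must stay narrow.
UNTRUSTED_IFS = {"vlan20"}
VALID_ACTIONS = {"accept", "drop"}
VALID_PROTOS = {"tcp", "udp", "any"}


@dataclass(frozen=True)
class Rule:
    vlan_if: str
    src: str
    dst: str
    proto: str
    port: str
    action: str
    comment: str


def parse_rules(text: str) -> list[Rule]:
    """Parse the CSV into Rule objects, rejecting rows a firewall could not express."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rule = Rule(**{k: v.strip() for k, v in row.items()})
        if rule.action not in VALID_ACTIONS:
            raise ValueError(f"bad action {rule.action!r} in rule {rule.comment!r}")
        if rule.proto not in VALID_PROTOS:
            raise ValueError(f"bad proto {rule.proto!r} in rule {rule.comment!r}")
        if rule.proto == "any" and rule.port != "any":
            raise ValueError(f"port without protocol in rule {rule.comment!r}")
        rules.append(rule)
    return rules


def lint_rules(rules: list[Rule]) -> list[str]:
    """Flag accept rules on untrusted VLANs broad enough to defeat the default deny."""
    problems = []
    for r in rules:
        if (r.vlan_if in UNTRUSTED_IFS and r.action == "accept"
                and r.dst == "any" and r.proto == "any"):
            problems.append(f"{r.comment!r}: untrusted VLAN allowed to reach anything")
    return problems


def render_rule(r: Rule) -> str:
    """One nftables rule for the forward chain; 'any' simply omits the match."""
    parts = [f'iifname "{r.vlan_if}"']
    if r.src != "any":
        parts.append(f"ip saddr {r.src}")
    if r.dst != "any":
        parts.append(f"ip daddr {r.dst}")
    if r.proto != "any":
        parts.append(f"{r.proto} dport {r.port}" if r.port != "any" else f"ip protocol {r.proto}")
    parts.append(r.action)
    parts.append(f'comment "{r.comment}"')
    return " ".join(parts)


def render_ruleset(rules: list[Rule]) -> str:
    """Full ruleset: default-deny forward chain, allowlist rows, log whatever gets dropped."""
    problems = lint_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "table inet iot_filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    lines += ["    " + render_rule(r) for r in rules]
    # The log rule carries no verdict, so the packet falls through to the chain's drop policy.
    lines.append('    log prefix "iot-drop: "')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(parse_rules(RULES_CSV)))
```

Because replies come back through `ct state established,related accept`, only the untrusted side needs rows; the trusted VLAN gets one broad egress row, while vlan20 devices get nothing beyond DNS, NTP, the printer, the AppleTV and the one camera's update channel. Loading the output with `nft -f` is left to the reader; the script only generates text.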


>But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.

In theory the user could be presented with a "here is why you've been blocked" explanation when they try to browse any site. They could then (probably) figure out what is the offending device, take it off the network, then click "please let me back on the internet, the bad device has been removed". (Somewhat similar to how the MX blacklists work at present).


I got a Wansview camera and assigned it a static IP and just don't allow any traffic not originating from the chromecasts or tablet -- it's nice because all the TVs do picture in picture with the baby camera.

Still pretty weird seeing the constant log entries trying to reach a couple servers - I've been doing traffic capture since I'd like to see what it's trying to do. One is obviously the plug-n-play stuff, but it's crazy that those packets apparently get broadcast outside the network (? - I haven't really looked into how that PnP IP/port is handled but it's getting caught at my firewall).
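The "constant log entries trying to reach a couple of servers" pattern above is easy to pull out of the firewall log itself. The following is an added example, not the commenter's capture or tooling: it parses constructed kernel-style `key=value` drop-log lines (the format iptables and nftables log rules emit), counts attempts per source host and destination endpoint, and reports sources that keep retrying the same external address. The log prefix `iot-drop:`, the hosts, and the 203.0.113.x / 198.51.100.x servers are made up (TEST-NET ranges standing in for real vendor servers). Multicast discovery chatter such as SSDP to 239.255.255.250 is classified separately, since that is the "plug-n-play" noise mentioned above rather than a device calling home.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log lines in the kernel "key=value" style that iptables/nftables
# log rules emit. Hosts and the 203.0.113.x / 198.51.100.x servers are made up
# (TEST-NET ranges standing in for real external addresses).
LOG_LINES = """\
Jan  5 10:00:01 gw kernel: iot-drop: IN=vlan20 OUT=wan0 SRC=192.168.20.12 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Jan  5 10:00:31 gw kernel: iot-drop: IN=vlan20 OUT=wan0 SRC=192.168.20.12 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jan  5 10:01:01 gw kernel: iot-drop: IN=vlan20 OUT=wan0 SRC=192.168.20.12 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN
Jan  5 10:01:02 gw kernel: iot-drop: IN=vlan20 OUT=wan0 SRC=192.168.20.12 DST=198.51.100.9 LEN=48 PROTO=UDP SPT=3478 DPT=3478
Jan  5 10:01:05 gw kernel: iot-drop: IN=vlan20 OUT= SRC=192.168.20.12 DST=239.255.255.250 LEN=120 PROTO=UDP SPT=1900 DPT=1900
Jan  5 10:02:00 gw kernel: iot-drop: IN=vlan20 OUT=wan0 SRC=192.168.20.30 DST=198.51.100.9 LEN=48 PROTO=UDP SPT=3478 DPT=3478
Jan  5 10:02:07 gw sshd[812]: Accepted publickey for admin from 192.168.10.5
"""

LOG_PREFIX = "iot-drop:"  # assumed prefix configured on the firewall's log rule
KV_RE = re.compile(r"(\w+)=(\S*)")

# Destinations that never count as "phoning home": RFC1918, link-local, loopback, multicast.
# Deliberately not ipaddress.is_private, which also treats the TEST-NET ranges as private.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",
)]


def classify_dst(ip: str) -> str:
    """'multicast' for discovery chatter (SSDP, mDNS), 'local' for LAN ranges, else 'external'."""
    addr = ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    return "local" if any(addr in net for net in LOCAL_NETS) else "external"


def parse_log_line(line: str):
    """Return the key=value fields of one dropped-packet log line, or None for other lines."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(KV_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def summarize(lines):
    """Per source host, count attempts keyed by (destination, protocol, destination port)."""
    per_src = defaultdict(Counter)
    for line in lines:
        f = parse_log_line(line)
        if f:
            per_src[f["SRC"]][(f["DST"], f.get("PROTO", "?"), f.get("DPT", "?"))] += 1
    return per_src


def flag_phone_home(per_src, min_count=2):
    """Sources repeatedly retrying the same external endpoint: the pattern a camera
    calling its vendor cloud produces once the firewall starts dropping it."""
    hits = []
    for src, counter in per_src.items():
        for (dst, proto, dport), n in counter.items():
            if n >= min_count and classify_dst(dst) == "external":
                hits.append((src, dst, proto, dport, n))
    return sorted(hits, key=lambda h: (-h[4], h[0]))


if __name__ == "__main__":
    for src, dst, proto, dport, n in flag_phone_home(summarize(LOG_LINES.splitlines())):
        print(f"{src} -> {dst} {proto}/{dport}: {n} dropped attempts")
```

On the sample lines this reports only 192.168.20.12 retrying 203.0.113.7 on TCP/443 three times; the single STUN-style UDP/3478 attempts and the SSDP multicast are below the threshold or not external, which is the distinction worth keeping when deciding whether a device needs a rule or just needs ignoring.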


I have a separate VLAN for things like security cameras with perhaps-dodgy firmware, and a firewall rule that drops connections that devices on that VLAN try to establish. They have no business connecting anywhere, when I want to see what they see I'll ask them.

Not the OP but an example of such a setup would be connecting your iOS device to a router that has firewall rules to only allow UDP port 51820 (i.e. WireGuard) to go through. That way if there's any traffic leakage from your iOS device, nothing will get out because of the firewall on your router.

Isolation is hard if you can't trust the device. Have fun blocking nonstandard UPnP hacks and worrying about outgoing traffic from the cameras.

https://www.schneier.com/blog/archives/2016/02/eavesdropping...


If you want to go after the simple stuff then blocking significant outbound traffic at the ISP level from a home user account until they agree it's something they want to do is the most straightforward solution. No need to change much infrastructure, no need to test devices, and no need to have costly manufacturing processes. You could even let specific traffic through (Facebook live streaming, online gaming services, etc).

The right way to do this is set up a VLAN that can't get out to the Internet and is segregated from your own devices except via inbound connections from a Firewall. I've done this with cheap Chinese IP Cams and much other IOT garbage that has either been reverse engineered and/or presents some form of local network access.

I agree that segmenting VLANs and stuff aren’t accessible to average people, but there are accessible alternatives. I recently upgraded to Google WiFi pucks after babysitting a Ubiquiti installation for almost half a decade, and you can “disable internet” on devices without disabling LAN. You’d have to trust the device to be friendly on the LAN but it’s a good balance for consumers. After Eufy's whole security meltdown I updated a bunch of IoT junk to lose internet access. I saw a lot of tech sites recommend this, and it’s definitely “easy enough for the parents to do”.

Why not just block traffic originating from the device in question?

Yeah I have to agree with this. If you're savvy enough to set up your own closed-loop surveillance system then you're savvy enough to check if the camera is pinging home to a China-based server. And if it is then just block all WAN connections from that IP.

I keep sounding like a broken record. This is not for your "average user" but I use two methods to block all data transmissions for applications that don't make sense to have internet connections (e.g. a selfie app):

a) The device's App-Data settings. I keep most boxes unchecked. I don't understand why CamScanner (legit super useful app) needs an internet connection when I just email myself all the scans, and am not using the cloud options. Only Email needs an internet connection in that scenario.

b) NoRoot Firewall. I either recognize the IP or the domain name, or I check the IP on ipaddress.com, and then I end up global-blocking the whole block of that IP and am done with it.

In this world you have to go with Security in mind. Default state is block-everything, and only allow the truly needed/useful (to me, not the app developer) connections to go through.


Firewall them -- on the device or router. It's what all the cool kids are doing these days.

I certainly don't want ingress from the public Internet to devices on my home network in the general case.

This is ultimately an operating system issue. For most of the history of the web, we've used NAT routers and firewalls as a fig leaf over the operating system issue. What is it? Operating systems are extremely promiscuous about listening for traffic on a multitude of ports. Operating systems are promiscuous about including a vast number of daemons running in the background handling a variety of tasks. Operating systems are promiscuous about running a bunch of daemons that phone home all the time.

All of this stuff is completely opaque to the user. All of it occurs on a default opt-out basis. All of it requires an extraordinary amount of knowledge for the user to feasibly withdraw consent. This is the operating system problem.

In another world, I can envision computers running operating systems which are totally transparent and easily understood by their users. All running services would be opt-in and users would be fully aware of exactly what's happening on their machines. That would be the world where end-to-end internet connectivity is highly desirable.

