
>But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.

In theory the user could be presented with a "here is why you've been blocked" explanation when they try to browse any site. They could then (probably) figure out what is the offending device, take it off the network, then click "please let me back on the internet, the bad device has been removed". (Somewhat similar to how the MX blacklists work at present).




I think it's fair to block the entire network. It is then up to the network administrator to fix the problematic device.

Well, you could ban any unknown devices that appear on your network. That's not too difficult.

Rather than play whack-a-mole with filters, it's simpler to put mystery-meat devices on a separate VLAN+subnet that doesn't route. Firewall will keep the camera from accessing the internet, but does nothing to protect other hosts on the LAN.

The cloud thing can be disabled from their web UI or the HTTP API, but between all of the knock-offs out there (of any brand), and the eventual end of firmware updates, it's best not to trust any of this stuff.


I think I might set up future networks to block all incoming AND outgoing connections by default, and then only open the ones I know or want (and perhaps even some of them “for a time” when clicked).

I already block the IoT junk/cameras.


You can firewall their devices. I used to do that to my dad's cloud-based cameras back when I was in high school. He never figured it out. Always assumed it was the ISP's fault.

> Another solution is to run a proxy on your computer that filters out garbage.

That's what I was thinking; a proxy server that can run on a pi. Plug it into the wall, configure wifi, connect to it, and bam - instant safety. (Assuming you trust the code.)


> install digital blocking capabilities on computers and other devices that access the internet to prevent the viewing of obscene content.

Smartphones? Routers and switches? Refrigerators?


I would think blocking wifi access would get rid of most of the reasons for banning laptops in this case.

This comment shows the disconnect between many comments I read on this forum[0] and the real world, frankly.

Whenever Apple or Samsung release an update for their smartphones, I have to help family members click through dialogs to install them. How are they supposed to assess and implement security for an IP camera they bought at a department store?

How would they do it anyway? Is the expectation that they fire up Wireshark, identify traffic flows to and from their device, then configure the firewall on their consumer-grade router to limit this traffic?

[0] previously read just '... disconnect between this forum ...'


> Is there a way to make it "think" it is connected to internet?

You actually want the opposite, to make it think it's not connected to the internet. In other words, a network connection blocker such as Little Snitch.


Fair criticism. But can you defend blocking the user from manually disabling these networks?

I’d understand if I got a pop up saying “add these networks for the best experience”, I accepted them, etc.

I would have (upon detecting this problem) just removed them and gone about my day.

The problem here is that you are forced to use them with no opt-in and no way to disable it.


Similarly, a single bad device on my network would block the whole of my network from the internet. It's another sort of denial of service attack.

We need IPv6 and have devices either access the internet with their own IP address or not access it at all. This solution, then, would only impact bad actor devices, not your other (non-compromised) devices. Still, not easy.


I guess if the relationship we have with our devices is full-on adversarial and yet still need them, they should be put on a dedicated subnet with a default deny rule in place.

I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.


That's the equivalent of people having to manage blacklists for ad blocking - it doesn't work for most people because it's too much work or too difficult.

Just like uBlock solves it by making an accessible plugin and a managed blacklist, I hope someone will launch a simple appliance for home use that will manage this. The router/firewall UI would just need to provide simple switches for blocking various manufacturers' data collection.


Could just block it from that device.

And of course it's fine to block connections you don't recognize, or to whitelist connections in the first place. But I maintain that within a network of devices you own, the solution to untrustworthy devices on your network is to use more trustworthy devices, not to weaken internet standards for everyone else.

My ISP-supplied router tries to ping back to some “AI driven wifi analytics” bullshit every 30 seconds. I put in a custom block for that. My TV would also probably love to phone home if I connected it to wifi to use the applications on it.

The value is not just that I can block at the network level rather than the application/device level, it’s also that I can see what random connected devices that aren’t general computing devices are trying to do. If they have hard-programmed DNS servers, blocking 53 for any device besides my Adguard server quickly solves that.


Let ISPs shut down traffic of customers with compromised devices.

But like, wouldn't disabling internet access altogether also count as a reasonable measure towards security?

What if you just didn't connect the device to any network at all?

What about that?

Are we trying to say that such a thing is unpossible?
