
I've been thinking about just getting an off-the-shelf system like a Hivision IP camera and NVR, then running it on a separate network disconnected from the internet. It shouldn't be much more expensive, but still I'd probably disassemble the cameras to make sure there is no wifi or other means to leak data.



I use a bunch of cheap ip cameras of various brands: foscam, crenova, etc. They all have telnet backdoors, which is actually pretty convenient for me.

I keep mine on a separate lan which can't connect to the internet or the other more-trusted lan. The average grandpa connecting these things to the internet is screwed though.


Keep your cameras on an isolated VLAN with no Internet access. Backdoors are irrelevant if there's no way to get to them.

IP cameras in general are little, proprietary computers that you shouldn't trust with internet access. Put them on an isolated network and access them through a more trusted (FOSS) NVR.

I'm with you in considering any software in the cameras as a threat, that's why you keep the cameras isolated from the internet. I've audited a few cheap Chinese ones and they were indeed filled with vulnerabilities and unknown services running on high ports.

The idea that you can't effectively isolate them network wise is just a stretch.


You mean by isolating the cameras into a network that doesn't have internet?

That might work, but might also be circumvented at some point. I.e. Amazon security cameras can use the neighbors' cameras' network to phone home.


Get cheap-ass wired camera (even PoE).

Isolate the network they are on behind a Linux box that cannot route.

Record on the box, display from another hardware port.

Wrap all the above behind another firewall.

Make it all IPv6 only.


I'm not convinced off-site backups are enough to protect against burglars destroying the footage. There are many options available to them to prevent the camera from functioning.

1) In the case of WiFi cameras, sending of deauth packets or signal jamming the 2.4/5 GHz spectrum.

2) Damaging of fibre/copper cables which might be out of view of the camera.

3) Turning off power to the property although this might draw attention.

Given the sheer popularity of WiFi cameras, I can't see it being too long before a device capable of spamming deauth packets becomes a common part of the burglar's toolset. ESP8266s with the appropriate firmware can already be found on eBay for less than £10.


Not sure what I would recommend for non-technical people but if you are a bit tech savvy, rolling your own is very robust nowadays. Buy cameras that don't need to be set up using an app (I prefer DHCP/Ethernet with web console), block them from going out at the firewall level, stop all services like mDNS/UPnP on the cams, install Blue Iris or BlueCherry DVR on a $500 laptop with 8TB USB drive, install the iOS/Android apps on your phone, open the right firewall ports, and now you can remotely monitor and watch your house from anywhere, safely.

I have 30 days of footage for 16 cameras recording to a 4TB HDD. The entire setup cost me around $3k over 7 years (cameras were more expensive in 2013).

There is absolutely no way I will ever trust a camera that needs me to enter my home wifi password using an app, which then sends the plaintext password to a .cn domain to generate a QR code that the camera scans to configure itself (looking at you, MECO Wifi IP cams). Way too many people around the world are falling for these cheap cams.


I spent over a decade working on security cameras and various NVR related applications. Hard wired cameras are more secure, BUT, if someone can get access to your network cable, it's not hard to inject packets and DoS out most UDP-based cameras.

Most large sites put their cameras on segregated networks, so it might not even be obvious to folks for a while.


And this is why my Reolink cameras are on a subnet without access to the internet. The only thing it can reach is my Home Assistant and open source NVR.

My security system is pretty basic but super reliable and isolated/safe overall.

I use BlueIris for the NVR software (it is cheap) and I buy various cheap IP cameras that support ONVIF (almost all try to phone home, some directly to China IPs). But what I do is I put all the cameras on an isolated LAN that does not have access to the internet. My BlueIris server has two NICs, one for the video LAN and the other for my data network. BlueIris has a static IP and is locked down as well to what it can access externally.

There are two ways you can make BlueIris work outside your home: use a VPN on your mobile device (absolute safest), or use their free DDNS to point to your box. Their system seems fairly decent, and I've done both methods. I also log all the requests on both LANs and check them every so often to see what is happening.

It seriously doesn't cost much to set this up, especially for just a couple of cameras.


Put the cameras behind firewalls, only allow access to them from the NVR, and only on the port(s) the NVR needs. No reason the entire internal network should have direct access to them.

Fortunately you normally only need to access the NVR from the Internet, not the cameras.

You can put the NVR behind a VPN as well, but one trustworthy enough to skip the VPN is much more convenient.

Plug: I'm developing a secure, reliable Free Software NVR, in Rust. Functionality is very limited now: embarrassingly, no motion detection yet, no live view, and a very "written by a backend engineer" UI. But it's slowly improving. I'd welcome help! https://github.com/scottlamb/moonfire-nvr
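
Added example, not part of any comment in this thread: a small audit of firewall log lines against the policy the two comments above describe (cameras reachable only from the NVR, only on the ports it needs, with the logged requests reviewed periodically). The subnet, NVR address, port set and log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (constructed): camera LAN 10.20.0.0/24, NVR camera-side NIC at
# 10.20.0.2, NVR needs HTTP/ONVIF (80) and RTSP (554) on the cameras.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
NVR_IP = ipaddress.ip_address("10.20.0.2")
NVR_TO_CAMERA_PORTS = {80, 554}

# Constructed, simplified netfilter-style log lines.
SAMPLE_LOG = """\
kernel: CAMLAN SRC=10.20.0.2 DST=10.20.0.11 PROTO=TCP SPT=40112 DPT=554
kernel: CAMLAN SRC=10.20.0.11 DST=203.0.113.50 PROTO=TCP SPT=51544 DPT=443
kernel: CAMLAN SRC=192.168.1.40 DST=10.20.0.12 PROTO=TCP SPT=50211 DPT=23
kernel: CAMLAN SRC=10.20.0.12 DST=10.20.0.2 PROTO=UDP SPT=6970 DPT=50000
kernel: CAMLAN SRC=10.20.0.12 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+).*?DPT=(\d+)")

def classify(src, dst, dport):
    """Return None if the flow fits the policy, else a short violation label."""
    src_cam = src in CAMERA_NET and src != NVR_IP
    dst_cam = dst in CAMERA_NET and dst != NVR_IP
    if src == NVR_IP and dst_cam:
        return None if dport in NVR_TO_CAMERA_PORTS else "nvr-unexpected-port"
    if src_cam and dst == NVR_IP:
        return None                      # stream data going back to the NVR
    if src_cam:
        if dst.is_multicast:
            return "camera-multicast"    # discovery service (e.g. mDNS) still on
        return "camera-lateral" if dst_cam else "camera-egress"
    if dst_cam:
        return "non-nvr-to-camera"       # some other host reaching a camera directly
    return None

def audit(log_text):
    """Return (src, dst, proto, dport, label) for every policy violation."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        label = classify(src, dst, int(m.group(4)))
        if label:
            findings.append((str(src), str(dst), m.group(3), int(m.group(4)), label))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```
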


Or buying cheap, no-brand or upstart brand cameras with cloud capabilities.

I had a heck of a time finding a proper POE recording DVR camera system for my mom's house without online or cloud bullshit, but still I isolated it on the network to not take any chances of UPnP port opening or dial-home crap.

The only system I would trust would be one that laid out their security model, source to their apps, and had a self-hosted server DVR option. The captological signals of 99.9% of security system websites do not instill confidence in my mind.


A popular DIY setup: Hikvision cameras & Blue Iris software

Hikvision cameras have the benefit of not being wireless and using Power over Ethernet for people who don't mind running some cable. I think that has a lot of value over a bunch of cameras killing your wifi. Off the shelf cheap routers do poorly with a ton of wifi cameras it seems.

Blue Iris can send you mobile alerts without a subscription. All videos are stored locally & it's very configurable.

You could upload alert photos/videos to a cloud provider for cheap off-site hosting if you choose. That way if the bad people destroy your PC you still have video unless they take out your internet. One could set up limited backup internet with a mobile company for this case &/or for when your internet goes out in general. This of course applies equally to Nest/Ring etc.

---

Honestly I'm surprised Ring/Nest/etc still charge for storing video footage. At this point I would have figured they would have found one of countless ways to monopolize off the video footage. Most average people seem to be fine with their data being sold if it provides them some value.

I'm also wondering when the first services will start to pop up that provide a marketplace for video footage.


Yeah, at this point wifi cameras are cheap enough there's not really a reason not to just put a real one up instead of this. 15-30 years ago this might have been a good strategy though. Back then any sort of network enabled camera was kinda pricey, as well as the system to run it.

There are plenty of cheap-ish commodity cameras that use ONVIF to stream video over a LAN. That by itself doesn't guarantee that they aren't also exfiltrating the data somewhere, but you can put them on a firewalled VLAN.

Off topic, I have a Synology NAS, what is a good camera that only communicates within my LAN and doesn't reach out to any servers on the internet?

We need to set up a camera for insurance purposes in my mum's house in France after multiple burglaries but I absolutely do not want to give access to a third party.


Thanks! That's probably what I will end up doing, but the price will be much higher than just buying the IP Cameras.
