Question: Are AliExpress Chinese wifi security cameras safe?

psaez84

Hi

I'm trying to install some security cameras in my home. These cameras are WIFI cameras compatible with Tuya (a protocol/app) that connect to wifi and use the "Tuya Smart" Google Play app to send you videos and images, in real time and of motions detected.

I'm wondering if they are safe or if a hacker can connect to the cameras and see live video from them.

I ask this because some years ago, I remember that I read an article about a hacker website that had a list of IPs that were associated with wifi cameras inside homes and that anyone could connect to them and see videos from other homes. Even of babies sleeping...

Can someone please confirm whether these Chinese cameras are safe or easily hackable?

Is it the same if I purchase some decent wifi camera like "Amazon Blink" security cameras? These cameras are also WIFI and use an app to see the videos/images. Or maybe the cameras are less hackable if they are from an Amazon company than if they are from a random Chinese company?

Thanks
 
I don't think there are any cameras that are safe....well maybe some of the really expensive ones that large corporations use.

You have to remember one of the most common cameras that is hacked is RING and that is supported by a major company.

You have many problems with hacking and cameras.

First, many have extremely poor firmware support. Many never get software updates. Many use the same chips, and some of the exploits are in the drivers from the chip manufacturers. So the camera itself might be from some larger non-China company, but they are using a processor or image chip from a China vendor that supplies a faulty driver. There have been rumors it might be on purpose on orders of the government in China; this is why Huawei got banned as a cell equipment provider in the USA.

Your next problem is that a lot of these cameras use the internet and some servers on the internet for configuration and storage. Many will not run at all without an internet connection. The largest issue is that people who buy these types of cameras want everything for "free". They do not want to pay for the storage space on the internet server. Because this is very costly to provide, many of these companies do a poor job of securing the servers. So someone can hack the servers and then use that to gain access to your cameras and video.

Then you have wifi. Many of these cameras only run on wifi, and since they have no way to hook up, say, a keyboard and monitor to configure them, they use insecure methods of connecting to a network, WPS for example. This is not as large an issue since someone would have to be fairly close to the camera to hack the wifi signals, but many of these camera manufacturers are trading ease of configuration for security.

In general you want your cameras on a completely separate network from your actual devices and have no internet access at all. You then don't care as much if the cameras are from china or not.

Problem is most people are too lazy to learn how to set up something like this. They just want some magic thing they can use their phone to set up and they don't seem to care if it can be hacked.
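
One way to check the isolation advice above, as an added example that is not part of the original post: a Python audit of router connection logs that flags any flow in which a camera leaves its own subnet or is reached from outside the trusted LAN. The subnets, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed addressing plan (hypothetical): cameras sit alone on their own subnet.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of new-connection log lines: "initiator:port -> responder:port proto".
SAMPLE_FLOWS = """\
192.168.1.20:51514 -> 192.168.50.11:554 tcp
192.168.50.11:40112 -> 203.0.113.45:443 tcp
192.168.50.12:5353 -> 192.168.50.11:5353 udp
192.168.50.12:39000 -> 192.168.1.5:445 tcp
198.51.100.7:60001 -> 192.168.50.11:80 tcp
192.168.1.20:51600 -> 198.51.100.9:443 tcp
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")


def classify(line):
    """Return a verdict for one flow line under the isolation policy."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return "unparsed"
    try:
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
    except ValueError:
        return "unparsed"
    src_cam, dst_cam = src in CAMERA_NET, dst in CAMERA_NET
    if not (src_cam or dst_cam):
        return "not-camera"
    if src_cam and dst_cam:
        return "ok: camera-to-camera"  # never leaves the isolated segment
    if dst_cam:
        # Only viewers on the trusted LAN may open connections to a camera.
        return "ok: lan-to-camera" if src in TRUSTED_LAN else "VIOLATION: outside host reached camera"
    # A camera opened a connection that leaves its own subnet.
    if dst in TRUSTED_LAN:
        return "VIOLATION: camera reached trusted LAN"
    return "VIOLATION: camera reached internet"


def audit(log_text):
    """Return (line, verdict) pairs for every flow that breaks the policy."""
    results = [(l, classify(l)) for l in log_text.splitlines() if l.strip()]
    return [(l, v) for l, v in results if v.startswith("VIOLATION")]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:40} {line}")
```

An empty result from `audit` over a day of real logs is the evidence that the camera segment is actually isolated, rather than just configured to be.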
 
I will "start" the discussion with respect to that cited "list of IPs".

Very likely that that list was simply the default IP addresses and configuration settings (including admin login and password).

Those default settings are commonly known. However, the end user/admin should be changing those settings immediately when the camera is installed.

And many home networks use the same network IP addresses as they are the "private" address ranges used by thousands of small networks. Including my own network being in the public address space 192.168.1.1.

FYI:

https://www.lifewire.com/what-is-a-private-ip-address-2625970

And yes the "private" vs "public" terminology is a bit confusing. What you do not want to reveal is the IP address provided to your router (or modem/router if combined).

The security lies in changing login names and using strong passwords. Actually applies to any network devices - not just cameras.

However, if a camera (or any other network device) has been hacked etc. then preventing or guarding against such things can easily become a long discussion in itself.

Will, at this point, defer to other comments and suggestions.
 
Hi

In this case, these AliExpress cameras connect to the Tuya Smart app, so the manual doesn't specify anything about a URL to enter or a user and password. Do you think that there is a URL to enter? How can I discover it?

The only way to see the images explained in the manual is using the TUYA SMART app, registering and adding the camera. Do you think that there is another way?
 
Or are they safe because they can only be connected from the Tuya Smart app?


"Tuya-powered devices “had at least one network connection to servers based in China … failed basic security checks … provided complete visibility into private images to anyone in the network … [and] are woefully insecure and sending data to China.” In other words, Tuya may well be funneling the information picked up on home security cameras and connected health devices — just to name two examples — back to Beijing."


“In my research, I have targeted four different devices : LIFX, XIAOMI, TUYA and WIZ (not published yet, very unkind people). Same devices, same vulnerabilities, and even sometimes exactly same code inside.”