Evaluating the security of home security cameras

Like most embedded hardware (routers, etc), their firmware often sucks, and unless you have unlimited time I'm afraid there is no way to thoroughly check every single camera out there. And even if you do find one that's currently secure, what guarantees that you'll get updates for vulnerabilities that will be discovered in the future ?

Instead, I suggest just creating your own IP cameras by using USB webcams (or cheap/insecure IP cameras) and connecting them to a Linux/BSD computer that will actually handle all the authentication/security and then rebroadcast the camera's video feed (preferably over something secure like HTTPS). That way the internet-facing part of your home-made "camera" can be updated and hardened just like any computer, and behind it you are free to put any camera you want, including the cheapest garbage since it won't be exposed to the Internet anyway.

Finally consider putting the camera system on a separate network air-gapped from the Internet - I know it doesn't apply in your case but I'd still like to mention it - the requirement for physical access is a pretty good security measure, as someone who wants to spy on you now has to physically break into your home rather than being thousands of miles away. If off-site recording is required, video could be encrypted and then streamed outside of the air-gap via a one-way Ethernet cable with the key kept securely, so that the data leaving the air-gap is meaningless unless the correct key is provided.


This started off as a comment on Andre's answer, but it got a bit long.

USB is fine as long as none of the cameras are more than 16 foot from the host :)

Since you need to run power out to the cameras anyway, just run a wired ethernet connection to the LAN (or use POE if you can find cameras which support it). On an un-routed subnet, most of the inherent security vulnerabilities just go away.

That then leaves the problem of the server software which will need to offload the data in real time (or near enough). After all, the server itself is an easily reset item.

You now have the capability to record exactly what the burglars do. Wouldn't it make more sense to think about how you might use the capability to deter any burglars? Some tools (e.g. zoneminder) have x10 integration (turn on lights).


EDIT - Modified this answer slightly (now three parts)

Low Budget Version

Pick up a used router (laying around the house?), install dd-wrt on it and turn off the WiFi. Bingo, ready made 4 port switch. You won't get PoE for the cameras, but, if needed, that's easily rectified (pun intended) with a PoE adapter or just wall warts. Run a VPN on the dd-wrt router, put it in the main router's DMZ (or port forward) and you're good to go. No Linux management, if you really don't want it. Cameras are isolated from the home network and protected from the inter-webs.

You might go pretty far by picking up used network and camera hardware on the cheap. Raspberry PIs are wonderful devices, too, and can help run a network.

High Budget Version

My current setup for comparison purposes. I currently own five Axis cameras for my home security system, powered by a Cisco PoE switch and fronted by a Cisco router. Much more than your parents want to spend. However, I think the model is good for you to consider as a reach. I engineered this set up myself with no prior network (IT) experience. It was a learning moment, for sure.

Network Protection

The biggest concern you'll have is the one you're already worried about, hacks from the Internet. This is best solved with a three pronged approach.

First, the better the hardware facing the Internet, the more secure it will be.

Second, harden whatever you've got facing the Internet and sitting inside (change all default passwords, close unneeded ports, run a VPN rather than UPnP, if you can). Isolate systems from users, if possible (i.e., if you have a switch, put the cameras on a vlan).

Third, scan your hardened network with nmap from the outside and use www.grc.com from the inside. GRC is a great starting point. Use nmap from the inside, too, to see what ports you've left open internally that might create future problems.