Lots of people are projecting their geopolitical views onto this video. I want to state CLEARLY the intended messages of this video: 1) The NDAA does not apply to private citizens, but the SEA could if the FCC revokes certifications as they have hinted at. 2) Every internet connected camera or device has a chance of being compromised regardless of its country of origin. Whether the 2017 backdoors were accidental or purposeful is not anything that can be proven and is largely unimportant. Blindly trusting a device based on some trust of that county's government is not a cybersecurity best practice and should not be done. 3) If cybersecurity best practices are followed the risks can be reduced to nearly zero regardless of a device's country of origin. 4) This is not a pro-China video, this is a pro-cybersecurity and anti complacency video.

The definition of a backdoor provided in this video is incorrect. Backdoors are usually not accidental in nature. "A backdoor is a typically covert method of bypassing normal authentication or encryption"

I do agree that the government should just significantly increase their network security and have specific standards met for government buildings and business partners. But I also believe that the Chinese government would utilize their cameras buggy firmware as a surveillance strategy even if it wasn't initially designed for that purpose.

I don't know how or when the definition of a backdoor evolved into "accidental" but that did not used to be the case. They were always intentional and "installed" by someone who had full access to the source software..... at least when that term was first used. Vulnerabilities and exploits are unintentional and due to sloppy programing and "external" malicious actors. Now if the government is basing their actions upon an old de-facto use of the term backdoor then I can see why they are so excited. If this is however just an exploit of a vulnerability then that is also a problem, one of misinformation. Imagine a naive advisor using the wrong term to describe a vulnerably/exploit...hmmmm That said, my 75 year old mother has more tech smarts than any US politician. They have no idea what they are doing or signing when it comes to security, privacy or tech in general. And anything used by the DoD should be manufactured in the US and be FIPS certified.

Backdoor is vulnerability by design. If it isn't intentional, it isn't backdoor.

Backdoors are not accidental. Programmers use them while testing during the coding process. Now, a programmer may have forgotten to remove it, but it is just as likely it was left there on purpose. Your choice whether it was the actual government doing it, or a programmer looking for a way to extort or sell access later. Either way, of course they are gonna say it was unintentional and harmless.

I previously owned a security system made up of HIK Vision cameras, they worked fine for the first two years, that is until HIKVison would not permit me to updates unless they ( Hikvision ) had access to my contacts and photos on my iphone. I removed the camera setup entirely from my home.

If the government is doing it for our protection, it's probably going to cost us. If they're doing for their protection, it certainly will.

I do generally agree with everything you said.. I would like to point out some items you skipped over. 1. Legal liability. If there is a breach as a result of "sloppy" programming. We have far more action available to us if it's a US company. Good luck going after a Chinese company! 2. We, as Americans, have gotten too complacent in the purchasing "cheaper" good while complaining about US manufacturering jobs. Can't have it both ways.

When it comes to security vulnerabilities and backdoor exploits; it doesn’t matter if they were caused by malice or incompetence, the end result is the same.

I love that last reference to economic motivations because I found that the UNV brand I had never heard of is literally hundreds of dollars, and within NDAA regulation however, the same features on Dahua or HikVision would only be around $80. That is the first thing I noticed about this NDAA business. All the "authorized" camera manufacturers are literally four times the price they should be since they can market to government and large entities and demand a premium because they are not on the blocked list.

Not to nitpick, but imo the initial statement that a "backdoor" is accidential doesn't seem to fit with the common usage of the term. Being able to bypass authentication/authorization could be because of e.g. a remote code execution vulnerability, os command injection vulnerability, insecure direct object reference vulnerability, ... The idea of the backdoor is that it's an _intentionally_ installed feature to bypass the auth'n/auth'z flow put in place for regular users and hidden from those same users. Like a override code for a hotel safe, but with more effort done to hide it; or a mathematical shortcut in an encryption algorithm that would allow LEA to decrypt secured communications. That being said, the crux of the US banning CN tech is based more on political motives than technological evidence of backdoors. And of course, keep cameras offline and locally managed

Yeah, we recently found out Wyze knew about a security flaw that they took 3 years to fix.

1:17 in my opinion these back doors were not put in on purpose. So this statement was made based on feelings not facts. Are you that naïve to think that “back door” was just accidentally put there? You sound like a spokesperson for the Chinese government.

Wow, dude! Loved your straightforward and no BS explainer.

Good explanation, but disagree with your definition of 'backdoor'. Some backdoors are put there purposefully so the developer can bypass authentication for testing or other purposes.

Your definition of a backdoor is incorrect. Them being intentional is the whole reason why they are called backdoors instead of something else. So if the exploits are unintentional then they should have a different name. Being Chinese companies I could see these being intentional, but I could also see them being mischaracterized as backdoors as well.

I can't believe our legislators are making laws about something they are totally ignorant about. Without mentioning specifics, the same thing applies to a current very high profile topic affecting 100s of millions of Americans. Every time I talk to people about security cams I stress to not use the EZ install method and to NOT give the camera access to the internet. I do the same with any IoT device. Staying local is where it's at!

If we step back and look at the all the damage US govt has done to the top Chinese companies at this point (even after 9 month of your vid), it is very clear these are not security related concerns, simply political but also pushing out the competitions. The open market concept was a great idea when US was ahead of everyone, but once other countries starting to catch up, the US will close every door to block the competition instead of improving themselves.

9 months late to this convo, but i love how a government organization sees limits on their power and scope as loopholes that need to be closed…every time I see this i hear Cartman from South Park “I do what i want!, Respect my authariti

First thanks for your great videos. They are usually well informed. However in this case you may be lacking some cybersecurity background. There are assumptions you’re making that are wrong or lack data, examples: - the vulnerability is unintentional. Btw: backdoor is a malevolent vulnerability set on purpose. Many backdoors are disguised as unintentional vulnerabilities. The cybersecurity community works with intelligence and law forces. An assessment is not only based on technical analysis - cameras should be disconnected from internet. That’s the theory but really isolated networks are incredibly hard and expensive to set. Attackers are very good at bridging these isolated networks with 1/internet compromising firewalls for standard isolation, 2/ hardware to bypass vnet, 3/ radio waves or similar to breach air gaped networks etc. At the same time, most corporations are not implementing a good enough security. The standard practice is to assume breach: no network is safe - the government is focusing on cameras when there is more important things to do. it is part of a global approach. Take a look at the executive order for cybersecurity to see what’s being done regarding supply chain risks. It is good to challenge these regulations as they can easily hurt our liberties, but please ask yourself if your opinion is based on facts or biases. 😁 Anyway, that is tu he only time I disagreed with one of your videos, they are great! Thanks!

All software have vulnerabilities, it is simply unavoidable. The questions should be: 1- Will the manufacturer issue software updates that address the discovered vulnerabilities until the product retires? 2- has the customer enough controls in place to prevent possible exploits or at least to detect and respond to those if they materialise?

Rob... this seems more like a political position essay. And some information you gave is incorrect/misleading, *and* you didn't provide references for your sources. First is when you gave your definition of "backdoor exploit," saying that it is an accidental software vulnerability. Why "accidental"? Certainly non-accidental backdoors can be crafted into software, so the definition is misleading. Indeed, if the security vulnerability was accidental, it would be more of a security hole than a door, the latter being something intentionally created (not accidental). If you have specific sources for backdoors being accidental, show your work (references). I'll start with the Wikipedia entry on "Backdoor (computing)." [NOTE: I'd provide a link, but as you said in the end of your video, KZbin may automatically delete my comment if links are included, so in case that's true, let's not tempt fate] You do point out that "in my opinion" that these exploits don't appear to be put there on purpose. However, you don't indicate that qualification in your graphic. Furthermore, you say this its a myth for backdoors to be intentionally written into code, but that's just not true, since backdoors obviously *can* be intentionally written. Whether or not they were in the case of these two camera brands isn't the point; you're backing up your stated opinion using flawed logic. This is disingenuous. If there really is sloppy programming (in your opinion), why not just show us how you arrived at that conclusion? Are you disassembling the firmware to analyze the security vulnerability in question? That would be interesting if that's the case, and would be much more compelling. Show, don't tell. Next, you list several "myths." Who is making the claims (myths) that you are then debunking? Were they claimed by someone in our government or someone with a public platform? Or are they a conglomoration of what you feel other people are thinking, so essentially these are strawman positions? Example: "Every camera with a backdoor can be accessed by hackers." Another error is saying that to use a backdoor exploits that the hacker would need to have access to the camera's web interface. Why? There's no reason a backdoor couldn't be installed that uses any of the myriad of other protocols (other than HTTP or HTTPS) in order to connect, or even some custom protocol custom made for this purpose. Maybe you were being specific about these *particular* backdoors (on these particular cameras); if so, you weren't sufficiently clear on that. As such, you give the impression that web access is a universal trait required for any backdoor exploit, which isn't the case and would be better that idea isn't spread. It would be like saying someone can't get something from the store if they don't own a car, but not acknowledging that there are many ways around that limitation (walking, taking a bike, calling Uber, having something delivered, etc). You *are* correct that the camera has to have access outside its own network in order for the vulnerability to manifest itself. So if it is a myth that the NDAA applies to private citizens and companies (you say it does not), then what's the point of the video? You seem concerned about this legislation. Moving on, you go on about how these cameras aren't part of the "communications supply chain" (as outlined in the NDAA), without even defining what "communications supply chain" is. If you know, tell us, and why the cameras aren't part of it. If you don't know what it is, how can you determine if the cameras aren't or can't be involved? And you point out that the cameras don't have wireless radios and therefore don't fall under the FCC's jurisdiction. But you don't describe what the FCC's jurisdiction is. For clarification, here is their mandate: "The Federal Communications Commission regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories." (taken from the FCC's "What We Do" webpage). The FCC isn't limited to wireless communication, so hard to see your point on how they don't have jurisdiction. It would seem they do. At 5:46 in, you suggest this results in "kickbacks to lawmakers." I don't know if this is true... or not. You probably don't know either. If you do, share that important info with us as well, but if not, it falls into the realm of conspiracy thinking and isn't worthy for your channel. You do make a good point that any device can have security vulnerabilities and how devices are connected impacts how much of a threat they pose. It goes on to say security cameras shouldn't be connected to the network, or if they are, they should be blocked from the Internet using a firewall and then accessed remotely over a VPN. But then you go on to compare (rather than contrast) other unrelated security breaches by Ubiquiti and Axis. After your string of unsupported and loosely-sourced claims, you passively-agressivly finish by positing a government cover-up based on the previous erroneous claims. Given how prone a large chunk of our population is to misinformation, this seems out-of-character for a data-driven KZbin channel. Making analysis based on false logic leads to bad results.

was it back door is a hard-coded password in the firmware, it didn't get there by accident. As for acquiring network access to the camera, almost all camera companies encourage connecting cameras to the internet advertising remote access features

My husband (an electrician) has a work connection who used to install security systems professionally. He recommended Dahua to us. Should we consider another brand now?

Funny of those people in comment thought they are so important that China will waste their time spying on them...while the other hand happily using youtube, google, twitter under 5 eyes "govern"🤣

They going to ban wyze as well? If I'm not mistaken it took 3 years for a serious security flaw to be corrected.

Great points made. Thank you.

What a relief to know I don't have to worry abut backdoors on my devices, as long as those backdoors were unintentionally set

For one, U.S. law makers do consult outside subject matter expertise and security experts within federal government before passing these sweeping laws. Both private sector and government experts showed how it is technically possible for Chinese intelligence agencies who have deep penetrations in the U.S. to use these cameras with what you call “accidental backdoors.” There is no such thing as private sector in China. All tech companies are required by law to submit access to China’s authoritarian regime. Why rely on security technology monopoly from a country like China? I rather pay more for equipment produced domestically or from none adversary states. Europe is learning the hard how unreliable it was to trust business relationships with Russia. U.S. gov shouldn’t wait till the day comes where China says no security cam imports into the U.S.

I think one topic that's a bit lightly touched on is firewalling the cameras. I love the nvr solution but if you're utilizing a poe switch that's a bit harder. One thing to look at isn't just access inbound to the camera (from the internet to the camera) but outbound as well. I noticed that my reolink cameras were reaching out to an aws ip address in China. So block outbound connections assuming you aren't using a company's cloud service

It is called "Closed Circuit Television" for a very specific reason...

The NDAA is passed every year. It's part of the authorization for the military budget and it frequently has riders that make little sense. The first NDAA that Obama signed actually had an amendment that more or less suspended habeus corpus when the case involved national security. Petitioning government entities to learn how to properly utilize an air gap is probably the right answer, but probably also a fool's errand.

Thanks for clearing up the differences between the acts, however, I think you might have only lightly covered the cybersecurity aspects from certain angles and one that you missed what east-west attacks, this is becoming more common these days and even if you lock the cameras down fully internally if they do try these types of attacks you are still fully open (unless they are fully segmented off). I personally do not like cameras etc coming out of China these days due to the rules that any data stored on the provider's cloud sites by law can be requested by the Chinese government, in no one I'm I saying they are doing this but to have the power is enough to turn me off their cloud storage options. I 100% agree it isn't just these 2 brands and can happen to any network-connected device

Question: Blue Iris allows access to camera recordings through mobile app. Isn't that a security issue as well? Also, would love it if you made a video on how to access Blue Iris from mobile using their app. I am having a hell of a time with it.

The real question is if this ban came into effect because the US does that for equipment sold from the US. Look up Greek Cellphone Caper to see how state actors can infiltrate networks.

If you're allowing internet devices running unknown code to use the internet, you're doing it wrong and deserve what you get. None of my cameras are allowed internet access. They even have additional features to not use passwords for communication. I mean come on.

I went to College in the late 70’s. I majored in Computer Programming. Whenever we wrote any program, we were always taught to write in a Back Door to each program in order to make any changes whatsoever! It makes me laugh every time I hear someone say, “Oh, someone hacked into the program and made it rob some Bank, or steal someone’s identity🐂!

How long have you worked for China?

Excellent. Good to hear all your thoughts in this video.

No it isnt. I have multiple HIKvision cameras that have issues. When you remove them from your normal LAN and put them on a VLAN with outside internet access it fixes the problem. Most recently I purchased a second HIKvision mini dome and installed it on my mailbox. I got it working and went on vacation. The mini POE switch does not work with VLANs and since I use a mesh AP on the mailbox to boost signal to my front yard those two cameras stay on the main LAN and require to get manually blocked from internet access. I forgot this right after I installed the second one. Suddenly, I lost connection with it on my NVR and when I typed it my home IP address it went to the camera's log in page. IE it bypassed the firewall to allow someone else to log in and do it on port 80 on my home IP. The password I set no longer worked nor the default. I remembered that a couple of years ago when I installed the other I had a similar issue but not it exposing the login screen from my WAN IP. I also remember multiple log file issues that showed suspicious activity on the device. I never had those issues on the airgaped VLAN. Anyone that uses UBNT equipment knows that it does not just let people log into your stuff from port 80 on the WAN side. So in short yes it was probably sloppy programming. This is probably sloppy programming that the chinese government would take advantage of. If you have good security practices this shouldnt be an issue. At the end of the day do I care of some hacker in China looks at cars going up and down my street? My concern is that it could be used as a sort of proxy to access the rest of my network. So good security choices are a good idea. That being said I think it is perfectly within the rights of the US government to ban the use of these cameras on US military bases or in sensitive areas. When I say sensitive areas I mean a military base or congressmen's office and not a park or city street like NY tried to ban CCW permit holders from.

Your coverage really should have included that a backdoor, by definition, is an intentionally-placed security vulnerability, whether placed by the manufacturer or by a bad actor after compromising the device via a different vulnerability. A vulnerability that allows remote access, but wasn't placed there intentionally by anyone, is just a remote access vulnerability -- not a backdoor.

The Ubiquiti “hack” was essentially fake though, it was an extortion scheme by an ex-employee

If you operate a camera system, you should always have it air gapped. You should only be able to view video in the designated space where the NVR and other pieces are, or in security offices on dedicated computers attached only to your air gapped network. Cameras cannot "call home" without an internet connection!

Wait I only just now noticed that you're using a greenscreen. Seriously impressive editing job

This is a far more serious and complex issue than this video tries to make out. Take it with a grain of 🧂.

100% agree that the government should be using security best practices, and that other manufacturers' cameras are not free from defects either. I think the context matters a lot here. This isn't a mom & pop hardware store or an individual's home. This is the US Government. Whether or not the camera is accessible to the internet is largely irrelevant. I think it is safe to assume that a nation state actor is motivated enough and can get access to the same network as these cameras. They can phish a user who has access, they can pivot from a vulnerable externally accessible system, they can pay someone for access, they can splice into the network cable of a camera at the perimeter or running between sites, they can use the default Wifi as a bridge into the wired network, etc. At that point, we really need the cameras to be secure on their own. Defense in depth is important here. We don't want an outside actor to be able to access the video feeds, disable the camera, provide fake feeds from the camera, or use the camera for furthering access into the network. Supply chain attacks are also a very real threat here too. Regardless of whether or not the backdoor was intentional, the manufacturer's country of origin is important here. Again, the context, that this is to protect the US Government, is important to consider.

i love this youtuber.. "naaah the govt wouldnt ...." lololol

There is no way to know what installing an app on your phone can compromise, let alone connecting a cheap camera to your wireless router.

As a certified cyber professional in the defense industry, you are far to gracious and naive about how these “bugs”. As for the incompetence of the administration’s exec order solely on the fcc, it you expect effectiveness from this administration, you will only see smoke and mirrors.

Good video and thanks for putting it together. One note, definition of backdoor is incorrect. It is not necessarily accidental. It could be purposeful and still be a backdoor.

America is going the wrong way on so many things.... there is an urgence for a better education.

Good video Rob... These cameras outperform most, that is why the government was using them. I'd like to add to this mix. The often-overlooked router information. Change that admin password and learn your router.!!! Any company can be listening/watching, stealing all your info, it's up to each person to minimize the vulnerability.

I've been trying to avoid Chinese electronics for the past year. Any suggestions for 4k surveillance designed in the US or EU???

Dude, backdoor exploits, NO matter how "accidental" they seem have been utilized historically (not always) by their own creators for whatever gain in wealth they could plan for. Your first "myth"... Seems kind of forced. You being a tech dude should know full damn well that not all companies have their customers best interests at heart. Also if you can log into a web based account to view a camera as a user, I'm damn sure it's quite simple for a hacker to get into it. They've been viewing people's webcams for decades. By they I mean anyone with the knowhow and interest or reason to. If SECURITY is the main interest here? ANY kind of exploit is worthy of caution. I do not know you or your channel well so my first impression not even two minutes in is "this guy is bought".

I have all Hikvision cams. They have to actually get to it first., good luck!!

What alternative is their? I mean Hikvision is as good as it gets, the closest competition is probably Uniview

Back door access is not an accident, out clawing Chinese tech is a good idea

ok let's make a few things straight. the backdoor is on the chipset level. and yes, this is a threat because you cannot block it unless it's not connected to the internet. it's just like using P2P, but on a much more exposed way to the attacker. this threat is real, i am in the industry and i know first hand what i'm talking about. it's very wrong by you to spread wrong information to your listeners before you understand the entire picture. P2P doesn't need access to nothing, not your IP, not the GUI. it simply registers the moment it's online. i strongly recommend for you to retract this wrong information on this video because it's just not fair for the people that relay on your advice.

I personally will avoid Hikvision and Dahua cameras for ethical reasons. Both companies have active contracts in Xinjang to opress the local Uyghur population which has been labled a geocide by many governments. Cameras should (regardless of vendor) always be isolated from the rest of the network, either via VLANs or airgapping them but unfortunately these measures aren't always used.

We have HIK Vision cameras and the software is horrendously buggy

Sorry, but you can't just redefine the word backdoor. A vulnerability that allows access without credentials is not automatically called a backdoor! The term backdoor is only used if it is intentional or seems intentional.

I've worked with pretty much every product that's came out in the past 30-40 years? Hikvision/Dahua has decimated competition in this market because other companies couldn't compete with the cheap/free money that was being given to these companies from China. Hikvision was quite literally founded from subsidiaries of the Chinese government and have the controlling interest. CETHIK, the China Electronics Technology HIK Group was explicitly created by the PRC government to run "HIK"vision.

I have 2 hikvision and 2 armcrest and 2 loyrita cameras with a hikvision nvr. I have blocked internet access to all cameras except the nvr.

Everyone knows if someone calls himself a cyber security expert...means shit. The only real IT security people I would hear are the PENTESTERS, and my old boss literally said Chinese, Russian, and others leave backdoors and holes on PURPOSE. This KZbinr getting those Chinese checks.

In regards to the "BACKDOOR" he is not wrong and neither are you... BACKDOOR definition uses words like "typically and Most often" why? because backdoors are created everyday by software engineers without knowing it.

back doors are not accidental you’re just trying to save your reputation and career after this brand was exposed. Find something else to do with your life.

My school uses Hikvision and Ubiquiti lol

I have to some what side (somewhat) with the government of America here, a company with DIRECT ties as a state owned company for China is at best a bit of a security risk, at least on a governmental aspect. For personal and Commercial use I think people should do as they please. We as a society tend to be too reliant on other countries and others in general. Some level of self sufficiency would be nice to see. But I'm aware there aren't to many good USA brands. Also suggesting that everyone have there NVR not online is pretty outlandish and is something you'd only here from someone in networking IT department. A bit like how if you become a specialist in bacteria studies you become a germaphobe. You know to much about the industry so your actions become almost overly extreme and unrealistic. Realistically that suggestion is out of the realm for most users. The VPN approach is really the only realistic thing you said there imo. You would be hard pressed to find any REAL business, home, etc that doesn't have there NVR on a network as it is fundamental for the device to function as one would want. Granted all my cams are outside, and i'm not worried about them being hacked, I don't live in a big city either. Also VPNs are also not bullet proof nothing is. As for the reason the government did this I'm sure economics played a roll yah, or incompetence. Though I do believe some real justified fear of foreign espionage does exist and is valid to be concerned about. China is far from being a country I'd give a A+ Kindness not evil award too. Yes USA has a lot of corruption as well. Great video though.

I have a question: I'd like to add publically available traffic camera feeds to Lovelace. So I have no access to the physical device or configuration, but do have the raw feed URLs as standard BLOBs via M3U8 playlists. I could code something myself, but that would frankly suck, lol. I'm hoping there's already a solution I've just missed, being new to HA. Any thoughts?

now i know which cameras i'll buy for the next system..... yes it'll be one of these

It is unwise to assume that they are not deliberately participating in such actions. Furthermore, it is unrealistic to expect people to always follow the "best practices". Whenever there is a LAN port available, there will inevitably be individuals who will recklessly use it. It is important to decrease our dependence on China and manufacture goods domestically, even if it results in higher expenses.

The NDAA is not about security cameras. It is the defense spending authorization to identifies how the government spends money budgeted for defense. The only portion that affects cameras is section (889) which restricts the purchase of electronic equipment from companies where the majority owner is the Chinese government. I greatly impacts commerce in that ALL companies must attest that they do not use any known equipment from specific companies in the day to day interaction with government contracts to include just completing transactions for sales. All defense purchases require a statement with each receipt that they do not use these communication methods, including cameras. Otherwise the NDAA is about how we pay the military and equipment and supplies.

"accidental" backdoors.

I had 5 or 6 of these older Hikvision cameras. Hikvision killed all online features years ago. They posted notices of the issue on the online manuals. They are still in use at my old house and work great as CCTV. I bought more of them sense they were discounted and I could never connect the NVR to the net.

Hello! Look at Wyze and even Ring in that time era! D-Link also had MANY cameras that they no longer updated and became "hackable". I had several D-link cameras and many of them were "attempted" hacks but my router's firewall blocked these! Granted I'm using a less than a 1 1/2year old router with a good firewall built-in with constant updates. Ring and other companies have since "updated" their security protocols since but, WYZE had a vulnerability for over 2 YEARS and never did ANYTHING about it and thus dis-continued the V1 cams! Not VERY happy with this lack of transparency on their part and have been replacing my WYZE cams with other brands as a result! WYZE is turning out to be a "SUCK-ASS" company with cheap "China" products and lack "security" that should be "basic" with any setup!

I work in software and even have some security and SSL related patents. These vulnerabilities are sometimes engineered to appear as a bug or negligence -- see the Go to Fail bug as an example. An insecure source code change tracking system only needs to inject a single line of code to completely break SSL in a subtle way. The US govt definitely knows more about this than you do. You should probably take this video down.

Your the greatest, lot fun hear, this help alot.. thxs

I see lots of people taking umbrage with the definition of 'backdoor'. But that aside... I get what you're saying about "This stuff isn't malicious' ( debatable, but.. okay) and that "people shouldn't hook these things up to the intarwebs) - naïve. MOST people are just buying something to hook up to their garage, or front door or whatever. MOST people want to be able to look their camera while they're away from home / at work, etc.. MOST people will just go to amazon or whatever and pick some cheap (hik) camera that works. And those camera's are uploadin' stuff to the cloud in *order* for them to use whatever app to view them. Be it Blink, Ring, some kind of Hik thing. So, they HAVE to be internet connected. "You shouldn't enable internet, you should put it behind a firewall, you should do [xyz]" - that's fine, for you or I. I have a segmented network, with stuff [here], stuff [there], stuff over on the other side. I don't want things talking to [here] or [there] or [internets]. But we're in a very small minority of people who understand that kind of stuff. And the simple facts are: 1) these devices DO have security holes - intentional or not 2) The companies producing them are beholden to the CCP 3) They CAN be used for malicious monitoring. Wether they *are* or not is immaterial. They CAN. It's not a long stretch then, to skip forward some years and discover that they *are*. Especially when you consider the state of the country which produces them and their treatment of their own citizens and their disposition to the West. Classic example: The drone use by 'amateurs' in Ukraine. In the recent war, it was discovered that a) UKraine drones were being disabled ( they have geolocation yo!) by the Chinese firm who produced them b) Ukraine drone info was then being sent to RU to pinpoint users who were using them for missile targetting. Here's an article from 2016 highlighting that 'China made drones [can] send stuff back to China": www.nytimes.com/2016/04/21/world/asia/dji-drones-china.html Now. this article 5 years ago complaining that drones send info to China, elicited responses like : 'So what? I mean, it's not like they're... [doing anything with it]. You're just being paranoid". But it's EVIDENT that.. when the situation demands, these things CAN be used for nefarious uses, not the least of which ( no source, I cannot be bothered) for cameras is facial recognition of chinese dissidents who reside in western countries for - social targetting. The fact that you're blissfully ignoring the political ( yes, I get that you said "I'm not very political these are the *technical facts*") is naïve. And you would be better served to recommend alternatives that AREN'T Chinese corps.

Explained very well. After 16 years in the military as a Director of Information Management (DOIM) and Chief Information Officer (CIO), our expiation of DAA and how it applies only to government organizations is spot on.

Extremely bad security is more than common than the vulnerabilities

I think you underestimate the extent of your technical knowledge and overestimate policymaker corruption. You made repeated suggestions policy makers were acting based on economic, not security interest, and yet you didn't offer the slightest thread of evidence about this. Corrupt political action does happen, and we know about it from investigative political reporting that actually ends up being fairly similar to how you knowledgeably described security considerations during this video, by using a strong general knowledge of the subject matter, explaining facts and describing best practices. Meanwhile your suggestions about policymakers acting on economic self-interest ended up just as poorly informed as the policy makers were on security matters. You have a useful, beneficial, even important role to play in this discussion as a security expert, yet this video ended up tainted by you drawing suggestions of corruption out of thin air in an utterly speculative fashion. If you really do think policy makers were acting on self-interest, then give us some of that investigative political reporting. Show us the conflict of interest. Show us they were told by their top cyber security experts that this wasn't an issue, but they made it one anyway. As it is now, the way policy makers attributed firmware errors by these tech companies to malice, you attributed these perceived policy errors by policy makers to malice in a way that is surprisingly similar and almost ironic.

Agree with everything you said, well done; however, I simply do not understand the Internet connectivity issue specifically with cameras. They are no less or more hackable than any other Internet capable device on your network and in fact because they are single use devices the attack surface is even easier to deal with than other types of network devices. With the logic of not allowing IP cameras to access the Internet you should extend that to include your streaming TC devices, Home Assistants, PC, Phones, Laptops ... etc... What am I missing that is unique and specific to cameras

The result of these disputed photos from a restaurant.

I still dont understand just make vlan for ip camera and isolate them from the whole network. and even the nvr should could be accessed through vpn not internet

Fascinating Video!! I guess its a bit like TikTok, in a way - since the move was made that government workers should not have it on government issued phones ect... I have no problem if the camera itself is Chinese made (especially since they are OEM, and if they ARE good), and am more concerned about the company that makes the surveillance NVR - perhaps they work in ways of safeguarding how the NVR handles any potential 'issues' with the cameras themselves by virtue f what's built into the NVR's Operating System? I have really been looking a 'Amcrest' as a solution - do you happen to know if they are an American Company? Just was curious! tThey seem international, and my searches kinda got lost in a blizzard of info so I wasn't quite sure.

Very interesting. As you said, do not allow security cameras access to the internet.

I've got hikvision I find them amazing not getting rid of them if the government paid me then I would.

oh gosh USA GOv paranoia, keep going forward that way!

Would remote/Push notifications work if your not connected to the VPN? A lot of people push the security or keeping the cameras segregated from your main LAN (wise) however blocking it from the internet does reduce its features massively. If someone breaks into the property you would want to get a live notification instead of just watching what happened after finding a smashed window.

So basically this is lame government employees CYA? They didn't do do diligence so have to blame others.. Not surprising government behavior

I use, almost exclusively, Dahua and Hikvision cameras. I will continue to use them, due to their high quality and price point. The fact that most people don't know the hundred or so brands that are OEM Dahua or Hikvision cameras is mind numbing as well.

Very interesting considering I’ve installed nothing but hikvision into government buildings and contractors for the militaries buildings. Rumors have been heard throughout the company I work for about the Chinese having a back door to such cameras, yet we still put them in? Never made sense to me

Great video and content. I appreciate the words of advice. I also have a VPN but I have never set up anything on it. That would be an interesting video. I am looking at Lorex cameras and Reolink. I want to get an NVR 8 cam system for outside but paused after reading about the ban concerned that their product Lorex might also get banned. What system would you recommend of that type? Thanks.

Ubiquiti one was fake and from the previous employee and NO customer data and access hit, just some source code was taken and UI is now sueing that previous employee for the extortion and damage to brand (cost them billions in stock sell off's)

This is why I have my cameras on its own VLAN and blackholed from the internet. And just for giggles monitor and log any and all traffic on it. Guess what... they don't reach out to the internet and only speak to the controller, lol. Maybe these politicians should spend their time and our money training on how to use Wireshark. Great information.

Wansview cameras have back doors. They can and do disable your camera after 30 days if you do not signup for the cloud app. I have their cameras at two differenct locations and they disabled cameras in both locations - remotely.

On the question of national security, I think it's important to remember, that in a "secure facility" Edward Snowden & others were able burn CDs & copy thumb drives.Something which shouldn't be possible if you want to keep secret records, secret.

This explains why all the brands internals all look similar.

What about the possibility of using satelite once the systems disconnected from the internet?