NVRs - Associated network risks and mitigations?

Nov 23, 2019
We've been using various Lorex/Dahua NVRs and cameras for many years and haven't had any issues that we know of, but the risk is always there. The low-cost solutions are perfect for our rental properties. We've seen Amcrest products used in several posts, and again these look to be rebranded Dahua products that are also not NDAA compliant and pose certain risks in terms of network security.

Can anyone speak to the actual associated risks and offer any mitigations when using these devices, or are there better, competitively priced solutions that achieve the same end-user functions? Thanks.
 
If this is for your private use, then don't worry about NDAA. That ban only applies to government facilities.

Many, if not most here, have completely isolated their cams from their network and the internet, which allows us to buy the best bang-for-the-buck cameras instead of overpriced NDAA-compliant ones that can still be hacked...

Well known NDAA compliant companies have been hacked, thus showing that the ban and only using NDAA compliant devices like Verkada doesn't protect you if you give them internet access.

Sadly, too many companies have jumped on the NDAA bandwagon and sell subpar performing cameras and NVRs at a premium price all under the disguise of being secure, which they are not.

It is why we recommend DO NOT LET YOUR CAMERAS OR NVR TOUCH THE INTERNET. You isolate them via VLAN or dual NIC and then access via self-hosted VPN like OpenVPN or WireGuard or Tailscale.
 
Thanks for the reply. These are private networks, and I agree they don't need to be NDAA compliant; it was just a point of reference, as we all know there are associated risks. When you say "DO NOT LET YOUR CAMERAS OR NVR TOUCH THE INTERNET", I might be ignorant in asking the question, but how will the app work without the NVR using the internet? Is there a link or forum post I should be looking for that explains these safeguards when using these branded units? Thanks again.
 
By default, your cameras are isolated from the internet because the NVR acts as a firewall of sorts. Your LAN may be a subnet of 192.x.x.x while the NVR puts all the cameras on the 10.x.x.x subnet, which means only the NVR can be accessed, not the cameras.

Now there is a distinction in what "access" means - being able to see your camera feeds from the camera is different than actually being able to access the camera.

If one wants to view cameras remotely, they have a few options - port forward, P2P, or hosting a VPN like OpenVPN or using something like Tailscale or Wireguard.

Any system on the internet can be hacked.

Hackers don't care about your camera feed. Hackers use a vulnerable device (NVR or computer or camera or any other IoT) that has ZERO protection on it to get into your LAN and either scrape it for bank info or use your ISP as a bot for DDoS attacks. Your antivirus software and router firewall do not block this crap because you gave an open door directly to your system to bypass these measures.

That is why many of us don't have the Alexa, don't connect smart TVs to our internet, etc.

But many that do have those types of things VLAN them off so they cannot talk to other stuff on the LAN. Doesn't prevent a bot from taking over that specific device to DDoS, but at least it prevents them from scraping your data.

The only way to completely prevent it is to not allow the device to connect to anything and truly be a CCTV system.

But that is unrealistic to most.

Most here will agree that port forwarding directly to your NVR is the least safe, although the great internet has many articles that state it is OK lol.

Then there is a debate as to whether P2P or OpenVPN or something like ZeroTier, WireGuard or Tailscale is the next safer option.

Arguments are made both ways.

P2P you are relying on the NVR manufacturer's servers to not be hacked. You have zero control over those. Dahua has recently been shutting down the older P2P servers that were more easily hacked. Many here have confidence in the newest line of P2P security features.

Same with ZeroTier and the like. You are relying on someone else's servers to make that connection. Anytime you are relying on someone else, it can be hacked.

OpenVPN is hosted locally, either native to the router or installed on a computer.

In theory you have the most control over this since it is all in your house.

But it relies on open-source code that can be hacked as well.

You are relying on your computer and router to be up to date and not allow bad actors in. But that is the same regardless of the solution you are using. At least the computer gets more frequent security updates than an NVR. But Windows is the most common OS, so more actors are trying to exploit it than, say, an NVR.

So you take extra steps like the firewall device @bigredfish has that allows you to monitor everything.

Many of us with BI use Pushover to send notifications that go out to the Pushover email or API servers - in this event all they have access to is your images and not your entire system. You should be able to set up an NVR with the Pushover email option.

Take steps to further minimize access to stuff.

Regardless of which platform you use to access your stuff remotely, have it be isolated from the rest of the system so that the entire system isn't compromised.

Set up procedures that let you know whenever something connects or logs in to your device. That doesn't necessarily prevent a backdoor exploit, but take any steps possible to eliminate those risks.

Or just say F it and use port forward blindly like most of society. At the end of the day, most don't get hacked. It just sucks if you are one of them that do.
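One way to implement the "know whenever something logs in" step from the post above, as an added example (not code from the thread or from any NVR vendor): a small Python watcher that reads login records in a constructed syslog-style format, flags any login whose source is outside the LAN or the self-hosted WireGuard subnet (which would mean the NVR was reachable from the internet) or that failed, and builds a Pushover message body so only the alert text, never NVR access, leaves the network. The subnets, the log line format and the sample lines are all constructed for this example.

```python
import ipaddress
import re
import urllib.parse

# Constructed policy: only the home LAN and the self-hosted WireGuard subnet
# should ever reach the NVR (no port forward, no P2P relay).
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.168.1.0/24"),  # LAN (constructed)
    ipaddress.ip_network("10.8.0.0/24"),     # WireGuard clients (constructed)
]

# Constructed log line format (not a real Dahua/Lorex format), e.g.:
#   2019-11-23T21:04:11 NVR login user=admin src=10.8.0.5 result=ok
LOG_RE = re.compile(
    r"^(?P<ts>\S+) NVR login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def classify(line):
    """Return None for an expected login, otherwise a short alert reason."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a login record
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return f"malformed source address in login record: {m['src']!r}"
    if not any(src in net for net in ALLOWED_SOURCES):
        # A source outside LAN/VPN means the NVR was reachable from the internet.
        return f"login by {m['user']} from outside LAN/VPN: {src} ({m['result']})"
    if m["result"] != "ok":
        return f"failed login by {m['user']} from {src}"
    return None

def scan(lines):
    """Run classify() over a batch of log lines and return the alerts."""
    return [reason for reason in map(classify, lines) if reason]

def pushover_body(token, user, text):
    """Form body for Pushover's messages API; only the alert text leaves the LAN."""
    return urllib.parse.urlencode({"token": token, "user": user, "message": text}).encode()

# Constructed sample log: VPN login, internet login, failed LAN attempt, normal LAN login.
SAMPLE_LOG = [
    "2019-11-23T21:04:11 NVR login user=admin src=10.8.0.5 result=ok",
    "2019-11-23T21:05:30 NVR login user=admin src=203.0.113.7 result=ok",
    "2019-11-23T21:06:02 NVR login user=admin src=192.168.1.20 result=fail",
    "2019-11-23T21:07:45 NVR login user=viewer src=192.168.1.21 result=ok",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)  # in production, POST pushover_body(...) to the Pushover API
```

Point it at the real login log your router or NVR exports and adjust LOG_RE and ALLOWED_SOURCES to match; any "outside LAN/VPN" alert is a sign a port forward or P2P path is still open.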
Great explanation; I really appreciate you taking the time to spell out the details. I know enough to be dangerous, but that's about it. Anyone not within the network security realm is truly limited by "you know what you know"; as for myself, I just don't know what to search or ask, as I just don't know... Thanks again for the resources, very much appreciated.
 
I go through this aspect not only with IP cameras but phone systems, network printers, bleh bleh bleh.
Once a customer asks me about network security, hacking, anything with routers or firewalls, I advise them (for business insurance and liability purposes) that it's that time in life to hire a professional network person who can keep up day to day, week to week with security vulnerabilities, firewall updates, new this, new that. It is too much to keep up to date with if not in the field.