Phil Dreizen

fortune
May 15, 2013, 3:58 am
 
< I couldn't resist making a fortune page! >
 -----------------------------------------
   \
    \
        .--.
       |o_o |
       |:_/ |
      //   \ \
     (|     | )
    /'\_   _/`\
    \___)=(___/

tags: fortune, linux, unix

Why secure an IPcam?
May 14, 2013, 8:21 pm

My girlfriend and I wanted a *secure* IP camera to watch her pet tortoise. Unfortunately, it's very difficult to find affordable cameras that can also handle SSL encryption - cameras with SSL functionality seem to be very expensive.

So I decided to use a Foscam FI8910W, which is an adequate and cheap IP camera - but has no SSL support - and use a Raspberry Pi to run an Apache web server which would act as an SSL reverse proxy to the camera. The camera would be restricted to the LAN only, but the Raspberry Pi, which also lives in the LAN, would be accessible from anywhere. All access to the Apache web server is SSL encrypted, so in turn, all access to the camera from outside the LAN is also encrypted.

People seem to ask, "why bother making the camera secure?" so often, I decided it was worth spending some time answering. I think an example is in order here: start by googling for allintitle: "Network Camera NetworkCamera" and look around. There are lots of search terms that find insecure cameras you can try. (This is a case where starting a page or two into the results will be better than starting from page 1.)

IP cameras have microphones, so anyone listening in can eavesdrop, and the direction the camera is pointing in can be controlled remotely via the web. So someone who gets access to the camera and shouldn't have it can see (and hear) more than just a pet you're keeping an eye on. And the password protection that cameras without SSL encryption provide lends a false sense of security. The passwords are sent over the network in plaintext, so anyone with the right tools (a packet sniffer like Wireshark) can see your password.

For this post, I'm not going to go into exact detail on how I set this up. (I may do that in a future post.) But here are some pointers. First, you may need some help setting up the Foscam. I recommend looking at Linux compatible Foscam Wireless Netcams. Then you're going to need to set up the Apache web server. There's already a post that does go into some detail about setting up Apache specifically for a Foscam here: Securing Foscam IP camera access over SSL with Apache reverse proxying. More detail on setting up SSL on Debian is useful for anyone running Raspbian on their Raspberry Pi, which there is a very good chance you are.
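For orientation, here is a minimal sketch of the Apache side of the setup described above. It is an added example, not the author's configuration or the linked post's. The camera address 192.168.1.50, the hostname cam.example.org and the certificate paths are placeholder assumptions.

```apache
# Added example. Placeholder assumptions (not from the post):
#   camera reachable only on the LAN at http://192.168.1.50:80/
#   public hostname cam.example.org, certificate and key paths below
# On Debian/Raspbian the needed modules are enabled with:
#   a2enmod ssl proxy proxy_http

<VirtualHost *:443>
    ServerName cam.example.org

    # TLS terminates here on the Raspberry Pi, so the camera password
    # is encrypted on every hop outside the LAN.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cam.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/cam.example.org.key

    # Reverse proxy only. Leaving ProxyRequests on would turn the Pi
    # into an open forward proxy for anyone who can reach port 443.
    ProxyRequests Off

    # Forward everything to the camera's plain-HTTP interface on the LAN
    # and rewrite redirects so clients never see the internal address.
    ProxyPass        / http://192.168.1.50:80/
    ProxyPassReverse / http://192.168.1.50:80/

    # Log proxied requests separately so unexpected access stands out.
    ErrorLog  ${APACHE_LOG_DIR}/cam_error.log
    CustomLog ${APACHE_LOG_DIR}/cam_access.log combined
</VirtualHost>
```

The router should forward only port 443 to the Raspberry Pi. Forwarding any port straight to the camera would bypass the proxy and put the plain-HTTP login back on the internet.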

Finally, I should mention an annoying snafu I bumped into. The OTHER purpose of the Raspberry Pi I was using for this project is to be an XBMC Media Center, and so it is running Raspbmc. Raspbmc comes with iptables set up to drop all traffic from outside the LAN. So you'll have to open up whatever port you have Apache listening on by modifying:

/etc/network/if-up.d/secure-rmc

You'll have to add a rule like:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

That will open the raspberry pi to the world. Well, once you configure your router to port forward to your raspberry pi anyway.

So...now I wonder...should I make a detailed tutorial?