Basics about network protocols and security issues

[dereisbaer 0]

First I want to say hello.

 

I have a few ip-cameras (from longse) and a nvr for testing, which support onvif and many other protocols. I have changed the default password and all cameras and the nvr are working perfectly in the network.

 

To view the camera via browser I need my new password. To add the camera to the nvr I need the password, too.

 

But now I have installed Xeoma on my PC and Android phone to test this nvr-software. After starting the programm it will find all cameras in the network without any password. I can view the streams and record all of them without authorization. I think this has something to to with the RTSP/RTP protocol. but I'm not sure. I can't find any hint.

 

As I have to less knowledge about the basic function of the different protocols, I cant explain myself how this is possible.

 

So my question is. Has this anything to do with a specific protocol (maybe other protocol) and how can this be avoided? If I open an access to my network from the outside to this cameras can everyone view the stream with a software like Xeoma without authorization? Or has the problem something to do with the firmware of the cameras and they can't be installed secure in a network.

 

I hope my case is clear enough. If I can find something about this already anywhere else I would be happy about some keywords to search the net. All I have found until now, did not give me an answer to this question. But maybe I don't have the right keywords for searching.

 

Thank you very much for any help!

Momo

[alex_davidoff 0]

First. It is necessary to ensure that the nvr settings recovery record not only access to a web browser and recovery record and access to cameras streams (if there is such a setting). As it is often a tick "to restrict rtsp access". Authentication setting for rtsp protocol. If there is no such a tick (or is disabled for the authorization of the protocol), then via rtsp protocol can receive the stream from the cameras and without a password.

Secondly, you need to make sure that the password is not too simple (like admin / admin) because usually Xeoma for the convenience of users itself can choose such passwords.

[dereisbaer 0]

Hello thank you very much.

 

At the NVR I don't have such settings. At the CMS (Herospeed) from the cameras I don't have anything like this, too.

 

But I have tried to stream the video via RTSP with VLC, whiteout password. It doesn't work. I have to log in first or put the username & password in the stream-address. (rtsp://user:pw@x.x.x.137:80)

So I think there is no problem with the security of the rtsp stream.

(For the RTP Stream it didn't work with or whiteout password with the same port. - I don't have different port settings at the CMS from the camera. So if RTP works with a different port I can try this, too.)

 

Password for the camera is no standard password.

 

So the questions are: How it is possible that Xeoma still gets access to the camera? Are there other ways to view a stream of network cameras? An even more important what can I do, that no one else can view the stream if I want to open my network to view the streams via mobile phone?