
Paul's E-Portfolio

I would fain grow old learning many things... --Plato

I purchased this camera to do some projects I have been planning for a while, such as doing some timelapse photography - specifically the transformation of meal worms to beetles - and setting up a web cam, i.e. one that sends pictures to a website - watching my new chooks. I use Linux exclusively in my environment, which produced the first set of challenges.

Setup

There are a number of very good tutorials about setting this camera up using Linux. It, like many small technical objects, includes an HTTP stack that allows you to control, set up and view what the camera is looking at. However, nothing I did worked with this camera. I figured out that:

  • It was configured to use DHCP - previous models had been hard coded with a static IP address.
  • If it didn't get a DHCP response then it fell back to the static IP that everyone talks about: 192.168.1.239.
  • It is not listening on port 81.

In the end I was forced to run Windows and use their setup tool. For some unknown reason these cameras now have the HTTP stack listening on port 7777. Go figure.

Security

There are some security issues reported with this camera: https://platis.solutions/blog/2014/07/21/tenvis-jpt3815w-camera-gets-firmware-update-to-1-1-0-8-still-a-threat-to-your-privacy/ My camera is reporting that it is the 2014 model. The following security issues are still in place:

  • <url of camera>/snapshot.cgi still returns a current snapshot without requiring authentication.
  • <url of camera>/get_params.cgi still returns a whole heap of wifi and other settings but with the encryption key replaced by "0000". This also doesn't require authentication.
  • <url of camera>//vjpeg.v still returns an mjpeg stream of what the camera is looking at and doesn't require authentication.

Security issues should always be considered in context. My risk analysis says that even though I would like them not to be there, they are manageable for my uses. Firstly, I plan to post this stuff on the web anyway and to do it in a highly controlled manner. I will not be exposing the camera directly to the internet, but it will be sitting behind a very good firewall. Any snaps will be taken from the camera and then pushed to the website. So for these three exploits to be relevant, the hacker would need to circumvent my firewall. If they managed that, I would be in a world of pain and would not be worried about them snarfing some pictures of my chooks or meal worms.
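
An added example, not part of the original post: a small Python check that re-tests the three paths listed above without credentials, for use against your own camera after a firmware update. The base URL is supplied by you; the function names and result labels are this example's own.

```python
import sys
import urllib.error
import urllib.request

# Paths exactly as the post lists them (including the double slash).
PATHS = ["/snapshot.cgi", "/get_params.cgi", "//vjpeg.v"]

# The camera sits on the LAN, so bypass any configured HTTP proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify(status, content_type):
    """Turn the HTTP status of a credential-less request into a finding."""
    if status in (401, 403):
        return "auth-required"
    if 200 <= status < 300:
        return "open (%s)" % (content_type or "unknown type")
    return "inconclusive (HTTP %d)" % status


def probe(base_url, path, timeout=5):
    """Request one path with no credentials.

    Only a few bytes are read: the MJPEG endpoint streams indefinitely,
    so reading the whole body would never return.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            resp.read(16)
            return classify(resp.status, resp.headers.get("Content-Type"))
    except urllib.error.HTTPError as err:
        # 401/403 arrive here; that is the outcome we want to see.
        return classify(err.code, err.headers.get("Content-Type"))
    except (urllib.error.URLError, OSError) as err:
        return "unreachable (%s)" % err


def audit(base_url, timeout=5):
    """Probe every listed path and return {path: finding}."""
    return {path: probe(base_url, path, timeout) for path in PATHS}


if __name__ == "__main__":
    # Assumption: argv[1] is your camera's base URL, e.g. http://<camera-ip>:7777
    for path, finding in audit(sys.argv[1]).items():
        print("%-18s %s" % (path, finding))
```

Any line reporting "open" means that path still answers without a login on the firmware under test.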