Friday, August 8, 2014
Q-SEE Video Surveillance -- NOT SECURE
Q-SEE Video Surveillance: http://www.q-see.com/
Home Depot Rejecting Reviews?
That's right. I've submitted two legitimate, rule-following reviews on the Home Depot web site, warning customers not to purchase the Q-SEE video surveillance system because it does not protect your private logon session. Each review was rejected; I then found others who had experienced the same and had their negative reviews rejected.
"They refuse to post negative reviews, therefore intentionally distorting the suitability of their products."
If you are buying this system because you are security minded, and you intend to take advantage of being able to view your cameras remotely, then DO NOT BUY! Your username and password are broadcast over the internet in PLAIN TEXT. Anyone can intercept your session, either with spyware or man-in-the-middle, and can capture your authentication and take control of your Q-SEE Video Surveillance System. Then, already having the ability to view your secured area, they could have the ability to upload their own firmware, and potentially own YOUR ENTIRE NETWORK.
I first noticed that logging in to the system through a browser is not encrypted with an SSL certificate. This bothered me a little, but I assumed that, since the browser is really just loading an embedded client (the WebClient), traffic was being piped through a special port (6036) and was probably encrypted. You are instructed to open this port on your router during setup. Later, after becoming more suspicious of the lack of security, and noticing that, strangely, the phone app pre-inserts my username and password even when installing the app on a new device, I decided to run Wireshark and inspect the network packets during logon. The captured packets clearly reveal that your username and password are broadcast in the open with no encryption.
Given the growing threat of cyber-crime, the Q-See system you may be considering buying on the premise that it will help ensure your security, and protect your valuables and loved ones, is actually making your security worse.
If you already own a system like this, consider accessing it ONLY through a VPN.
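To repeat the Wireshark check described above on your own system without reading packets by hand, the following added example (not part of the original post, and not Q-SEE code) scans a saved capture for your own username and password in traffic on port 6036. It goes slightly beyond the post by also looking for the UTF-16LE and base64 forms of each value, since neither is encryption. Assumptions: the capture is a classic little-endian pcap with Ethernet framing, the function names are hypothetical, and the sample payloads and credentials are constructed and do not represent the real Q-SEE wire format.

```python
import base64
import struct

DVR_PORT = 6036  # port the post says the setup guide has you open on the router

def tcp_payloads(pcap, port):
    """Yield (packet_no, payload) for IPv4/TCP segments to or from `port`."""
    magic, linktype = struct.unpack_from("<I16xI", pcap)  # magic + link type
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap, Ethernet link type")
    off, no = 24, 0
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off, no = off + 16 + incl_len, no + 1
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4  # TCP header starts after IP header
        if len(frame) < tcp + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        ip_total, = struct.unpack_from("!H", frame, 16)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:14 + ip_total]
        if port in (sport, dport) and payload:
            yield no, payload

def find_exposed(pcap, secrets, port=DVR_PORT):
    """Return sorted (packet_no, secret_name, encoding) hits; values are not echoed."""
    hits = set()
    for no, payload in tcp_payloads(pcap, port):
        for name, value in secrets.items():
            forms = {"plaintext": value.encode(),
                     "utf-16le": value.encode("utf-16-le"),
                     "base64": base64.b64encode(value.encode())}
            hits.update((no, name, enc) for enc, n in forms.items() if n in payload)
    return sorted(hits)

def sample_capture():
    """Constructed capture for the demo; payloads are NOT the real Q-SEE format."""
    def packet(dport, payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                         0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
        tcp = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + payload
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + packet(DVR_PORT, b"\x00\x01user=owner\x00pass=Tr1ckyPass\x00")
            + packet(80, b"GET /owner HTTP/1.1\r\n\r\n")
            + packet(DVR_PORT, base64.b64encode(b"Tr1ckyPass")))
```

An empty result does not prove the session is encrypted: the base64 check only matches a value that was encoded on its own, and other reversible encodings are not covered.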