Scene to block / "disable" IP cameras

I was searching the forums today for something that could “disable” IP cameras, specifically as a way to prevent photos or video feeds from interior cameras (like the one in my living room, say) being processed by the Vera or uploading to MCV servers when my family is home. While I found several people suggesting putting the cameras on controllable switches, this seems to me to have at least two big drawbacks: A) most of my PT cameras auto-center when powered up, ignoring whatever the previous state was and B) it’s not particularly affordable, especially if you have more than one or two cameras.

So, having spent a bit of time hacking on the PingSensor plugin, I figured I could whip something up that would fit the bill, and having succeeded at creating a pretty minimal scene to accomplish what I want (along with some moderate CLI work on my Vera3), I figured I would share with the community. Mind you this is pretty basic (I can already see room for improvement), so if you’re closer to the paranoid side of the information security spectrum, this won’t really fit the bill. As you will see, this all makes use of Vera’s already running firewall.

Steps:
1. Set up and include a new chain (I called mine interior_cams; if you’d prefer something else, just be sure to replace it as appropriate in your iptables commands). I did this from the command line by ssh’ing into my Vera3, though apparently this can also be done via the DD-WRT interface. Once logged in to the Vera, we want to edit the /etc/firewall.user file, and include the following:

iptables -N interior_cams
iptables -I OUTPUT -j interior_cams

The first line creates a new chain; the second places a “pointer” to the new chain at the beginning of the OUTPUT chain, so that all traffic leaving the Vera is passed through the new chain. Doing it this way provides a separate chain that we can manipulate without potentially mucking up the built-in default set of firewall rules, nor will (reasonable) changes to the default firewall rules interfere with our setup.

2. Activate the new chain. You can either reboot your Vera, which will cause the firewall to be reloaded, or if you’re at the command line already, you can just execute the two iptables commands above directly from there. You can verify that these are in place by running “iptables -L” from the command-line (you’ll probably have to scroll back a bit). If it worked you should see two things, though quite a few lines apart. First, near the top of the command line output, you should see:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
interior_cams  all  --  anywhere             anywhere

There will be more lines right below this, but that’s how it should start.
Then, farther down, you should see a section that looks like:

Chain interior_cams (1 references)
target     prot opt source               destination         

If you don’t see these two things, you may want to double-check that you got the text in /etc/firewall.user correct and/or reboot your Vera to ensure the firewall is really getting restarted.

3. Create a new scene in Vera (I named mine “Block Interior Cameras”). Don’t bother with any devices, triggers, or schedules, and instead click on the Luup tab. In the Code textblock include the following:

os.execute("iptables -F interior_cams")
os.execute("iptables -I interior_cams -d {your camera's IP address} -j REJECT")
os.execute("iptables -I interior_cams -d {your other camera's IP address} -j REJECT")

Add as many of the “-j REJECT” lines as you have cameras. Note that this assumes you have static (or statically-assigned DHCP) addresses configured for your IP cameras. Confirm your changes and click Save at the top right.

4. Test the new scene. I would do this by trying to view one of the cameras before running the scene, verify that you see an image, then run the scene by hand and reload the camera view, which should now return a 100x100 pixel image that says “Camera not responding.” I did this in Chromium by right clicking on the cam image displayed on the device page, which pulls it up in a separate tab so that I can just hit reload as I’m testing.

5. Assuming this worked, now you need a way to see the camera again, which requires creating a new scene, which I called “Allow Interior Cameras”. Much like the previous scene we created in step 3, go right to the Luup tab, but this time, the only code we need to enter into the text box is:

os.execute("iptables -F interior_cams")

As before, confirm the changes and click Save.

6. Test the second scene. Just like before, but now run the “Allow Interior Cameras” scene. The “Camera not responding” image should go away and be replaced with the view from your camera.

Now, whenever you’re at home and don’t want Vera watching you, run the “Block Interior Cameras” scene. Then when you leave (or whenever you want the cameras monitored again), you can run the “Allow Interior Cameras” scene. Appropriate triggers are left as an exercise for the reader.

So there are the basic instructions, but I wanted to add some additional suggestions and commentary.

First, depending on your situation, you may want to ensure that the cameras are blocked whenever Vera powers up / restarts. If this is the case, you can add the “iptables -A interior_cams -d ip_address -j REJECT” lines that we put in our “Block” scene into the /etc/firewall.user file (be sure to put them after the first two rules, otherwise there is no such chain as interior_cams yet, and the actual REJECT rules won’t be applied). If this is your primary residence, it probably makes sense to do this. If it’s a rental or similar property, you probably want the cameras monitored by default, and shouldn’t bother with this step.

As mentioned above, this isn’t necessarily all that secure from someone who really wants to see things. After all, an MCV employee would only have to remove your iptables rules in order to re-enable visibility of the cameras. My guess is that most people who operate at the level of security (I won’t really call it paranoia) have already prevented MCV from accessing their Vera remotely, and for those that are a step down from that, I would recommend making use of the PingSensor plugin to alert you whenever an IP camera you’ve blocked becomes visible (and maybe invisible, so that you can confirm when it’s in the state you want it). This could potentially even be used as a trigger to re-enable the Block. I can still think of ways to fool the system while re-enabling the camera visibility (I won’t go into detail) but you’re at least raising the bar a little bit.

My first thoughts for improvement are:

  • Possibly reading in the IP addresses of your cameras from variables for the “Block” code so that you don’t have to hard-code them into the scene. Depending on your camera setup, this might require a way to distinguish between interior and exterior cameras (which seems do-able in theory)
  • Being able to Allow/Block cameras selectively/individually (from separate scenes, for instance). The first challenge here is that you’ll have to use DELETE (-D) iptables commands, and won’t be able to perform a FLUSH (-F) in either the Allow or Block code. This could quickly lead to challenges with managing the state of the firewall correctly (for instance, if you accidentally ran the same Block scene twice, a single run of the corresponding Allow scene might not remove both; I haven’t tested this, but the conjecture is based on my experience with Puppet and firewall control). In any case, this would lead to significantly more complicated code. Which brings us to…
  • Turning it into a plugin. Right now this is beyond my abilities (and time), but I’d be happy to work with someone else who wanted to make this happen. Otherwise, perhaps when my understanding of plugins improves I’ll take a stab at it.
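
The per-camera Allow/Block idea in the second bullet can be kept consistent without a flush, as in this added sketch (not code from the original post). It assumes the Vera's iptables build supports the -C (check) option; the function names block_cam, allow_cam and valid_ip are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent per-camera Block/Allow for the interior_cams chain.
CHAIN="interior_cams"
IPT="${IPT:-iptables}"   # overridable so the logic can be tried without root

# Accept only a dotted-quad IPv4 address, so a typo or stray shell
# metacharacter never reaches the iptables command line.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest="$1."; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Block: insert the REJECT rule only if an identical rule is not already there,
# so running the Block scene twice leaves exactly one rule.
block_cam() {
    valid_ip "$1" || { echo "bad address: $1" >&2; return 2; }
    "$IPT" -C "$CHAIN" -d "$1" -j REJECT 2>/dev/null && return 0
    "$IPT" -I "$CHAIN" -d "$1" -j REJECT
}

# Allow: -D removes one matching rule per call, so loop until -C reports
# that none is left. Rules for other cameras are untouched.
allow_cam() {
    valid_ip "$1" || { echo "bad address: $1" >&2; return 2; }
    while "$IPT" -C "$CHAIN" -d "$1" -j REJECT 2>/dev/null; do
        "$IPT" -D "$CHAIN" -d "$1" -j REJECT || return 1
    done
}
```

Source the file on the Vera and call block_cam or allow_cam with one camera address; the chain itself must already exist as set up in step 1.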