Jump to content
C4 Forums | Control4

Avoid Luma NVR?

Dr. Venkman

By Dr. Venkman
in General Control4 Discussion

 Share

Recommended Posts

eggzlot Grand Master

eggzlot

Posted
Posted

I am in the camp of BI

You can get a used Dell Business PC for $400 or less that is likely well suited to run BI (and Composer Home Edition for someone like me who is mostly on a Mac).

You can use 1,000's of cameras.

You can integrate into C4 for free, or via a paid driver for more features

Their app is easy to use to get live feeds or recorded clips (it is a paid app per device, not per BI Account so be aware it can add up quickly)

I've had an Asus computer running for years with a 6TB Hard Drive running BI and it has been fine.  Now grant it I've now jinxed it so I'll be looking for a new PC but in all seriousness the computer has been up and running 24x7 for 5-6 years without a hiccup.  I have a script on there so when I lose power the PC will boot up and BI will launch automatically so I don't have to worry about power outages, etc.

It just plain old works and I am using cameras from 4 different manufactures around my house but they are all ONVIF work and flawlessly in BI.

Link to comment
Share on other sites

Andrew luecke Mentor

Andrew luecke

Posted
Posted

Just a heads up.. If you're not using the inbuilt ports on the NVR (especially if you aren't using events) my recommendation would be to ensure you're using a proper VLAN for cameras (so you need to also ensure you have a smart switch). 

The ports on most NVR's are isolated from the main network. But if they're not being used (if you're using the normal switch), someone could disconnect a camera and get internal network access, and potentially compromise the home security. 

Unrelated, but same thing about open networks. Never use them (even when hidden).

I'd also recommend against using Wifi Cameras (particularly if they don't have protected management frame support)

On more consideration is that PC's tend to consume a lot more power than NVR's (so long term, the costs could add up). Most people imho are still best off using standard NVR's

Link to comment
Share on other sites
GregCAMS Community Regular

GregCAMS

Posted
Posted

Kind of surprised to hear all of the issues with Luma.  I've had 13 of their cameras installed at residence (11 310 series, 1 PTZ, 1 DS2 integrated into Luma NVR).  I've had zero issues using the cameras on the Luma App.  They natively integrate with Josh.ai and have had zero issues with viewing the cameras thru their app or via the web portal.  The biggest issue has been with C4 iOS app and the cameras.  Since the most recent 2 OS updates and iOS updates, viewing the cameras within the C4 app crashes within 30-45 seconds of viewing them.  So I've just abandoned any hope for Snap getting that to work right even though they sell both Luma and C4.  Instead just use the Josh app and Luma directly for detailed playback or quick viewing.

Regardless of rebranding I'd not buy a Hikvision again.  Have had to replace the cameras and NVR from them twice in our retail store.  At top of year switching to Luma for those as well.  

Link to comment
Share on other sites
TundraSonic Rising Star

TundraSonic

Posted
Posted

Some good advice from @Andrew luecke. Two other reasons for separate net/vlan are to simply keep camera traffic away from other stuff and almost all cameras have a tendency to 'call home to mamma' so this allows them to be isolated from doing that.

I don't have a problem with WiFi cameras (or PL based cameras) and we have several of each that we deploy around the house when we're on holiday. You just have to understand the risks. 

Best recommendation for BI & SS are to have two ethernet ports on the host; one for the isolated camera network and the other facing the world/internet. This is what we've done. One port (10gb) is to the switch dedicated to just cameras. The other port (USB > 10gb) connects to our main switch for remote access and for WiFi and PL cameras on a surveillance vlan. FWIW, most of our cameras are Dahua.

Second best is a single ethernet port and all cameras on the vlan.

As to the power consumption, our Security Spy mac mini uses 11.2w according to IotaWatt. I don't know what our IC Realtime or Hik NVR's were but 11.2w doesn't leave a lot of room for savings. Even if it used 300w I'd consider the money well spent for the better capabilities and user interface.

Link to comment
Share on other sites
TundraSonic Rising Star

TundraSonic

Posted
Posted
10 hours ago, gregheard said:

Since the most recent 2 OS updates and iOS updates, viewing the cameras within the C4 app crashes within 30-45 seconds of viewing them.  So I've just abandoned any hope for Snap getting that to work right even though they sell both Luma and C4.  Instead just use the Josh app and Luma directly for detailed playback or quick viewing.  

At what point do we expect too much of C4? For me there's little value added being able to see a camera in a C4 app since I can just as easily and with a better UI, better control and better camera quality do that with the native Security Spy app? The exception would be when using an older iPad as a C4 panel but not having it here is not a huge loss and also likely something I can do using the native SS app.

Where I do want C4 integration is; 1) Triggers - both ways to have C4 trigger a camera movement or recording or have C4 respond to camera motion, 2) Display a camera on a T3/T4 panel, 3) Display a camera on an app per above when using an iPad as a C4 control panel.

Link to comment
Share on other sites
Cyknight Grand Master

Cyknight

Posted
Posted
15 hours ago, Andrew luecke said:

The ports on most NVR's are isolated from the main network. But if they're not being used (if you're using the normal switch), someone could disconnect a camera and get internal network access, and potentially compromise the home security.

Or they could do a dozen other much easier things vs trying to get to a camera network port 20+f up in the air.

Holy hyped issues Batman!

Note that a separate VLAN for cameras is a good idea for many reasons, as is port-based MAC filtering as an added security measure on any exposed physical network connection (exterior or in public areas for commercial locations) but...

15 hours ago, Andrew luecke said:

I'd also recommend against using Wifi Cameras (particularly if they don't have protected management frame support)

You're worried about 'open' hardwired connections for cameras but don't want to use WiFi either?

I avoid WiFi simply for stability issues just to note, but you're REALLY over-hyping security issues here.

Do you recommend 4 latch-bolt interior locks on the front door that has glass panels as well?

Link to comment
Share on other sites
TundraSonic Rising Star

TundraSonic

Posted
Posted

To clarify my earlier post. If someone already has a Unifi network or Synology NAS and want a simple 4 or 6 camera surveillance system then I think either of those are fine. If they want a more robust system then BI or SS are the better options. If they want a dealer maintained system then an NVR or whatever the dealer wants to support will be the ticket though BI or SS will be the more capable.

Link to comment
Share on other sites
cnicholson Rising Star

cnicholson

Posted
Posted

I recently set up SecuritySpy on a M1 Mac Mini.   Works great so far.  I'm told there is a C4 driver, but I'm not using it (so no C4 integration at all currently).  I have SS grab the high-quality streams and C4 grabs the lower quality sub stream.   Use C4 for quick live views, and flip over to SS on iPhone or AppleTV for high quality live viewing and to view recorded footage.   I plan to have AppleTVs on each TV, and the SS AppleTV app is pretty good (for my needs).   Nice way to pull up live or recorded footage on any screen without a video matrix.  

SS seems well-optimized for the new M1 Macs.  I'm running six cameras doing H.265 transcode and AI Human/Vehicle motion detection as well as time-lapse continuous recording and average CPU load is 9-10%.  Peak GPU load is about 50% while reviewing multi-angle footage.  I think I'll ultimately have over 20 cameras, so might need to dial-back on CPU/GPU load to scale that much.  Hopefully Apple will release a "Mac Mini Pro" next year.

 

 

Link to comment
Share on other sites
GregCAMS Community Regular

GregCAMS

Posted
Posted
1 hour ago, TundraSonic said:

Is it Snap firmware? Or Hik rebranded?

Don't know what to tell ya!  Bought one HikVision system with NVR and 3 cameras in 2016, Cameras lasted about 3 years before starting to give issues.  Bought the 1st NVR in 2016 and then that one crapped out completely in 2019.  Bought a replacement unit and it stopped working in August of last year.   Regardless of branding or not they don't always make good product from first person trials and usage here.

Link to comment
Share on other sites
TundraSonic Rising Star

TundraSonic

Posted
Posted
1 hour ago, cnicholson said:

Hopefully Apple will release a "Mac Mini Pro" next year.

Yes. I think we've currently got 23 cameras running on whatever the most powerful Mac Mini was available 18 months ago.  Combo of 2, 3, 4 and 8 MP streams. Not a lot of AI. I think 17 cameras are set for 24hr motion triggered recording. Runs well. 

Link to comment
Share on other sites
Cyknight Grand Master

Cyknight

Posted
Posted
3 hours ago, TundraSonic said:

For me there's little value added being able to see a camera in a C4 app

One of the 'other' reasons that clients tell me they like it is that they may not want kids to have access to full control over recordings etc, but do want them to be able to see a live view (for if someone's outside for example).

While some 'brand' apps have the ability to split that out by app or user settings, by having the kids just have the C4 app anyway, it's a no-brain setup for them.

 

YMMV of course - and yes there's an argument to be made to what the added value is over the 'brand' app of the nvr/camera manufacturer/re-seller. If a different setup/brand gives you XYZ but it doesn't integrate (well) with Control4 - that doesn't make it a bad choice.

Link to comment
Share on other sites
Andrew luecke Mentor

Andrew luecke

Posted
Posted
On 12/30/2021 at 3:20 AM, Cyknight said:

Or they could do a dozen other much easier things vs trying to get to a camera network port 20+f up in the air.

Holy hyped issues Batman!

Note that a separate VLAN for cameras is a good idea for many reasons, as is port-based MAC filtering as an added security measure on any exposed physical network connection (exterior or in public areas for commercial locations) but...

You're worried about 'open' hardwired connections for cameras but don't want to use WiFi either?

I avoid WiFi simply for stability issues just to note, but you're REALLY over-hyping security issues here.

Do you recommend 4 latch-bolt interior locks on the front door that has glass panels as well?

  1. Not all break-ins are smash and grabs..  In Indonesia, the residents of a home across our street moved out. After the packers finished moved all their stuff, we discovered a few days later that it was a theft operation (when the residents returned). No alarm, no evidence they were dodgy. Even a functional alarm would have tipped us off
  2. In an apartment building at a previous job I worked at, alledged drug dealers allegedly compromised the camera system of the building apartment complex, and a few surrounding buildings too. They were likely not elite hackers. These attacks DEFINITELY exist in real life..
  3. In some areas (like toorak here in VIC Australia), I was told by a resident that some homes have attempted break-ins 3 times a year too, so some houses are fairly high risk, and we've had a lot of cases where people walked into our customers back yards (detected on cameras).. 

The idea of my comment was to make people think a bit more about securing their jobs. 

  • In fact, It was only a year ago I had to do a PSA on FB, because many installers were recommending hidden open networks as a solution for HP printers). 
  • The idea was to offer a bit more info on how to avoid risks for clients, as not everyone has a security background here (everyone has different strengths), but it's good to help people strengthen their weaknesses.... It doesn't hurt.. 


Taking down wifi using deauth is actually now a LOW skill attack (when PMF or WPA3 isn't implemented).

  • They just need something like: https://maltronics.com/products/wifi-deauther at a minimum or Kali, a laptop and Youtube .
  • In fact, here's a fancy watch that deauth's 2.4ghz: https://www.amazon.com.au/AURSINC-Deauther-Development-Wearable-Smartwatch/dp/B08YWJPCSL/
  • Criminals just need to be aware such attacks exists.
  • The beauty of the attack, is that without WIPS, it is undetectable, and can be done outside of visual range. There are no real disadvantages. With WPA3 devices, PMF or custom protocols, it would require full blown jamming instead. WIPS is actually an area which Ruckus completely beats Unifi
  • Easy solution to reduce the risk is to be aware of the attack, and the mitigation imho is to ensure PMF is being utilised or ensure WPA3 is enabled for critical devices, or add additional device monitoring.  
  • C4 installers could even consider buying a deauther as an  upsell tool to Ruckus/Access Network/Aruba AP's from their mesh AP's so at least they can demonstrate to customers the risks (and is even more useful in cases where customers don't want to upgrade their crappy Airport Extreme, because it's "fast enough" and they don't need Wifi6). What is interesting, is that apparently EERO supports PMF, but only uses it for Mesh to mesh point apparently (not sure about their new gear)


Stealing the ethernet from cameras?

  • Most cameras (at least in Australian homes) aren't 20ft in the air in most residential jobs. But similarly, in many, the ethernet can be fairly accessible via other means, (such as at the gate).
  • There's no reason not to secure cameras with VLAN's if smart switches are already installed, and it was mentioned because of people talking about BlueIris (and I wanted to ensure they didn't share the network. which is also a good idea anyway for other reasons, but it's definitely worth knowing why too). 
  • Using tamper events in particular would help mitigate a lot of the risk, because clients would be made aware not only if the camera was being messed with, but when someone was messing with it

 

Risk management to protect installs should be in place anyway for low cameras for other reasons.

  • I actually previously assisted at a site where the CAMERAS were stolen in a year (at a dentist). They gave up installing cameras after the 3rd time. They didn't once try to break into the actual building, there was nothing to steal there, they had an alarm, and they were just stealing the cameras to sell..  

 

Sure you can throw a brick through a window (if its not security glass).

  • The alarm will go off though. 
  • The idea is to consider and try to mitigate the risks (which is why we generally use mobile for Alarm monitoring and/or fixed line), especially if easy to do so. High-reward multi-million dollar properties are more likely to get targeted by good people .
  • With exterior lan access without any additional security, technical crims could potentially open doors (without setting off the alarm), or even use the default alarm installer code (if not changed) to turn off the alarm. Common? Maybe not. BUT as an installer, you should also ensure the house is secure (especially if the security causes no usability issues). 

 

There's one final consideration which is also the 3rd party factor.

  • When another installer comes onsite, they will comment on everything you did..   
  • This means that they might pick up some of these risks and tell the client.. What do you tell the client if they ask why the cameras aren't on a VLAN? Or why you never mentioned the risks with wireless? 

 

People are free to agree or disagree.. This whole thing is just an opinion. But my feeling is that in particularly for high end jobs especially where the customer is wiling to pay, additional care should be taken to secure the job to a higher extent. And in jobs where the customer isn't willing to do it to a higher level, they should at least be informed of the security risks (there are no disadvantages to informing the customer). All these security considerations do add up eventually, and if they don't add any inconvenience or cost with the existing hardware, it's worth doing imho

Link to comment
Share on other sites
This thread is quite old. Please consider starting a new thread rather than reviving this one.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept