Disabling Cloud Camera Access

2022-11-16

mikrotik , security , network

I’ve recently bought a TP-Link TAPO C200 camera (product page) so we can keep an eye on the flat when we are not at home*. This security camera is admittedly an entry level one, but suited our needs perfectly. I did not do much research before buying it, because I planned to use it with my Synology Surveillance Station, so I don’t care about vendor apps or anything fancy, just give me an RTSP stream and I’m good to go.

You can imagine my surprise when I unboxed the stuff, plugged it in and faced with the wonderful decision of TP-Link to only allow the camera setup through their app which needs a user registered with TP-Link. I worked my way through the process (which was admittedly pretty straightforward) and after came the realisation that I’m able to connect to the camera stream not just through my local network but from outside as well. Cloud based home security devices? With access from anywhere trusting in some random company? Nope. Nope. Nooooope. After all, the cloud is just other people’s servers. I prefer to keep everything for myself, especially recordings of my cat.

*most importantly to keep an eye on our cat, of course

Killing the phone line home

I have a Mikrotik hAP ac3 running my home network, so it was obvious to use it to block any kind of traffic between the TP-Link servers and my camera. This can be easily achieved by the following filter rules:

1
2
3


/ip firewall filter
add chain=input action=drop src-mac-address=DE:AD:BE:EF:xx:xx
add chain=forward action=drop src-mac-address=DE:AD:BE:EF:xx:xx

Insert your device’s MAC address and move the rules to the start of the input and forward chains so they will be caught in time. Using these rules will not prevent traffic on the LAN so Surveillance Station is still able to connect to the camera.

Aftermath

Blocking the traffic was the way to go, the camera is not accessible from outside my home network using the app. If I’m at home, I’m still able to use the TP-Link app to configure the device if needed. Looking at the traffic logs after a few days, the camera generated twentysomething MB of data trying to call home.

The only drawback so far is the camera is not able to sync time with its internet access blocked, so using the time stamp on the RTSP stream is not too useful. Personally I don’t mind this, since Surveillance Station takes care of timestamping my recordings and snapshots.