Security Concern Over Snipback Cameras vs Hudl

I work for a school district and the AD is going to get rid of the Hudl cameras and go with a company called snipbackai. From what I can tell these cameras are running Tailscale on them and I am refusing to put them on the network. I am fearful that they will advertise our routes and be able to access everything on the subnet that the cameras are on. I know everyone is going to say well, set up a different subnet, VLAN, firewall rules etc. and keep them in their playground. It is the point that they have this running on the cameras and can at any time do this, and everyone seems to be fine with it. Does anyone have any experience with this company or cameras? Am I paranoid in thinking this way? Here are the requirements that they sent me.

Snipback Facility Cam Controller
Network Requirements – Technical

  1. Deployment Model
    Controller Device:
    Linux-based
    Outbound-only connectivity (no inbound firewall rules required)
    All application traffic encrypted (TLS 1.2+)
    No public IP address required
    No port forwarding required
  2. Required Outbound Access
    A. Core Application Traffic (HTTPS)
    Allow outbound:
    TCP 443
    To the following domains:
    *.snipback.com
    *.cloudflare.com
    *.r2.cloudflarestorage.com
    ports.ubuntu.com
    *.ubuntu.com
    *.docker.io
    *.docker.com
    TCP 8443
    To:
    stream.snipback.com
    UDP 123
    To:
    pool.ntp.org
    Allow outbound NTP traffic for pool.ntp.org via UDP port 123.
    Notes: DNS-based allowlisting is preferred.
    Cloudflare IP ranges are dynamic and may change.
    All traffic is encrypted via HTTPS.
    B. Tailscale Secure Connectivity (Required)
    Tailscale is used to manage and monitor our controller.
    Allow outbound:
    UDP 41641 (Preferred)
    UDP 3478
    TCP 443 (Fallback)
    TCP 80 (Fallback)
    To:
    *.tailscale.com
    login.tailscale.com
    controlplane.tailscale.com
    derp*.tailscale.com
    Important:
    No inbound firewall rules required.
    All connectivity is outbound-initiated.
    End-to-end encrypted using WireGuard.
    If outbound UDP is blocked, Tailscale can operate over TCP 443 (with reduced performance).
  3. DNS Requirements
    Allow outbound DNS resolution:
    UDP 53 and/or TCP 53 to district DNS servers
    Device must resolve public DNS records for:
    *.snipback.com
    *.cloudflare.com
    *.tailscale.com
  4. Security Notes
    No inbound ports required
    No exposed services
    No public-facing endpoints
    No static public IP required
    If SSL/TLS inspection is enabled, exclude:
    *.snipback.com
    *.tailscale.com
    In order to ensure a secure and stable connection with our network, please ensure all traffic
    for Tailscale is not intercepted by SSL inspection.
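As an added example (not from the thread or the vendor), here is a small audit of firewall flow-log lines from the camera VLAN against the allowlist above: it surfaces every Tailscale coordination/STUN/DERP flow and flags any reach into another internal subnet, which is the route-advertisement worry raised above. The camera VLAN, the resolver subnet, the addresses and the log-line format are all assumptions, and the sample log is constructed.

```python
import fnmatch
import ipaddress
from collections import Counter

# Vendor egress allowlist transcribed from the requirements above: (hostname glob, proto, port).
ALLOWLIST = [
    ("*.snipback.com", "tcp", 443), ("*.cloudflare.com", "tcp", 443),
    ("*.r2.cloudflarestorage.com", "tcp", 443), ("ports.ubuntu.com", "tcp", 443),
    ("*.ubuntu.com", "tcp", 443), ("*.docker.io", "tcp", 443),
    ("*.docker.com", "tcp", 443), ("stream.snipback.com", "tcp", 8443),
    ("pool.ntp.org", "udp", 123),
]
# Tailscale coordination, STUN and DERP traffic is classified separately so it is always visible.
TAILSCALE_HOSTS = ["*.tailscale.com"]
TAILSCALE_PORTS = {("udp", 41641), ("udp", 3478)}
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")    # assumed camera VLAN
DISTRICT_DNS = ipaddress.ip_network("10.0.0.0/24")    # assumed district resolver subnet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(line):
    """Classify one flow record 'proto src dst dport host' (constructed format; host is '-' if unknown)."""
    proto, src, dst, dport, host = line.split()
    dst_ip, dport = ipaddress.ip_address(dst), int(dport)
    if ipaddress.ip_address(src) not in CAMERA_VLAN:
        return "IGNORED"
    if dport == 53 and dst_ip in DISTRICT_DNS:
        return "ALLOWED"           # resolver access the vendor asks for
    if any(dst_ip in net for net in RFC1918) and dst_ip not in CAMERA_VLAN:
        return "LATERAL"           # camera reaching another internal subnet: the route-advertisement worry
    if (proto, dport) in TAILSCALE_PORTS or any(fnmatch.fnmatch(host, g) for g in TAILSCALE_HOSTS):
        return "TAILSCALE"
    if any(proto == p and dport == port and fnmatch.fnmatch(host, g) for g, p, port in ALLOWLIST):
        return "ALLOWED"
    return "UNEXPECTED"

def audit(lines):
    # Tally classifications over a block of flow records, skipping blank lines.
    return Counter(classify(l) for l in lines if l.strip())

# Constructed sample flows; documentation address ranges stand in for the public side.
SAMPLE_LOG = """\
tcp 10.50.0.21 203.0.113.10 443 api.snipback.com
tcp 10.50.0.21 203.0.113.11 8443 stream.snipback.com
udp 10.50.0.21 10.0.0.53 53 -
udp 10.50.0.21 203.0.113.12 123 pool.ntp.org
udp 10.50.0.21 198.51.100.7 41641 -
tcp 10.50.0.21 198.51.100.9 443 controlplane.tailscale.com
tcp 10.50.0.21 10.10.5.40 445 -
tcp 10.50.0.21 192.0.2.50 443 example.net
""".splitlines()
```

Any LATERAL hit from the camera VLAN is the signal to investigate, since the vendor's own document gives no reason for a controller to talk to another internal subnet.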

I know it is not the answer you want to hear but I would just put these on their own network / VLAN to avoid any issues or security concerns.

That was the plan but what bothers me the most is that any point they could advertise the route out and have access to the entire subnet without anyone knowing. Seems to me it is already a shady operation.

If they are on their own subnet I don’t see why that matters.

VLAN hopping attacks would be the only concern at that point.

Can you set up the firewall to block Tailscale on that VLAN, so they can’t get out? Or, do they even need to get out to the internet for anything? Will they work if you set their gateway to something that doesn’t exist, or do they need to phone home to even turn on?

I’ll agree, they sound kind of problematic; why would they need Tailscale to get out of or back into your system?

Although possible, it’s highly unlikely that would happen.

Yes.

No one can tell you this. You have to try and see. Possibly perform a packet capture so you can clearly see what’s going on. What I can tell you is my experience with D-Link wifi cameras that have ONVIF/RTSP support. When these cameras are connected via wifi, and you limit their access to the local network only, they constantly reboot their internal wifi every 5 minutes in order to “resolve connectivity issue”, and by doing that, they disconnect from the local network as well and disconnect from the NVR. As soon as I allow access to the internet, the rebooting stops. Fortunately these cameras have LAN ports as well, so I made them all wired and now they have no issue being on the local network only. If these crappy D-Link cameras do that, I don’t see why any other manufacturer wouldn’t do the same. Or worse.

Because Tailscale is cheaper to implement. No need to invest tons of money to create an entire camera network. They can just spin up a Headscale server somewhere, and all cameras connect to that server. I would not buy or implement such devices in my network. If this decision is not on you, make sure you let everyone know that those devices pose a security risk and they would be responsible for any damages. Not you. And get that in writing.