Here are my ideas about setting up a video surveillance system on Qubes. I use ZoneMinder because it’s open source and seems to be enough for my needs.
I have attached IP cameras to Router_cams which is not connected to the internet. There’s a separate sys-net2 created for that router with the appropriate Ethernet controller attached to it.
The flow of information should go as follows from top to bottom:
IP cameras
│ │ │
Router_cams
│
sys-net2
│
ZM_qube
│
Encryption_qube (no network access)
│
Upload_qube
│
sys-net1
│
Router_internet
│ │ │
Servers that reside elsewhere
ZM_qube:
- has ZoneMinder installed (duh).
- It will save the video streams when there is motion detected and send them to Encryption_qube.
- I will also monitor the live feed when I’m near the Qubes machine.
Encryption_qube:
- takes video files from ZM_qube.
- It’s a separate qube with no internet access in case of a ZoneMinder supply chain attack or a malicious IP camera that exploits ZoneMinder somehow. That way I will be reasonably certain that the encryption process hasn’t been tampered with.
- It could also send the videos to another qube without internet access that will store the videos locally on the same machine or on another (hidden) machine via Wi-Fi (in case the attackers cut off my internet access and take/destroy the Qubes machine).
Upload_qube:
- Takes encrypted files from Encryption_qube.
- It has internet access, but will only have access to encrypted blobs and no plaintext (plainvideo?) files.
Problems:
- Can’t view the stream from another device while I’m away. I could route the videos to a separate qube that will act like a server, but securing that seems pretty hard, especially compared to the security guarantees given by the rest of the system.
- ZM_qube is trusted with the motion detection and filtering. I was thinking of adding another qube between ZM_qube and Encryption_qube to do that (Modec_qube), but it will also need ZoneMinder installed (or a similar program capable of motion detection). But if an IP camera is malicious, it seems (intuitively) that it would be easier for it to compromise ZM_qube directly than Modec_qube since Modec_qube will only receive (compressed?) video from ZM_qube without directly talking to the cameras and exchanging control/config data.
What would be the best way to share data between the Qubes? The data that goes ZM_qube → Encryption_qube → Upload_qube doesn’t need to touch the hard drive so something like Xen shared memory could be faster (but I don’t know much about it yet).
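An added example, not part of the original post: one way to pin the ZM_qube → Encryption_qube → Upload_qube direction is a dom0 qrexec policy, sketched here in the Qubes 4.1+ policy format. The service names `user.CamClip` and `user.CamBlob` are hypothetical, and the handler scripts they refer to are assumed to exist in the receiving qubes.

```text
# dom0: /etc/qubes/policy.d/30-user.policy
# Format: service  argument  source  destination  action
# Rules are evaluated top to bottom; the first match wins.
# user.CamClip and user.CamBlob are hypothetical service names (assumptions).

# Motion clips: ZM_qube -> Encryption_qube only.
user.CamClip    *   ZM_qube           Encryption_qube   allow
user.CamClip    *   @anyvm            @anyvm            deny

# Encrypted blobs: Encryption_qube -> Upload_qube only.
user.CamBlob    *   Encryption_qube   Upload_qube       allow
user.CamBlob    *   @anyvm            @anyvm            deny

# No file copies back up the chain, and no prompt offering one.
qubes.Filecopy  *   Upload_qube       Encryption_qube   deny
qubes.Filecopy  *   Upload_qube       ZM_qube           deny
qubes.Filecopy  *   Encryption_qube   ZM_qube           deny
```

Each service is a script under `/etc/qubes-rpc/` in the receiving qube that reads the data on stdin, so the sender can pipe a clip into `qrexec-client-vm Encryption_qube user.CamClip` as a stream.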