The ports in this list are the ports used by the Wyze cam to connect TO the Wyze servers (i.e., these are the ports that are open on their servers for incoming connections from the cameras). Blocking any/all of these ports to incoming connections to the user’s home router will accomplish nothing. The NAT mapping in the user’s router effectively blocks all incoming connections from the internet (unless a port forwarding rule has been defined).
As you found, your guess about blocking TCP:10001 from outside access was not correct. It won’t stop the camera from streaming video to the cloud. What might prevent video traffic to the cloud would be to block outbound connections from the Wyzecams to port 80. Most consumer routers don’t provide the user with that degree of control. Some have the ability to block all outbound connections for a specified device. If one were to do so, the Wyze cam would lose the ability to check/update the time setting, check for new firmware, send events to the cloud, etc. However, it might still be able to stream video locally to the Wyze app on the same subnet. I suspect that this configuration (internet connection blocked) is a use case that Wyze hasn’t tested. It’s certainly not part of their design intent.
@kyphos Thanks for popping in; I was hoping you would.
I don’t think blocking all outbound connections from the camera will work because I don’t think the local stream will start without an authentication from the server to get it started. So perhaps there’s no easy way to block outside streaming but still allow inside streaming.
I haven’t tested it lately, but in the past I’ve used a V2 ‘off-the-grid’ with no problems. My setup is a little battery-powered travel router with integrated AP. Connect the cam to its WiFi. Connect my iPhone to its WiFi. The Wyze app finds the camera, does Live View, lets me set up Time Lapse recordings, etc. Later (after the time lapse is done), I would download the TL video from the SD card to the iPhone, view it, etc. While doing all of the above, there was no internet access of any kind.
The only ‘trick’ was that the cam has to be added to the app prior to going off the grid. Internet access is required for the initial registration, but after that, the cam + app + hotspot worked just fine with no internet connectivity. The local stream (Live View) started without any remote authentication from WyzeHQ required.
That was a while ago. I will be testing my off-grid setup with a new MT300N-V2 travel router soon.
What is your purpose?
It’s my understanding that someone has to be able to log into your account to view.
Good password security should prevent the next door neighbor or wardriver from logging in.
Wyze writes they are working hard on 2 factor authorization to make it more secure.
And they design the cameras with security in mind.
My purpose is described in the original post. In my ideal scenario, I can use the Wyze cam locally without cloud and remote access because (1) I don’t need to monitor my baby when I’m away (I’d just use FaceTime with my wife) and (2) the crib is in my bedroom and the field of vision is large enough to include my bed.
It seems kinda arcane for me to unplug the camera but I guess I could just do that. It’d be easier if I could just disable remote access. I don’t think everyone wants or needs access to a feed off site.
The OP got me interested in this use case, so I’ve done a test with a V2 cam. On the router that hosts my IOT network (including my Wyze cams), I defined an access rule that blocks all internet access by the camera. Most modern routers have such a feature, named Access Control, or Parental Control, or something like that. It was a couple of clicks to define an ‘always block’ rule for the camera.
Having done so, I can still view the Live Stream when my iPhone is connected to the IOTnet’s WiFi. As expected, it can’t view the camera if I attempt to connect from outside my network (i.e., over cellular data). Even knowing my Wyze credentials, the app can’t access the camera from the internet.
The little blue LED on the back of the camera started blinking shortly after I blocked its internet access. It’s announcing it’s not happy that it can’t connect to WyzeHQ, but the unhappiness is not sufficient to prevent local Live Stream viewing. Note that with access blocked, it won’t be able to obtain network time from NTP servers, check with WyzeHQ for firmware updates, stream to the cloud, send notifications, etc.
Occasionally, while viewing the Live Stream, an error message appears on screen indicating “Connecting camera (1/3), Connections attempts (1/3)…”. If I wait a few seconds, the stream usually resumes automatically. If I return to the Wyze home screen and then tap on the camera again, the stream resumes.
In summary, it appears that blocking all outbound access is an effective way to prevent streaming of video to the cloud (or to other far-away places) without inhibiting local live viewing. However, internet access is required to initially set up and register a camera with the app.
Ideally, to block a particular LAN device reliably, it’s best that the device be assigned a static IP address by the router. Some routers insist on it; some routers don’t care. Most consumer routers provide this functionality with a DHCP Reservation feature. There are lots of articles about DHCP reservation on the web. Ms. Google is your friend.
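One way to express the “always block” rule described above on a Linux-based router that uses nftables, as an added example that is not part of the original post. The camera address, MAC and WAN interface name are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: block one camera from the internet, leave LAN viewing alone.
# All three values below are constructed placeholders, not taken from the thread.
define CAM_IP  = 192.168.8.50          # address pinned by the DHCP reservation
define CAM_MAC = 02:00:00:00:00:50     # camera's Wi-Fi MAC address
define WAN_IF  = "eth0"                # router's internet-facing interface

table inet cam_isolate {
    chain forward {
        # Runs just before the router's normal forward filtering. A drop here
        # is final even if another table would accept the packet.
        type filter hook forward priority -10; policy accept;

        # Log a sample of blocked attempts so you can see what the camera
        # tries to reach (rate-limited to keep the log readable).
        ip saddr $CAM_IP oifname $WAN_IF limit rate 6/minute log prefix "cam-wan-drop: "

        # Drop anything the camera sends toward the WAN, matched by IPv4 address...
        ip saddr $CAM_IP oifname $WAN_IF counter drop
        # ...and by MAC, in case it shows up with a different or IPv6 address.
        ether saddr $CAM_MAC oifname $WAN_IF counter drop
    }
}
# Phone-to-camera traffic on the same subnet is switched, not routed, so it
# never reaches the forward hook and local Live View is untouched by these rules.
```

Load it with `nft -f` and read the drop counters with `nft list table inet cam_isolate`; a counter that keeps rising confirms the camera is still trying to call out and is being stopped.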
To add to this, after blocking internet access for my cameras, I also have spun up an OpenVPN server on my RasPi; if I’m out and about I can just connect to the VPN and I am able to look at the feed.
Hope this helps!
So here is the deal. You can’t block ports via any firewall. Anytime the camera is restarted, say a power loss or you move location, the camera needs to connect to China to start the stream. So if you block it with a firewall that process can’t happen and local LAN viewing is not possible. So you need to leave ports open and give the device full freedom to connect to China and stream who knows what in order to get it working. Why not enable local LAN support? That will make the product so much better. There is no technical need to have this process; it is called data harvesting. They want to know where the cameras are, what your settings are and who knows if they take the occasional picture here and there.
There is still a major privacy issue with these cameras. All my IP cameras from all brands are blocked outside my LAN and I access them via VPN. Now, I can’t do this with the Wyzecam as it requires a “start-up” and “maintenance” connection to China which is effectively punching a hole in your network to let this traffic pass. If you enable RTSP you can do this though (need to use different app for viewing) which is OK, but you are capped at 10fps which is just too low.
Would you STOP going from post to post telling everyone the cameras are reporting to China? This is UNTRUE, and just starts a new round of paranoia. They require Internet for SECURITY REASONS, to assure you have authorization to view the live stream.
Just trying to find the information on your forums on local LAN support. The cameras hit DNS servers every 5s; what type of information is needed every 5s if I have no active streams going through the app or anything else? Why does the camera need to go to the cloud every 5s when there is no user connected?
Yes, I am paranoid because I thought this product was more secure and had user privacy in mind. So I am trying to learn from it and figure out what is the reality of my privacy with it.
That is why I am asking the questions on your “SECURITY REASONS”, which is a blanket statement that I will trust when you provide an answer or data to back it up.
Why do the cameras need to go to the cloud every 5 seconds even with no users connected?
What is the advantage of your “SECURITY REASONS” of having to authenticate in the cloud?
Why not authenticate locally like you do with RTSP and give the option to people that have a firewall to block the camera from “phoning” the internet when there are no users connected?
Some companies usually “ban” people when you ask these questions… hopefully you are not one more of those.
I don’t know what the every 5s is, but there is an authorization heartbeat that goes out about every 3 mins. No live stream exits your house unless you are sharing the camera or viewing from outside the house. Exception is 12-second event clips, which are stored in the cloud.
Please read this link, it has actual responses from actual Wyze Team employees:
Is there a new way to make this happen? Blocking outbound access at the router works for about 24 hours then stops until the firewall rule is temporarily removed and re-added (I guess to allow the camera to call out)… this isn’t acceptable to me, so if there’s not a way around this I’ll just be returning the camera I just bought and look for other options.
@Newhound: I agree, he should stop saying it’s connecting to China. BUT, I disagree about requiring internet for security reasons. The app should need internet to check a device code for what you are allowed to connect to. The device (camera) should not need internet for security reasons if the connecting app is on local WiFi and has the device code.