SMB on MOBOTIX Cameras – Differences, Risks and Architecture Recommendations
Introduction
The Server Message Block (SMB) protocol is a widely used standard for file transfer over networks and is employed by MOBOTIX cameras to store video data on network-attached storage (NAS) devices. As the protocol has evolved, both its performance and security mechanisms have been improved. At the same time, however, there are significant security risks, particularly with older versions of SMB.
This article provides an overview of the differences between the various SMB versions, their security aspects, and the support offered by different MOBOTIX camera platforms. It also explains alternatives such as NFS, local storage on SD cards using MxFFS, and the use of VPN connections.
Recording via SMB is a key feature of the decentralised MOBOTIX concept.
MOBOTIX cameras operate independently, handling analysis, event processing and storage directly within the camera, and can also write video data autonomously to external file servers or NAS systems. This decentralised architecture enables:
- Reduced load on central servers
- High reliability
- Flexible storage strategies
- Cross-site archiving
SMB-based storage has historically and technically been a central component of many installations.
However, as the Linux kernel and SMB protocols have evolved, the supported SMB version has varied depending on the camera platform. This article explains the differences, risks and sensible architectural decisions for both home and professional environments.
Overview of SMB versions
| SMB version | Features | Security rating |
|---|---|---|
| SMB 1.0 (CIFS) | No encryption, NTLMv1 | Obsolete |
| SMB 2.0 / 2.1 | Improved performance | Limited |
| SMB 3.0 | Support for encryption | Secure |
| SMB 3.1.1 | Pre-authentication integrity, modern ciphers | State of the art |
Security considerations – where does the real risk lie?
An objective assessment is crucial:
The security risk associated with SMBv1 lies primarily on the server or NAS side.
Well-known attacks such as WannaCry targeted vulnerable SMB servers (particularly Windows systems) rather than embedded SMB clients such as cameras. MOBOTIX cameras act as SMB clients and are therefore significantly less exposed than an open SMB server on the network.
This means:
- The primary risk concerns the NAS or server.
- The camera itself, as an SMB client, is significantly less vulnerable.
- Nevertheless, SMBv1 is no longer state of the art.
A practical comparison for risk assessment
To better illustrate the importance of modern SMB versions, here is a comparison drawn from everyday life:
The use of SMBv1 in professional IT environments cannot be compared to a classic car that an experienced driver takes out only occasionally, in fine weather, even though its tyres are over 12–15 years old and ‘actually’ still have a good tread. Such a comparison would underestimate the actual risk.
A more apt analogy comes from road traffic:
Imagine you are out and about with your family and suddenly find yourselves in a critical situation – perhaps due to heavy rain, poor visibility or a sudden emergency stop on the motorway. At that moment, the question arises:
Which vehicle would you prefer your family to be in?
- An older vehicle without seatbelts, airbags or modern driver-assistance systems.
- Or a modern vehicle with ABS, ESP, airbags, emergency braking assist and lane-keeping assist.
Applied to IT security architecture, this means:
| Comparison | IT security context |
|---|---|
| Vehicle without seatbelts and airbags | SMBv1 without encryption and with NTLMv1 |
| Vehicle with basic safety features | SMBv2 with improved stability |
| Modern vehicle with driver assistance systems | SMBv3 / SMBv3.1.1 with encryption and modern authentication mechanisms |
The key point is not whether an incident occurs, but how well a system is prepared to deal with it should it happen. Professional security architectures are therefore based on the worst-case scenario rather than on an ideal situation.
In private settings, the use of older technologies may be acceptable under controlled conditions. In professional or KRITIS-relevant infrastructures, however, the use of modern security mechanisms is essential – much like choosing a vehicle that offers maximum protection in an emergency.
Security risks of SMBv1
SMBv1 is now considered insecure and should be avoided where possible. The main risks are:
- Known vulnerabilities: SMBv1 was exploited in the WannaCry and NotPetya ransomware attacks (2017).
- Lack of encryption: Data is transmitted unencrypted and can be intercepted.
- Weak authentication: Support for NTLMv1, which is considered insecure.
- Pre-authentication exploits: Attacks can occur regardless of user permissions – even with read-only access.
Even if SMBv1 is used only with read-only permissions (e.g. for access via MxManagementCenter), the risk remains, as exploits such as EternalBlue strike before authentication takes place.
Fact: Many modern NAS systems therefore have SMB1 disabled by default.
Platform Overview: Firmware, SMB, NTLM and VPN
Platform Matrix
| Platform | Example cameras | Firmware major version | Linux kernel | SMB | NTLM | OpenVPN | Classification |
|---|---|---|---|---|---|---|---|
| P3 | M24, M25, M15, S15, T24, T25 | 4.x / 5.x | 2.6.37 | SMB1 | NTLMv1 / NTLMv2 | OpenVPN 2.4.3 | Legacy |
| P6 | M16, M26, D26, S16, T26 | 5.x | 4.6 | SMB1, SMB2, early SMB3 | NTLMv2 | OpenVPN 2.4.3 | Transition platform |
| P7 | M73, S74, Q71, D71 | 7.x | 4.14 | SMB2, SMB3 | NTLMv2 | OpenVPN 2.4.3 with SHA256 | Modern |
| P8 | MOBOTIX ONE | 8.x / 9.x | 5.4 | SMB2, SMB3.1.1 | NTLMv2 | OpenVPN 2.5.8 | Enterprise, Current Standard |
| P9 | MOBOTIX ONE S Dual | 9.x | 5.10 | SMB2, SMB3.1.1 | NTLMv2 | OpenVPN 2.5.8 | Enterprise, Current Standard |
NFS as an alternative
NFS should not be regarded as a general alternative to SMB.
Recommendation:
NFS is only appropriate for the deliberate continued use of legacy devices based on SMB1 if:
- no new hardware is to be purchased
- the device is to be used in a private setting
- the risk is knowingly accepted
For professional or KRITIS-relevant environments, modernising the platform is preferable instead.
VPN usage
Modern MOBOTIX platforms support OpenVPN (client mode).
A VPN can:
- provide additional encryption for communications
- secure site connections
- protect insecure transport networks
However, a VPN does not replace the modernisation of SMB1; it supplements the “old/existing” security architecture.
Rating by area of use
Personal use
- SMB1 can still be used in strictly isolated networks if the customer absolutely needs to continue using existing legacy hardware and has no plans to purchase new NAS systems or MOBOTIX cameras. In such cases, the known security risks must be taken into account.
- The risk is manageable if there is no internet access.
- Alternatively: local storage on a (micro)SD card via MxFFS. (SD Card Whitelist)
Local storage with MxFFS
MOBOTIX cameras support local storage on SD cards using the MOBOTIX File System (MxFFS), which has been specially developed for long-term, secure video recording.
Advantages:
- High data security and stability
- Optimised for flash memory
- No reliance on a network
- Suitable for personal and professional use
Modern industrial SD cards offer sufficient capacity and endurance for productive use.
Professional use
- Use SMB2 or SMB3.
- Use NTLMv2.
- Implement network segmentation.
KRITIS / ISO 27001
- SMB 3.1.1
- Separate networks
- Up-to-date firmware
- Documented security architecture
Summary for security professionals: SMBv3.1.1, NTLMv2 or Kerberos, encrypted communication (VPN or SMB3 encryption), regular firmware updates and network segmentation are required.
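Because the primary risk sits on the NAS side, the recommendations above can be checked against the file server's own configuration. The following is an added example, not MOBOTIX code or part of the original article: it assumes a Samba-based NAS and audits the `[global]` section of an `smb.conf`. The option names are Samba's, the tier names `professional` and `kritis` are labels chosen here for the article's two rating levels, and both sample configs are constructed.

```python
import configparser

# Samba dialect names in ascending order, as accepted by "server min protocol".
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # Samba shorthand names
# Lowest acceptable dialect per tier, following the article's rating by area of use.
TIER_MIN = {"professional": "SMB2_02", "kritis": "SMB3_11"}
# Constructed sample configs (not taken from any real NAS).
LEGACY = """[global]
    server min protocol = NT1
    ntlm auth = ntlmv1-permitted
"""
HARDENED = """[global]
    server min protocol = SMB3_11
    ntlm auth = ntlmv2-only
    smb encrypt = required
"""


def audit_smb_conf(text, tier):
    """Return a list of findings for the [global] section of an smb.conf."""
    # smb.conf options are usually indented; configparser could read that as continuation lines.
    text = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    # "min protocol" is a synonym for "server min protocol".
    raw = g.get("server min protocol") or g.get("min protocol")
    if raw is None:
        findings.append("server min protocol not set: floor depends on the Samba version")
    else:
        proto = raw.strip().upper()
        proto = ALIASES.get(proto, proto)
        if proto not in ORDER:
            findings.append(f"unknown protocol value: {raw}")
        elif ORDER.index(proto) < ORDER.index(TIER_MIN[tier]):
            findings.append(f"server min protocol = {proto}: below {TIER_MIN[tier]}")
    # A server that explicitly accepts NTLMv1 fails both tiers.
    ntlm = (g.get("ntlm auth") or "").strip().lower()
    if ntlm in ("yes", "ntlmv1-permitted"):
        findings.append("ntlm auth permits NTLMv1")
    # The article asks for encrypted transport (VPN or SMB3 encryption) in KRITIS setups.
    enc = (g.get("server smb encrypt") or g.get("smb encrypt") or "").strip().lower()
    if tier == "kritis" and enc not in ("required", "mandatory"):
        findings.append("SMB encryption not required: needs a VPN or 'smb encrypt = required'")
    return findings
```

Raising the server's minimum dialect also locks out cameras that cannot negotiate it, so compare the result with the platform matrix before changing a NAS that still serves P3 devices.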
Conclusion
SMB-based recording is a key component of the decentralised MOBOTIX concept and enables flexible, server-independent storage architectures.
Whilst older platforms (P3) are technically limited to SMB1, newer platforms (P6–P9) support modern SMB and security standards.
If SMB1 continues to be used, we recommend:
- Operating in an isolated environment
- Isolation from the company’s production network
- A dedicated VLAN for cameras and NAS devices
- No direct internet access
In the long term, however, migrating to platforms that support SMB3 is the most sustainable solution from both a technical and security perspective.