Is it bad to have cameras using a static IP address?

Static or dynamic IP is a non-issue.

But since you brought up cameras, you should know that many IP cameras have VERY poor security. Many of these cameras have a known bad firmware in them that allows unauthenticated download of the entire memory of the device via simply going to /proc/kcore, without the need to authenticate. This allows anyone to obtain the password for your camera.

http://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-who-is-watching-your-ip-camera/


I would consider another contractor, since that statement doesn't precisely increase my trust in his knowledge/skill.

The correct way of setting up a security camera system so you are able to check them when you are away is to have port forwarding on your router exclusively for VPN or HTTP/TLS mapped to the machine recording data from the cameras. This will work with a static IP or with DynDNS. If you use e.g. a Diskstation to do the recording (like I do at home) then you get DynDNS as well as the surveillance software (with a limited number of licenses, 4 in my case) for free already.

Never, never ever, expose an IP camera to the internet. This is an open invitation not only for people like the Russians who set up insecam half a year ago to mock you so on their website as well as all kinds of perverts and of course burglars.
You also risk being exploited and having malware (maybe botnet control software?) installed inside your home network. From there they'll attack the other computers which will see the traffic coming from a "trusted" source. Almost all IP cameras have cheap, default-to-insecure firmware, some do not even support basic encryption. Firmware is updated rarely, if ever, and not necessarily to account for security issues. The cameras in my home are susceptible to Heartbleed (although this is publicly known for almost one year). There's nothing to do about it, other than not letting anyone access them. The documentation doesn't even mention it, but they're demonstrably exploitable.

You might allow the cameras to make an outgoing connection to upload files to an external server when alarm triggers, which makes stealing or destroying your server at home futile. But never allow incoming connections whatsoever.

Personally, I wouldn't even allow a camera to make outgoing connections, seeing how virtually all IP cameras and their firmware are produced in China (and those that aren't are made in the USA, which is just as bad).
Government-supported espionage and in particular industrial espionage is a big business, and how could you do it better than by requiring a covert channel built into every camera that your prospective targets will readily place where there's something important? Of course you said that you are not an important person (...but who is really unimportant enough so nobody would care watching? Why is the NSA reading your mails then?). Not being the prime target doesn't mean that the backdoor is not built into your camera anyway, which could be used and abused by pretty much anyone.
Anyone, that includes burglars who can conveniently check whether someone is home. Don't make their lives easier than it needs to be.

Update:
Meanwhile, my statement about risking botnet software being installed on your IP cameras is no longer a mere possibility. The above statement which maybe sounded a tidbit paranoid turned out being outright prophetic (October 2016 attack on Dyn).
Therefore: No direct internet access for presumably insecure devices, never, not ever.


The only difference between the static IP address your technician is referring to and a dynamic, changing address in this situation is that one never changes, and the other does (how frequently depends on many factors).

There is nothing inherently more or less secure about either one. Both are a means to identify you and your home network on the Internet.