How can I defend against a dropbox in an IP-based, wired camera system?
I want to install security cameras at my house. One of the locations (on the street-facing side) isn't especially secure (hence the camera). I think it would be possible for Mallory to install a dropbox there.
![]() |
|---|
| A dropbox is a battery-powered computer (box) that can be left behind (dropped) by an attacker, plugged into a network, and later used to exploit a network remotely. These can be home-made (eg from a raspberry pi) or purchased ready-made. Photo credit: Hak5's Packet Squirrel |
I don't want to use wifi cameras. Wired is more secure (for numerous obvious reasons). But if I run an ethernet wire to the outside of the house (to the camera), then there's a risk that a malicious actor (Mallory) could tap into the ethernet port with a dropbox, and then have access to the network.
I don't think there's any physical security that can fix this problem. Sure, I could run conduit to a metal box with a window and install the camera inside of that. Mallory could cut the conduit (and the ethernet cable) and patch into it. They could even install a switch so the camera remains online. Please limit answers to technical (non-physical) solutions
This is for a home. I'm not going to have a staff to monitor the camera for disruptions. And, realistically, I'm probably only going to check the camera's footage if there was an incident. Please limit answers to technical (non-procedural) solutions.
Obviously the network will be segmented, so the attacker would only gain access to the security camera network. But I don't really like the idea of an attacker being able to use their dropbox to view all of our camera's feeds.
I'm aware that I could disable DHCP and/or use a MAC Address allowlist. But that's also trivial to defeat. Please don't suggest these as answers.
As I'm not sure it's possible to prevent Mallory (who has physical access to an ethernet cable) to connect to the network, I imagine the solution would at least include having the cameras encrypt their data back to the camera server, and to setup some sort of IDS audit logs/alerts. But I've never built a security camera network before, and I'm curious what other solutions exist to defend against a dropbox being connected to an exposed ethernet line outside the building.
What are standard best-practices to mitigate the risk of Mallory installing a dropbox on an ethernet line going to a security camera on the outside of the building?
