6

How can I defend against a dropbox in an IP-based, wired camera system?

I want to install security cameras at my house. One of the locations (on the street-facing side) isn't especially secure (hence the camera). I think it would be possible for Mallory to install a dropbox there.

[Photo: a very small computer with ethernet cables coming out of both sides]
A dropbox is a battery-powered computer (box) that can be left behind (dropped) by an attacker, plugged into a network, and later used to exploit a network remotely. These can be home-made (eg from a raspberry pi) or purchased ready-made. Photo credit: Hak5's Packet Squirrel

I don't want to use wifi cameras. Wired is more secure (for numerous obvious reasons). But if I run an ethernet wire to the outside of the house (to the camera), then there's a risk that a malicious actor (Mallory) could tap into the ethernet port with a dropbox, and then have access to the network.

I don't think there's any physical security that can fix this problem. Sure, I could run conduit to a metal box with a window and install the camera inside of that. Mallory could cut the conduit (and the ethernet cable) and patch into it. They could even install a switch so the camera remains online. Please limit answers to technical (non-physical) solutions.

This is for a home. I'm not going to have a staff to monitor the camera for disruptions. And, realistically, I'm probably only going to check the camera's footage if there was an incident. Please limit answers to technical (non-procedural) solutions.

Obviously the network will be segmented, so the attacker would only gain access to the security camera network. But I don't really like the idea of an attacker being able to use their dropbox to view all of our cameras' feeds.

I'm aware that I could disable DHCP and/or use a MAC Address allowlist. But that's also trivial to defeat. Please don't suggest these as answers.

As I'm not sure it's possible to prevent Mallory (who has physical access to an ethernet cable) from connecting to the network, I imagine the solution would at least include having the cameras encrypt their data back to the camera server, and setting up some sort of IDS audit logs/alerts. But I've never built a security camera network before, and I'm curious what other solutions exist to defend against a dropbox being connected to an exposed ethernet line outside the building.

What are standard best-practices to mitigate the risk of Mallory installing a dropbox on an ethernet line going to a security camera on the outside of the building?

7
  • 1
    If the camera environment cannot be trusted you have to treat it as untrusted. Have a firewall between the camera and the rest of the network. Configure the firewall so that it allows only the expected traffic, i.e. at minimum port and direction of communication and even better with actual control that the expected application protocol is spoken. If properly configured the attacker should not be able to access the rest of the network and should only be able to view the feed of the compromised camera. Actual details depend on camera and used communication protocols. Commented 2 days ago
  • Why would a firewall plus possibly alarms for disconnections work? Commented 2 days ago
  • 2
    @vidarlo: my understanding of the setup is a camera which sends its feed into the network to an internal camera server and the OP wants to prevent the attacker from using the existing connection to attack the network and get to the stored feeds. It's thus not about detecting disconnect, but preventing exploitation using the physical connection to the outside camera. Commented 2 days ago
  • See also discuss.privacyguides.net/t/… Commented 2 days ago
  • See also en.wikipedia.org/wiki/… Commented 2 days ago

6 Answers

8

Move the camera.

No, really: if the location you want to put the camera isn't acceptable from a security standpoint, move the camera to one that is - possibly with an additional camera to maintain the desired coverage.

Select a location (or set of locations) where the cable can run inside for the entire run. This often means putting the camera directly on the eaves, with the cable running through the attic and through the wall there.

If you're worried about Mallory getting into the house - or to the base of the camera - to tamper with the network, well, surely Mallory has better things to do once they've gotten into your house, right?

Beyond that:

  • Choose cameras that encrypt the feed data in flight, such that Mallory's dropbox can't see the feed.
  • Choose a camera system that works by having the cameras' controlling software establish the network connections to the camera (rather than the cameras trying to connect to the server): in conjunction with a managed switch, that lets you limit - if not prevent entirely - the ability of devices on that port to establish network connections.
  • With a managed switch, prevent any devices on that port from communicating with any devices other than the camera system's control server. Even if you can't pick cameras that encrypt the video feed in flight, that at least reduces the feed data that Mallory can see to a view that's outside - i.e., somewhere where Mallory might be able to put a camera of their own - while still blocking any internal feeds.
  • Use fiber instead of copper to wire the camera to the network. While this doesn't wholly prevent dropboxes, it does meaningfully raise the bar to splicing the cable to install the box.
6

As with any security question, one must determine what they're actually defending against, and how much risk they're willing to accept.

These are the issues I'd consider, in (gut-feeling) order of their likelihood of being exploited. A bad actor might:

  1. Disable the camera entirely, whether by cutting its power supply and/or data connection, or physically destroying the camera or otherwise rendering it inoperable (eg paint over the lens).
  2. Tap in to the ethernet line in order to gain internet access.
  3. Tap in to the ethernet line in order to gain LAN access.
  4. Tap in to the ethernet line in order to reconfigure it and/or view the video feed.
  5. MITM the camera in order to alter the video stream (eg the "replace live video with a recorded loop" trick).

#1 is almost entirely a physical security problem. Long runs of outdoor conduit offer more opportunity for someone to find a place to discreetly cut the line. If the camera is to be mounted on the side of your building, I'd ensure that the wires to the camera go in to the wall as close as possible to the camera itself, which itself might be placed in a tamper-resistant enclosure. Otherwise, look to reduce the amount of wiring exposed in places that are easy-to-access and/or hard-to-notice when compromised.

I'd also look to have multiple cameras covering a given area such that someone cannot tamper with one camera without being seen by another.

The only technical thing to do here is to set up alerting so that you're notified as soon as a camera goes offline or black.

The rest are technical problems. Treat the camera port as untrusted. This means using a managed (ie higher-end) switch to isolate the ethernet line that goes outside from the rest of your network. It should have no route to the internet (solving #2) and only allow traffic to your NVR server (solving #3). The details will depend on your exact setup, but this can be accomplished with VLANs per-camera and/or firewall rules. I wouldn't even have DHCP available, and configure IP statically.

Problem #4 is unlikely in this scenario. Viewing the feed of a camera pointed at the street isn't particularly useful. Reconfiguring the camera in order to disable it might be a risk, but it's far simpler to just cut the line instead of tapping it and trying to attack digitally. I'd ensure that the camera admin UI has a strong password, keep the firmware updated (to avoid software vulnerabilities), and if paranoid, investigate whether the stream between the camera and NVR can be encrypted.

Problem #5 is extraordinarily unlikely unless you're housing art worth millions (or whatever) and have to worry about professionals. It would take a pretty extreme level of sophistication to physically tap your ethernet line, devise an attack against the video stream, and execute the attack without you noticing.

But if I was ultra-paranoid about my Picasso, I'd:

  • Want mutual authentication between the camera and NVR. I'd find (or build) an IP camera that transmits everything over a WireGuard VPN, and has everything else firewalled off.
  • At the switch, lock down the camera's ethernet port to allow only WireGuard traffic between the camera and the VPN endpoint (which may be the NVR itself or a separate server).
  • Set up alerting for both the camera feed on the NVR, and on the network level for unusual activity: eg if the switch detects that the ethernet was unplugged, or especially if there's any traffic that's not from your camera.

With this in place, even if someone taps the camera's ethernet line:

  • They can't access anything else (internet or LAN) because the switch will drop the traffic (#2 and #3).
  • They can't reconfigure the camera because it won't respond to any traffic sent directly to it (which also significantly reduces the firmware vulnerability attack surface), and they can't view the stream because it's encrypted; sniffing packets will only reveal UDP packets that are indistinguishable from random data. (#4)
  • They can't alter the stream (#5) because WireGuard is encrypted and mutually authenticated with key pairs known only to the camera and the NVR. Attempting to MITM the camera and NVR simply won't work; the attacker can't pretend to be either the camera or the NVR to the other device.
  • Alerting will warn you if someone has attempted to tamper with the camera.

…but again, as a practical matter, this is all overkill for an average residential setting. Simply locking down the ethernet port for the line that goes outside solves your concerns almost entirely.

1
  • The idea to use wireguard to wrap the video transmission (instead of trusting TLS or RTSPS) is interesting. Do you have a link to a guide on how to do that? Commented yesterday
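The locked-down port and the "traffic that's not from your camera" alerting described in the answer above can be expressed as a small policy audit; this is an added example, not part of the original answer or its comments. The addresses, the use of port 51820 on both ends and the one-line record format are assumptions constructed for illustration. Note that the record carrying the camera's own MAC and IP is still flagged, because the policy checks where the traffic goes and what it is, not only who claims to send it.

```python
# Added example: policy audit for the untrusted camera port.
# All addresses and the record format below are constructed for illustration.
CAMERA = ("aa:bb:cc:00:00:01", "10.20.0.10")   # (MAC, IP) of the outdoor camera
NVR = ("aa:bb:cc:00:00:02", "10.20.0.1")       # (MAC, IP) of the VPN endpoint
WG_PORT = 51820                                # assumed WireGuard port on both ends
ALLOWED = {(CAMERA, NVR[1]), (NVR, CAMERA[1])}

# Constructed records: "time src_mac src_ip dst_ip proto dst_port",
# or "time LINK up|down" for a port status change reported by the switch.
SAMPLE = """\
03:10:01 aa:bb:cc:00:00:01 10.20.0.10 10.20.0.1 udp 51820
03:10:02 aa:bb:cc:00:00:02 10.20.0.1 10.20.0.10 udp 51820
03:14:40 LINK down
03:14:52 LINK up
03:15:03 aa:bb:cc:00:00:01 10.20.0.10 10.20.0.1 udp 51820
03:15:09 de:ad:be:ef:00:99 10.20.0.77 10.20.0.1 tcp 554
03:15:10 aa:bb:cc:00:00:01 10.20.0.10 10.20.0.11 tcp 80
03:15:11 aa:bb:cc:00:00:01 10.20.0.10 10.20.0.1 tcp 554
"""

def audit(text):
    """Return (time, reason) for every event that violates the port policy."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 3 and fields[1] == "LINK":
            alerts.append((fields[0], "link " + fields[2]))
            continue
        if len(fields) != 6 or not fields[5].isdigit():
            alerts.append((fields[0], "unparseable record"))
            continue
        ts, mac, src, dst, proto, port = fields
        if (mac, src) not in (CAMERA, NVR):
            alerts.append((ts, f"unknown sender {mac} {src}"))
        elif ((mac, src), dst) not in ALLOWED:
            alerts.append((ts, f"known sender to unexpected host {dst}"))
        elif proto != "udp" or int(port) != WG_PORT:
            alerts.append((ts, f"non-WireGuard traffic {proto}/{port}"))
    return alerts

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE):
        print(ts, reason)
```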
3

If you're worried about someone getting into your home network, there's an option to not expose your ethernet or IP network onto untrusted wires.

The solution is to attach a USB camera (or over a similar non-network cable) to a machine that runs at a secure location. This way even if Mallory cuts the wires, they'll only be able to install another USB device, which you can easily configure the OS to reject.

1
  • 2
    Note that maximum USB segment length (between active repeaters, if present) is 5 metres, whereas your typical twisted-pair or coaxial Ethernet is good for 100 metres or so. Which means that you might need to add (or move) a host near to the camera. Commented yesterday
2

As with any network that might be physically accessed by untrusted individuals, there are a few options:

  • Place the untrusted device behind a DMZ that prevents traffic flow to unauthorised network segments (like the other cameras) and only allows traffic from the camera to the recording server
  • Network Access Control that only allows authenticated devices on the network (this should block the dropbox or a switch)

You wanted technical suggestions only, but I would be remiss if I did not suggest this:

  • Physical intrusion detection measures that would alert you to the fact that the conduit was damaged/accessed (conduits that shatter when cut, light sensors in the conduit, etc.)
  • A camera covering this one untrusted camera location to detect interaction with it

But it sounds like the cheapest, straightforward approach (assuming your concern is just this one physical location):

  • Use wifi for this one camera and place it in its own segmented network and ensure authenticated wifi protocols are used.

You say that wifi is not secure, but it is more secure if you can't restrict access to the physical cable.

6
  • I'd add one measure: alarm on port status change. This would alert you to that something happened. Commented 2 days ago
  • The biggest problem with wireless cameras is radio jamming attacks. Your suggested mitigation decreases security and increases risk. Commented 2 days ago
  • 6
    @MichaelAltfield jamming is only an availability issue. One shared by ... obscuring the lens. So, I'm not sure the wireless media is appreciably riskier in terms of availability. In no way does my suggestion "decrease security" nor does it increase risk. Your stated threat model is a dropbox and unauthorised access to the transmission. Now you are concerned about availability. You're going to have to clarify what threats you are actually concerned about, else no one will be able to answer you to your satisfaction. Commented 2 days ago
  • 3
    @schroeder I'm actually with OP on this one, WiFi is a bad choice for security cameras. And I'd argue that a security camera availability issue is a security issue, since the camera failing to record is a breach. "Jamming" WiFi is not even particularly difficult; it can be done with any Linux device by transmitting deauth frames. There are many reports of thieves doing just that to evade cameras. So yes, switching from wired to WiFi does appreciably increase risk. Commented yesterday
  • 1
    @josh3736 as I mentioned, it increases certain kinds of risk. The OP is wanting to combat network access threats. Wireless is a valid suggestion. Are you aware of the mitigations against deauth attacks? So, that can be dealt with. Leaving signal jamming. But again availability attacks are no different from physical interference, so the risks are equal even if you use a wired connection. Two words: "paintball gun". I'll repeat: wifi cameras are not a security risk, insecure wifi cameras are a security risk. Commented yesterday
2

Use a multi-layered approach.

For example, higher-end switches support Private VLANs which allow traffic to a single uplink but not between private ports. In your case, you want the IP cameras to deliver their video data to a firewall-protected network video recorder (NVR) but not be able to communicate with any other host (including each other). The firewall should ensure that no host behind a camera port can pull video data from the NVR.

The NVR should require authentication for any kind of access and ideally have different roles for sending and receiving video data. If possible, use end-to-end encryption between the cameras and the NVR. The cameras themselves should also be password-protected, so that an attacker cannot simply read the NVR credentials from a configuration UI of the camera.

2

Not a complete recipe, but a few suggestions:

  1. Use POE powered cameras. This limits the variety of dropboxes an attacker can use.

  2. Use a POE power source that can measure the power consumption of the camera and can be scripted to alert about the changes. The dropbox has to be powered somehow and hiding it in the camera power variations is quite a high spec.

  3. Segment the network even more so that each camera runs in its own segment and only legitimate connections between the camera and the nvr are allowed.

Devices that can do both 2 and 3 are quite affordable these days, see e.g. Mikrotik.

  4. Use NVR and cameras that can use encryption and mutual authentication. Well, it is 2026 so most of them probably can, but be sure to enable both.

The wireguard suggestion in one of the answers is about the same idea but may be overkill, depending on how IT-capable you are.

The other suggestion to use a wifi camera boils down to the same - encryption and mutual authentication between the camera and the access point, assuming that the connection between the access point and the NVR can be secured by other means. Modern wifi protocols are quite secure, but the reliability of the connection is still a consideration - wifi can be remotely jammed, cables are safe in this regard.

  5. Be sure to use NVR and cameras that can work acceptably without a cloud connection and that the optional cloud connection is disabled for good. After all, most CCTV leaks happen from the camera vendor cloud or directly from remotely accessible cameras.

With all of the above, the worst an attacker with a dropbox can do is to remotely disable your camera - assuming that the dropbox is self-powered somehow, capable of POE passthrough and has a separate control channel.

2
  • "Use a POE power source that can measure the power consumption of the camera and can be scripted to alert about the changes...see e.g. Mikrotik." Do you have a link to an article or any product's documentation that describes how to do this? Commented 15 hours ago
  • "Use NVR and cameras that can use encryption and mutual authentication" Can you please list which open standards support mutual authentication? RTSPS? ONVIF? Commented 15 hours ago
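The power-draw alerting suggested in point 2 of the answer above can be sketched as follows; this is an added example, not code from the answer or from any PoE vendor. It assumes per-minute wattage readings for the camera port have already been collected from the power source, and the readings and thresholds are constructed.

```python
from statistics import median

# Constructed per-minute readings (minute, watts) for one PoE port.
SAMPLES = [(m, w) for m, w in enumerate([
    4.0, 4.1, 3.9, 4.0, 4.2, 4.0, 3.9, 4.1, 4.0, 4.0,  # learning window
    4.1,                 # normal
    5.5,                 # one-off spike, should be ignored
    4.0,                 # back to normal
    0.0,                 # port briefly unpowered (cable cut or unplugged)
    6.2, 6.3, 6.1, 6.2,  # extra load now riding on the same port
])]

def power_alerts(samples, baseline_n=10, tolerance_w=0.8, sustain=3):
    """Flag power loss and sustained shifts away from the learned baseline.

    baseline_n, tolerance_w and sustain are assumed tuning values; a real
    camera needs a tolerance wide enough for its own day/night variation
    (for example IR illuminators switching on).
    """
    baseline = median(w for _, w in samples[:baseline_n])
    alerts, run = [], 0
    for minute, watts in samples[baseline_n:]:
        if watts < 0.5:
            # Power removed from the port: report at once and restart the run.
            alerts.append((minute, "power-lost", watts))
            run = 0
        elif abs(watts - baseline) > tolerance_w:
            run += 1
            if run == sustain:  # report once when the shift persists
                alerts.append((minute, "sustained-shift", watts))
        else:
            run = 0
    return alerts

if __name__ == "__main__":
    for alert in power_alerts(SAMPLES):
        print(alert)
```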
