korin
Young grasshopper
What solutions have you found to secure your network from unauthorized access through the LAN connection on an IP camera? I'm considering an IP doorbell camera, but one thing that concerns me is that ability of a technically savvy intruder to access the LAN connection in the back of the camera. I imagine it's a fairly remote possibility right now, since most intruders are most likely opportunistic burglars looking for a quick and easy score, but as network connected security devices become more popular, the frequency and sophistication of attacks is sure to increase. This may sound like something from a Hollywood movie, but I assure you that these are all completely plausible scenarios that could be performed by any determined attacker with common network intrusion skills.
Consider the implications if an intruder is able to access the LAN connection of an IP security camera. With direct access to the network switch he could perform several forms of attack. If the camera is POE, he could just short the power pins to fry the switch. High-end switches have short protection to prevent one port from shorting out others, but a lower end switch won't have this protection and a short could potentially take out all of your cameras, or even your whole network. Alternatively, he could send a high voltage current through the cable to short out the switch. See this Slashdot thread about a security researcher who built an ethernet "deathray" device to kill networks https://tech.slashdot.org/story/15/09/23/143255/misusing-ethernet-to-kill-computer-infrastructure-dead
Alternatively, if he's a bit more sophisticated, he could use the LAN connection to access your network directly. MAC filtering is of little help, since he could easily spoof the MAC address of the camera that he has just removed. At the very least, he may have direct access to your NVR. At worst, he could also access to all of your camera feeds, or even every device on your network. Imagine what he could do with this. He could directly access your video storage to download or delete footage. Not only can he view the live feeds from your cameras, but he could even install a small wireless access point of his own and then replace the camera to allow himself to remotely monitor your cameras. Now, with remote access to your network, he could take his time attempting to hack into any computers and other networked devices to install malware or steal data. He could even simply use your internet connection for illegal activities that would be traced back to you.
I can think of some basic measures you can take to help protect yourself, roughly in order of complexity/expense:
Any thoughts or other suggestions?
Consider the implications if an intruder is able to access the LAN connection of an IP security camera. With direct access to the network switch he could perform several forms of attack. If the camera is POE, he could just short the power pins to fry the switch. High-end switches have short protection to prevent one port from shorting out others, but a lower end switch won't have this protection and a short could potentially take out all of your cameras, or even your whole network. Alternatively, he could send a high voltage current through the cable to short out the switch. See this Slashdot thread about a security researcher who built an ethernet "deathray" device to kill networks https://tech.slashdot.org/story/15/09/23/143255/misusing-ethernet-to-kill-computer-infrastructure-dead
Alternatively, if he's a bit more sophisticated, he could use the LAN connection to access your network directly. MAC filtering is of little help, since he could easily spoof the MAC address of the camera that he has just removed. At the very least, he may have direct access to your NVR. At worst, he could also access to all of your camera feeds, or even every device on your network. Imagine what he could do with this. He could directly access your video storage to download or delete footage. Not only can he view the live feeds from your cameras, but he could even install a small wireless access point of his own and then replace the camera to allow himself to remotely monitor your cameras. Now, with remote access to your network, he could take his time attempting to hack into any computers and other networked devices to install malware or steal data. He could even simply use your internet connection for illegal activities that would be traced back to you.
I can think of some basic measures you can take to help protect yourself, roughly in order of complexity/expense:
- Use a secure password on your NVR - Never use the default password! Assume that anyone can access the login prompt and attempt to guess the password or use a computer to brute-force it. Make sure that you keep the firmware or software up to date and apply any security fixes. If available, enable security features to lock out access after a number of unsuccessful attempts.
- If you are running a software NVR rather than a hardware one, you are at an advantage because you have control over the hardware and OS. Add a second NIC to the machine, put your cameras on a dedicated switch and connect this switch directly to the NVR through the secondary NIC. Configure the OS to not block any logins or other access from the camera network. Only allow the protocols needed to control and monitor the cameras. Connect to your main network through the primary NIC. This will at least limit the attacker's access to just the camera network. They would have to hack into the NVR to access your storage, computers and other network devices.
- Consider the devices on your camera network to be untrusted. Add a stateful firewall between the cameras and the NVR and only allow outbound traffic from the NVR that is necessary to monitor and control the cameras. Don't allow any unsolicited inbound traffic from the camera network.
- If you can afford it, use a managed switch for your camera network. Enable security features to prevent Layer 2 attacks that could be used to access other devices on the switch. See https://howdoesinternetwork.com/2011/switch-security-attacks
- Use cameras with tamper switches. Configure the tamper switch to execute a script on activation that will immediately down the network port that the camera is connected to and trigger an alarm (you'll need to allow this trigger to pass through your firewall). If an attacker removes the camera from the wall, the script should completely disable that LAN port on the switch and alert you to the intrusion. This alone could prevent most attacks, but it requires a managed switch and some programming ability. This is only theoretical, since I don't have any cameras with tamper switches, and don't know how configurable they are. Also, if the attacker knows the location of the tamper switch and is able to prevent it from tripping during removal, he can circumvent the protection, so the other security measures are still important.
- Put surge protectors on your most vulnerable LAN connections, to prevent high-voltage surges from damaging the switch or other downstream devices. This will impact the performance of the connection, and could get expensive for more than a few ports, but might be worth it if you really want to protect against destructive power spike attacks, like the "deathray" device mentioned above. Something like this might help: https://smile.amazon.com/dp/B00805VUD8
Any thoughts or other suggestions?
Last edited by a moderator:
though domestic networks it normally easier to hack the router 