Thoughts about PoE security cameras (and outdoor ethernet cables in general)

I’m currently trying to buy a security camera, because i have the suspicion that people are using my property as a shortcut. I had just one thought: There are a lot of security cameras which get their power by Power over Ethernet and use Ethernet for their connectivity.

At first this looked like a good idea, because I’m using PoE for my Unifi access points anyway. However, an outdoor security camera would have an Ethernet cable on the - guess it - outside. At least partially. Given how small access point are, I’m not convinced that having outdoor Ethernet cables is a good idea.¹ Normally networking cable would be protected from outsiders by the walls of the house.

To make it clear: I don’t think that someone would attack my network by fetching pliers and inserting a rogue access point. Nevertheless i try to err at the side of caution. And well … before i read that car thieves use relay attacks to open and start your car with the key fob lying on your night stand just by holding one device to your outside wall closest to the key fob and another one to the car, i wouldn’t have really believed that it’s that easy. I really think caution is warranted in this regards.

In addition often I look at problems or observations at home and what I could learn from them for my job. And this train of thought resulted out of such an observation.

Okay, I could just use WLAN security cameras with the usual mechanisms to protect the WLAN from unwanted members. But PoE would be nice. I have some spare PoE ports and wouldn’t need an additional power supply. With wired Ethernet the obvious solution for this problem would be 802.1x authentication, but as far I have studied the market, not all cameras offer 802.1x. Which is quite a failure in my opinion …

Another solution would be to ensure that all the cable on the outside is in the view of the camera, so at least you would know who manipulated the Ethernet Cable. The camera would monitor the cable it uses for its connection. Doesn’t really solve the problem, it’s still cut and I would have to check each time I would see someone close to the cable. I could mount the camera high enough, so cutting the cable and inserting something to it is not really feasible. But that would be more “security by possibly falling to death”

Another idea of mine was if there are any switches that keep the link down after losing link, so when someone cuts a connection, the link stays down until you have manually reactivated it. But I don’t know one. And it would be a problem, as it would be easy to deactivate the cameras just by removing the cable for a moment.

Of course I could hot-glue an RJ45 into the device … but this will for sure take revenge later on. And the cable is still unprotected.

Having a VLAN (without any access to other VLANS) just for the camera would be a must anyway - even with WLAN - so someone could not go into your network and snoop around. However, a possible attacker would have his first foot in the network and would just have to find an attackable device that is in both networks, the camera network and the home network.

Perhaps I should just buy a chain and a lock for my “shortcut” problem.

But this problem doesn’t go away with this solution: One of my plans for next year is to have an electrical car and of course an outside wallbox for charging this electric vehicle. Many of them have a network connection, many of them with a wired connection. The same problem. I really must make a note to myself that I must check candidate wallboxes for 802.1x.

The same is valid for outdoor access points. I’m thinking about one for a while and Ubiquiti has some nice ones. Just found in their community, that there is a feature request for 802.1x authentication to the switches for their access points open for a really long, long time. So far not implemented as far as I could find out in the community forum. There is actually a wpa_supplicant and a wpa_cli in the firmware of the access points. So, you could probably hack something like this with a script. But to be honest, I didn’t bought Unifi to hack something.

APDachgeschoss-BZ.6.5.62# /usr/sbin/wpa_cli
wpa_cli v2.10-devel
Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors
(...)
Could not connect to wpa_supplicant: (nil) - re-trying

But honestly … after all this discussion, how many people have network equipment at home capable of VLANs, capable of 802.1x, capable of RADIUS? How many small companies use such technology? Perhaps even with sites with an area where public access by customers is normal.

Perhaps, you have an idea … would like a discussion about it in my Mastodon profile