I’ve set up my HA-based smart home, with a PoE Reolink doorbell. While being incredibly stable and responsive, it does put an Ethernet cable basically free to exploit outside my apartment.
I’ve put that device on a separate VLAN, with access only to HA through a separate virtual interface.
The problem is that the doorbell needs to established TCP connections to the integration through the common web interface - so I had to open port 8123 for incoming NEW connections in iptables. That basically opens up my entire apartment management to potential intruders…
Is there a way to restrict the access only to POST /api/webhook/reolink_*_ONVIF?
How likely is it that a a techno-thief is going to roll up to your door without being captured on the camera (to alert you) and start fussing with your network?
Do you live in the highest crime area of a movie set?
Around here a thief is going to take one look at the obvious video cameras I have installed and go and jimmy someone else’s sliding door (this has already happened).
If you want something more realistic to worry about, consider that someone may exploit a vulnerability in Reolink’s firmware remotely and make you part of a botnet.
Likely? Probably not. But considering HA can actually open my front door, I’d rather not have that exposure.
Considering the Reolink camera has absolutely no access to the internet, I’d say the botnet worry was put to rest.
The proper way to restrict anything but the camera from connecting would be 802.1x authentication if both your switch and the camera support it (doubtful).
A proxy could be setup to restict access by url.
A proxy could be setup to require a client cert if the camera supports it.
An iptables string match could be used to restrict packets.
I’d probably go with one of the proxy solutions.
I’d use https from the camera to proxy. Otherwise, if you really want to go down the rabbit hole, they could sniff the unencrypted from camera to HA.
I could run an L7 netfilter in iptables, but the support for didn’t last beyond kernel 2.6.
The easiest option seems to be to restrict access within HA’s webserver, had it been supported…