POE doorbell security

Hi

Not directly Home Assistant related yet but this is the first step.

I am looking to install a Reolink PoE doorbell and, having very little network knowledge, I was unsure if there is a security risk having an ethernet cable running into the back of the doorbell. If someone were to remove the doorbell they would have access to the ethernet cable; could they then access devices and data on my network? Should there be any security steps I should take when installing security devices via ethernet outside?

For further information, I have not decided yet if I’m using an NVR or a NAS to record the video. I know I want it to be local and avoid the cloud, and I will certainly be running it through Home Assistant and want to receive the usual notifications and possibly run a few automations based on doorbell ring or presence detection.

Any network security help would be appreciated.

Thanks

Dan

I mean it’s possible but how probable is it in the area in which you live?

E.g. around here it is exceedingly more likely that a brick will be used to gain access to the house.

Also keep in mind that someone who wants to gain access that way would be in plain view of the camera before they could get access.

If it is a likely scenario then you can segment your network with VLANs.

2 Likes

Ah yes, I appreciate it’s unlikely, I just wasn’t sure of best practice when setting up.

Best practice would be not to expose your network to the “outside” without taking extra measures like encryption and authentication. While this is the “default” for WPAx Wi-Fi, ordinary ethernet is missing this. :unlock:

Either only provide power (the P in PoE) over the cable and use Wi-Fi for comms, or implement at least some authentication if you prefer the wires. You also wanna make sure that the ethernet is not (too) easily accessible, maybe by using some security screws or so :nut_and_bolt:

1 Like

I just find video doorbells only require a paperclip to remove from the mount, so the screws are largely irrelevant. I’m probably being overly cautious, as someone plugging a laptop into the ethernet outside my house would be quite obvious.

Thank you for coming back so quickly on this.

I was going to avoid Wi-Fi because, whilst I have a strong Wi-Fi connection, I’m certain some delivery companies have used Wi-Fi blockers in the past, as some events don’t get recorded correctly.

Some doorbells have a tamper switch. Connect that to your alarm system, or just to a powerful siren. Anyone who unscrews the doorbell will trigger it.

1 Like

Ok, I’ll check if Reolink does before I buy it.

I have a Unifi PoE switch, so I have created a MAC address filter on the port that goes to the camera. That way the link only works with that one MAC address… if someone was to plug in another device it would not work.

1 Like

Sounds ideal, I’ll look into this. As I’m not that network savvy I will need to find a tutorial on setting that up.

Well, that is some protection, but bear in mind that the MAC of a network card can be easily changed on a laptop…
Regarding the tamper switch: if the unit doesn’t have one you can add any microswitch, it will also do its job.

1 Like

Check out

About 3 minutes into the video, it gives the pros and cons of this approach.

Thank you, that made it really clear. I was looking at the Netgear GS308EP managed PoE switch on Amazon, which looks like it’ll do just that.

Can you share how it went? I am in the same situation, I also have a Netgear PoE switch, and I am wondering how to go about securing the external LAN connector.

There are many guides out there and here is one example of how to set up a secure network:

In most setups VLAN 1 is the default untagged route, so you set up, say, VLAN 2 for the internal network, 3 for IoT devices and 4 for guest devices, and for each VLAN you set up a dedicated subnet, i.e. 192.168.1.1/24 for VLAN 1, 192.168.2.1/24 for VLAN 2, etc.

Then at the firewall level you can allow the IoT VLAN to access only your Home Assistant host on the internal network and no other devices.

As well as what Robert has suggested you could lock down that ethernet port to only allow data from the MAC address of the doorbell.
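As an added illustration of the VLAN-plus-firewall layout the post above describes (this is not code from anyone in the thread; all addresses, VLAN numbers, the Home Assistant host at 192.168.2.10 and the doorbell at 192.168.3.20 are constructed assumptions), the following Python models the policy as a first-match rule table with default deny and evaluates a few sample flows against it. The point it makes concrete is that whatever is plugged into the doorbell's port lands in the IoT VLAN, so the only host it can reach is Home Assistant, regardless of which MAC address it presents.

```python
"""Model of a segmented home network: one /24 per VLAN, inter-VLAN firewall.

Constructed example. VLAN numbers, subnets, the Home Assistant address and the
sample flows are assumptions for illustration, not taken from a real network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNetwork = ipaddress.IPv4Network
IPAddress = ipaddress.IPv4Address

# One /24 per VLAN, as the post suggests. VLAN 1 stays the untagged default.
VLANS: dict[int, IPNetwork] = {
    1: ipaddress.IPv4Network("192.168.1.0/24"),  # default/untagged (management)
    2: ipaddress.IPv4Network("192.168.2.0/24"),  # internal: PCs, NAS/NVR, Home Assistant
    3: ipaddress.IPv4Network("192.168.3.0/24"),  # IoT: the doorbell's switch port sits here
    4: ipaddress.IPv4Network("192.168.4.0/24"),  # guest
}

# Assumed address of the Home Assistant host on the internal VLAN.
HOME_ASSISTANT = ipaddress.IPv4Address("192.168.2.10")


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst: IPNetwork  # a /32 for a single host
    action: str  # "allow" or "deny"
    comment: str = ""


# First match wins; any inter-VLAN flow that matches nothing is dropped.
# The explicit denies are redundant under default deny but document intent
# (and would be where you attach logging on a real firewall).
RULES: list[Rule] = [
    Rule(3, ipaddress.IPv4Network(f"{HOME_ASSISTANT}/32"), "allow", "IoT -> Home Assistant only"),
    Rule(3, VLANS[2], "deny", "IoT must not reach the rest of the internal VLAN"),
    Rule(3, VLANS[1], "deny", "IoT must not reach management"),
    Rule(2, VLANS[3], "allow", "internal may reach IoT (view streams, manage devices)"),
    Rule(4, VLANS[2], "deny", "guests stay off the internal VLAN"),
]


def vlan_of(ip: IPAddress) -> Optional[int]:
    """Return the VLAN whose subnet contains ip, or None if it is off-plan."""
    for vlan, net in VLANS.items():
        if ip in net:
            return vlan
    return None


def evaluate(src: str, dst: str) -> tuple[str, str]:
    """Decide whether a flow from src to dst is forwarded, with the reason.

    Traffic inside one VLAN is switched, not routed, so the inter-VLAN firewall
    never sees it; the model reports that explicitly rather than pretending it
    filtered anything.
    """
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan is None or dst_vlan is None:
        return "deny", "address not in any VLAN subnet"
    if src_vlan == dst_vlan:
        return "allow", f"intra-VLAN {src_vlan}, not routed (firewall not consulted)"
    for rule in RULES:
        if rule.src_vlan == src_vlan and dst_ip in rule.dst:
            return rule.action, rule.comment
    return "deny", "default deny"


def audit(flows: list[tuple[str, str]]) -> list[tuple[str, str, str, str]]:
    """Evaluate every (src, dst) pair and return (src, dst, action, reason)."""
    return [(s, d, *evaluate(s, d)) for s, d in flows]


# Constructed sample flows. The first three are what any device on the
# doorbell's port can do; the decision does not depend on its MAC address.
SAMPLE_FLOWS: list[tuple[str, str]] = [
    ("192.168.3.20", "192.168.2.10"),  # doorbell -> Home Assistant
    ("192.168.3.20", "192.168.2.50"),  # doorbell port -> laptop on internal VLAN
    ("192.168.3.20", "192.168.1.1"),   # doorbell port -> management
    ("192.168.2.50", "192.168.3.20"),  # laptop -> doorbell (view the stream)
    ("192.168.4.7", "192.168.2.10"),   # guest -> Home Assistant
    ("192.168.3.20", "192.168.3.21"),  # doorbell -> another IoT device
]

if __name__ == "__main__":
    for src, dst, action, why in audit(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<14} {action:5} ({why})")
```

The model keeps the IoT-to-Home-Assistant rule as a single /32 so that a compromised or swapped device on the outside port gets exactly one internal destination; the intra-VLAN case is called out because segmentation only buys you something for traffic that actually crosses the router, so anything else you want isolated from the doorbell should not share its VLAN.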

Don’t tell anyone spoofing a MAC is one of the simplest things to do :shushing_face:

It’s often even supported by an OS (without any additional tools) :point_down:

Besides, MAC randomization is a common privacy measure these days… :ninja:

Sure, but they would need to know the MAC that is being allowed, so would need to get that from the doorbell first. It’s all time spent standing at your door, when a brick through the window is an easier option.

This is why you do layered security: if you can make them waste time then it’s more time for the cops to get them, and it’s more evidence of property damage, if you can get it, for cases against them.

Then again there are people that just vandalize and run.

That’s like 2 seconds with the correct tool after the doorbell was ripped off :hammer_and_wrench:

Anyway, suggesting half-baked and easy-to-circumvent solutions while proper (secure) ways do exist (like VLANs) is not that smart of a move. Many people out there still believe that locking network access to certain MACs is a security feature, as people sadly don’t get tired of repeating these false claims :person_facepalming:

It’s even funnier when people do this for Wi-Fi, as the MACs are usually broadcast openly :joy: