A friend once asked me to do some pen-testing on a machine he was running on his home network. He said I'd need to come round to his house to do this as he didn't want to provide access to the machine via the Internet. Fair enough.

When he opened his front door the conversation went something like this:

    Him: "Ah hello, thanks for coming round to do this. It should be fun, come in and we can get started."
    Me: "OK, but I'm already done."
    Him: "What?"
    Me: "I'm done. I've already got root on the machine and I left a little text file in root's home directory as proof."
    Him: "What? But ... what? Wifi?"
    Me: "Nope. Let me in and I'll explain how."

The short story is he had an PoE IP-based intercom system on his front gate. I remembered this from when he was going on about his plans for his home network setup and how amazing PoE was and how he was going to have several cameras etc. I also remember seeing the purple network cable sticking out of the gate pillar whilst the renovation work was being done and the intercom hadn't yet been installed.

I'd arrived 45 minutes early, unscrewed the faceplate of the intercom system and, with a bit of wiggling, I got access to a lovely Cat-5 ethernet jack. Plugging that into my laptop I was able to see his entire home network, the port for the intercom was obviously not on its own VLAN. Finding and rooting the target machine was a different matter but those details are not relevant to this story.

I suppose I got lucky. He could have put the IoT devices on separate VLANs. He could have had some alerting setup so that he'd be notified that the intercom system had suddenly gone offline. He could have limited access to the important internal machines to a known subset of IPs/ports/networks.

He learned about all of the above mitigations that day.

I've always wondered just how many people have exposed their own internal network in a similar way when trying to improve their external security (well, deterrent, not really security) but configuring it poorly.

Not relevant? That’s the best part! Spill it!

enforcing 802.1x on switch is also good solution, especially for "external" ports.

802.1x is quite trivial to bypass if you have an authenticated device (in this case the intercom) that you can transparently bridge[1].

[1]. https://www.defcon.org/images/defcon-19/dc-19-presentations/...

it still will block or slow down many.

802.1x is commonly deployed with macsec. will it be also trivial to bypass ?

Did you ever seen an intercom or IP camera with macsec support?

I have my cameras connected to a N150 server running hostapd and dnsmasq and no IP forwarding. That server runs Frigate. I figured if I need a server anyway it might as well be the AP.

It's a little bit of a pain to set up the cameras because of the mobile app. I have to connect to the AP on my phone and as it doesn't have internet access my phone nags me, and this specific model doesn't have an external antenna. If it did I think it might be the ideal setup.

do you happen to have a guide on how to achieve this - I am fairly technical but still configuring Vlans and moving devices there would be good with some step by step instructions.

Are you running Ubiquiti hardware? If so, should be very straight forward (one of the main reasons I went back to Ubiquiti stuff after running my own OPNsense router) https://lazyadmin.nl/home-network/unifi-zone-based-firewall/

P. Sure the camera in question breaks in fun ways. From my observations because it can’t update it’s time, so messing with it a bit leaving to a need to update, downgrade, block from the web again.

But it’s worth trying

depends on your router, but you would want to stick to onvif or rtsp and connect to the camera using some sort of tailscale. Don't fail for installing open source firmware, there is only thingino and openipc, both are hard to install if you are a beginner, even if people say it's easy for technical specialist, it's not