C4 Forums | Control4

Chime Video Doorbell security


jfh


I’m going to be replacing a Ring Elite with a Chime.  Looking for opinions on how to handle security:

1) Physical security - how to keep the device from being stolen

 2) Network security - don’t know why I never thought of this before but since it’s PoE if someone takes off the camera they have easy access to your LAN.  Could this be prevented by configuring a VLAN?

 

I realize the likelihood of both are small but wondered what others are going to do to protect the Chime.

Link to comment
Share on other sites


For 2). If you completely isolate it on a vlan, that defeats the purpose of integrating it since you would need it accessible by other devices and let other devices see it.

If you don't already consider your internal network as insecure, then I would suggest doing so and put passwords on everything.

Link to comment
Share on other sites

5 minutes ago, Dunamivora said:

For 2). If you completely isolate it on a vlan, that defeats the purpose of integrating it since you would need it accessible by other devices and let other devices see it.

If you don't already consider your internal network as insecure, then I would suggest doing so and put passwords on everything.

Wouldn’t it only need to be on a VLAN with the controller and the NVR?  
 

I do have passwords on everything but just never thought about segregation.  I’ve always had my PCs and IOTs and C4 and A/V gear on the same network and prefer wired to wireless.

Link to comment
Share on other sites

5 hours ago, jfh said:

 2) Network security - don’t know why I never thought of this before but since it’s PoE if someone takes off the camera they have easy access to your LAN.  Could this be prevented by configuring a VLAN?

There's a couple of things you can do to secure an Ethernet port:

1. MAC filtering. (only allow the MAC of the doorbell)

2. 802.1x (if the doorbell has it).

3. Use a static IP address on that port and block DHCP.

4. guest VLAN (of course you need connectivity to C4 world).

 

Link to comment
Share on other sites

1 hour ago, ejn1 said:

Can someone shed some light on how a stolen Chime will then allow someone to compromise your network?

It’s theoretical.  The potential security threat isn’t the Chime itself but the Ethernet cable running to it.  Take the Chime off the mount and someone could simply plug the cable into a laptop and be attached to your network.   

Link to comment
Share on other sites

1 hour ago, ekohn00 said:

There's a couple of things you can do to secure an Ethernet port:

1. MAC filtering. (only allow the MAC of the doorbell)

2. 802.1x (if the doorbell has it).

3. Use a static IP address on that port and block DHCP.

4. guest VLAN (of course you need connectivity to C4 world).

 

Thanks.  I like #1 and #3.  I had thought about #1. 
I would already have a static IP.  When you say “and block DHCP”, isn’t that done by forcing a static IP?  I use DHCP but most devices have an assigned IP reservation.

Link to comment
Share on other sites

1 hour ago, jfh said:

Thanks.  I like #1 and #3.  I had thought about #1. 
I would already have a static IP.  When you say “and block DHCP”, isn’t that done by forcing a static IP?  I use DHCP but most devices have an assigned IP reservation.

No, if you're still running DHCP a laptop could spoof the MAC address (assuming you're MAC limited on the port) and still request an IP address if DHCP is active. It would then be "on net".

By removing the DHCP a person would have a much harder time coming up with both the MAC and IP address needed to get on net.

Link to comment
Share on other sites

3 hours ago, ekohn00 said:

By removing the DHCP a person would have a much harder time coming up with both the MAC and IP address needed to get on net.

Since we're going Hollywood hacking....  remove Chime, power Chime on a separate network, scan, bingo, IP and MAC to spoof.

Link to comment
Share on other sites

1 minute ago, RAV said:

Since we're going Hollywood hacking....  remove Chime, power Chime on a separate network, scan, bingo, IP and MAC to spoof.

Fortunately I don’t live in Hollywood ;)

 

Anyone have thoughts on physical security?

Link to comment
Share on other sites

11 hours ago, ekohn00 said:

There's a couple of things you can do to secure an Ethernet port:

1. MAC filtering. (only allow the MAC of the doorbell)

2. 802.1x (if the doorbell has it).

3. Use a static IP address on that port and block DHCP.

4. guest VLAN (of course you need connectivity to C4 world).

 

use 1 and 3 and you're golden. Requires a managed switch of course.

 

If they're bypassing that, they've put in more effort than it would be to stand at the door and hack your wifi.

Link to comment
Share on other sites

On 1 - it has a security screw to hold it on the mounting plate, could use security screws on the mounting plate as well.

 

Once you go beyond that, you're being targeted to a point that they'll figure out a way no matter what and them stealing the doorbell itself is a non-issue, which brings you back to point 2 and already posted options.

Link to comment
Share on other sites

I wonder who will not spot an intruder on your front door that is carrying a laptop and trying to hack into your network? Indeed a Mission Impossible episode ... If it’s me, then brute forcing into ur WiFi is much easier while doing it from the comfort of my couch or in my car if u live in a mansion 😁😁

Link to comment
Share on other sites

34 minutes ago, Amr said:

I wonder who will not spot an intruder on your front door that is carrying a laptop and trying to hack into your network? 

Well, it depends where the device is mounted. At my place, I don't have direct sight to the entrance gate. And during the night, I seldom watch my outdoor cameras - so plenty of time to hack into the LAN.

For outdoor LAN devices, it's indeed very important that they can't be removed easily to get access to the physical port in the first place. That's one of the main reasons why the "serious" doorstations are usually pretty expensive - they are solidly built. Then - in terms of security - handle the outdoor LAN ports the same as if they are your Internet access.

Link to comment
Share on other sites

3 hours ago, Amr said:

I wonder who will not spot an intruder on your front door that is carrying a laptop and trying to hack into your network? Indeed a Mission Impossible episode ... If it’s me, then brute forcing into ur WiFi is much easier while doing it from the comfort of my couch or in my car if u live in a mansion 😁😁

Actually, the evil hacker could take your doorbell, and scan for IP & MAC address..... once this is found, it's fairly easy to replace with a wireless device in the middle that could be used to allow remote hacking.

Like an alarm box, some physical security could give peace of mind..... there's a camera...so obviously there's a picture before the camera is unplugged. I'd also hope there's a way to script sending a picture just before the button is lost on the network (unplugged). Someone mentioned security screws....    Come to think about it...I'd be more afraid of someone replacing my outside WAP.

Link to comment
Share on other sites
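Added example, not part of any post in this thread: a sketch of the port monitoring the posts above point toward. It alerts on link loss, on DHCP requests on a static-only port, and on traffic that carries the doorbell's MAC and IP but goes somewhere other than the controller or NVR. The port name, addresses and event format are constructed assumptions, not values from the thread or from any Control4 product.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed values for illustration; none of them come from the thread.
PORT = "gi1/0/12"                      # switch port feeding the doorbell
MAC = "02:00:00:00:00:01"              # doorbell MAC allowed on that port
IP = ip_address("192.0.2.50")          # doorbell static IP
PEERS = {ip_address("192.0.2.10"), ip_address("192.0.2.20")}  # controller, NVR

@dataclass
class Event:
    ts: int                            # seconds since start of trace
    port: str
    kind: str                          # link_down | link_up | dhcp_discover | flow
    mac: str = ""
    src: str = ""
    dst: str = ""

def audit(events):
    """Return (ts, finding) alerts for the doorbell port, oldest first."""
    alerts, unplugged = [], False
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.port != PORT:
            continue
        if e.kind == "link_down":
            unplugged = True
            alerts.append((e.ts, "link lost on doorbell port"))
        elif e.kind == "dhcp_discover":
            alerts.append((e.ts, f"DHCP request from {e.mac} on static-only port"))
        elif e.kind == "flow":
            if e.mac.lower() != MAC:
                alerts.append((e.ts, f"unexpected MAC {e.mac}"))
            elif ip_address(e.src) != IP:
                alerts.append((e.ts, f"doorbell MAC with wrong source IP {e.src}"))
            elif ip_address(e.dst) not in PEERS:
                # A copied MAC and IP pass the filters; pinned destinations still catch it.
                when = " after link loss" if unplugged else ""
                alerts.append((e.ts, f"out-of-policy destination {e.dst}{when}"))
    return alerts

# Constructed trace: normal traffic, cable pulled, then a host reusing the MAC and IP.
SAMPLE = [
    Event(0, PORT, "flow", MAC, "192.0.2.50", "192.0.2.20"),
    Event(60, PORT, "link_down"),
    Event(95, PORT, "link_up"),
    Event(97, PORT, "dhcp_discover", "02:00:00:00:00:99"),
    Event(130, PORT, "flow", MAC, "192.0.2.50", "192.0.2.1"),
    Event(140, "gi1/0/3", "link_down"),
]
```

`audit(SAMPLE)` returns three alerts, at t=60, 97 and 130; the event on the other port is ignored. The same destination allow-list can be enforced as an ACL on the doorbell's VLAN so the out-of-policy flow is dropped as well as reported.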

1 hour ago, ekohn00 said:

Actually, the evil hacker could take your doorbell, and scan for IP & MAC address..... once this is found, it's fairly easy to replace with a wireless device in the middle that could be used to allow remote hacking.

Like an alarm box, some physical security could give peace of mind..... there's a camera...so obviously there's a picture before the camera is unplugged. I'd also hope there's a way to script sending a picture just before the button is lost on the network (unplugged). Someone mentioned security screws....    Come to think about it...I'd be more afraid of someone replacing my outside WAP.

Assume if the evil hacker really wants inside your network and they are skilled, they will get in and there are likely less risky ways for the hacker to enter (e.g. not committing physical theft or being onsite) ...

Link to comment
Share on other sites

40 minutes ago, ejn1 said:

Assume if the evil hacker really wants inside your network and they are skilled, they will get in and there are likely less risky ways for the hacker to enter (e.g. not committing physical theft or being onsite) ...

Well, the fact that there are other attack vectors shouldn't prevent you from taking measures to mitigate this one.

If I were a hacker, I'd assume that most households have at least a basic security in place towards their internet access and wifi. But I'd assume almost none of them takes measures to secure their LAN. So getting LAN access via outdoor LAN ports (door stations, wifi APs, outdoor cameras) would be an easy catch (of course based on the location). And if you're on the LAN, additional things like opening the garage or backdoor could be achieved.

In commercial environments, it's often LAN ports in publicly accessible meeting/conference rooms that are often neglected and potentially at risk.

But of course everybody has to do his own risk assessment and what measures to take. And yes, I've also got homework to do regarding my own outdoor LAN connections. 😉

Link to comment
Share on other sites

1 hour ago, Köhler Medientechnik said:

Well, the fact that there are other attack vectors shouldn't prevent you from taking measures to mitigate this one.

If I were a hacker, I'd assume that most households have at least a basic security in place towards their internet access and wifi. But I'd assume almost none of them takes measures to secure their LAN. So getting LAN access via outdoor LAN ports (door stations, wifi APs, outdoor cameras) would be an easy catch (of course based on the location). And if you're on the LAN, additional things like opening the garage or backdoor could be achieved.

In commercial environments, it's often LAN ports in publicly accessible meeting/conference rooms that are often neglected and potentially at risk.

But of course everybody has to do his own risk assessment and what measures to take. And yes, I've also got homework to do regarding my own outdoor LAN connections. 😉

Good points and agree with you completely that practical measures should be taken and not faulting anyone who wants to take those measures to whatever degree they want. My only point was if someone "wants" to get in your network and they're skilled at it (typically not onsite thieves my guess) they will likely get into most consumer or prosumer gear and they won't need to stand at your doorbell with a laptop to do it.

Link to comment
Share on other sites

12 minutes ago, ejn1 said:

My only point was if someone "wants" to get in your network and they're skilled at it (typically not onsite thieves my guess) they will likely get into most consumer or prosumer gear and they won't need to stand at your doorbell with a laptop to do it.

Sure, if they want to they would be able to. It's just different approaches.

Network security works similar to physical security: if you have the basics set right (secure passwords set, no port forwarding, current patch level, etc.), then they'll most likely move over to an easier target. Same with physical security: if you have reasonably modern and secure doors and windows, they'll just move to the neighbour...

Link to comment
Share on other sites
