jfh Posted October 20, 2020

I’m going to be replacing a Ring Elite with a Chime. Looking for opinions on how to handle security:

1) Physical security - how to keep the device from being stolen
2) Network security - don’t know why I never thought of this before but since it’s PoE if someone takes off the camera they have easy access to your LAN. Could this be prevented by configuring a VLAN?

I realize the likelihood of both is small but wondered what others are going to do to protect the Chime.
-defunct- Posted October 20, 2020

For 2). If you completely isolate it on a VLAN, that defeats the purpose of integrating it since you would need it accessible by other devices and let other devices see it. If you don't already consider your internal network as insecure, then I would suggest doing so and putting passwords on everything.
jfh Posted October 20, 2020

5 minutes ago, Dunamivora said:
For 2). If you completely isolate it on a VLAN, that defeats the purpose of integrating it since you would need it accessible by other devices and let other devices see it. If you don't already consider your internal network as insecure, then I would suggest doing so and putting passwords on everything.

Wouldn’t it only need to be on a VLAN with the controller and the NVR? I do have passwords on everything but just never thought about segregation. I’ve always had my PCs and IoTs and C4 and A/V gear on the same network and prefer wired to wireless.
ekohn00 Posted October 20, 2020

5 hours ago, jfh said:
2) Network security - don’t know why I never thought of this before but since it’s PoE if someone takes off the camera they have easy access to your LAN. Could this be prevented by configuring a VLAN?

There's a couple of things you can do to secure an Ethernet port:

1. MAC filtering (only allow the MAC of the doorbell).
2. 802.1X (if the doorbell has it).
3. Use a static IP address on that port and block DHCP.
4. Guest VLAN (of course you need connectivity to C4 world).
ejn1 Posted October 20, 2020

Can someone shed some light on how a stolen chime will then allow someone to compromise your network?
jfh Posted October 20, 2020

1 hour ago, ejn1 said:
Can someone shed some light on how a stolen chime will then allow someone to compromise your network?

It’s theoretical. The potential security threat isn’t the Chime itself but the Ethernet cable running to it. Take the Chime off the mount and someone could simply plug the cable into a laptop and be attached to your network.
jfh Posted October 20, 2020

1 hour ago, ekohn00 said:
There's a couple of things you can do to secure an Ethernet port:
1. MAC filtering (only allow the MAC of the doorbell).
2. 802.1X (if the doorbell has it).
3. Use a static IP address on that port and block DHCP.
4. Guest VLAN (of course you need connectivity to C4 world).

Thanks. I like #1 and #3. I had thought about #1. I would already have a static IP. When you say “and block DHCP”, isn’t that done by forcing a static IP? I use DHCP but most devices have an assigned IP reservation.
-defunct- Posted October 20, 2020

7 hours ago, jfh said:
Wouldn’t it only need to be on a VLAN with the controller and the NVR?

Not if you want the controller to work with it.
ekohn00 Posted October 20, 2020

1 hour ago, jfh said:
Thanks. I like #1 and #3. I had thought about #1. I would already have a static IP. When you say “and block DHCP”, isn’t that done by forcing a static IP? I use DHCP but most devices have an assigned IP reservation.

No, if you're still running DHCP a laptop could spoof the MAC address (assuming you're MAC limited on the port) and still request an IP address if DHCP is active. It would then be "on net". By removing the DHCP a person would have a much harder time coming up with both the MAC and IP address needed to get on net.
RAV Posted October 20, 2020

3 hours ago, ekohn00 said:
By removing the DHCP a person would have a much harder time coming up with both the MAC and IP address needed to get on net.

Since we're going Hollywood hacking.... remove chime, power chime on a separate network, scan, bingo, IP and MAC to spoof.
jfh Posted October 20, 2020

1 minute ago, RAV said:
Since we're going Hollywood hacking.... remove chime, power chime on a separate network, scan, bingo, IP and MAC to spoof.

Fortunately I don’t live in Hollywood. Anyone have thoughts on physical security?
RAV Posted October 20, 2020

Run 2 cats to chime. PoE and a plunger security switch held in by chime.
ejn1 Posted October 20, 2020

I think getting hacked via a Chime Ethernet cable is lower risk than an asteroid taking out the western hemisphere. Now getting it stolen or spray painted with black paint are a different story.
OceanDad Posted October 20, 2020

At least you'll get a good look at his face.
Cyknight Posted October 20, 2020

11 hours ago, ekohn00 said:
There's a couple of things you can do to secure an Ethernet port:
1. MAC filtering (only allow the MAC of the doorbell).
2. 802.1X (if the doorbell has it).
3. Use a static IP address on that port and block DHCP.
4. Guest VLAN (of course you need connectivity to C4 world).

Use 1 and 3 and you're golden. Requires a managed switch of course. If they're bypassing that, they've put in more effort than it would be to stand at the door and hack your WiFi.
Cyknight Posted October 20, 2020

On 1 - it has a security screw to hold it on the mounting plate, could use security screws on the mounting plate as well. Once you go beyond that, you're being targeted to a point that they'll figure out a way no matter what and them stealing the doorbell itself is a non-issue, which brings you back to point 2 and already posted options.
Amr Posted October 21, 2020

I wonder who will not spot an intruder on your front door that is carrying a laptop and trying to hack into your network? Indeed a Mission Impossible episode ... If it’s me, then brute forcing into ur WiFi is much easier while doing it from the comfort of my couch or in my car if u live in a mansion.
Köhler Medientechnik Posted October 21, 2020

34 minutes ago, Amr said:
I wonder who will not spot an intruder on your front door that is carrying a laptop and trying to hack into your network?

Well, it depends where the device is mounted. At my place, I don't have direct sight to the entrance gate. And during the night, I seldom watch my outdoor cameras - so plenty of time to hack into the LAN. For outdoor LAN devices, it's indeed very important that they can't be removed easily to get access to the physical port in the first place. That's one of the main reasons why the "serious" doorstations are usually pretty expensive - they are solidly built. Then - in terms of security - handle the outdoor LAN ports the same as if they are your Internet access.
ekohn00 Posted October 21, 2020

3 hours ago, Amr said:
I wonder who will not spot an intruder on your front door that is carrying a laptop and trying to hack into your network? Indeed a Mission Impossible episode ... If it’s me, then brute forcing into ur WiFi is much easier while doing it from the comfort of my couch or in my car if u live in a mansion.

Actually, the evil hacker could take your doorbell, and scan for IP & MAC address..... once this is found, it's fairly easy to replace with a wireless device in the middle that could be used to allow remote hacking. Like an alarm box, some physical security could give peace of mind..... there's a camera...so obviously there's a picture before the camera is unplugged. I'd also hope there's a way to script sending a picture just before the button is lost on the network (unplugged). Someone mentioned security screws.... Come to think about it...I'd be more afraid of someone replacing my outside WAP.
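Added example, not part of any post in this thread: the unplug event discussed above (and RAV's point that a MAC filter cannot tell a cloned MAC from the real doorbell) can be turned into alerts by watching the switch's port events. The event format, port name and MAC address below are constructed for illustration; a real managed switch emits its own vendor-specific syslog.

```python
# Added example: tamper alerts for an outdoor PoE port.
# The event format is constructed; real switch syslog is vendor-specific.
DOORBELL_PORT = "port7"               # hypothetical port name
DOORBELL_MAC = "02:00:00:aa:bb:cc"    # constructed MAC address

SAMPLE_EVENTS = """\
2020-10-20T22:14:03 port=port7 event=mac_learned mac=02:00:00:aa:bb:cc
2020-10-20T23:41:10 port=port3 event=link_down
2020-10-21T02:05:44 port=port7 event=link_down
2020-10-21T02:09:12 port=port7 event=link_up
2020-10-21T02:09:13 port=port7 event=mac_learned mac=02:00:00:aa:bb:cc
2020-10-21T03:30:00 port=port7 event=link_down
2020-10-21T03:31:00 port=port7 event=link_up
2020-10-21T03:31:02 port=port7 event=mac_learned mac=02:00:00:11:22:33
"""

def parse(line):
    """Split 'timestamp key=value ...' into (timestamp, dict)."""
    ts, *fields = line.split()
    return ts, dict(f.split("=", 1) for f in fields)

def tamper_alerts(log_text, port=DOORBELL_PORT, expected_mac=DOORBELL_MAC):
    """Return (timestamp, kind, detail) alerts for the monitored port."""
    alerts, unplugged = [], False
    for line in filter(str.strip, log_text.splitlines()):
        ts, ev = parse(line)
        if ev.get("port") != port:
            continue
        if ev.get("event") == "link_down":
            # The unplug itself is the tamper signal: alert immediately.
            unplugged = True
            alerts.append((ts, "LINK_DOWN", "device unplugged or lost power"))
        elif ev.get("event") == "mac_learned":
            mac = ev.get("mac", "").lower()
            if mac != expected_mac:
                alerts.append((ts, "UNKNOWN_MAC", mac))
            elif unplugged:
                # A MAC filter cannot tell a clone from the real doorbell,
                # so the first sighting after a drop needs a human check.
                alerts.append((ts, "MAC_AFTER_UNPLUG", mac))
            unplugged = False
    return alerts

if __name__ == "__main__":
    for alert in tamper_alerts(SAMPLE_EVENTS):
        print(*alert)
```
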
ejn1 Posted October 21, 2020

1 hour ago, ekohn00 said:
Actually, the evil hacker could take your doorbell, and scan for IP & MAC address..... once this is found, it's fairly easy to replace with a wireless device in the middle that could be used to allow remote hacking. Like an alarm box, some physical security could give peace of mind..... there's a camera...so obviously there's a picture before the camera is unplugged. I'd also hope there's a way to script sending a picture just before the button is lost on the network (unplugged). Someone mentioned security screws.... Come to think about it...I'd be more afraid of someone replacing my outside WAP.

Assume if the evil hacker really wants inside your network and they are skilled, they will get in and there are likely less risky ways for the hacker to enter (e.g. not committing physical theft or being onsite) ...
Köhler Medientechnik Posted October 21, 2020

40 minutes ago, ejn1 said:
Assume if the evil hacker really wants inside your network and they are skilled, they will get in and there are likely less risky ways for the hacker to enter (e.g. not committing physical theft or being onsite) ...

Well, the fact that there are other attack vectors shouldn't prevent you from taking measures to mitigate this one. If I were a hacker, I'd assume that most households have at least a basic security in place towards their internet access and WiFi. But I'd assume almost none of them takes measures to secure their LAN. So getting LAN access via outdoor LAN ports (door stations, WiFi APs, outdoor cameras) would be an easy catch (of course based on the location). And if you're on the LAN, additional things like opening the garage or backdoor could be achieved. In commercial environments, it's often LAN ports in publicly accessible meeting/conference rooms that are often neglected and potentially at risk. But of course everybody has to do his own risk assessment and what measures to take. And yes, I've also got homework to do regarding my own outdoor LAN connections.
ejn1 Posted October 21, 2020

1 hour ago, Köhler Medientechnik said:
Well, the fact that there are other attack vectors shouldn't prevent you from taking measures to mitigate this one. If I were a hacker, I'd assume that most households have at least a basic security in place towards their internet access and WiFi. But I'd assume almost none of them takes measures to secure their LAN. So getting LAN access via outdoor LAN ports (door stations, WiFi APs, outdoor cameras) would be an easy catch (of course based on the location). And if you're on the LAN, additional things like opening the garage or backdoor could be achieved. In commercial environments, it's often LAN ports in publicly accessible meeting/conference rooms that are often neglected and potentially at risk. But of course everybody has to do his own risk assessment and what measures to take. And yes, I've also got homework to do regarding my own outdoor LAN connections.

Good points and agree with you completely that practical measures should be taken and not faulting anyone who wants to take those measures to whatever degree they want. My only point was if someone "wants" to get in your network and they're skilled at it (typically not onsite thieves my guess) they will likely get into most consumer or prosumer gear and they won't need to stand at your doorbell with a laptop to do it.
Köhler Medientechnik Posted October 21, 2020

12 minutes ago, ejn1 said:
My only point was if someone "wants" to get in your network and they're skilled at it (typically not onsite thieves my guess) they will likely get into most consumer or prosumer gear and they won't need to stand at your doorbell with a laptop to do it.

Sure, if they want to they would be able to. It's just different approaches. Network security works similar to physical security: if you have the basics set right (secure passwords set, no port forwarding, current patch level, etc), then they'll most likely move over to an easier target. Same with physical security: if you have reasonably modern and secure doors and windows, they'll just move to the neighbour...