Possibility of 3rd party app "hacking" through wifi

To start off, I am not sure if this is the correct sub topic for this, but I am genuinely curious and cannot find a "reasonable" enough answer to cope with my curiosity....

Here's my hypothetical situation. I purchased a Meco video doorbell off of Amazon. I received it. In the setup you have to download an application off of the Google Play Store called "Cloud Edge". It will run you through the setup of the doorbell. Essentially summarized, you manually reset the doorbell, it finds the WiFi network closest to it, and then obviously you punch in your password for said network.

So the doorbell is interconnected through your WiFi network and the application, and you allow it to access all of your typical permissions like microphone, storage, location (for a brief moment), etc. Is it possible, or how vulnerable is it, for an application to be able to "hack" into your WiFi network, into other computers or the phones that use the application to access and use the camera?

(Sub note: I have a DLINK DIR 879? router and I have read quite a few DLINK routers have security flaws? This is somewhat besides my original question, but I am definitely interested in this as well.)

This is purely for my curiosity and I have little to no knowledge when it comes to network security other than supplying a good password. I am here to learn 100% and this is my second post on the forum so go easy on me lol. TIA!

My own opinion, which I've grown to believe over the years, is that if it is connected to the Internet it can be hacked. If it can be connected to wirelessly it can be hacked, and of course if physical access is possible it can be hacked.

The biggest reason you have to not panic and put on a tin-foil hat is that the people who are interested in carrying out most of these attacks are out for fish MUCH bigger than you. Banks, stock markets, drug distributors, other large corporations.

About the only time you have to be really worried is if you pissed off someone who knows how to exploit these devices.

As for how they could attack, it would likely be intercepting the four-way handshake and then running either a dictionary attack or brute forcing the password. As I've heard, only a few months ago WPA2 (may have been WPA2-PSK) has been effectively cracked. I did not read too far into it so do your own research. I think it was said that vulnerabilities in how the encryption works were discovered (what most home routers operate on today). Basically it may be possible to connect to an AP without legitimate authentication at all.

Pretty recently I heard there were some security concerns with those Amazon Ring doorbells. I've already forgotten what it was specifically but it wasn't insignificant.

So personal rules I go by relative to your question:

  1. Avoid IoT devices (in general)
  2. Avoid IoT devices that rely heavily on UPnP (basically a router firewall loophole that attackers on the Internet can exploit)
  3. Keep firmware/security up to date.
  4. Don't give IP security cameras access to the Internet (at least without mitigating access through the router)

If I think of any others I'll add em later :P

22 minutes ago, InterstellarShield said:

So the doorbell is interconnected through your WiFi network and the application, and you allow it to access all of your typical permissions like microphone, storage, location (for a brief moment), etc. Is it possible, or how vulnerable is it, for an application to be able to "hack" into your WiFi network, into other computers or the phones that use the application to access and use the camera?

Watch the 6PM news. You will hear reports of Ring cameras being compromised. To the point that attackers were able to speak to the home owners. For reference, they don't hack your WiFi. They hack their way in thru these piss poor secure apps and tunnel in thru the internet. This is the reason I refuse to allow cameras or "smart speakers" in this house, PERIOD. IoT devices have security issues as a whole.

If I were to do some type of internet connected cameras I'd be looking into VLANs. Just so none of those devices could touch the data on my home network. But to me it's just not worth the hassle.

I just want to sit back and watch the world burn.

3 minutes ago, Donut417 said:

If I were to do some type of internet connected cameras I'd be looking into VLANs. Just so none of those devices could touch the data on my home network. But to me it's just not worth the hassle.

My thoughts on setting up PoE IP security cameras are to either, as you said, use VLANs or to outright put them on a network that has no Default Gateway (something to act as a DHCP server but has no WAN interface) with only a connection to the recording server. A Closed System basically.
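
The two layouts discussed in the posts above (a separate IoT VLAN, or a closed camera network with no route out), as an added example that is not part of the original thread: an nftables ruleset for a Linux-based router. The interface names `lan0`, `iot0` and `wan0` are assumptions, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Added example: constructed ruleset, interface names are assumptions.
#   lan0 = trusted home network (PCs, phones)
#   iot0 = VLAN for the doorbell, cameras, smart speakers
#   wan0 = uplink to the Internet
define LAN = "lan0"
define IOT = "iot0"
define WAN = "wan0"

table inet iot_isolation {
    # Traffic routed between networks.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were allowed when they started.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may open sessions anywhere, including to IoT
        # devices (e.g. a phone or recorder pulling the camera stream).
        iifname $LAN accept

        # Option A (VLAN with cloud access): IoT may reach the Internet.
        # Remove this one rule for option B, the closed system with no
        # route out: devices then only talk to hosts on their own segment.
        iifname $IOT oifname $WAN accept

        # IoT may never start a session towards the home LAN. Logged and
        # counted so attempts are visible before they are dropped.
        iifname $IOT oifname $LAN log prefix "iot-to-lan " counter drop
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept
        iifname $LAN accept

        # IoT devices get DHCP and DNS from the router and nothing else.
        # Anything more, such as UPnP port-mapping requests or the admin
        # interface, falls through to the drop policy.
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
    }
}
```

The counter and log line on the IoT-to-LAN rule show whether a device on the isolated segment is trying to reach the home network.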

1 hour ago, Donut417 said:

They hack their way in thru these piss poor secure apps and tunnel in thru the internet. This is the reason I refuse to allow cameras or "smart speakers" in this house, PERIOD. IoT devices have security issues as a whole.

This is no different than when TeamViewer was breached and people began logging in remotely to people's machines. Blame the PCs?

This isn't an IOT problem, this is a security problem. Sure there might be more pressing issues like Ring being breached and allowing people to watch them creepily, but IOT are the least of your worries. IOT devices tend to run locked down Linux distros or limited custom OSes, generally extremely limited in commands. Even if breached they can only tend to perform their few daily functions.

You know what's worse? PCs and phones. Devices that have full functionality to execute, install, download, discover... they can be used to infect other devices, used to act as a proxy for data gathering, listen in and watch just as much as a smart speaker. IOTs don't generally have this level of execution. PCs and phones are much more dangerous in the scope of things.

In the end it's security and how companies are just now starting to take it somewhat seriously.

33 minutes ago, mynameisjuan said:

In the end it's security and how companies are just now starting to take it somewhat seriously.

Which is why I said. The fact is Ring has been in the news for being hacked at least 2 times in the last month in the Metro Detroit area. I don't trust any of these IOT devices. Because the companies don't secure them. Sorry to tell you this, but the average person kinda expects corporations to protect their data. Even though they do a shit job at it. Equifax being a prime example.

I'm just surprised a lot of people are stupid enough to put cameras that talk to the internet in their homes. Or trust smart speakers that could be used as bugs in their homes. Besides hackers, who's to say the law enforcement or intelligence agencies are hacking these?

But I'd have to disagree. Yes security is a problem. BUT the biggest issue is the trust people put in these corporations. And the trust people put into our elected officials. They are all out for theirs and give a shit less about the people.

55 minutes ago, Donut417 said:

I don't trust any of these IOT devices. Because the companies don't secure them

More often than not the security issue is the consumers reusing passwords. Same goes for employees that lead to the breach.

57 minutes ago, Donut417 said:

I'm just surprised a lot of people are stupid enough to put cameras that talk to the internet in their homes. Or trust smart speakers that could be used as bugs in their homes. Besides hackers, who's to say the law enforcement or intelligence agencies are hacking these?

Not sure how it's stupidity. My home is loaded top to bottom with IOT. I know the risk and do so accordingly. Sure it can be bugged but like I said earlier, there are other devices that are more of a concern. You know, the devices you carry around with you most of the time and PCs/laptops. Don't try to act above everyone else because you ignore IOT.

1 hour ago, Donut417 said:

BUT the biggest issue is the trust people put in these corporations. And the trust people put into our elected officials. They are all out for theirs and give a shit less about the people.

This applies to so many other devices and services. This is not relevant here.

  • 1 month later...

I do appreciate this information tremendously. Even though I am late to my own party! This forum is filled with so much information it makes my head turn. 
