Arlo|Smart Home Security|Wireless HD Security Cameras
Discussion stats
  • 6 Replies
  • 1061 Views
  • 0 Likes
  • 5 In Conversation
JustPhab
Follower

We bought an Arlo Ultra SmartHub and had it connected to our router, but we recently replaced the old router and upgraded to a mesh router system and created net new networks and passwords.

It seems the Arlo Ultra SH does not require our network password to access our network.

I don't recall providing the Smart Hub the new password, so the question is: how is this device getting on my network without my consent?

I am concerned about security given this is the age of information. What measures can be taken to mitigate risk, or am I missing a step in my router setup to gate rogue hardwired connections?

6 REPLIES
Mick_Phelan
Tutor

The great majority of wired Ethernet (networking) connections require no password. The difficulty in accessing the physical network port inside your home is the security measure. It is technically possible to configure authentication for network devices attached via cable but it's not a feature that is found in home networking devices. Authenticating wired network devices is complex and expensive to the degree that such measures are typically only found in the likes of banks and military installations.

jguerdat
Guru

Basically the need for the hub to be connected via Ethernet to your router, regardless of brand or if it's a mesh network, means there is no need for a password. That's needed to connect a device using WiFi but not hardwired devices. As such, the best ways to ensure inappropriate connections are to use strong passwords everyplace (router login, WiFi passwords, etc.). If you're really paranoid about rogue Ethernet connections, which require physical presence to accomplish, you can set up MAC address filtering in the router's configuration which would allow only those devices you've specifically put into the table to be able to get an IP address - all others would be denied. If you have a lot of devices on your network that could take some time and effort to determine the MAC (hardware) address, especially for IoT devices. Your router may provide an easy way to do this (just checked mine and found it in Security, Access Control which shows all connected devices so I could simply select all and enable the feature). Different brands of router and the age of the firmware may require some digging and effort.

Mick_Phelan
Tutor

@jguerdat wrote:

If you're really paranoid about rogue Ethernet connections, which require physical presence to accomplish, you can set up MAC address filtering in the router's configuration which would allow only those devices you've specifically put into the table to be able to get an IP address - all others would be denied.


For the kind of person who would go to the effort to attach a rogue device to your network, MAC address filtering doesn't provide much protection.  If you can get access to a network port or a patched wall outlet for example, then you can use a packet sniffer to read the MAC addresses of devices already attached to the network and then spoof one or more of those MAC addresses to get around MAC address filtering.

Strong authentication of wired connections requires something like an implementation of IEEE 802.1X, which typically requires switches that support the protocol and a RADIUS server that can authenticate user accounts.  You actually need at least 2 servers as network access is critical for business function and you can't have everyone locked out of the network every time a server crashes.  It's time consuming work to get it working perfectly, and so it's pretty expensive.  Locking your router and switches away in cabinets and avoiding patching any outlets that aren't needed is how most companies tackle the problem.  In the home it's not worth worrying about - if someone can get access to your Ethernet ports then they can just steal stuff and run away.  It's easier to just steal a laptop than to try to hack a laptop over the network.
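
An added example, not part of any post in this thread: a small Python audit that compares a Linux host's neighbour table against the list of approved MAC addresses that MAC filtering relies on, flagging unknown devices and any approved address seen on more than one IP. The `ip neigh show` sample, the addresses and the device names are constructed, and the multi-IP check is only a heuristic; a cloned address whose owner is offline will not show up.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output (not from a real network).
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.1.23 dev eth0 lladdr 3c:52:82:aa:bb:cc STALE
192.168.1.40 dev eth0 lladdr 9e:01:02:03:04:05 REACHABLE
192.168.1.41 dev eth0 lladdr 3c:52:82:11:22:33 DELAY
192.168.1.50 dev eth0 FAILED
"""
# Constructed allowlist, typed the way labels and router pages often show MACs.
ALLOWLIST = {"3C-52-82-11-22-33": "SmartHub", "3c:52:82:aa:bb:cc": "laptop"}

def norm_mac(mac):
    """Canonical form: 12 lowercase hex digits, colon separated."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neigh(text):
    """Yield (ip, mac) for entries with a resolved link-layer address."""
    for line in text.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            yield m.group(1), norm_mac(m.group(2))

def audit(text, allowlist):
    """Return findings as (kind, mac, ips, detail) tuples, sorted by MAC."""
    known = {norm_mac(mac): name for mac, name in allowlist.items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_neigh(text):
        ips_by_mac[mac].add(ip)
    findings = []
    for mac, ips in sorted(ips_by_mac.items()):
        if mac not in known:
            # Bit 0x02 of the first octet marks a locally administered
            # (software-assigned or randomized) address.
            local = int(mac[:2], 16) & 0x02
            detail = "locally-administered" if local else "burned-in"
            findings.append(("unknown", mac, sorted(ips), detail))
        elif len(ips) > 1:
            # Approved MAC seen on several IPs: worth a look, not proof.
            findings.append(("multi-ip", mac, sorted(ips), known[mac]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NEIGH, ALLOWLIST):
        print(finding)
```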

Edinburgh_lad1
Virtuoso

Well, are you talking from experience, @Mick_Phelan?

Fritzbox allows guest access for LAN4 and also, if you choose to do so, after consent of terms of use (https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7490/949_Setting-up-LAN-guest-access-in-the-F...)

Draytek routers enable you to use wired 802.1X - LAN Port Security (https://www.draytek.co.uk/information/our-technology/wired-8021x-security)


StephenB
Guru

Circling back to @JustPhab's original question...

When you set up your mesh router, you were setting up the wifi password (and probably also the admin password to manage the mesh). The smarthub uses ethernet, not wifi. As @Mick_Phelan says, wifi is different from ethernet - someone needs to be in your home to use your ethernet port. Very few home networks require 802.1x authentication.

@Edinburgh_lad1: The fritzbox feature appears to be a VLAN (though it might be implemented differently). It's not an authentication feature. As described, when the feature is enabled, anything connected to LAN port 4 is able to connect to the internet, but is blocked from reaching other devices on the home network (whether wired or not). This is not password secured; anything connected to the physical port simply isn't allowed to reach non-guest devices.

The Draytek link is definitely addressing a business router feature - home office and headquarters.

Mick_Phelan
Tutor

@Edinburgh_lad1 wrote:

Well, are you talking from experience @Mick_Phelan ?


Yes, somewhat.  I was once asked to cost an 802.1X deployment for wired connections on Dell switches; similar functionality to the Draytek link you posted.  The company proceeded with authentication for wireless connectivity, given that wireless connections were possible from outside the building, but did not want the setup or ongoing maintenance cost of using 802.1X for wired connections.  That was over 5 years ago.  Maybe 802.1X is more commonly used now but I have yet to see it implemented for wired connections in the average company.
