Have I created an unsecured port with this device?

[Jester]

I'm fairly lost when it comes to network security, this is for home network with wifi router provided by local internet provider.

I recently installed one of these wifi interface door switches and installed the accompanying smartlife app on my iphone. FWIW It seems to work well.

https://www.amazon.ca/dp/B07M5GWSJZ?psc=1&ref=ppx_yo2ov_dt_b_product_details

How secure or unsecure are these things?

It's not obvious exactly how these work? My best guess is once you have paired the switch with the ap and provided the local wifi password, when the switch is activated it sends a message to some cloud based server, and then that server sends a message to the ap. I wanted to make sure it would work when my iphone was not near the home network and to test that I turned my phone off, activated the switch and then drove well out of wifi range and powered up the phone. I received the alert within about 30 seconds.

In reading some reviews of this ap, some claimed there was an excessive amount of data transfers occurring between the servers supposedly in China and their router after installing the system. I have no idea if this is just fear mongering, or something I should be aware of and possibly do something about.

Comments and suggestions please.

[Shonky]

The server doesn't send a message to your AP (I read AP in you post as access point but you meant app I see rereading) when the device is triggered. Basically your phone also connects to the cloud service too. So when the notification occurs from the device your phone can receive it back on that connection. If your phone is just inside your LAN connected to the AP, an outside cloud service can't just send it a notification. The phone needs to create connection so it doesn't matter where it does that from and hence it works anywhere the phone also has access to the interner/cloud.

One of the main concerns with these sorts of devices is that they live inside your LAN so have access to anything unsecured. They also have full internet access in most user's homes. That internal access could be a NAS with open file shares or anything.

Also, because you've also given the device your WiFi details there is also some chance it could transmit or leak them.

For this reason some people prefer to put "IOT" type devices like this on to a separate VLAN and/or separate WiFi network to prevent them accessing the rest of your network. They still have access to the internet which is needed for their cloud service.

[ataradov]

This is a device on your network, it has access to the same resources all other devices have. And yes, in theory it can receive commands from remote servers and it can send information from your network. It still would not have access to password-protected resources.

I would not panic about it, but consider what other resources are available on your network and if any of that may be of interest. In many cases the concern here is not the makers of the device, they often don't care. But the concern is the third-party attackers, who often exploit security holes in products like this (and they always have holes, because makers really don't care). This is especially true for security cameras, where footage can be leaked. The doorbell itself is not that valuable, but it might be an entry point into your network.

[Shonky]

Also to test such things you can generally just turn your WiFi on your phone off and it will switch over to cellular. It doesn't matter if you're still right next to the device if it's WiFi only. No need to go for a drive

[Jester]

For this reason some people prefer to put "IOT" type devices like this on to a separate VLAN and/or separate WiFi network to prevent them accessing the rest of your network. They still have access to the internet which is needed for their cloud service.

A separate WiFi network seems like it might be good idea. The present setup is a cable modem from internet provider that then uses Wifi for all devices in the house. I don't have a PC running all the time so I don't think virtual is an option. If I were to implement a second network, what hardware would be required and how would I physically connect and configure the new network?

Quick read leads me to believe I just need to setup a guest password on existing modem and use that for the iot devices and that should prevent the iot stuff or anyone who hacks their way to them from seeing anything else in the house, does that sound correct?

[ataradov]

Yes, if your router has guest network option, it is a good idea for isolating random IoT stuff. The only issue is that you will lose local control from the phone because the phone would be on a real network. So, you will always go through their servers.

[Shonky]

Yes, if your router has guest network option, it is a good idea for isolating random IoT stuff. The only issue is that you will lose local control from the phone because the phone would be on a real network. So, you will always go through their servers.

Yep. Probably not an issue here but the round trip can become a nuisance for home automation where you might have a PIR switching a light on and you want it as near to instantaneous as possible.

A proper router with a DMZ that's accessible from the real LAN to the guest LAN (not in reverse) *might* help but the average consumer grade types usually just completely split the two networks.

Even with the a DMZ it significantly depends on how the devices actually communicate and find each other on the LAN and so probably they still won't talk directly.