Just watched the recent KH


G+_Shawn Ashe
Just watched the recent KH. I've used nmap and it is a standard for security. I guess my question is on Fing. When I look at an app that has a purpose of scanning a network, I wonder about its safety.

Do you have a standard process you go through to verify an app is not collecting data and sending it off to who knows where?

I keep a very minimal set of apps on my devices just because of this. Too bad there isn't some sort of app certification service that verifies privacy/security.


Not sure if this is pertinent, but I recently played with the Pi-hole and found out one of my apps was pinging out constantly to its server, which could have been eating up data, so I uninstalled it as it wasn’t really necessary. However, I would have never caught this by scanning with Fing, which I do regularly to help find devices on my LAN. The downside is the Pi-hole slows down my network too much to use 24/7.


+Shawn Ashe. The only way to verify an app's communications is to use Wireshark or another packet capture utility when running it.

We know that Fing is misbehaving, but this is on purpose. A quick example is that it will find devices on VLANs that it nominally doesn't have access to.

Which brings me to a soapbox of mine. VLANs have nothing to do with security or performance/QoS. The only reason they are needed is to separate large LANs with more than 2000 devices.

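The packet-capture check mentioned above, as an added example that is not part of the original thread or any poster's code: it reads a classic pcap file (for example one written by `tcpdump -w`) and totals the bytes one device sent to each address outside the LAN, stepping over 802.1Q VLAN tags. The LAN range, the device addresses and the sample capture are constructed assumptions.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")  # assumption: home LAN range, adjust to yours
def outbound_bytes(pcap, device_ip):
    """Bytes device_ip sent to each non-LAN address, from classic-pcap bytes."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None:
        raise ValueError("not classic pcap (convert pcapng first)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            continue
        etype, pos = struct.unpack("!H", frame[12:14])[0], 14
        # Step over 802.1Q / 802.1ad VLAN tags so tagged traffic is counted too.
        while etype in (0x8100, 0x88A8) and len(frame) >= pos + 4:
            etype, pos = struct.unpack("!H", frame[pos + 2:pos + 4])[0], pos + 4
        if etype != 0x0800 or len(frame) < pos + 20:
            continue  # not IPv4, or truncated
        ip = frame[pos:pos + 20]
        src, dst = ip_address(ip[12:16]), ip_address(ip[16:20])
        if str(src) == device_ip and dst not in LAN:
            totals[str(dst)] += struct.unpack("!H", ip[2:4])[0]  # IP total length
    return totals

def _frame(src, dst, payload_len, vlan=None):
    """Constructed Ethernet/IPv4 frame (checksums left zero) for the sample."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x02" * 12 + tag + b"\x08\x00" + ip + b"\x00" * payload_len

def sample_pcap():
    """Constructed capture: documentation-range remote addresses, not real traffic."""
    frames = [_frame("192.168.1.50", "203.0.113.7", 100),
              _frame("192.168.1.50", "203.0.113.7", 300, vlan=20),
              _frame("192.168.1.50", "192.168.1.1", 60),
              _frame("192.168.1.77", "198.51.100.9", 500)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(outbound_bytes(sample_pcap(), "192.168.1.50").most_common())
```

Wireshark saves pcapng by default, so export as classic pcap before feeding a capture to this function.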

Travis Hershberger Not a networking expert but AIUI, Fing can detect all the devices because they are a single physical network. However a good router can be configured to not allow packet routing between the VLAN segments. So in that respect there is a bit of extra security, enough for home use guest network isolation I think.


Paul Hutchinson, in no way do VLAN segments add security. If I control a device on a guest VLAN, all that's needed to get access to other VLANs is to change the VLAN ID tag. VLANs can add extra network security, but only in combination with other network technologies. Bypassing a VLAN without other security is trivial.

With FING, I've scanned networks while connected to a guest network, and gotten everything on the physical LAN. That's how simple it is to bypass a VLAN without other added security measures.


Travis Hershberger When logged in to my open VLAN guest network and Fing tries to ping anything on the secured VLAN it says unreachable and 100% packet loss. When I scan for services it shows 0 services for anything on the secured VLAN. So while Fing can see the names and addresses it can't get a route from the open side to the secured side.

When logged in to the secured VLAN Fing can ping and get the services list. Sounds like my router is preventing routing from the open to the secured side like I said could be done with a good router.

Having no way to route from the open VLAN to the secured VLAN sure seems like security to me. So I searched and read a bunch of articles, and they all say that what I'm seeing is exactly as I described and is providing security between the two VLANs. So if you have any links to articles that say otherwise I'd love to read them.


Fing collects data so it can sync to your other devices if you have an account set up. According to TOS, it also collects MAC IDs and transmits them to their server for device recognition. This feature can be turned off in settings, which TOS seems to suggest means that data won't be collected/transmitted.

https://app.fing.io/privacy

Collecting MAC addresses seems pretty innocuous. They could do device identification on the phone, but it's probably easier to do server-side. But that's really the world we live in now. Collect what data we can "to better serve the client".


Depending on the setup, I think it would be possible to set up a device to tag the secure VLAN as long as the port was set up to route that VLAN. What I'm not sure about is if multiple VLANs can be tagged on a packet. Like, if your device tags VLAN 20 but your router tags all the traffic on that port as VLAN 10, does the VLAN 20 stick or get replaced?


Ben Reese this is the problem with wifi VLAN tagging. The network port had to be set to forward all VLANs being served by the wifi AP, so all it takes is changing the VLAN tag to a secured one and you're in. Yes, you can secure it in other ways, but they ARE other ways.

Shawn Ashe, sorry to have derailed us from your question.