TL;DR Would a potential attacker need to have my Wi-Fi password and be connected to my network in order to read HTTP requests?
Over the past year or so, I have made a few DIY home automation projects. Included in this is a garage door opener. The basic premise of which is that when I want to open the garage, the home automation hub sends an http
(not https
) GET
request (e.g. 192.168.1.xxx/openGarage
) to the DIY IoT device which then opens the garage. (The IoT device will trigger the garage whenever it receives that specific /openGarage
request)
However, for some time now, this has worried me. I was wondering whether an attacker who was not connected to the network would be able to intercept the HTTP get request (192.168.1.xxx/openGarage
) and then be able to replay this get request in order to open the garage without my knowing.
So, my question is: would an attacker need to be connected to my home network in order to intercept this GET
request (/openGarage
) or would they need to bee connected in order to see this?
Thank you in advance for your help,
Kind regards, Rocco
P.S. I understand that making this request an https
one instead would obfuscate the request, however, it is quite hard to implement proper SSL encryption on an ESP8266 which is what I am using for this IoT device. Thus, I am willing to hinge my security on the strength of my WPA2 password. That is, if an attacker would need to be connected to my network in the first place to intercept the request as per the above question.