The P2P/QR code/port forwarding is how they are gaining access. They do not need your serial number, but in
@Perimeter example, if the delivery driver wanted to hack you, the serial number on the box does make that easier.
There are lots of examples where the security devices (ironic isn't it) are not very secure from the internet and pass information unencrypted before the P2P handshake begins...
Millions of people around the world want the simplicity of Internet of Things (IoTs) to be easy to connect to their system and work. They do not want to deal with security. They wrongfully assume that because they bought it and all they have to do is scan a QR code, that all is good. A manufacturer also doesn't want to deal with endless phone calls from consumers asking how to set something up, so they make it easy.
So these companies create these QR codes/P2P and magically the new device can be seen on the consumers app. Consumer is happy. But, this device has opened up the system to gain easy access to your entire network.
I have a friend that falls under this "I just want to plug it in and scan a code and it works" mindset. Many years ago she bought a Foscam wifi camera to monitor her front door. She plugged it in and pointed it out a 2nd story window and downloaded the Foscam app and scanned the QR code and magically she could see her camera through the magic of P2P.
A few years later she bought a wifi printer and again, simply downloaded the app from the manufacturer and scanned the QR code and she could start printing.
One time in the middle of the night, she hears her printer printing a page. She thinks maybe she is dreaming or hearing things, so she thinks nothing of it and goes back to sleep. Next morning she gets up and indeed her printer did print something in the middle of the night and the printed page says I SEE YOU and a picture of her from her Foscam camera was below the text.
She changes her wifi password in case it was the peeping perv next door that she has caught looking at her from through her window and he guessed her password, which was password because she liked things simple.
Problem still persists. She goes into Foscam app and changes the password to the camera. Problem still persists. She gets a new router and sets up a stronger password for wifi and changed the passwords of all of her devices. Problem still persists. She gets rid of camera and printer.
At some point Foscam issues a security vulnerability and issued a firmware update. Basically the vulnerability was something like when logging into the camera with a web browser over HTTPS, the initial login to the P2P site is done using SSL. But then it establishes a connection to the HTTPS port again (for the media service) and sends all of its commands unencrypted. This means the username and passwords are being sent unencrypted. While this was a security vulnerability found in Foscam, I suspect it is in others as well. I suspect this is how my friend was hacked and someone was sending pictures of her taken from her Foscam camera to her wifi printer that she set up using the QR code.
Many articles on this site and out on the internet show how vulnerable these devices can be. I remember seeing an article of a webpage showing like 75,000 video streams around the world that were hacked into because of these vulnerabilities. I know there is an article someone on this forum where someone posted that many of these cameras do send passwords totally unencrypted and wide open easy to see for anyone knowing what they are doing.
Do not assume that because it is a name brand that they actually have good security on these cameras or any device for that matter. Think about the typical end-user that just wants simplicity to connect. And then think how a company would go about that to provide that simplicity. End result is to provide that simplicity, it comes at a cost and that cost is security vulnerabilities, which is ironic for security cameras. But if it can happen to Amazon/Ring (which is a fairly large company), it can happen to anyone, especially all the no-name brands being sold on Amazon.
For that reason, most of us here prevent our systems from having access to the internet.
