The move to IOT devices

Hello all,

After reading Paul’s venture into smart lighting and the rise of the AI voice assistants Echo and Google Home, I am now leaning toward getting in on the action. However, I am still concerned about the security issues IoT devices bring with them.

With that in mind, what is the best way to secure these devices within a home network? Or is it even a concern? My thought was to take my existing router (a Netgear Nighthawk X6) and attach an old router I have (an Actiontec C1900a) via a VLAN port, then use the Actiontec’s 2.4 GHz band for all IoT devices. On the Actiontec I would deactivate the 5 GHz band and on the Netgear deactivate the 2.4 GHz band to eliminate interference. Would this prevent the IoT devices from being able to see my data on my personal devices (phones, tablets, PCs)?

Is this too overthought? Is there a better solution? I have heard of using the guest network on the router for IoT, but since the devices can’t see each other I would imagine that would gimp the voice assistant’s ability to control the devices.

Long thread over. Thanks for your advice.

Todd

7 responses to “The move to IOT devices”

  1. wunderbar

    Having 2 routers doesn't mean that your devices won't be able to communicate between them. In fact, you kind of need them to be able to communicate, otherwise you won't actually be able to control any of the devices from anything but those devices. I.e., if you want to be able to use your phone or voice to control light bulbs, the 2 routers would *have* to be able to talk to each other. And in reality, I can almost 100% guarantee that not every Wi-Fi device you own supports 5 GHz, so then you can't even put every non-IoT device on a router that is 5 GHz only.


    And a lot of smart home devices don't actually use Wi-Fi anyway. Philips Hue, for example, uses a hub that plugs in via an Ethernet cable, and the bulbs connect to that through a protocol called Zigbee, which is a mishmash of Bluetooth-like technology. The bulbs do not use Wi-Fi at all.


    Honestly, the best you can do is only use reputable/known vendors that are more likely to keep things up to date. To keep the same example, use Philips Hue lights instead of a knockoff brand you've never heard of, etc.


    If you wanted to get crazy you could use a router with good firewall rules and try to block the IoT devices from being able to communicate with the internet, but that could also interfere with the normal functions, because again, updates come from the internet, etc.


    tldr: yeah, you're kind of overthinking it, because there isn't really all that much you can do to have a fully functional system and also have it be 100% isolated from a main network.

    • rtodd_us

      In reply to wunderbar:

      "Having 2 routers doesn't mean that your devices won't be able to communicate between them."


      Won't a VLAN port prevent the devices on one router from communicating with anything else not on that VLAN port, or is that wrong?


      "if you want to be able to use your phone or voice to control light bulbs, the 2 routers would *have* to be able to talk to each other"


      The idea is that the Philips hub would be connected to the network the old router provides, and to control the lights via phone it's just an internet connection, right? Or do I have that wrong? I assumed that if you could control your lights from outside your home/network, it didn't matter if it was on the local network.


      "tldr: yeah, you're kind of overthinking it, because there isn't really all that much you can do to have a fully functional system and also have it be 100% isolated from a main network."


      That's kinda where I'm leaning although articles like this don't make me feel confident and why I am hesitant:

      https://www.cnet.com/news/new-study-details-a-security-flaw-with-philips-hue-smart-bulbs/

      • wunderbar

        In reply to rtodd_us:


        Won't a VLAN port prevent the devices on one router from communicating with anything else not on that VLAN port, or is that wrong?


        Sure, but then what's even the point? The entire idea is that you want to be able to control the devices from the LAN. If you can't then why are you even doing it?


        The idea is that the Philips hub would be connected to the network the old router provides, and to control the lights via phone it's just an internet connection, right? Or do I have that wrong? I assumed that if you could control your lights from outside your home/network, it didn't matter if it was on the local network.


        If you're concerned about security this is the backwards approach. You shouldn't be worrying about protecting/restricting LAN access, you should be worrying about protecting/restricting WAN/internet access. This is like putting a lock on the door between your living room and kitchen, but then leaving the front door open so the bad guys can get in and then try to pick the locks between your living room and kitchen.

        • rtodd_us

          In reply to wunderbar:

          If you're concerned about security this is the backwards approach. You shouldn't be worrying about protecting/restricting LAN access, you should be worrying about protecting/restricting WAN/internet access. This is like putting a lock on the door between your living room and kitchen, but then leaving the front door open so the bad guys can get in and then try to pick the locks between your living room and kitchen.


          I'm a newb at this so I am only getting information from the experts over at DSLReports. However, I think the idea is that you have an ER-X router front-ending the two other wireless routers (one secure, one IoT) and providing DHCP from the ISP (it has more robust controls). From that, the other routers will be connected via VLAN ports to their WAN ports. Double NATing the addresses might cause a problem, but also provides a layer of security (?). However, if you DMZ the secure router that keeps that from being an issue. They call it a 3-layer security. However, another poster suggested that the 3-router setup might be vulnerable to a man-in-the-middle attack. His suggestion was to use a VLAN:

          "I use two VLANs for these devices, except wirelessly because most of these devices lack Ethernet ports. One VLAN is for Apple stuff that needs to communicate and the other VLAN is for everything else. I have set up firewall rules to prevent routed communication with other local subnets and set client isolation on the second VLAN. I also do policy based routing to send the non-Apple traffic over a VPN connection.


          I could do what you suggest by using different SSIDs, but that does not scale well. Firewall rules restrict communication with router ports to just DHCP and DNS, while I believe that pfSense operates separate daemons for each subnet (although I need to check). What concerns me is the possibility of a MITM attack over Wi-Fi where a compromised client device acts as the AP for another client device and then attempts further infection. It would be possible to use aircrack-ng type techniques to capture a WPA2 handshake, send it to a remote server farm and crack it, so this attack could be expanded to operate across segments.


          That means that even if I used different SSIDs, the other devices are not strictly safe. I do use long random passwords, but there is the third possibility of these devices somehow compromising my enterprise AP, which would make it game over. :/


          By the way, the enterprise technique that comes to mind as “solving” this is 802.1X, but that does not provide any way for the clients to validate the AP, and these devices would not support it even if it did."

  2. rtodd_us

    So I got on the DSLReports forum and posted this topic there and got some really helpful advice. The overall consensus was to do a three-router setup using an ER-X router as the front end and then use VLAN ports to go to the other two routers: one router for non-IoT devices and the other for IoT devices. Here is the full discussion for those interested.


    http://www.dslreports.com/forum/r31652367-Other-How-to-secure-IoT-devices-in-home-network-for-a-newb

  3. rtodd_us

    I finally got my IoT network set up and posted this to the DSLreports forum, but I figured this might help someone here looking to secure the IoT devices.


    Sorry for the long delay in writing a follow-up, but I was doing some research, buying things and getting friends to consult. This is what I finally ended up doing. First I got the ER-X, as was mentioned in the thread. I set it up using the rules set up by this guy:

    EdgeRouter IoT/Guest Network Isolation

    »www.youtube.com/watch?v= ··· fos&t=1s

    I then took my Actiontec C1900a and turned off DHCP to make it into an access point and plugged a LAN port into the IoT-configured port on the ER-X. I then configured my Netgear into an access point and plugged it into one of the switch0 ports. To test, I plugged my laptop into the Actiontec router (i.e. the IoT router) and ran ipconfig. Confirmed it was on the subnet that I assigned to the IoT network. I then tried to ping my router and got no response. I then tried to ping one of my devices on the Netgear and again no response. I then went online and was able to surf the web. So it appears I have isolated my IoT network from the rest of my network, but can allow the IoT devices to phone home via the internet. My next venture will be something like this: »wnmctech.blogspot.com/20 ··· _28.html


    Thanks again to everyone who chimed in to help this old newb.
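The isolation rules described in the thread (the quoted DSLReports poster's "restrict communication with router ports to just DHCP and DNS" and rtodd_us's final ER-X setup, where IoT hosts can reach the internet but not the router or the other VLAN) boil down to a small, order-sensitive ruleset. The following is an added example, not code from the thread, the linked video or an EdgeRouter configuration: it models that ruleset in Python and runs it over a handful of constructed flows, including the three checks rtodd_us performed (ping the gateway, ping a LAN device, reach the internet). The subnets 192.168.1.0/24 (LAN) and 192.168.20.0/24 (IoT) and the gateway address are assumptions; substitute your own. The mis-ordered variant shows why the DNS/DHCP exception has to come before the blanket private-address drop.

```python
"""Model of an IoT-VLAN isolation policy. Addressing is assumed, not taken from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed addressing: substitute the subnets you actually assigned to each VLAN.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # trusted devices (phones, tablets, PCs)
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # IoT VLAN
IOT_GATEWAY = ipaddress.ip_address("192.168.20.1")  # the router's address on the IoT VLAN
BROADCAST = ipaddress.ip_address("255.255.255.255")  # DHCP DISCOVER destination
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    in_iface: str              # VLAN the packet arrived on: "iot" or "lan"
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    established: bool = False  # reply to a connection the stateful firewall already tracks


def is_private(addr: ipaddress.IPv4Address) -> bool:
    """True for any RFC 1918 address: the router itself and every other local VLAN."""
    return any(addr in net for net in RFC1918)


def iot_policy(f: Flow) -> Tuple[str, str]:
    """Rules for packets entering from the IoT VLAN; first match wins.
    An EdgeRouter splits these into an 'in' ruleset (transit traffic) and a 'local'
    ruleset (traffic addressed to the router); they are merged here for readability."""
    dst = ipaddress.ip_address(f.dst)
    if f.established:                                   # replies to LAN-initiated sessions
        return "accept", "established/related"
    if f.proto == "udp" and f.dport in (53, 67) and dst in (IOT_GATEWAY, BROADCAST):
        return "accept", "dns/dhcp to gateway"          # the only router services IoT needs
    if is_private(dst):                                 # gateway pings, LAN hosts, other VLANs
        return "drop", "rfc1918 destination"
    return "accept", "default (internet)"               # lets the devices phone home


def iot_policy_misordered(f: Flow) -> Tuple[str, str]:
    """Same rules with the private-address drop placed first: DNS and DHCP now fail."""
    dst = ipaddress.ip_address(f.dst)
    if f.established:
        return "accept", "established/related"
    if is_private(dst):
        return "drop", "rfc1918 destination"
    if f.proto == "udp" and f.dport in (53, 67) and dst in (IOT_GATEWAY, BROADCAST):
        return "accept", "dns/dhcp to gateway"          # unreachable for the gateway address
    return "accept", "default (internet)"


def lan_policy(f: Flow) -> Tuple[str, str]:
    """Trusted LAN may initiate to anything, including the Hue hub on the IoT VLAN."""
    return "accept", "trusted lan default"


def evaluate(f: Flow) -> str:
    """Verdict ("accept"/"drop") for a packet, chosen by the VLAN it arrived on."""
    policy = {"iot": iot_policy, "lan": lan_policy}[f.in_iface]
    return policy(f)[0]


# Constructed sample flows mirroring the tests described in the thread.
SAMPLE_FLOWS: List[Flow] = [
    Flow("iot", "192.168.20.50", "93.184.216.34", "tcp", 443),     # bulb hub phoning home
    Flow("iot", "192.168.20.50", "192.168.20.1", "udp", 53),       # DNS lookup via gateway
    Flow("iot", "0.0.0.0", "255.255.255.255", "udp", 67),          # DHCP DISCOVER broadcast
    Flow("iot", "192.168.20.50", "192.168.20.1", "icmp"),          # ping the router: dropped
    Flow("iot", "192.168.20.50", "192.168.1.10", "icmp"),          # ping a LAN device: dropped
    Flow("iot", "192.168.20.50", "192.168.1.10", "tcp", 445),      # SMB toward a LAN PC: dropped
    Flow("lan", "192.168.1.10", "192.168.20.50", "tcp", 80),       # phone talks to the hub
    Flow("iot", "192.168.20.50", "192.168.1.10", "tcp", 0, True),  # hub's reply to the phone
]


def run_samples() -> List[Tuple[Flow, str]]:
    """Evaluate every sample flow and return (flow, verdict) pairs."""
    return [(f, evaluate(f)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in run_samples():
        print(f"{flow.in_iface:>3} {flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport:<3} {verdict}")
```

The `established` flag is what lets a phone on the trusted LAN open a session to the hub and still get replies back while the IoT VLAN cannot initiate anything toward the LAN; without a stateful first rule you would have to poke per-device holes in the opposite direction.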
