
How do you secure home networks from IoT and other smart devices?


#1

Continuing the discussion from Will 5G Push Fibre Aside?:

Having just added a Solar PV System to the house we now have one more smart Wifi connected device.

Alarmingly, it has both a broadcast SSID with WEP security (i.e. next to useless), and has also connected with an IP to our home WPA2-secured network, as that is how the iPhone app needs it configured?

What is the best way to take advantage of these devices without compromising the home network?

And is there also a solution for those of us who do not understand that if you have Foxtel you most likely have broadband and a router?


#2

I can never leave a straight line.

Ans: "OK Google, secure my network." All done :laughing:


#3

Typically, we are already into the complex mathematics of the geometry of straight lines and how to divide. :thinking:

For the more challenged amongst us, is connecting a second router to the Ethernet port of the ISP-provided router, and creating a separate network, one answer? It still needs some smarts to ensure the traffic is separated between the two networks.

Alternately many routers allow you to create a guest network. You could use that for all the extra devices.

Of course neither is perfect as having separated the two networks moving content dynamically between the two may not be possible? After all you are trying to stop that from happening?

Do you simply consider your home network for ever more a public network and revert to using a VPN for the majority of your personal use?

There is no paranoia under this hat :billed_cap:.
Hopefully not another marketing specialist either.

P.S. Might “OK Google, secure our network!” be a more effective request?


#4

An edge router will allow you to create (IIRC) four or five separate networks from one broadband connection. Don’t ask me how. :grin:


#5

This entirely depends on your router's capabilities. You can configure two networks with two IP ranges and separate the IoT from other devices.

You can isolate devices on your wireless network so that they cannot communicate with each other (if they only need internet).

Some routers have firewall functionality and you can block IoT devices communicating with your phones using access control lists.

You must:

  • Change the router's default password
  • Keep the firmware up to date.

Then try shutting down services that you don’t use on your router.
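As an added example (not from this thread or any poster), here is what the "two IP ranges plus access control lists" approach above looks like on a Linux-based router using nftables. Interface names (wan0, lan0, iot0) and the two subnets are assumptions for the example.

```nftables
# Added example: nftables ruleset for a Linux router with three interfaces.
# Assumed names and ranges:
#   wan0  - ISP uplink
#   lan0  - main network, 192.168.1.0/24 (phones, laptops)
#   iot0  - IoT network,  192.168.2.0/24 (solar inverter, smart TV, ...)
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # IoT devices may only use the router for DHCP and DNS, never its admin UI.
        iif "iot0" udp dport { 53, 67 } accept
        iif "iot0" tcp dport 53 accept
        # The main network may reach the router itself (admin page, DNS, DHCP).
        iif "lan0" accept
        # Everything unsolicited from the WAN falls through to the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Main network may open connections to the IoT network (for example the
        # phone app talking to the inverter) and to the Internet.
        iif "lan0" oif { "iot0", "wan0" } accept
        # IoT devices get Internet only; the drop policy stops them opening
        # anything toward the main network.
        iif "iot0" oif "wan0" accept
        # Record what the IoT segment tries and is refused, so you can see
        # which device is probing the main network.
        iif "iot0" oif "lan0" log prefix "iot-to-lan blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "wan0" masquerade
    }
}
```

Load it with `nft -f` on the router; the logged "iot-to-lan blocked" lines in the kernel log are the quickest way to confirm the separation is actually being enforced.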


#6

That’s good feedback. Especially if you are comfortable going into the router configuration software. There is some knowledge required to do so. One of our routers allows a guest network to be enabled with a minimum of effort.

Another simpler router to do so requires you to configure the IP ranges, set a mask and open selected ports! Not so simple for many!

That is partly the reasoning for asking about the options.
It is made harder or easier by how your ISP treats you and whether the ISP supplies a decent router. I know many who have a standard Telstra broadband router of whatever vintage that carries the default Telstra configuration. I used to have one that, when supplied, used a WPA encryption key related directly to the SSID. Many users do not have any knowledge of the risks or how to access and change these settings.

Our latest iiNet router's standard configuration is a little better; however, any built-in security - in my example, adding a PV solar power inverter - disappears the moment we attach other devices we have no control over. These necessary devices can communicate with their big brothers and, like smart TVs, also auto-download and install software without our knowledge or explicit permission.

Is it subsequently acceptable for devices to behave this way?
Should all such software/firmware be subject to third party audit and certification before it is released?
Should all broadband users need a license and pass a test before they are connected?
Should all ISP’s meet an agreed configuration and security standard for the devices they supply including remote configuration?

Our solar PV inverter has a two-line info display, is effectively headless, and requires an externally connected device to access its performance. Why does it also need to access big brother?
And to whom does big brother facilitate access to?

True, many of the concerns are no different to having a Google ID and Gmail account, except the power of a headless smart device on the inside of a home network is infinitely greater in what it can discover.


#7

Put them on a separate network. Use three routers, one being the gateway and the other two being your ‘main’ network and your ‘IOT’ network. Start at page 21 of the following podcast transcript:

(If you go up a level at that website, you will find all the shows with downloadable audio, show notes and transcripts.)

There are further iterations of the ‘three dumb routers’ concept; the following article and its comments appear to be well considered additions.

https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity

The suggestion of a Ubiquiti EdgeRouter X router is also valid, as from my understanding (coming from the above-mentioned podcast) they do not permit any interchange between their ports. They are discussed in the following episode.

Unfortunately many or most routers do not have this capability.

We are in a period of immense change in the computing world. IoT devices can cost pennies to manufacture, and there are plenty of companies willing and able to go into business without worrying about end user security.

I expect that a few years from now things will have settled down, there will be some basic security standards either imposed on the industry or by the industry for devices, and we will all live happily ever after.

It isn’t just IoT devices such as a baby monitor that uploads video to the web, available to anyone who can guess your username. Unpatched security holes in routers, or in server software, are enabling massive breaches and botnets.

We are only relatively new to the idea of IT security, and even newer to the idea of securing everything on the Internet! Microsoft has finally (almost) figured out how to do it right in Windows; Apple and Google are probably in the same range of proficiency, but Google’s partners vary from ‘regular updates’ to ‘what’s an update?’.

It is likely that at some point in the future there will be a ‘stamp of security’ that you can trust for an Internet-connected device. Probably operated by manufacturers who are sick of the low quality stuff that’s poisoning the Internet, it will require functions such as regular automatic updates, limitations on Internet access depending on the device’s purpose, and similar kinds of security. Unfortunately, we are not yet there - and when you are designing one of these devices security is not an add-on, it is a fundamental feature. It is incredibly easy for bugs to slip past, even if you do use third party auditing, so as matters stand you can assume that every Internet-connected device you own has at least some bugs.

There is one other advancement that may make the Internet secure. I cannot remember the terminology, but it is the concept of an ‘error-free’ programming language/tool that does not provide for the easy mistakes that might be made in a million or more lines of code. I suspect it is a while away.