See and/or check channel SmartThings WiFi

Hello,
I just got a SmartThings WiFi 3-pack for my new house, which is large with heavy walls. Two (so far) are using my ISP’s slowest product. That’s the network I’m going to put my home automation devices on, and my guests on. When the new Orbi routers come out I’m going to connect them to my ISP’s fastest product for streaming, printing, etc. for my wife and me to use. Yes, I am purchasing two products from my ISP, and yes I am being super cautious about keeping home automation segregated.

My question is, how can I find out what channel my SmartThings WiFi routers are using? If I know that I should be able to set the channels on my Orbis to stay out of the way. I’m guessing that one answer will be that the two sets of routers will automatically stay out of each other’s way, but that sounds like a recipe for thrashing.

My research in this community mostly is kind of old and not related to SmartThings WiFi.

Thanks,
Michael

As far as I know they should stay out of the way, between the Plume on ST and the Orbi’s onboard software.

That said why a separate network? And I’m not trying to sound trite… What security threat are you trying to protect from?

  1. ST is mostly not Wi-Fi and if you have ST it’s generally much easier to use ZWave or Zigbee, not wifi when possible.
  2. If you’re using wifi switches then most likely you’re connecting them to a foreign cloud provider, which IMHO your vector is that cloud, not your devices. Because I could never trust that cloud I’m not only not getting devices that connect to it, I’m not cloud to cloud connecting it to Alexa, GH, ST or any other cloud.
  3. HA wifi traffic is minimal with the rare exception of certain IP cameras while streaming, so it’s not a bandwidth issue.
  4. Zigbee and wifi 2.5 GHz share the same radio space, so now with two of your wifi mesh networks trying to not interfere with each other, they will spread out on opposing ends of the spectrum, and completely smash your Zigbee channel. OK that’s a bit of hyperbole, but chances are your Zigbee connectivity will suffer.
  5. Which network are you connecting your home entertainment systems to? You’ll eventually want to automate those too and you’ve just segmented the network. If you poke a hole, you lose the reason for segmentation.

Personally I don’t see any threat here worth the expense (two high-end mesh networks, separate providers, routers etc.) or headache of segmentation… There are a handful of other network segmentation threads on the community site where this is discussed in detail. Generally accepted practice is save the money and use best practices on one rather than trying to properly manage two.
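The Zigbee/Wi-Fi overlap raised in point 4 above can be checked numerically once the Wi-Fi channels are known. This is an added example, not part of the original post: it uses the standard channel centre frequencies for the 2.4 GHz band, assumes non-bonded Wi-Fi channels with a conservative 22 MHz mask, and the channel numbers for the two meshes are constructed sample values.

```python
# Added example: which Zigbee channels are overlapped by the Wi-Fi channels in use.
ZIGBEE_CHANNELS = range(11, 27)  # IEEE 802.15.4 channels in the 2.4 GHz band
ZIGBEE_WIDTH_MHZ = 2.0           # occupied bandwidth of one Zigbee channel
WIFI_WIDTH_MHZ = 22.0            # assumption: conservative mask, no 40 MHz bonding


def wifi_center_mhz(channel):
    """Centre frequency of a 2.4 GHz Wi-Fi channel (1-14)."""
    if channel == 14:
        return 2484.0
    if 1 <= channel <= 13:
        return 2407.0 + 5 * channel
    raise ValueError(f"not a 2.4 GHz Wi-Fi channel: {channel}")


def zigbee_center_mhz(channel):
    """Centre frequency of a Zigbee channel (11-26)."""
    if channel not in ZIGBEE_CHANNELS:
        raise ValueError(f"not a 2.4 GHz Zigbee channel: {channel}")
    return 2405.0 + 5 * (channel - 11)


def overlapped_zigbee(wifi_channel):
    """Zigbee channels whose band intersects the given Wi-Fi channel."""
    lo = wifi_center_mhz(wifi_channel) - WIFI_WIDTH_MHZ / 2
    hi = wifi_center_mhz(wifi_channel) + WIFI_WIDTH_MHZ / 2
    hits = []
    for zb in ZIGBEE_CHANNELS:
        zb_lo = zigbee_center_mhz(zb) - ZIGBEE_WIDTH_MHZ / 2
        zb_hi = zigbee_center_mhz(zb) + ZIGBEE_WIDTH_MHZ / 2
        if zb_lo < hi and zb_hi > lo:  # strict: touching edges do not overlap
            hits.append(zb)
    return hits


def clear_zigbee(wifi_channels):
    """Zigbee channels not overlapped by any of the Wi-Fi channels."""
    busy = set()
    for ch in wifi_channels:
        busy.update(overlapped_zigbee(ch))
    return [zb for zb in ZIGBEE_CHANNELS if zb not in busy]


if __name__ == "__main__":
    # Constructed sample: one mesh on channel 1, the other on channel 11.
    meshes = {"SmartThings WiFi": 1, "Orbi": 11}
    for name, ch in meshes.items():
        print(f"{name} on Wi-Fi {ch} overlaps Zigbee {overlapped_zigbee(ch)}")
    print("Zigbee channels left clear:", clear_zigbee(meshes.values()))
```

With the two meshes at opposite ends of the band, the Zigbee channels between them and channels 25 and 26 stay clear; a third Wi-Fi network on channel 6 would leave only 15, 20, 25 and 26.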

FWIW, I do run a separate Wi-Fi network for my home automation system.

That’s because as a quadriparetic, the reliability of the home automation system is really important to me. And I have two unreliable housemates, which is to say, the entertainment network does occasionally get viruses on it and even denial of service attacks because one of them in particular will download a lot of torrent trash. :confounded:

I know not many people do this, but I’m not the only one. :wink:

2 Likes

Well, unreliable roommates are a different reason entirely. If I were back in college with roommates again I’d have my own wireless network, period. :sunglasses:

2 Likes

There are a number of smartphone apps that will turn your phone into a rudimentary Wi-Fi analyzer. You’ll be able to see the channels occupied by your system and neighbors that are in range.

Thanks for the detailed response Nathan. As I was working up an equally detailed reply, I gradually came around to the idea of using Plume to achieve an acceptable level of security. For example, I am going to put my ADT system on a Guest network where the only devices the ADT devices can see are other ADT devices.

My change of heart was a combination of a) realizing I can’t plug ALL the holes no matter how hard I try, and b) getting more knowledgeable about Plume features. As well, I will be very picky about what HA devices I use.

Thanks again for your reply. It set me on a more reasonable path.

– Michael

2 Likes

Glad it helped, look forward to seeing what you come up with. Apparently you don’t have unreliable roommates, then :slight_smile:

Here are the elements of my home automation security plan.

  1. Only buy devices from companies that have a known security solution and update firmware regularly. For example, use ST devices, but don’t use LifX.
  2. Put guests on internet-only networks.
  3. Use Plume’s AI Security product, specifically: the Advanced IoT protection product, which uses AI to watch for suspicious activity in the HA network; and the Online Protection product, which uses AI to watch for known malware.
  4. Put installers, like the ADT installer, on a guest network.

What I’m missing is a way to segment the network for families of HA products. For example, I want my ADT devices to be able to talk to each other, but I don’t want them to talk to any other devices, and I definitely don’t want any other devices to talk to them.

I tested this by installing an ST bulb on a Plume Guests network, then installing an ST button on the full Home network, and the button could access the bulb. What’s confusing is why the two devices don’t show up in Plume as devices I can give or remove access to in the Guests UI.

Thanks

Which bulb and button specifically? As JD says Model numbers matter in Home Automation. As far as I know ST native bulbs and switches and things are ZigBee, so I wouldn’t expect them to show anywhere in your WiFi network…

1 Like

They are Zigbee devices. Unless I’m mistaken (which would be great) Zigbee and Zwave devices don’t confer any protection just by virtue of the protocol they use. And the ST Hub component of my ST WiFi router doesn’t either, right?

Looks like I won’t be able to achieve great device segregation using Plume HomePass. HomePass user segregation is great, but once a device is installed, it can see and be seen by all other devices on the network, according to my light-and-button test. Even when the HomePass account that installed them has been destroyed, they can still see each other. My HA safety will depend on Plume’s AI analysis of my HA devices’ behavior. That, and buying devices designed with security as a feature. That’s a fairly thin safety net, but it’s better than nothing.

Am I missing something here?

– Michael Stallings / mstallings@mac.com

Ok Michael - you made me make a diagram just so I know we’re speaking the same language. :slight_smile: Note this is probably not at all perfect and WAY oversimplified and if anyone from ST corrects us - use their explanation instead. :slight_smile: This is how I understand the logical assembly of the ST Wifi:


Yes there’s a 2.5GHz network there too, and other APs but you can get the idea here.
The blue box is the actual device, the white boxes inside are how I understand them to be connected internally. It’s no different than if you had a WiFi Router and a ST V.3 hub sitting next to each other on a table, they just happen to be in the same box.

So to get to the Wifi network from the Zigbee Network (assuming it is possible and an attacker is successful, of course) one would have to traverse the zigbee network into the hub, own the ST hub (and your account), then compromise the WiFi network. Zigbee, Zwave, WiFi and Bluetooth (if Samsung enables it) are all segmented from each other at the ST Hub. Or alternatively, they have to own the ST cloud, then your hub and then out from there. (Which quite honestly, the cloud inward vector due to compromised creds is the more likely option.)

To protect mine I have physical security protecting my networks - cameras making sure nobody can sit outside my house and compromise Zigbee or ZWave, or WarDrive my WiFi network. My gear is in a secured closet where possible, yes I have one in the clear but good luck finding it. You already have to be in my house. I disabled old authentication protocols on my WiFi network. I only use ZWave or Zigbee HA endpoints for sensors and actuators (No TuYa WiFi switches here). I don’t bother hiding my SSID - someone who knows what they are doing can get it anyway.

To protect my perimeter - I’m religious about keeping my firmware up to date on the perimeter router. Check regularly, apply it immediately, and complain to the vendor if they mess up.

To protect the cloud, I only install SmartThings Apps I have reviewed and use multi factor auth (MFA) on not only my ST cloud - but anything I connect to it that supports MFA. (Such as Amazon) So if Mr. Badguy tries to come in that way, my phone starts to go nuts with auth attempts.

Does that help?

Yes, that helps a lot! Thank you. The key point is what the ST hub is doing. The weak point is, as you say, a local threat to one of the 3 networks. To address that, I’m thinking about a battery of surface-to-surface missiles hooked up to AI-powered cams that can identify war driving behavior at a distance. But that may be overkill, so to speak.

Are there any SmartThings white papers or links that explain this in detail? Any Plume material? I haven’t been able to find any. Same with ADT’s ZWave technology. I’m having that installed today (not using the ST-ADT hub) and how it interacts with the ST Hub is of interest to me.

Thanks again for taking the time to explain it.

Michael Stallings

mstallings@mac.com

1 Like

Must. Get. Missiles… :slight_smile:

1 Like