As discussed in the article above, the FBI has recommended that we keep our smart home devices on a separate network so that the bad security on your refrigerator doesn’t compromise your laptop.
Recently, there has been a spate of articles about security problems with Ring products, which only serves to illustrate the FBI’s concern: the security on a lot of our smart home products is crap.
I have my modem/router from the ISP set up as the IoT network. I have another WiFi router attached to the modem via Ethernet, which then creates a subnet with Ethernet and Wifi using different SSIDs.
IoT Network
SmartThings Hub (ethernet)
Philips Hue Hub (ethernet)
Thermostat (WiFi)
Smart washing machine (WiFi)
Smart refrigerator (WiFi)
2x ArloQ cameras (WiFi)
Chromecast device connected to stereo receiver (WiFi)
Router for main network (Ethernet)
Main Network
Computers and laptops (ethernet and WiFi)
Phones and Tablets (WiFi)
Printer (Ethernet)
Dish Hopper and Joey (satellite TV set top boxes) (Ethernet)
Two smart TVs (Ethernet)
Two Blu-Ray players (Ethernet)
Smart speakers (1x Google Home Mini, 2x Sony LF-S50G) (WiFi)
Stereo receiver for home theater (Ethernet)
NAS (Ethernet)
Secondary router broadcasting same SSID (Ethernet)
Let me try and explain my reasoning here, and I’m asking for advice on my setup regarding which devices are on which network.
Most of the TVs and home theater stuff is connected via Ethernet. I have left them on the “main” network because they need to be on the same network as computers and mobile devices for casting, and because they’re on Ethernet. I may be willing to set up multiple WiFi networks, but there’s no way I’m going to deal with having two separate Ethernet networks in my home. That’s more work than I’m willing to put in.
My main question is the smart speakers. While I do occasionally cast from one of the mobile devices to play music on the Sony smart speakers over WiFi, I could just as easily use verbal commands to play my music on a given speaker. What do you guys think? Should the smart speakers go on the IoT network, or remain on the “main” network where the laptops, computers, mobile devices, and home theater stuff is?
I invite comments about the rest of my network setup. Should I move all the home theater stuff to the “IoT” network with all the other smart home devices? I like the reliability of having those devices on Ethernet, but I could move them back to WiFi and put them on the “IoT” network if that would be a good idea. Of course, that would make casting a hassle, but I can work around that or forgo casting.
I think the FBI needs to stop making network engineering recommendations…
Segregation of the network isn’t the answer. It creates the kind of complication your post highlights… Good password practices (specifically strong passwords not reused between sites) with Two Factor authentication are a better option.
Yes, and the recent problems with Ring doorbells would not have been helped by that, if I remember correctly, and the washer & refrigerator (among the more problematic types of devices) don’t seem to have two factor authentication available at all.
Not necessarily true. If devices have their own built in services that are hackable with weak passwords, or are not patched, then maybe. Any good hacker who really wants to get to your stuff will work around all that complexity you’re proposing.
Let’s start with the Ring security issue linked in the first post. Would two-factor authentication (I don’t even know if Ring has it) have prevented this specific issue?
Many of my devices (generally the ones I’m more suspicious of) do not have two-factor authentication available at all.
And yes, I understand that any hacker who really wants in can get in with enough patience and know-how, but the whole idea of security is not to make anything perfectly safe (that’s impossible) but to make it more obnoxious to get in, particularly for people with low skills.
Yes, Ring offers 2 factor. Via the hamburger menu in the Ring app, go to Account and then under Enhanced Security turn on “Two-Factor Authentication”.
I don’t know the details surrounding the recent Ring incidents, but I suspect hackers accessed the cameras through the Ring app via compromised credentials. If 2FA was enabled, the owner’s mobile phone would have been prompted to validate access being attempted by the hackers; so yes it should have prevented certain incidents.
First, a comment on the ring vulnerability. It was bad, but mostly for people who were individual targets. Not a general breach.
The potential hacker would have to be within range of your Wi-Fi to carry out this attack.
While this attack can only take place during the video doorbell’s setup process, a hacker could also send fake messages to the person to trick them into setting up the doorbell again, the researchers said.
No, two factor authentication (which ring does have) wouldn’t have prevented it because the vulnerability occurs during initial set up. You haven’t turned on two factor authentication yet. Like many devices, ring has its own little Wi-Fi network when you’re doing the original set up, and they didn’t have that encrypted. Stupid in 2019, but again very few people would’ve been victims because the hackers would’ve had to be going after them individually and physically be close to the house. And have perfect timing.
Ring has standard 2FA. Once your Ring account is set up and you turn on 2FA, then anytime after that when anyone tries to sign into your account on any device, even if they know your password, before letting them into your account ring will send a numeric code to the phone number registered with the account. Then that authentication code must be entered before access to the account is allowed. So the two factors are the permanent password and the temporary authentication code, which changes every time.
If the malefactor knows your password and physically has possession of your phone, they’ll be able to get into your account (like a malicious significant other), but you won’t be the victim of random drive by hacking even if someone gets hold of your password from a crack site.
As I’ve mentioned before in the forum, I’m one of those people who has always run multiple networks. I also have two laptops, one for entertainment, one for higher security stuff. (I also have two housemates who are pretty typical guys under 35 who access a lot of sites I don’t want anywhere near my financial information.)
I always consider streaming video/audio to be high risk, so those go on the entertainment network.
Financial and medical records are on a different network.
Home automation is on a third network which is shared with my own TVs and entertainment devices, but not those of my housemates. That’s because I’m quadriparetic and I need a high degree of reliability.
My medical monitoring system is on its own network. As is my security system.
I’m sure that sounds like a lot of work to most people, but I was a network engineer before I got sick, and to me it’s just sensible.
So for me, my echoes go on my home automation network. My housemate’s Google home goes on the group entertainment network.
BTW, I try really hard to avoid teaching network engineering 101 in this forum, but an ethernet VLAN is pretty easy to set up if you have the right hardware. Wi-Fi is not a requirement.
I do not advocate multiple vlans or networks in HA except in specific rare circumstances. Most people do not understand how they really work and segregated networks poorly done are almost always less secure (and even create a false sense of security) than one really well secured and managed one using current best practices. If you’re a network engineer or IT person who really (and I mean really, trust me there’s plenty of people in the business who don’t) understands the tech and its complexities, go for it. This is coming from someone who understands TCP at the bit level, and how Windows Domain Controllers communicate with each other at the code level… I don’t have the time or the patience to properly manage a segregated network in my home nor do I really want to.
Protecting the credentials well and keeping your updates installed will be much better in the long run for the casual user. Besides, the days of building really big walls around the fortress mode of IT Security are way over. Protect the data as close to where it lives as you can… Don’t rely on the transport to do it for you. Most attacks these days are centered on either owning your credentials or installing ransomware on a workstation. The attacks that are mentioned above would not be covered by 2FA in that one specific setup attack, true… But that’s a risk I am personally willing to take because where I live it’s pretty difficult to park an inconspicuous white van in wifi range.
I can talk my mom through using a password manager on the phone and explain why it’s bad to reuse passwords… Repairing a poorly planned vlan that someone bridged… Nope.
Thanks for all the input, guys. I’m pretty sure I have everything reasonably locked-down, updated, etc., but the truth is, I’m not as careful with home stuff as I probably should be.
I originally had the WiFi on the ISP’s modem turned off and was just using the router parts of the modem as an extra firewall, so configuring two different networks was fast and easy, and I think I’m going to leave my network as-is. Computers, mobile devices, NAS, smart speakers, and media devices will live on the “main” network, while all the other smart home stuff will be on the “outer” “IoT” network created by the modem/router from the ISP.
From the point of view of the devices on the “main” network, the only thing that changed was the WiFi router got turned on on the modem. Please explain what a “double NAT” issue is, but if the arrangement of routers was a problem, I would have had it before this.
The secondary router on the “main” SSID does need frequent reboots, but that router has always been troublesome like that, even when it was the only router in the house and I was using a modem that didn’t have a router built into it. That’s why it’s currently relegated to acting as an ethernet-connected network extender of sorts.
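The “double NAT” question in the last post, illustrated with an added example that is not part of the thread: a small Python model of the two-router layout described above (ISP router hosting the IoT network on the outside, second router creating the main LAN on the inside), showing why main-LAN hosts can reach IoT devices, why unsolicited IoT-to-main traffic is dropped at the inner router, and why mDNS-based cast discovery cannot cross it. All addresses and hosts are constructed for illustration.

```python
from dataclasses import dataclass, field

IOT_NET = "192.168.0."        # outer network on the ISP modem/router (constructed)
MAIN_NET = "192.168.1."       # inner network behind the second router (constructed)
INNER_WAN_IP = "192.168.0.2"  # the second router's own address on the IoT network


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def is_multicast(ip):
    # mDNS (224.0.0.251) is what cast discovery relies on; routers do not forward it
    return ip.startswith("224.") or ip.startswith("239.")


@dataclass
class NatRouter:
    """The inner router: hosts behind it may initiate outward, and only replies
    that match an existing translation are let back in (the second NAT hop)."""
    wan_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # wan port -> (inner ip, inner port)

    def outbound(self, p):
        if is_multicast(p.dst):
            return None                        # multicast stops at the router
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return Packet(self.wan_ip, p.dst, port, p.dport)  # source-NATed packet

    def inbound(self, p):
        entry = self.table.get(p.dport) if p.dst == self.wan_ip else None
        if entry is None:
            return None                        # unsolicited: dropped at the NAT
        inner_ip, inner_port = entry
        return Packet(p.src, inner_ip, p.sport, inner_port)


def simulate():
    r = NatRouter(INNER_WAN_IP)
    laptop, hue = MAIN_NET + "10", IOT_NET + "20"                # constructed hosts
    out = r.outbound(Packet(laptop, hue, 51000, 80))             # laptop -> Hue hub
    reply = r.inbound(Packet(hue, INNER_WAN_IP, 80, out.sport))  # hub's reply
    probe = r.inbound(Packet(hue, laptop, 4444, 22))             # IoT -> laptop, unsolicited
    mdns = r.outbound(Packet(laptop, "224.0.0.251", 5353, 5353))  # cast discovery
    return {"main_to_iot": out is not None,
            "reply_returns_to_laptop": reply is not None and reply.dst == laptop,
            "iot_to_main_unsolicited": probe is not None,
            "cast_discovery_crosses": mdns is not None}
```

The model is why the OP’s layout protects the main LAN from the IoT side but not the reverse, and why any device that must be discovered by casting has to sit on the same side of the inner router as the phones and laptops.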