A neighbor asked me about a recommendation Steve Gibson and Leo Laporte made a couple of weeks ago about securing your IoT household “smart” devices, like doorbells, thermostats, televisions, and anything else that wasn’t traditionally computerized, by putting it on a guest network.
The short answer is yes, it’s something you should do. It doesn’t make them safe, but it is the most effective measure available to a home user, so do it. I would do it a bit differently from Gibson, though: I think the ideal setup has two guest networks.
In corporate security this is called network segmentation; the extreme form is a completely separate, out-of-band network. Systems that don’t need to talk to each other cannot, which makes it harder for a compromised system to attack the others. A Wi-Fi guest network applies the same idea at home: your doorbell doesn’t need to print or pull files off your PC, so it shouldn’t be able to reach your printer or your PC at all. That way, if either side gets hacked, it can’t be used as a stepping stone to the other.
Gibson recommends setting up a second router if your router doesn’t have a guest network available. This may be the excuse you need to upgrade your router.
But a good way to get that capability with a single router is to use DD-WRT, if your router model is supported. One caveat: the guest SSID has to sit on its own subnet, with firewall rules that block it from the main LAN. A second SSID bridged onto the same LAN is just another door into the same room, not segmentation. DD-WRT also has other valuable features you can enable on the guest network. For example, you can rate-limit it, which makes a compromised IoT device less useful to an attacker as a spam or denial-of-service source because it only gets a small slice of your Internet bandwidth.
Gibson stumbled over the feature that DD-WRT calls AP isolation (other routers call it client isolation). Some routers enable it by default on guest networks; it keeps clients on that network from seeing each other at all. The way he talked, he made it sound undesirable. It is, if you have IoT devices that need to talk to each other, such as a hub and the sensors it controls, or a phone that casts to a TV. But many of these devices only need to talk to the Internet. For them, isolation is highly desirable because it means one hacked device can’t attack another.
So I would take a two-pronged approach. Set up a guest network with AP isolation enabled and put everything there that you can. Set up a second router as its own separate network, and put the devices that have to talk to each other on it. This segments your IoT devices from your PCs, and it segments them from each other to the extent that is possible.
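Once the guest network exists, it is worth confirming that it actually enforces the policy described above rather than trusting the router’s checkbox. The script below is an added example, not part of the original post or of DD-WRT: joined to the IoT guest SSID from a laptop, it probes hosts that must be reachable (the Internet) and hosts that must be blocked (a PC and a printer on the main LAN, another client on the guest network) and reports every mismatch. All addresses and subnets in it are constructed assumptions; substitute your own.

```python
"""Segmentation check for a home IoT guest network.

Join a laptop to the IoT guest SSID and run this. It probes hosts that the
policy says must be reachable (the Internet) and hosts that must be blocked
(a PC and printer on the main LAN, another client on the guest network) and
reports every mismatch. All addresses below are constructed examples.
"""
import socket

# Probe outcomes. A completed handshake means the segment is reachable.
# "refused" means something answered with a reset: either the host itself
# (so the segment is NOT isolated) or a router REJECT rule, which looks the
# same from the client; treat it as a finding to check, not as proof of
# isolation. Only silence (a timeout or unreachable error) counts as blocked.
OPEN, REFUSED, NO_ANSWER = "open", "refused", "no_answer"


class Target:
    """One host/port to probe, with the policy verdict it must satisfy."""

    def __init__(self, name, host, port, should_reach):
        self.name = name
        self.host = host
        self.port = port
        self.should_reach = should_reach  # True: must be OPEN; False: must be NO_ANSWER


# Constructed policy for a client on the IoT guest network (assumed subnets:
# main LAN 192.168.1.0/24, IoT guest 192.168.2.0/24). Replace with your hosts.
IOT_GUEST_POLICY = [
    Target("Internet (DNS over TCP)", "1.1.1.1", 53, True),
    Target("main-LAN PC (SMB)", "192.168.1.10", 445, False),
    Target("main-LAN printer (IPP)", "192.168.1.20", 631, False),
    Target("other guest client (HTTP)", "192.168.2.50", 80, False),
]


def tcp_probe(host, port, timeout=2.0):
    """Return OPEN, REFUSED or NO_ANSWER for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except (socket.timeout, OSError):
        return NO_ANSWER


def evaluate(policy, probe=tcp_probe):
    """Probe every target and return the policy violations as a list of
    (target name, observed state) tuples. An empty list means the
    segmentation holds for everything in the policy."""
    violations = []
    for t in policy:
        state = probe(t.host, t.port)
        expected = OPEN if t.should_reach else NO_ANSWER
        if state != expected:
            violations.append((t.name, state))
    return violations


def report(violations):
    """Render the violations as a short human-readable summary."""
    if not violations:
        return "OK: every target behaved as the policy requires"
    lines = ["POLICY VIOLATIONS:"]
    for name, state in violations:
        if state == OPEN:
            lines.append(f"  {name}: reachable but must be blocked")
        elif state == REFUSED:
            lines.append(f"  {name}: answered with a reset; confirm it was the router, not the host")
        else:
            lines.append(f"  {name}: no answer but must be reachable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(IOT_GUEST_POLICY)))
```

Use addresses of hosts you know are switched on and listening (check them from the main LAN first); a host that is simply off also gives "no answer" and would make a leaky network look isolated. Running the same policy from the second, non-isolated IoT network, with the "other guest client" entry flipped to reachable, confirms that the two networks differ only in the way intended.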
Cool new technology often brings security concerns with it, and IoT is a glaring example. But a guest network with AP isolation is a good way to give yourself the benefits of the newest technology without compromising your security too badly. Keep in mind that the router is now the boundary between the two worlds, so keep its firmware current.
I don’t generally listen to Security Now! because Gibson’s advice often doesn’t go far enough. Here’s a list of security podcasts I do listen to and recommend.
I’ll give this approach a try and get back to you. Heck, a honeypot on that isolated segment may be fun also!
So what are your recommended podcasts?
That’s something I thought I’d posted before but never had. Thanks for the reminder!