Network Security for Connected Devices
Knowing what we do about the state of internet-connected device security, or lack thereof, it has to be asked what consumers can do to protect themselves when jumping into the IoT game. Many devices are cheap and effective, but at a hidden cost; hackers exploiting connected devices in the home to gain access to your network, your computers, and your data.
While vulnerabilities in devices like light bulbs and doorbells may seem harmless enough, the real danger is the attack vector they offer right inside your network. The measures we can take depend on the situation, and the compromises users are prepared to accept. Unfortunately there is no one-size-fits-all solution to home network security due to the mixed nature of the technologies, and differing requirements for connectivity in different architectures.
First, let's look at the basic connectivity types likely to be in play.
The cloud-connected device:
These are the simplest to mitigate, and many of the earliest or more advanced products fall into this category. These devices need only an internet connection to enable communication with the vendors servers. Interaction with the device is generally through a smartphone app via the vendor's cloud service. This allows centralised control, access from any location, and over-the-air updates from the manufacturer with requiring any special gateway configuration on the home network.
The home automation device:
These ones present a different challenge. In order to enable inter-connectivity between devices from multiple vendors, a management framework is in place to provide communication and control. To allow the management communications between the various devices, they typically need to be on the same local network as each other...and your smartphone (assuming that's a key control interface for your set up). The implications for these devices vary depending on their connectivity (Wifi, Bluetooth, or something proprietary) and requirements.
The mesh connected device:
Many devices offer standalone functionality, or integration with other devices using a network protocol other than that used on our home networks. Common protocols like Z-Wave and ZigBee create their own mesh networks in parallel to our Wifi set up, so don't have a direct bearing on our network security, which is why I'm calling them a seperate class. The devices will typically use a bridge or some sort to allow control, if they do so through apps or internet accessible services. This is where we need to factor them in to our network security model.
When discussing router configuration, I'll be assuming some knowledge of the terminology and functions of these devices. It might b helpful to review my recommended videos on the subject if you're unsure.
The first, and most effective solution is to create an entirely separate WiFi network for use by connected devices that only accesses the internet. This is entirely adequate for the first class, the cloud-connected device. Note that this should be used for other appliances that don't need to access your data or be accessed by your smartphone or other computing devices, such as your TV and DVR.
The way to accomplish this is to use three WiFi routers in a Y configuration with your main modem/router as the root. Typically home networks have an ISP provided router that also provides you internet connection point (telephone line, cable feed or similar), otherwise the router would connect to a separate modem device via it's WAN port. These types of routers typically also have a number of LAN ports, which can be used to connect the two other routers which will be configured as separate networks (aka subnets). One of these is your normal WiFi access point (and Ethernet switch if you use wired connections), while the other is used as an untrusted device network.
You'll note that the network boundaries I've drawn in the diagrams overlap the routers. This is because the WAN port on each child router will be assigned an address on the root network, while the internal address of the router will be on it's own subnet the same as the other connected devices. We'll use a subnet mask of 255.255.255.0 for all these configurations. That defines the first 3 numbers in the IP Address as the network address, and only the last number will be the address of the devices.
It is best to configure the DHCP range for each router to a different address range, specifically a different subnet. This is not strictly necessary, ad the routers won't be able to see each others address ranges, but it helps avoid confusion. Consumer routers will typically use either the class A private address 10.x.x.x, or the class C private address 192.168.x.x. In the example below, I've used 10.0.0.x for the network of the root router, and two separate 192.168.x.x networks for the other two child routers.
An example address range for Network 1 could be 192.168.1.100 to 192.168.1.200. You can use any block of number from 2-255, but using a simple block of 100 is common for home networks. Remember to avoid using 1, as that will be the address of the router itself, and thus your gateway address (192.168.1.1) for devices on the network.
This configuration offers the greatest protection. By placing untrusted devices on Network 1, and your personal computing devices ans storage on Network 2, the two classes of device are segregated and unable to communicate directly. All devices will be able to connect to the internet, as the NAT function of each router will allow two way communication downstream, but no device in either child network will have any visibility of, or routing path to, the other.
Note that, assuming you have ethernet LAN ports on the child routers, you can use either wireless or wired connections on both networks as desired.
If you have need to communicate with specific devices in the untrusted network (as would likely be the case with home automation services), ports can be opened on the Network 1 router to allow specific traffic through, but this can get complicated if you need multiple ports to multiple devices, and makes many home automation setups unworkable. An alternative to that is presented below.
Note: If you intend to do any port forwarding, it is best the disable DHCP on the root network and assign the child router addresses manually in their network configuration. This way the address you're targetting on for the other network won't change unexpectedly.
In this configuration, I have connected the untrusted devices to the root router, now renamed Network 1. The still segregates the personal devices and data, and the untrusted devices cannot see into Network 2. Any device on Network 2 is able to communicate freely with the devices on Network 1 given a known IP address. This, however, is not a silver bullet. The catch is that a compromised device on Network 1 has the opportunity to sniff all traffic going between Network 2 and the internet, and could potentially spoof traffic to attack Network 2. Given the increasing use of encrypted communications between the types of devices on Network 2 and the internet this is probably not a major concern, but still worth noting. The other catch is that if device discovery is dependent on the untrusted devices sending broadcasts, those messages won't reach Network 2. So, less than ideal, but still better than a single shared network.
If you can tolerate the compromise, you can use dedicated devices (spare phone, tablets, or vendor specific controllers) to control your home automation setup, and have it entirely contained within Network 1 in the Y configuration. This gives the best security, but at the cost of some (possibly considerable) convenience.
So, what about the guest network setting offered in almost all consumer routers these days? Can that be used to provide similar segregation as the 'Y' configuration? The answer is, maybe. The configuration would look more like the diagram below, with the actual segregation handled internal to the root router.
This present a second WiFi network to connecting devices, so I've shown it as just a Wifi connection point. It's logically seperate from the main network, and on a different subnet.
There are two concerns with this approach:
Firstly, the implementation of the guest feature varies between router manufacturers quite a bit. We can't be entirely sure how the router is handling the traffic internally, and if the untrusted traffic is being properly blocked from the rest of the network. Some vendors offer increased protection by preventing devices talking to anything but the internet, and some don't even encrypt the guest traffic at all. It's not really desirable to have your smart home at the mercy of any passerby with a wireless radio.
The second concern is that there is little or no control over configuration of the guest network. This removes any possibility of opening ports for controlled access to specific devices and therefore limits the options for control of smart devices on the other side.
However, if your only requirement is simply to segregate untrusted devices, with or without the need for internet access, then this can be a viable option. Just ensure that your router can be configured to use WPA2 on the guest network, and set a strong passphrase to be sure.