IoT Separation

Am I worrying unnecessarily? All the security advice says to put the IoT on a separate network or subnet. However, if you do this then the functionality of many of them, like Chromecast and Hive, stops working without jumping through hoops to log on to the other network, which surely defeats the object of isolating them.

My network is secured with all the usual advice to prevent it from reacting to pings and such from the internet. If I can't be seen from the outside world, how will a hacker get in to compromise them?

Best Answers

  • Marc
    Marc Moderator, Beta Tester Posts: 2,721
    #2 Accepted Answer

    Your location doesn’t really matter. And it’s generally not the neighbor hacking you, though that’s always a possibility. It’s usually some malware or other back door that allows bad actors to get in and exploit you remotely.

    If you're careful, use anti-virus etc., keep your items up to date patch-wise, and practice safe computing. Don't click on strange links; if it's too good to be true it probably is. Always be distrustful of what you get in email unsolicited.

    I know I sound preachy, but these are common sense when you're on the net.

    So, bottom line, if you're careful you should be fine.

    That's Daphnee, she's a good dog...
  • Thorathome
    Thorathome Member, Beta Tester Posts: 10
    edited February 23, 2021 #3 Accepted Answer
    If your IoT devices are talking only to Amazon (Alexa devices) or Google (Home/Nest), then the chance of you being hacked by them or through them is pretty low. Google's and Amazon's security is better than yours, or mine, or nearly anyone else's. However, if your devices are talking to servers outside of your home network and you're not exactly sure whose servers they are, then there's some risk of eventual intrusion into the rest of your network. If you have opened ports so your devices can communicate, or you enable PnP, then your risk runs a little higher again.

    What is the risk? With known IoT communications to known servers, not much. The primary risk is that someone running or hacking into your external IoT app servers tries to insert something into your network, most likely to clobber someone else with a DoS (Denial of Service) attack. There's even a tiny risk that someone wants to clobber you.

    So if you stick to big IoT brands who have lots to lose, you're probably OK. Always use security/anti-virus software on your devices, phones and laptops, yes, Macs too. Switch off PnP if you can. See if you can avoid opening ports because some device told you to. And use Fing and your Fingbox to check for strange happenings on your network. I have a bunch of IoT devices using Google, Amazon and Blynk software. They're all on my main network and nobody has died yet from it. But I keep an eye out.
  • Pippin166
    Pippin166 Member Posts: 3
    #4 Accepted Answer
    Hi, I don't have PnP enabled, there are no open ports for the IoT devices, and all of them are from reputable sources, Amazon, Google and British Gas for instance, so this brings me back to my original point: am I worrying unnecessarily? I don't think so, as the attack vector is very small and the convenience of the IoT devices overrules this. If I should get some third world light bulbs then I might start worrying again.
    Thanks for the reply


Answers

  • Marc
    Marc Moderator, Beta Tester Posts: 2,721
    I have a feeling the responses you're going to get will be all over the place. Personally, I keep my IoT devices on the main network for the reasons you state. I try to take reasonable precautions with my network and the devices I have control over, which is the best I can do. The reason people say to isolate is that if they get hacked, the worst case is they will only be able to attack other IoT devices. You have to weigh the risks against the convenience, or the inconvenience that separation may cause.
    That's Daphnee, she's a good dog...
  • Pippin166
    Pippin166 Member Posts: 3

    I agree, but the thought "if they get hacked" is my point: how likely is that with a protected network in a rural setting, where it is unlikely to have "bad actors" sitting around trying to break into my network?

  • Marc
    Marc Moderator, Beta Tester Posts: 2,721

    One last thing. Backup!!! Make sure you have your data in multiple places. If you're hacked, locked out of your system or otherwise completely compromised, you can always start over again computer- and software-wise, but generally your data is irreplaceable.

    And make sure you check regularly that whatever backup system you're using is working.

    You don’t want to discover that your backup is not working on the day you need your data.

    That's Daphnee, she's a good dog...
  • Skewbee
    Skewbee Member Posts: 1
    IoT separation is a good practice, but not one I would lose sleep over. If you can implement it without expending too much effort, then having it will help limit the exposure of your endpoints.

    WHAT DOES IT TAKE
    Separating subnets is only one component. You will need a firewall router acting as a gatekeeper to monitor and allow/disallow traffic between subnets and to the Internet. Your firewall rules will set the policies for Who can talk to What (e.g., let your smart bulb call the Internet or respond to calls from your private LAN, but not call your private LAN).

    LIKELY RISKS
    As long as your device has a path to the Internet, there is a hacking risk no matter how big the company. Just look at the recent far-reaching SolarWinds breach. Fortunately, the risk of this method of attack on a consumer network is statistically nil. You can sleep well knowing that no bad actor is going to enlist 1000 engineers to target your network, as the reward doesn't warrant the effort unless you're on the Forbes Billionaires list. I monitor my incoming traffic and find mostly bots scanning for common injection points, lurking on my cams, or trying to turn my endpoints into a DDoS or coin-mining zombie.

    As has been mentioned, sticking to larger brands may lessen the risk of a security breach. Keep in mind that Amazon is a marketplace. Sure, they are pro-consumer, but there are plenty of questionable products sold. Consumer manufacturers clearly focus on feature set over security because that's the biggest bang for their development dollar. Another concern is the prevalence of electronics sourced from China, a known agent of digital espionage (think Huawei).

    RISK MITIGATION
    1) Use a firewall router between your LAN and the Internet.
    2) Maintain well-respected AV/malware tools on your endpoints.
    3) Backup important data.
    4) Encrypt sensitive data (make it useless if released into the wild).
    5) Have a healthy dose of skepticism for all unsolicited emails.
    6) Employ tools (Fing, among others) to help identify potential weaknesses on your network.

    I employ IoT separation in my network because the above more rudimentary safeguards are already in place and it was manageable for me to deploy.
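The "Who can talk to What" policy described in the WHAT DOES IT TAKE section, written out as an added example for a Linux firewall router using nftables (this is not code from the thread or from any poster). Interface names, subnets and the three-interface layout are assumptions: lan0 is the trusted LAN, iot0 the IoT subnet, wan0 the Internet uplink.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   lan0 = trusted LAN (192.168.1.0/24)
#   iot0 = IoT subnet  (192.168.20.0/24)
#   wan0 = Internet uplink
# Policy: IoT devices may call the Internet and may answer the LAN,
# but may never open a connection into the LAN themselves.

flush ruleset

table inet filter {
    chain forward {
        # Anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections allowed further down (e.g. the LAN
        # talking to a smart bulb or Chromecast) may flow back either way.
        ct state established,related accept
        ct state invalid drop

        # IoT devices may reach their vendor cloud on the Internet...
        iifname "iot0" oifname "wan0" accept

        # ...and the trusted LAN may reach both the Internet and the IoT subnet.
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # New connections from the IoT subnet into the LAN are blocked.
        # Logging them makes a compromised device that starts probing
        # the LAN visible in the router's log.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop
    }
}

# Both internal subnets share the uplink address when going out.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

This ruleset only forwards unicast traffic the LAN initiates; device discovery such as Chromecast's mDNS uses link-local multicast that no routed firewall forwards, which is the "hoops" the original question refers to, and it needs a separate mDNS repeater or reflector on the router if casting across the two subnets is wanted.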