Creating separate network for your IOT devices

deweyzeph (Honorary Master; joined Apr 17, 2009; 13,669 messages; 9,007 reaction score; Cape Town)
So I read a while ago that IOT devices on your home network could potentially be a security issue. Things like wifi switches, voip phones, alarm systems, IP cameras, etc. Most of them connect to a cloud service and pierce through your home firewall like that, instead of requiring port forwarding like the old days. The problem of course is that if a hacker gets into your IOT device somehow, they will be able to scan your entire home network and potentially get into other devices, or worse, your router.

I've got all of those devices, so I decided to separate out my IOT devices onto a separate network. Luckily I've got a Mikrotik router, and my Mikrotik skills are pretty good, so I repurposed an old ADSL router I had lying around and turned it into an access point. On the Mikrotik router I dedicated one of the network ports as a separate network on a different subnet to my main network and with its own dedicated DHCP server, and then connected the AP to that port using a network cable from the Mikrotik port to one of the LAN ports on the AP. I then set up some firewall rules on the Mikrotik to make sure that any device connected to the IOT AP cannot access anything on my main home network, including the Mikrotik router itself. Obviously I still allowed the IOT devices to connect to the internet, but that's the only thing they can connect to. Any wired IOT devices then connect directly to the LAN ports on the AP as well, so they are also part of the separate network.

Was interested to find out if any of you guys are doing the same with your IOT devices? I'm probably being a bit paranoid, but even the FBI recommends that you keep your IOT devices on a separate network from the rest of your home network.
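Added example (my own RouterOS commands, not the original poster's configuration): this is one way to implement the setup described in the post above, with a dedicated physical port for the IOT segment, its own subnet and DHCP server, and filter rules that stop IOT devices from reaching the main LAN or the router while still letting them out to the internet. The port names (ether5 for IOT, ether2 for the main LAN), the subnets 192.168.88.0/24 and 192.168.50.0/24, and the resolver address 203.0.113.53 are assumed placeholders; it also assumes the stock RouterOS default configuration, which already defines the LAN and WAN interface lists and a masquerade rule on the WAN list.

```routeros
# Assumed layout: ether5 = IOT port (removed from the main bridge first),
# ether2 = main LAN, main subnet 192.168.88.0/24, IOT subnet 192.168.50.0/24.

# 1. Address and a dedicated DHCP server on the IOT port
/ip address add address=192.168.50.1/24 interface=ether5 comment="IOT gateway"
/ip pool add name=iot-pool ranges=192.168.50.10-192.168.50.254
/ip dhcp-server add name=iot-dhcp interface=ether5 address-pool=iot-pool disabled=no
# Hand out an external resolver (placeholder address) so IOT devices never need
# to talk to the router itself for DNS; replace with your ISP's or a public one.
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=203.0.113.53

# 2. An interface list keeps the rules readable; ether5 must NOT be in the LAN list,
#    otherwise default "accept from LAN" rules would let it through.
/interface list add name=IOT
/interface list member add list=IOT interface=ether5

# 3. Filter rules. Each is added with place-before=0 (top of the list), in reverse
#    order, so the final top-down order is: DHCP accept, input drop, forward drop,
#    all above the generic "accept established,related" rules of the default config.
/ip firewall filter
add chain=forward in-interface-list=IOT out-interface-list=LAN action=drop place-before=0 \
    comment="IOT cannot reach the main LAN"
add chain=input in-interface-list=IOT action=drop place-before=0 \
    comment="IOT cannot reach the router itself"
add chain=input in-interface-list=IOT protocol=udp dst-port=67 action=accept place-before=0 \
    comment="only DHCP from IOT is answered by the router"
# Internet access for IOT needs no extra rule: the forward chain has no final drop in
# the default config, and the default masquerade rule matches out-interface-list=WAN.
```

To check it, plug a laptop into the IOT port, confirm it gets a 192.168.50.x lease, and verify that pinging 192.168.88.1 and 192.168.50.1 both fail while a public address still works; `/ip firewall filter print stats` shows the drop counters climbing as you test.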

 
Jip I do the same and also the reason why I have a Mikrotik.

VLANs everywhere on my network.

For those new to Mikrotik, also check the services tab. Only allow certain IPs to connect to the Mikrotik and disable services not needed
 
Jip I do the same and also the reason why I have a Mikrotik.

VLANs everywhere on my network.

For those new to Mikrotik, also check the services tab. Only allow certain IPs to connect to the Mikrotik and disable services not needed

In my case I didn't need a VLAN because I used a dedicated physical port on the Mikrotik for the separate network. But yes, if you want to share separate networks across the same physical port on the Mikrotik then a VLAN would be required. What I don't like about VLANs is that as far as I know they only separate out networks on the IP layer (Layer 3) but not layer 2. Which means that a hacker could potentially sniff out ethernet frames from different vlans if they are going across the same physical port. I stand to be corrected though.
 
What's the worst that a hacker can do? Turn on my lights, play a different movie on Netflix?
 
What's the worst that a hacker can do? Turn on my lights, play a different movie on Netflix?

They could access your laptop, your router, your cellphone, etc. Anything that's connected to the same network as the IOT device. You'd be surprised how many people don't change the default username and password for their routers. A hacker could take over an IOT device, run a simple network scan on your network, discover all your devices including make and model, and then either try known default username/password combinations for each make and model, or brute force their way into devices with weak passwords.
 
What's the worst that a hacker can do? Turn on my lights, play a different movie on Netflix?

I got one scenario, the device can act as a middleman for incoming network traffic.

Hence a hacker can have an "inside device" that can scan networks and devices for any known vulnerabilities. Heck use the device to get access to the router and setup a lekka VPN between your network and his.
 
I got one scenario, the device can act as a middleman for incoming network traffic.

Hence a hacker can have an "inside device" that can scan networks and devices for any known vulnerabilities. Heck use the device to get access to the router and setup a lekka VPN between your network and his.

They'd also be able to intercept any unencrypted ethernet packets with a simple network sniffing tool.
 
True, now I'm worried about my Samsung devices being able to do this..... heck, each device :)

My biggest concern is these IOT devices like wifi switches that call back to a cloud server. You have no idea who's on the other side of that network connection and what they can do with the IOT device. They effectively can see whatever the IOT device can see. I ran the Mikrotik Torch tool on the physical port that I've connected the IOT network to, and it's interesting to see all the network chatter going on between the IOT devices and their cloud servers. Unfortunately the traffic is all encrypted, so it's impossible to know what's actually going on between them.
 
In my case I didn't need a VLAN because I used a dedicated physical port on the Mikrotik for the separate network. But yes, if you want to share separate networks across the same physical port on the Mikrotik then a VLAN would be required. What I don't like about VLANs is that as far as I know they only separate out networks on the IP layer (Layer 3) but not layer 2. Which means that a hacker could potentially sniff out ethernet frames from different vlans if they are going across the same physical port. I stand to be corrected though.

One uses vlans to separate layer 2 traffic. That's what vlans are for.
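Added illustration of that point (my own example, not either poster's configuration): with RouterOS bridge VLAN filtering, the VLAN membership is decided per bridge port on the Ethernet frame itself, which is why it is a layer 2 separation. An access port in VLAN 20 is never handed a VLAN 10 frame, and only the trunk port carries frames from both VLANs, tagged with their 802.1Q VLAN ID. Port names, VLAN IDs and subnets below are assumed placeholders; ether4 is assumed to be the trunk to a VLAN-capable access point.

```routeros
# Assumed: ether2 = main LAN access port (VLAN 10), ether3 = IOT access port (VLAN 20),
# ether4 = tagged trunk carrying both VLANs to the AP.
/interface bridge add name=bridge1 vlan-filtering=no comment="enable filtering last"

# Access ports: pvid assigns the VLAN to untagged frames entering the port, and
# frame-types refuses frames that arrive already tagged (so a device cannot
# choose its own VLAN by sending tagged frames).
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk: only tagged frames are accepted, so each frame carries its VLAN ID.
/interface bridge port add bridge=bridge1 interface=ether4 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# VLAN table: which ports carry each VLAN, tagged or untagged. The bridge itself is
# tagged so the router can hold a layer 3 address in each VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether4 untagged=ether3

# Layer 3 interfaces, one per VLAN; firewall rules between them work exactly like
# rules between physical ports, using in-interface=vlan20-iot and so on.
/interface vlan add name=vlan10-main interface=bridge1 vlan-id=10
/interface vlan add name=vlan20-iot interface=bridge1 vlan-id=20
/ip address add address=192.168.88.1/24 interface=vlan10-main
/ip address add address=192.168.50.1/24 interface=vlan20-iot

# Turn filtering on only after the table is complete, or you can lock yourself out.
/interface bridge set bridge1 vlan-filtering=yes
```

With this in place, a sniffer on the IOT access port (ether3) only ever receives VLAN 20 frames, untagged; the same sniffer would only see both VLANs if it were connected to the trunk port, which is the scenario described further down in the thread.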
 
One uses vlans to separate layer 2 traffic. That's what vlans are for.

Ok, well my VLAN knowledge is not all that great. Do you know if you are running 2 VLANS over the same physical port whether or not a packet sniffer attached to the physical network could pick up the ethernet frames from both VLANS?
 
Ok, well my VLAN knowledge is not all that great. Do you know if you are running 2 VLANS over the same physical port whether or not a packet sniffer attached to the physical network could pick up the ethernet frames from both VLANS?

Depends...

A packet sniffer would only pick up traffic going through (or to/from) the sniffer. So someone would need to configure a packet capture (sniffer) on your network device, if it even has that capability. Then he could capture everything if the capture is set on the trunk port. But then he has already hacked your router/firewall just to config that, so you are already screwed, seeing the oke is in your firewall/router/switch.

Then plugging a sniffing-capable device into your network, well, that's not going to sniff much unless the traffic starts to pass through the sniffer, meaning the sniffer is installed either in transparent mode (two network cables, one going to your router and another to your switch) or the sniffer becomes your network gateway (default route) and all traffic passes through it and the sniffer passes it on to your router.

So if a guy hacks an IOT device on vlan 2, and somehow builds a sniffer on it, he would only see traffic going to and from the IOT device; he can't magically see traffic in other vlans unless traffic from other vlans is talking to that specific device. He will not see your PC's traffic in vlan 3 talking out to the internet... he would see PC traffic talking to the IOT device, yes.
 