
vw-kombi

Regular Contributor
Hi Knowledgeable People.

I have a number of IoT things on my network now - LIFX lights, Sonoff power devices, robot vac, IP cams, garage door opener, etc. These all connect to the internet, and can be talked to from the internet too. There is a load of stuff in the media about the security of these things - I don't know how much to believe.

I have Skynet, Absolution, etc., but I figured these IoT things could be locked down a bit more - as in, not allow them to talk to anything on my LAN except what they need to - primarily, remove any way of talking to my Unraid server (where all my files are) and my main PC. Both of these have hardcoded IP addresses (192.168.1.7 and 192.168.1.10).

I was hoping I could do something at the Merlin router level to not allow them to communicate, but maybe it is something that has to be done on the Unraid server / PC side instead?

Thanks
 
Yep - I can do that for the ones that are close to the guest network. I was hoping to do it another way, however, and not enable the guest network - as I have three different routers, and also need to connect on the LAN from some of the iPhone apps that control these things.
 
Give them all static IP addresses and disable WAN access for each under the router's device settings, wherever that is.

Never allow anything to be accessible from WAN. Use VPN only.

See if you can put them all on a different subnet and maybe isolate that somehow. Next best thing to a VLAN? If it worked, it would break the apps, though, so you may need to just live with it and block each device's static IP individually where you can. It's a tough one.

Yes, absolutely these things are a security risk, because security and updates cost money, so they are the first thing to be cut out, as it does not affect sales until something shocking happens to trigger consumers to take an interest and therefore affect sales.

So yes, treat this consumer first-gen stuff as security garbage and lock it all down good.

At least until enough people have died for security to become an issue people care about.

 
Hmmm - that is quite drastic and takes a load of the 'smartness' out of the smart home - at least until I get a proper LAN-based system implemented.
I currently have IFTTT recipes doing stuff based on whether iPhones are home or not.
Plus, the garage door device (Garadget) is WAN-connected - no option for local LAN operation.
I can do the lights as LAN only - I don't really need to be able to power them off/on remotely - but when, for example, I have automation so that when the last person leaves home a light gets turned on for the dog, that is IFTTT. Similarly, if the kids leave home, the power is cut to their rooms (as they always leave stuff on) - that is IFTTT also.

I'm thinking I will just have firewall rules on all laptops/PCs to not allow anything to connect from all LAN ports, and Unix iptables rules on the Unraid server - that way, if something did sneak onto these smart devices, it could not connect to anything that has actual data on it.
 
Disable the garage WAN access. Wouldn't surprise me if a WAN-enabled physical break-in voids insurance (no traditional evidence or something).

Unless one is running a server, the only permissible WAN access should be VPN.

Assign static IPs to all your devices and disable their WAN access via the router except for manual updates (ideally via file download so you never need to open them up).

VPN will be fine.

Perhaps assign all devices to a certain range and then block that on your storage or whatever.

Absolutely you should treat this security garbage with caution.

Remember Chinese law actually requires all Chinese companies to support intelligence gathering, IP theft etc.

Smart TVs record audio, etc.

It's ridiculous.

Just block all their WAN access and re-enable only what you need. In theory, just blocking WAN access should achieve a lot.

Ensure AiProtection is enabled internally too.

Just wait until enough people have died for government to take IoT security seriously and actually legislate for it.

Until then assume there is no commercial benefit to security and basic updates so it will generally be ignored until regulations force them to lift their game.

It's for this reason I will not trust autonomous cars until enough people have died from accident or intentional hacks for regulations to catch up either.

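The two approaches discussed in this thread (the original poster's plan of iptables rules on the Unraid server plus host firewalls on the PCs, and the suggestion to give every device a static IP and block its WAN access at the router) come down to a handful of iptables rules built from one list of device addresses. The script below is an added example for this thread, not code from the forum, from Asus-Merlin or from Unraid. The IoT addresses 192.168.1.50-52 are constructed; the protected hosts are the two named in the thread; the placement of the script (/boot/config/go on Unraid, /jffs/scripts/firewall-start on Merlin) and the use of `nvram get wan0_ifname` to find the WAN interface are assumptions. One caveat the thread circles around: devices on the same subnet reach each other through the router's bridge, not its FORWARD chain, so a router rule cannot stop an IoT device from talking to 192.168.1.7 unless the devices sit on another subnet (guest network or VLAN). That is why the host-side rule set exists at all.

```shell
#!/bin/sh
# Added example, not from the thread or from Asus-Merlin/Unraid.
# Two rule sets built from one list of IoT devices:
#   host_rules   - run on the Unraid server (from /boot/config/go,
#                  assumed): drop new connections from IoT devices.
#   router_rules - run on the Asus-Merlin router (from
#                  /jffs/scripts/firewall-start, assumed): stop LAN-only
#                  devices from reaching the WAN.
# Same-subnet LAN clients talk through the router's bridge (br0), never
# its FORWARD chain, so only the host can protect itself from them.

IOT_DEVICES="192.168.1.50 192.168.1.51 192.168.1.52"   # constructed sample addresses
LAN_ONLY="192.168.1.50 192.168.1.51"                    # e.g. lights: no cloud needed
PROTECTED_HOSTS="192.168.1.7 192.168.1.10"              # Unraid server, main PC (from thread)
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

# On the protected host: drop NEW connections from every IoT device.
# Matching only NEW lets the server still poll a camera or light it
# connected to itself, because those replies are ESTABLISHED.
host_rules() {
    $IPT -N IOT_BLOCK 2>/dev/null || true
    $IPT -F IOT_BLOCK
    for src in $IOT_DEVICES; do
        $IPT -A IOT_BLOCK -s "$src" -m conntrack --ctstate NEW -j DROP
    done
    # Delete any old jump first so re-running the script stays idempotent.
    $IPT -D INPUT -j IOT_BLOCK 2>/dev/null || true
    $IPT -I INPUT 1 -j IOT_BLOCK
}

# On the router: drop forwarded traffic from LAN-only devices to the WAN.
# WAN_IF may be passed in; otherwise it is read from NVRAM (assumed name).
router_rules() {
    wan_if="${WAN_IF:-$(nvram get wan0_ifname)}"
    $IPT -N IOT_FWD 2>/dev/null || true
    $IPT -F IOT_FWD
    for src in $LAN_ONLY; do
        $IPT -A IOT_FWD -s "$src" -o "$wan_if" -j DROP
    done
    # Only effective when the IoT devices are on a routed subnet
    # (guest network / VLAN); same-subnet traffic never gets here.
    for src in $IOT_DEVICES; do
        for dst in $PROTECTED_HOSTS; do
            $IPT -A IOT_FWD -s "$src" -d "$dst" -j DROP
        done
    done
    $IPT -D FORWARD -j IOT_FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -j IOT_FWD
}

case "${1:-}" in
    host)   host_rules ;;
    router) router_rules ;;
esac
```

Run `IPT=echo sh iot-rules.sh host` (or `router`) first to review the generated rules before applying them as root. For the Windows PC mentioned in the thread, the equivalent is a Windows Defender Firewall inbound block rule with the same remote addresses, e.g. in PowerShell `New-NetFirewallRule -DisplayName "Block IoT" -Direction Inbound -RemoteAddress 192.168.1.50,192.168.1.51,192.168.1.52 -Action Block`.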
 