Router setup or IoT devices

dieter

Senior Member
Hello and Happy New Year,

Some of you may be aware that Wyze Labs (the Washington state cam company) had a recent data breach of some of their non-production servers, and exposed customers' SSIDs, email addresses, etc. No passwords were exposed.

I have an RT-AC1900P and I'm sure I'm not using my router config fully to cover IoT device/network security. For my IoT devices, I have created a dedicated GUEST network, with passphrase-protected SSID, and disabled SSID broadcast. I'm assuming that even if someone is able to connect to this "GUEST" SSID, they would not be able to access the rest of my network on the other SSIDs. Is this correct?

1. Is another IoT-dedicated router more secure? (I have an old D-Link router.)
2. What other config settings should I use to make my RT-AC1900P IoT network more secure?



Thanks much,
Dieter
 
Hiding the SSID adds no security, it only makes your own life more difficult.
As long as you have set Access Intranet = Disable, use WPA2-Personal and have a strong pre-shared key for the Guest Network, you have done the best you can.
It never hurts to change pre-shared keys on a regular basis.
 
A double NAT setup might make your network more secure, but this is only true if your Internet-facing router is the one that the IoT devices connect to and your more secure personal network router's WAN port is connected to a LAN port on the first router AND you have disabled access from the WAN on your second, non-IoT router.

Without knowing the specifics of your Internet connection speeds and LAN setup, I don't know if your D-Link router would be up to the task of either the first or second router in a double NAT setup.

In addition to strong passwords, another thing you could consider that might increase security is to connect the IoT devices using a VPN client on your router, if using two routers assigning all IoT devices and your second router static IPs and then limiting or disabling the DHCP server on the IoT router. Doesn't prevent someone from hacking in but makes it a bit more complicated.
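
The conditions in the double NAT reply above, written out as an added example (not part of any post in this thread): a Python check of a two-router plan. The addresses, device names and the layout of the plan dictionary are constructed for illustration, and the subnet-overlap check goes beyond what the reply states.

```python
import ipaddress

def check_double_nat(plan):
    """Return a list of problems with a two-router plan; an empty list means OK."""
    problems = []
    outer_lan = ipaddress.ip_network(plan["outer_lan"])   # Internet-facing (IoT) router
    inner_lan = ipaddress.ip_network(plan["inner_lan"])   # personal-network router
    inner_wan = ipaddress.ip_address(plan["inner_wan_ip"])

    # The personal router's WAN port must be plugged into the IoT router's LAN.
    if inner_wan not in outer_lan:
        problems.append("inner router WAN IP is not on the outer (IoT) LAN")
    # Two routers left on the same default subnet cannot route between NAT layers.
    if outer_lan.overlaps(inner_lan):
        problems.append("outer and inner LAN subnets overlap")
    # WAN-side access on the personal router faces the IoT devices directly.
    if plan["inner_wan_admin_enabled"]:
        problems.append("inner router allows access from WAN")
    # IoT devices belong on the outer router, personal devices behind the inner one.
    for name, role, ip in plan["devices"]:
        addr = ipaddress.ip_address(ip)
        if role == "iot" and addr not in outer_lan:
            problems.append(f"{name} ({ip}) is an IoT device not on the outer LAN")
        if role == "trusted" and addr not in inner_lan:
            problems.append(f"{name} ({ip}) is a trusted device not on the inner LAN")
    return problems

# Constructed sample plans (static IPs, not taken from the thread).
GOOD_PLAN = {
    "outer_lan": "192.168.1.0/24",
    "inner_wan_ip": "192.168.1.2",
    "inner_lan": "192.168.50.0/24",
    "inner_wan_admin_enabled": False,
    "devices": [("camera", "iot", "192.168.1.20"),
                ("laptop", "trusted", "192.168.50.10")],
}
# Both routers on the same subnet, WAN access still enabled on the inner one.
BAD_PLAN = dict(GOOD_PLAN, inner_lan="192.168.1.0/24",
                inner_wan_admin_enabled=True,
                devices=[("camera", "iot", "192.168.1.20")])

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_double_nat(plan) or "no problems found")
```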
 
To date, Wyze only recommends the precaution of updating your Wyze account password by way of the app.

I also stopped sharing cams since those e-mail addresses were also breached indirectly... if not directly.

If you use a Guest network with intranet access disabled (like it should be) and your Wyze app device is not connected to this Guest network (like it likely won't be), then you may not be able to use your Wyze app device to access your Wyze cam(s) (?).

OE
 
While the suggestions above are all sensible, and correct me if I'm wrong, but there is little to no risk if your SSID was "exposed" as they would have to care enough to find your physical location to be in range as well. (Not that the SSID name in itself actually represents a security risk unless the passphrase was revealed)

Since no passwords were compromised, revealing your email address may generate an increase in spam but little or nothing else (but I always use "throwaway" emails such as new Hotmail or Gmail for this sort of thing, never my "primary" email address).

Personally, I like physical hardware separation for security as an errant reset or user error could allow intrusion, even briefly, if done via software. But, for most people, a properly configured guest network is a viable option.
 
It never hurts to change pre-shared keys on a regular basis.
In my experience it actually hurts a lot to configure a new password in all my IoT devices.

Especially if you have devices that don’t adhere to standards, but don’t document that and you’ll have to use trial and error to see which password they do accept...
 
Thanks all for your comments. Since I'm a retired techie, I'm going to experiment with VLAN switches. Not sure how to implement physical separation. The Wyze devices require WAN access.
 
VLAN switches

TP-Link smart switches will let you set up either port-based or 802.1Q-type VLANs using the GUI. Reliable hardware and, at US$28 for an 8-port model, a good deal.
 
