Internet of Things and VLANs


Securing Internet of Things (IoT) devices within VLANs.


On my home automation network I have a separate, restricted VLAN for IoT devices. There is one main reason why I set this up: security. Pretty much all of these devices have some form of processing ability within them, and almost all of them run some small form of Linux.


I have many IoT devices, some from manufacturers like Belkin and TP-Link, others from smaller outfits like Lifx (light bulbs) and Broadlink. 



Additionally, when I get a smart TV, it will be heavily restricted as to what external services it can access (if any). I want to be able to control it over my network, but I don't want it spying on me or spamming me with adverts.


All of these are what I would call consumer devices, and the lifetime I would expect from a consumer device is quite long (5+ years). However, the support the manufacturer provides for these devices can sometimes be measured in months. That is combined with the fact that the device may have been sitting on the supplier's shelves for some time before I bought it, so it may be out of date even before it arrives. When you connect it to the network, it may prompt you for an update. That update may be brand new, fixing some security breach that surfaced last week, or it may be months old. A recent notice of a security breach in some Belkin sockets had many users on Reddit saying that they would be retiring their sockets. In light of all this, I view all IoT devices on my network as hostile.


There may be other reasons for not wanting to update your devices with new firmware, such as feature removal, like TP-Link removing the local control feature from their mains switches (https://www.home-assistant.io/blog/2020/11/23/tplink-local-access/). These are features that many people only buy these devices for, so removing that functionality can limit the usability of the device or at worst make it useless.


So in light of all this, I have all “hostile” IoT devices within their own VLAN. Access to the outside internet is restricted to those devices that I allow, or to specific services at specific destinations such as DNS or NTP. I have access restricted by groups, so that I can easily switch it on or off. This is useful for setting up new devices, which may require the use of an app for initial setup. So if any device does get compromised, it can't go off to the internet and join some botnet.


Access to and from my main network is also heavily restricted. Only my main PC and my home automation server can ping VLAN devices (Home Assistant can be set up to alert when a device stops “pinging” and disappears off the network). Only my PC can access any configuration web or SSH server running on a device. The devices themselves can only access certain ports on the home automation server to pass their data, or vice versa. So any attacks from a compromised IoT device on the main network are greatly limited. Though this will never be 100% attack proof, it is much better than having all devices doing what they like on the same network as everything else.


I use a Draytek firewall, which is very flexible in this respect. I haven't found too many issues with this setup in the few years I have been using it. Home Assistant doesn't have much problem talking to the devices once they are set up, but it won't be able to find the devices automatically by auto discovery or multicast, so this may be a limiting factor in some setups.

The main issues are around the initial setup of devices. With the LIFX bulbs, you use an Android app to do the initial setup, which is cloud based. So with these, I just allow the device to have external access while the setup is in progress, then switch it off once I can address it locally. Likewise, if I wish to upgrade the firmware on a device, I can open up access and close it afterwards. This allows me to choose when to do upgrades and check for any risks to future functionality.
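The policy described in the last three paragraphs (DNS/NTP only from the IoT VLAN, a switchable "internet allowed" group for setup and upgrades, ping from the PC and the home automation server only, device admin ports from the PC only, and devices reaching only specific ports on the Home Assistant server) is easiest to reason about as an ordered rule list with a default deny. The following is an added example that models it in Python; it is not the author's Draytek configuration, and the subnets, host addresses, port numbers and the first-match evaluation are assumptions chosen for illustration. It is useful for checking, before touching the real firewall, that a given flow lands on the rule you expect.

```python
"""Model of the IoT-VLAN firewall policy as an ordered rule list (added example).

Not the author's Draytek configuration. Addresses, port numbers and the
"first matching rule wins" evaluation are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing (assumed; the post does not give real subnets).
MAIN_LAN = ip_network("192.168.1.0/24")
IOT_VLAN = ip_network("192.168.20.0/24")
PC = ip_address("192.168.1.10")          # the only host allowed to administer devices
HA_SERVER = ip_address("192.168.1.20")   # Home Assistant

# Port numbers are assumed for illustration.
HA_INGEST_PORTS = {1883, 8123}          # devices -> HA server (e.g. MQTT, HA API)
DEVICE_API_PORTS = {56700}              # HA server -> devices (local control API)
DEVICE_ADMIN_PORTS = {22, 80, 443}      # PC -> devices (SSH / web admin)
INTERNET_SERVICES = {("udp", 53), ("udp", 123)}  # DNS and NTP for every device

# Group of devices temporarily granted full internet access (setup / firmware upgrade).
internet_allowed: set[IPv4Address] = set()


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


def is_internet(addr: IPv4Address) -> bool:
    """Anything outside private address space counts as 'the outside internet'."""
    return not addr.is_private


# Ordered rules: (name, predicate, verdict). First match wins; no match means deny.
RULES = [
    # IoT VLAN -> internet: DNS/NTP always, everything else only for the allow group
    ("iot-dns-ntp", lambda f: f.src in IOT_VLAN and is_internet(f.dst)
     and (f.proto, f.dport) in INTERNET_SERVICES, "allow"),
    ("iot-setup-group", lambda f: f.src in IOT_VLAN and is_internet(f.dst)
     and f.src in internet_allowed, "allow"),
    ("iot-internet-block", lambda f: f.src in IOT_VLAN and is_internet(f.dst), "deny"),
    # main LAN -> IoT VLAN: ping from PC and HA server only, admin ports from the PC
    # only, device API ports from the HA server only
    ("ping-from-pc-or-ha", lambda f: f.src in (PC, HA_SERVER) and f.dst in IOT_VLAN
     and f.proto == "icmp", "allow"),
    ("admin-from-pc", lambda f: f.src == PC and f.dst in IOT_VLAN
     and f.proto == "tcp" and f.dport in DEVICE_ADMIN_PORTS, "allow"),
    ("api-from-ha", lambda f: f.src == HA_SERVER and f.dst in IOT_VLAN
     and f.dport in DEVICE_API_PORTS, "allow"),
    # IoT VLAN -> main LAN: only the HA server's ingest ports
    ("iot-to-ha", lambda f: f.src in IOT_VLAN and f.dst == HA_SERVER
     and f.proto == "tcp" and f.dport in HA_INGEST_PORTS, "allow"),
]


def decide(f: Flow) -> tuple[str, str]:
    """Return (verdict, rule name) for the first rule that matches the flow."""
    for name, match, verdict in RULES:
        if match(f):
            return verdict, name
    return "deny", "default-deny"


def decide_flow(src: str, dst: str, proto: str, dport: int = 0) -> tuple[str, str]:
    """String-based convenience wrapper around decide()."""
    return decide(Flow(ip_address(src), ip_address(dst), proto, dport))


def open_internet_for(device: str) -> None:
    """Add a device to the setup/upgrade group (temporarily allow its cloud app)."""
    internet_allowed.add(ip_address(device))


def close_internet_for(device: str) -> None:
    """Remove a device from the group once it can be addressed locally."""
    internet_allowed.discard(ip_address(device))


if __name__ == "__main__":
    bulb = "192.168.20.51"  # constructed IoT device address
    samples = [
        (bulb, "1.1.1.1", "udp", 53),         # DNS: allowed
        (bulb, "1.1.1.1", "tcp", 443),        # cloud service: blocked unless in the group
        (bulb, "192.168.1.20", "tcp", 1883),  # report to HA: allowed
        (bulb, "192.168.1.10", "tcp", 445),   # device poking at the PC: blocked
        ("192.168.1.10", bulb, "tcp", 22),    # admin from the PC: allowed
        ("192.168.1.50", bulb, "icmp", 0),    # ping from another LAN host: blocked
    ]
    for s in samples:
        print(s, "->", decide_flow(*s))
    open_internet_for(bulb)
    print("during setup:", decide_flow(bulb, "1.1.1.1", "tcp", 443))
    close_internet_for(bulb)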
