Internet of Things and VLANs

-

 

Securing Internet of Things (IoT) devices within VLANs.

On my home automation network I have a separate restricted VLAN for IoT devices. There is a single main reason why I set this up, security. Pretty much all of these devices have some form of processing ability within them. Almost all of them will have some small form of Linux installed with them.

I have many IoT devices, some from manufacturers like Belkin and TP-Link, others from smaller outfits like Lifx (light bulbs) and Broadlink. 

 


Additionally, when I get a smart TV, it will be heavily restricted as to what external services it can access (if any). I want to be able to control it over my network, but I don't want it spying on me or spamming me with adverts.


All of these are what I would call consumer devices and the lifetime I would expect from a consumer device is quite long (5+ years). However the support the manufacturer provides for these devices can sometimes be measured in months. That is also combined with the fact that the device may have been sitting on the suppliers shelves for sometime prior to me buying it. So it maybe out of date even before it arrives. When you connect it to the network, it may prompt you for an update. The age of this update maybe brand new to fix some security breach that surfaced last week, or it maybe months old. A recent notice of a security breach in some Belkin sockets had many users on Reddit saying that they would be retiring their sockets. In light of all this, I view all IoT devices on my network as hostile.

There may be other reasons for not wanting to update your devices with new firmware, such as feature removal. Like TP-Link removing the local control feature from their mains switches (https://www.home-assistant.io/blog/2020/11/23/tplink-local-access/). These are features that many will only buy these devices for. So removal of that functionality can limit the usability of the device or at worst make it useless.

So in light of all this, I have all “hostile” IoT devices within their own VLAN. Access to the outside internet is restricted to those devices that I allow or on services to specific destinations such as DNS or NTP. I have access restricted to groups, so that I can easily switch it on or off. This is useful for setting up new devices, which may require the use of an app for initial setup. So any device that does get compromised, it can't go off to the internet and join some botnet.

Also access to and from my main network is heavily restricted. So only my main PC and my home automation server can ping VLAN devices (Home Assistant can be setup to alert when a device stops “pinging” and disappears off the network). Only my PC can get access any configuration web or SSH server running on the device. The devices themselves can only access certain ports on the home automation server to pass their data or vice-versa. So any attacks from a compromised IoT device to the main network are greatly limited. Though this will never be 100% attack proof, it is much better than have all devices doing what they like on the same network as everything else.

I use a Draytek firewall. It is very flexible in this respect. I haven't found too many issues with this setup in the few years I have been using it. Home Assistant doesn't have much problem talking to the devices once setup. But it won't be able to find the devices automatically by auto discovery or multicast, so this maybe a limiting factor in some setups.

The main issues are around initial setup of devices. So with the LIFX bulbs, you use an android app to do the initial setup, which is cloud based. So with these, I just allow the device to have external access whilst the setup is in progress, then switch it off when I can address it locally. Again if I wished to upgrade the firmware on the devices I can open up access and close it afterwards. This allows me to choose when to do upgrades and check for any risks to future functionality.

Comments

Post a Comment

Popular posts from this blog

Linux autofs and Wake on Lan bodge.

-
Hi, Like many people, I have a media server which stores all of my films, music and pictures in all one central place. It's a Centos Linux box with a SATA card and software Raid5, it serves to devices like my Acer Revo running Xbmc and Mythtv frontend. With this configuration it's a little noisy, creates a bit of heat and probably uses a bit of electricity, but turning it on can be a bit of a hassle. Particularly when it's at the other end of the house. My solution autofs and wake on lan. autofs is a suite of tools that will auto mount devices and NFS shares when you first use them. Wake on LAN on my setup was a small cable that goes between my (dlink) PCI network card and my motherboard and I had to edit the BIOS to allow the machine to be woken. There seems to be a number of different ways to setup WOL on linux. I had to use ethtool to put the network card in a fit state to be woken up when the server was shutdown: ethtool -s eth1 wol g I actually put this in a Bash scri
Read more

Everything Presence One Sensor Review

-
Image
I recently received two Everything Presence One Sensors from the Everything Smart Home YouTube channel ( https://www.youtube.com/@EverythingSmartHome ). I was quite lucky to get them as during the ordering process back in December, as I had a bit of a cock-up on the credit card front and couldn't put the payment though. Oddly a few hours later I got an email from the site, asking me if I'd like to pay. A change of location and PC later and I had succesfully paid, which is cool, considering they sold out pretty quick. Fast forward to March and I recieved two sensors plus cases. It comes with a 3D printed case (with mounting stand), a main board, a PIR sensor and a Millimeter Wave sensor. It is a well made custom made board, with the nice option to mount the Millimeter Wave sensor in one of two directions. Assembly is simple to anyone who has successfully put together an MFI wardrobe.  The assembled sensor looks like this: It looks quite neat. To setup, it is a case of plugging i
Read more