Secure Your IoT Devices
IoT devices can be incredibly useful in our day to day lives. These are gadgets such as smart TVs, Wi-Fi grilling thermometers, smart thermostats, and various smart home devices. As useful as these devices are, they are frequently very insecure. Due to the simple nature of their circuitry and software, they often have little to no embedded security features. Additionally, IoT devices are increasingly targets for corporate, “nation state,” or independent malicious actors looking to place “backdoors” or other surveillance mechanisms in them. An insecure IoT device can act as an entryway for a malicious actor and present a pivot point to take over an entire network. An example of an IoT device that is an enormous security risk can be found at this CVE entry in the National Vulnerability Database.
This vulnerability was found by another security researcher and expanded on by myself. Another good example can be found in my previous blog post here.
Because of vulnerabilities such as these, it is very important to secure your IoT devices. Here are a few ways to secure these devices on your network, for a variety of network setups.
Secure Your IoT Devices using a guest Network
Ideally, we’d all own an advanced router that’s separate from our modem and Wi-Fi access point. However, this simply isn’t an option financially or time-wise for some people. There are devices such as the Firewalla Gold or a Protectli box running OPNsense that provide security and granularity of settings in an easy-to-use manner. However, they are fairly expensive at around 400 dollars. For those who can’t go that route, there are still ways to increase the security of your home network with your Wi-Fi router/modem combo. To better secure your IoT devices using this setup, do the following.
- Log into the admin panel on your Wi-Fi router/modem combo device. This can usually be reached by typing 192.168.0.1 into your browser address bar. Many Internet Service Providers (ISPs) provide this info in a pamphlet or on a sticker on the device.
- Navigate to Wi-Fi networks and create a “guest” network. Most devices issued by the ISP or available commercially allow at least one guest network.
- Look for a setting that enables guest network devices to access the main network or LAN (Local Area Network). Ensure this isn’t enabled.
- Turn off Universal Plug and Play (UPnP) within the router admin panel. Ensure no ports are forwarded unless the IoT device manufacturer specifically calls for it in the instructions.
- Disconnect any IoT devices from the main network and instead configure them to connect via the guest network.
Limitations For This Setup
- Some device manufacturers will not allow devices on the main network to contact devices on the guest network. You may need this functionality for devices such as smart home controllers if you want to control them from a device on your main network. Unfortunately, many commercial Wi-Fi router/modem combos do not have this granularity of settings built in. If your device needs to contact another device on your main network and you do not have the settings to allow this, consider adding that IoT device to your main network. It’s better to have only one or two IoT devices on the main network out of necessity than to have all of them there.
- If your device doesn’t allow you to disable the feature that lets devices on the guest network “see” devices on the main network, then this setup is pointless. It is equivalent to security theatre: it has the appearance of being more secure but really isn’t.
- This setup may prevent IoT devices from contacting devices on the main network, but they may still be allowed to contact the internet.
- Router/Modem combos often offer little to no logging or ability to monitor network traffic.
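Whether a guest network actually isolates its clients from the main LAN is something you can test rather than trust. The following Python script is an added example (not code from the post or from any router vendor) that probes a few constructed main-LAN addresses from a device joined to the guest Wi-Fi. A completed or refused TCP connection proves the main network is reachable, which is the “security theatre” case above; only timeouts and no-route errors count as isolation. The target addresses and the simulated connector are constructed for this example.

```python
import socket

# Constructed sample targets on the main LAN (router admin page, a file share,
# an SSH host). Replace them with hosts you actually run on your main network.
LAN_TARGETS = [("192.168.0.1", 80), ("192.168.0.10", 445), ("192.168.0.20", 22)]


def tcp_reachable(host, port, timeout=2.0, connect=socket.create_connection):
    """Return True when host:port is reachable from the network we are on.

    A completed connection proves reachability; so does an explicit refusal,
    because the host had to answer for the connection to be refused. A timeout
    or "no route" error is what proper guest isolation looks like.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:
        return False


def isolation_report(targets=LAN_TARGETS, **probe_args):
    """Probe every target; 'isolated' is True only if none of them answered."""
    reachable = [t for t in targets if tcp_reachable(*t, **probe_args)]
    return {"isolated": not reachable, "reachable": reachable}


def simulated_connect(outcomes):
    """Stand-in for socket.create_connection so the check can be exercised
    offline (constructed for this example). outcomes maps host -> one of
    'open', 'refused', 'timeout'; unknown hosts time out."""
    class _Sock:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(address, timeout=None):
        host, _port = address
        outcome = outcomes.get(host, "timeout")
        if outcome == "open":
            return _Sock()
        if outcome == "refused":
            raise ConnectionRefusedError(f"{host}: refused")
        raise TimeoutError(f"{host}: timed out")

    return connect


if __name__ == "__main__":
    # Run this from a device joined to the guest Wi-Fi, with real sockets.
    report = isolation_report()
    print("guest network isolated from main LAN:", report["isolated"])
    for host, port in report["reachable"]:
        print(f"  still reachable: {host}:{port}")
```

Run it once from the main network to confirm the targets really answer there, then again from the guest network; if the second run still lists reachable hosts, the guest setting is not doing what the label claims.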
Secure your IoT devices with a dedicated Router/Firewall
Owning a dedicated router/firewall allows more granularity in configuration to choose more secure network settings. Dedicated routers/firewalls increase security in a network. They allow the setup of dedicated VLANs, advanced firewall rules, and traffic filtering. This is the preferred setup for home security. To secure your IoT devices using a dedicated router/firewall, you will often need to purchase a dedicated Wi-Fi access point that has VLAN SSID tagging functionality. You may also configure an old Wi-Fi router as an access point (as long as it can tag VLANs in access point mode). Here are the necessary steps to increase your IoT device security using a dedicated router/firewall.
- Contact your ISP and ask them to place your modem/Wi-Fi router combo in bridge mode. Alternatively, if you are using your own modem with no routing capability, you are good to go.
- Connect your new router/firewall’s WAN port to the WAN port on the modem using a Cat5e or Cat6 cable.
- Set up the router/firewall appliance using the instructions provided by the manufacturer.
- Plug your Wi-Fi access point into one of the Gigabit Ethernet ports.
- Log into your Wi-Fi access point admin panel and create a “guest VLAN” with its own SSID. Follow your device manufacturer’s instructions. Take note of the VLAN number.
- Using your router/firewall admin panel, create a VLAN. Ensure the number is the same as the VLAN number you created on the Wi-Fi access point.
- Assign that VLAN to the port that your access point is plugged into.
- In your router/firewall admin panel, enable “inter-VLAN routing.”
- In “firewall rules,” create a rule that blocks all traffic FROM the guest VLAN into your main network.
- Create a rule that blocks all internet traffic to/from the guest VLAN.
- Consult the documentation for each IoT device, and make a rule that allows the necessary connections to specific devices or services on your main network and the internet. For example, if my smart TV needs to contact the internet to work, I would place a rule that allows connections FROM the smart TV TO the internet. If my Wi-Fi grill thermometer needs to be controlled via my smartphone connected to my main network, I’d place a rule on the firewall that allows traffic FROM the smartphone TO the Wi-Fi thermometer.
- To extend the guest VLAN to wired devices, you may install a managed switch connected to another Gigabit Ethernet port on your firewall/router. Enable VLAN trunking on both the managed switch and the firewall. Ensure that the VLAN number you created for the guest network is “tagged” on the managed switch port that is connected to your firewall. Make sure that the VLAN number for your guest network is “untagged” on any switch port that you want an IoT device to be plugged into. For example, if you have an 8-port managed switch and port 1 is connected to your router, port 1 will be a trunk port and it will be tagged with your guest VLAN ID. If you have a smart TV plugged into port 2, port 2 will be an access port and will be “untagged” with whatever your guest VLAN ID number is. Every switch manufacturer uses slightly different verbiage, so you will need to consult your documentation.
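To make the “tagged” versus “untagged” vocabulary concrete, here is an added Python model of an 802.1Q managed switch. It is not code from the post or from any switch vendor; the MAC addresses, the guest VLAN ID of 20 and the three port roles are constructed to mirror the 8-port example above. Frames are real Ethernet byte strings, so you can see exactly where the 4-byte tag is inserted on the trunk port and stripped again on the access port, and why a main-LAN frame never leaves through the smart TV’s port.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed, locally administered MAC addresses for the example.
MAC_FIREWALL = bytes.fromhex("020000000001")
MAC_SMART_TV = bytes.fromhex("020000000002")
PAYLOAD = b"constructed payload"


def build_frame(dst, src, payload, vlan_id=None):
    """Ethernet frame; with vlan_id set, a 4-byte 802.1Q tag follows the MACs."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF          # PCP=0, DEI=0, 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + payload


def vlan_of(frame):
    """VLAN ID carried in the tag, or None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def strip_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vlan_id):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF) + frame[12:]


class Port:
    """untagged_vlan is the PVID: frames arriving untagged join it and frames of
    that VLAN leave untagged. tagged_vlans must arrive tagged and leave tagged.
    An access port has an empty tagged set; the trunk carries the guest VLAN tagged."""

    def __init__(self, name, untagged_vlan, tagged_vlans=()):
        self.name = name
        self.untagged_vlan = untagged_vlan
        self.tagged_vlans = set(tagged_vlans)

    def ingress_vlan(self, frame):
        vid = vlan_of(frame)
        if vid is None:
            return self.untagged_vlan
        return vid if vid in self.tagged_vlans else None   # unknown tag: drop

    def egress_frame(self, vid, frame):
        tagged = vlan_of(frame) is not None
        if vid == self.untagged_vlan:
            return strip_tag(frame) if tagged else frame
        if vid in self.tagged_vlans:
            return frame if tagged else add_tag(frame, vid)
        return None                                         # not a member: no copy


class ManagedSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """Flood a frame within its VLAN (no MAC learning, for brevity);
        returns {out_port: frame as it leaves that port}."""
        vid = self.ports[in_port].ingress_vlan(frame)
        if vid is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            egress = port.egress_frame(vid, frame)
            if egress is not None:
                out[name] = egress
        return out


GUEST_VLAN = 20   # constructed guest VLAN ID


def example_switch():
    """The post's 8-port example, trimmed to three ports."""
    return ManagedSwitch([
        Port("port1", untagged_vlan=1, tagged_vlans={GUEST_VLAN}),  # trunk to firewall
        Port("port2", untagged_vlan=GUEST_VLAN),                    # smart TV, access port
        Port("port3", untagged_vlan=1),                             # a main-LAN PC
    ])


if __name__ == "__main__":
    sw = example_switch()
    tv_out = sw.forward("port2", build_frame(MAC_FIREWALL, MAC_SMART_TV, PAYLOAD))
    print({p: vlan_of(f) for p, f in tv_out.items()})   # TV frame leaves only via the trunk, tagged 20
```

The separation here is purely layer 2: the TV’s frames reach the firewall tagged 20 and nothing else, so any contact between the guest VLAN and the main LAN has to pass through the firewall rules, which is exactly what the rule steps above rely on.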
Limitations For This Setup
- Complexity: Depending on the firewall/router manufacturer, configuring VLANs and firewall rules can be complex. I recommend OPNsense or Firewalla for ease of configuration in this regard.
- Firewall rules: Firewall rules can be very unforgiving. Add one rule at a time and then test. It’s very hard to pinpoint why you don’t have connectivity when you have a myriad of “allow” and “block” rules for multiple devices. Go slow!
- Price: A decent firewall/router can be anywhere from around 150 bucks for a Ubiquiti EdgeRouter to over 400 dollars for a very fast device like a Protectli mini PC with OPNsense installed.
- Wi-Fi access points: Wi-Fi access points that support VLAN SSID tagging are hard to find. A few brands that I’m aware of are TP-Link Omada, Ubiquiti UniFi access points, Ruckus access points, and Cisco Meraki access points. Of those, I recommend TP-Link or Ubiquiti. They have a good price-to-value ratio.
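Most firewalls, OPNsense included, apply rules top-down with the first match winning, so the order in which the rule steps above add them matters: the broad “block guest to internet” rule, entered before the smart TV allow, swallows the TV’s traffic. The Python model below is an added example (not code from the post or from any firewall vendor) that turns “one rule at a time, then test” into something repeatable: it evaluates a rule set against a short list of expected flows and reports each expectation the rules violate. It assumes first-match evaluation with default deny for unmatched traffic, models only the initiating direction (a stateful firewall admits the replies), and uses constructed addresses for the LAN, the guest VLAN, the two IoT devices and the phone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the example (not from the post): the main LAN,
# the guest VLAN, two IoT devices on it and the phone that controls one of them.
ZONES = {
    "lan": [ip_network("192.168.1.0/24")],
    "guest": [ip_network("192.168.20.0/24")],
}
SMART_TV = "192.168.20.10"
THERMOMETER = "192.168.20.20"
PHONE = "192.168.1.50"
SOME_INTERNET_HOST = "203.0.113.5"   # documentation range, stands in for "the internet"


def zone_of(ip):
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # zone name, "internet", "any", or one IP
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    desc: str = ""


def _endpoint_matches(selector, ip):
    if selector == "any":
        return True
    if selector in ZONES or selector == "internet":
        return zone_of(ip) == selector
    return ip_address(selector) == ip_address(ip)


def matches(rule, flow):
    src, dst, dport = flow
    return (_endpoint_matches(rule.src, src)
            and _endpoint_matches(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, flow):
    """First match wins; anything unmatched is blocked (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.desc
    return "block", "default deny"


def rules_in_post_order():
    """The block rules first, then the allows, in the order the steps add them."""
    return [
        Rule("block", "guest", "lan", desc="block guest -> main network"),
        Rule("block", "guest", "internet", desc="block guest -> internet"),
        Rule("block", "internet", "guest", desc="block internet -> guest"),
        Rule("pass", SMART_TV, "internet", 443, desc="smart TV -> internet"),
        Rule("pass", PHONE, THERMOMETER, desc="phone -> thermometer"),
    ]


def rules_allow_first():
    """Same rules, with the specific allows moved above the broad blocks."""
    rules = rules_in_post_order()
    return [r for r in rules if r.action == "pass"] + [r for r in rules if r.action == "block"]


# What we want the policy to do: (src, dst, dst_port) -> expected verdict.
EXPECTED = [
    ((SMART_TV, SOME_INTERNET_HOST, 443), "pass"),
    ((THERMOMETER, SOME_INTERNET_HOST, 443), "block"),
    ((SMART_TV, PHONE, 445), "block"),
    ((PHONE, THERMOMETER, 8080), "pass"),
    ((SOME_INTERNET_HOST, SMART_TV, 22), "block"),
]


def failing_expectations(rules, expected=EXPECTED):
    """Every (flow, wanted, got, matched_rule) where the ruleset disagrees."""
    failures = []
    for flow, wanted in expected:
        got, why = evaluate(rules, flow)
        if got != wanted:
            failures.append((flow, wanted, got, why))
    return failures


if __name__ == "__main__":
    for label, rules in (("post order", rules_in_post_order()), ("allows first", rules_allow_first())):
        print(label, "->", failing_expectations(rules) or "all expectations met")
```

Keeping the expectation list next to the rule set is the useful habit: every time a device gains a rule, add the flow it needs and one flow it must not have, and rerun. A failure names the rule that actually matched, which is the thing that is hard to see in a long list of allows and blocks.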
The goal we want to achieve is a usable yet secure network for our IoT devices. It makes zero sense if our network is so locked down that it becomes unusable. Likewise, it’s extremely unwise to leave our network so open that we are sitting targets. What we want to accomplish is isolating our IoT devices to the greatest extent possible while still allowing connectivity for services that WE control and identify. You should assume that your IoT devices are open doors to the outside digital universe and act accordingly.