Ask HN: Guide for securing home network with smart devices?
My parents have recently moved into an apartment in NYC with a number of smart devices that came with the apartment: thermostats, light bulbs, et cetera.
Given the tenuous security of IoT devices, are there guides or resources that you'd recommend for securing and configuring one's home WiFi so that this doesn't become a Mirai-botnet-style problem?
1 comment
[ 2.0 ms ] story [ 19.6 ms ] threadI suggest you begin with the network itself, and look at the different fault points that exist or could be easily introduced. There are three basic components - the IoT smart devices, the computer(s) used to browse the internet and the networking equipment (specifically the gateway/router, but also separate access points and switches if you happen to have those).
Let's first outline reasonable security goals:
1) reduce the likelihood of one IoT device compromise leading to compromise in any other single IoT device,
2) reduce the likelihood of one IoT device compromise leading to compromise in your network itself (gateway/router)
3) reduce the likelihood of one IoT device compromise leading to compromise in your computer(1)
Now we can proceed:
1) Set up a separate VLAN for IoT devices so that they cannot interact with the other fault points on your network (your computers).
2) Assign a statically mapped subnet address to each device.
3) Set a firewall policy so that no device can see any other device on the network by default.
4) Set a firewall policy that drops all traffic on this network by default.
5) Now we'll sort the devices by required privilege. For devices like the Amazon Echo, Google Home, Control4, URC, etc that need to control many other devices, allow traffic from their IPs to proceed to the devices they need to control.
6) If you can figure out exactly which ports the devices use to send and receive requests, further lock them down.
7) Set a firewall policy that drops all outbound traffic from the IoT VLAN by default. For each device, set a specific policy that allows traffic for it to pass through only to specific hosts (i.e. Hue lights to Hue hosts). Nest cameras don't need to send traffic anywhere but Google's servers, for example.
8) Remove password-based SSH authentication into your router and set a firewall policy that only allows SSH login from a specific IP address that you control (such as a $5/month VPS).
9) So that you don't shoot yourself in the foot with 8), set up daily backups of the router in case you lock yourself out of it and need to restore settings.
10) Set up your router so that it can only be locally managed from a specific subnet IP, which will be your main computer.
This is a reasonable start. All the other advice about how to secure your main computer still applies, because (as ever), that is a huge failure point.