Help locking down my IoT devices

Discussion in 'Asuswrt-Merlin' started by vw-kombi, Oct 19, 2018.

  1. vw-kombi

    vw-kombi Regular Contributor

    Joined:
    Apr 13, 2018
    Messages:
    71
    Hi Knowledgeable People.

    I have a number of IoT things on my network now - LIFX lights, Sonoff power devices, robot vac, IP cams, garage door opener etc. These all connect to the internet, and can be talked to from the internet too. There is a load of stuff in the media about security of these things - I don't know how much to believe.

    I have Skynet, Absolution etc., but I figured these IoT things could be locked down a bit more - as in not allow them to talk to anything on my LAN except what they need to - primarily, remove any way of talking to my Unraid server (where all my files are) and my main PC. Both of these have hardcoded IP addresses (192.168.1.7 and 192.168.1.10).

    I was hoping I could do something at the Merlin router level to not allow them to communicate, but maybe it is something that has to be done on the Unraid server / PC side instead?

    Thanks
     
    Vexira likes this.
  3. indark

    indark Regular Contributor

    Joined:
    Jan 17, 2014
    Messages:
    188
    Put them on guest wifi and disable access to intranet?
     
    agilani, SMS786 and ChatmanR like this.
  4. vw-kombi

    vw-kombi Regular Contributor

    Joined:
    Apr 13, 2018
    Messages:
    71
    Yep - I can do that for the ones that are close to the guest network. I was hoping to do it another way however and not enable the guest network - as I have three different routers, and also need to connect in the LAN from some of the iPhone apps that control these things.
     
  5. bitmonster

    bitmonster Regular Contributor

    Joined:
    Sep 26, 2018
    Messages:
    181
    Give them all static IP addresses and disable WAN access for each under the router device settings wherever that is.

    Never allow anything to be accessible from WAN. Use VPN only.

    See if you can put them all on a different subnet and maybe isolate that somehow. Next best thing to VLAN? If it worked it would break the apps though, so you may need to just live with it and block each device static IP individually where you can. It's a tough one.

    Yes, absolutely these things are a security risk, because security and updates cost money so it's the first thing to be cut out, as it does not affect sales until something shocking happens to trigger consumers to take an interest and therefore affect sales.

    So yes treat this consumer first gen stuff as security garbage and lock it all down good.

    At least until enough people have died for security to become an issue people care about.

    Sent from my SM-G965F using Tapatalk
     
  6. vw-kombi

    vw-kombi Regular Contributor

    Joined:
    Apr 13, 2018
    Messages:
    71
    hhmmmm - that is quite drastic and takes a load of the 'smartness' out of the smart home - at least until I get a proper LAN based system implemented.
    I currently have IFTTT recipes doing stuff based on if iPhones are home or not.
    Plus - garage door device (Garadget) is WAN connected - no option for local LAN operation.
    I can do the lights as LAN only - I don't really need to be able to power off/on remotely - but when for example I have automation that the last person leaves home, then a light gets turned on for the dog - that is IFTTT. Similarly, if the kids leave home, the power is cut to their rooms (as they always leave stuff on) - that is IFTTT also.

    I'm thinking I will just have firewall rules on all laptops/PCs to not allow anything to connect from all LAN ports, and Unix iptables rules on the Unraid server - that way, if something did sneak onto these smart devices, they could not connect to anything that has actual data on it.
     
  7. bitmonster

    bitmonster Regular Contributor

    Joined:
    Sep 26, 2018
    Messages:
    181
    Disable the garage WAN access. Wouldn't surprise me if a WAN enabled physical break-in voids insurance (no traditional evidence or something).

    Unless one is running a server, the only permissible WAN access should be VPN.

    Assign static IPs to all your devices and disable their WAN access via the router except for manual updates (ideally via file download so you never need to open them up).

    VPN will be fine.

    Perhaps assign all devices to a certain range and then block that on your storage or whatever.

    Absolutely you should treat this security garbage with caution.

    Remember Chinese law actually requires all Chinese companies to support intelligence gathering, IP theft etc.

    Smart TVs record audio etc.

    It's ridiculous.

    Just block all their WAN access and re-enable only what you need. In theory, just blocking WAN access should achieve a lot.

    Ensure AIProtect is enabled internally too.

    Just wait until enough people have died for government to take IoT security seriously and actually legislate for it.

    Until then assume there is no commercial benefit to security and basic updates so it will generally be ignored until regulations force them to lift their game.

    It's for this reason I will not trust autonomous cars until enough people have died from accident or intentional hacks for regulations to catch up either.

    Sent from my SM-G965F using Tapatalk
     
    Last edited: Oct 20, 2018
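The host-side lockdown that vw-kombi proposes in post 6 (iptables on the Unraid server) and the "park the devices in a range and block that range on the storage" idea from posts 5 and 7, as an added example that is not from the thread or from any poster. It assumes the IoT devices are pinned by DHCP reservation into a constructed range, 192.168.1.192/26, and that the script runs on the protected host (192.168.1.7 or 192.168.1.10); the chain name, range and the sample allow-list entry are all placeholders.

```shell
#!/bin/sh
# Host-side lockdown for the Unraid server / main PC: drop new connections
# arriving from the IoT address range, keep replies to connections this host
# opened itself, and log a sample of what was dropped.
# Assumptions (not from the thread): IoT gear lives in 192.168.1.192/26 via
# DHCP reservations; the range and the allow-list example are placeholders.

IOT_RANGE="${IOT_RANGE:-192.168.1.192/26}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them

iot_rules() {
    # Own chain, so the policy can be reloaded without touching other INPUT rules
    $IPT -N IOT_BLOCK 2>/dev/null || $IPT -F IOT_BLOCK
    # Replies to connections this host initiated (e.g. pulling a camera stream) still return
    $IPT -A IOT_BLOCK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rate-limited log line: a device that starts probing the file server shows up in syslog
    $IPT -A IOT_BLOCK -m limit --limit 6/min -j LOG --log-prefix "IOT_BLOCK: "
    $IPT -A IOT_BLOCK -j DROP
    # Hook the chain at the top of INPUT; delete first so reruns do not stack duplicates
    $IPT -D INPUT -s "$IOT_RANGE" -j IOT_BLOCK 2>/dev/null || true
    $IPT -I INPUT 1 -s "$IOT_RANGE" -j IOT_BLOCK
}

# Narrow exception for one device that genuinely needs one service on this host,
# e.g. a camera writing recordings to an SMB share: iot_allow 192.168.1.201 tcp 445
iot_allow() {
    $IPT -I IOT_BLOCK 1 -s "$1" -p "$2" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    apply) iot_rules ;;
    *)     echo "usage: $0 apply   (IPT=echo $0 apply previews the rules)" >&2 ;;
esac
```

Traffic between clients on the same LAN segment is bridged by the router rather than routed, so the router's FORWARD rules generally never see it; that is why this example sits on the hosts that hold the data rather than on the Merlin router.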