Following my thoughts on the botnet of things, and not trusting users with security, I was reading this post from Troy Hunt a couple of months back talking about not letting untrusted devices onto his home network, for much the same reasons. And it got me thinking about how such devices could be isolated enough to provide security without compromising other devices that you do trust.
I asked him the question in that post, but I wanted to repost it here to expand on the idea.
This is something I was thinking about with the new set of connected devices, smart lights, smart fridges, etc. What would it take for you to be able to trust a guest mode for friends and untrusted devices? (isolating them from each other)
- Craig Nicol
I’d love to be able to easily put my IoT things that don’t require any interactivity within my network into their own VLAN *and* joined via its own logical wifi network, not least because we’ve seen multiple attacks in the past where the IoT thing has exposed the credentials of the network (LIFX, iKettle).
- Troy Hunt
I don’t want to put words in Troy’s mouth, but my interpretation of the suggestion is to isolate devices, so that there are separate areas for untrusted and trusted devices. I’ve seen many companies introduce something similar: a trusted network for their own devices, accessible via Ethernet and pre-approved WiFi endpoints; a guest network for visitors and BYOD, isolated from network resources; and a VPN solution that lets trusted, authenticated users reach the trusted network.
The question I would have about this arrangement is whether the IoT devices need to share a VLAN in order to talk to each other, or to the devices that control them. Some such devices (Google’s Chromecast, or Amazon’s Fire TV stick, for example) require the control device, such as a smartphone, to be on the same network before they accept commands, as a proof of proximity, so they would need a VLAN arrangement that still lets that control device reach them. I do note, however, that the Chromecast has alternative means of proving proximity via audio or a PIN, so a shared VLAN may not be required for it.
If the VLAN can be written out of the equation, could each IoT device instead have its own access point, secured to that device alone? That is, the router admits exactly one device on that access point, identified by its MAC address and bound to one specified IPv6 address, and an admin console sets firewall rules that apply only to that device. Each device would then be able to phone home (either to the manufacturer’s site, or to a trusted local proxy for those devices that support one, and only over a secure channel) and nowhere else, no matter what firmware update is applied. One caveat: a MAC address identifies a device but does not authenticate it, since it can be changed in software, so it is the per-device WiFi credentials, not the MAC filter, that stop another device from taking that slot; the MAC and address binding is there to pin the firewall rules to the device that was admitted.
Each device then cannot compromise any other device on the network, and the endpoints it sends data to are under your control. Obviously, this does nothing to protect the data once it reaches the server (as in the VTech breach and plenty of other attacks), and it still relies on trusting the server not to compromise the device (as in the Nissan vulnerability), although both can be mitigated by isolating the device completely, if its connectivity can be temporarily or permanently disabled by a firewall change.
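To make the per-device policy concrete, here is an added example (my own illustration, not code from the original post or from any router product) that models the router just described: each device is pinned to one MAC address and one IPv6 address, may reach only its manufacturer endpoint over TLS, may not talk to other devices on the LAN at all, and can be cut off with a quarantine flag that stands in for the "firewall change" above. The device names, MAC addresses, addresses, endpoints and flows are all constructed for the example, using the IPv6 documentation prefix; the nftables text it renders is shown for reference and is not applied anywhere.

```python
"""Per-device egress policy for isolated IoT devices (illustrative only).

Constructed example: models a router that admits each IoT device on its own
access point, binds it to one MAC and one IPv6 address, allows egress only
to its phone-home endpoint over TLS, and can quarantine it with one flag.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed home prefix; 2001:db8::/32 is the IPv6 documentation range.
LAN = ip_network("2001:db8:1::/64")


@dataclass
class DevicePolicy:
    name: str
    mac: str
    address: str                # the only source address this MAC may use
    allowed: set                # {(destination_ip, tcp_port)} phone-home endpoints
    quarantined: bool = False   # the "firewall change" kill switch


@dataclass
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


def decide(policies, flow):
    """Return (verdict, reason) for one flow seen on the forwarding path."""
    by_mac = {p.mac.lower(): p for p in policies}
    policy = by_mac.get(flow.src_mac.lower())
    if policy is None:
        return "DROP", "unknown MAC"
    if ip_address(flow.src_ip) != ip_address(policy.address):
        return "DROP", f"source address does not match binding for {policy.name}"
    if policy.quarantined:
        return "DROP", f"{policy.name} is quarantined"
    if ip_address(flow.dst_ip) in LAN:
        return "DROP", f"{policy.name} may not talk to other LAN devices"
    if (flow.dst_ip, flow.dst_port) in policy.allowed:
        return "ACCEPT", f"{policy.name} phone-home endpoint"
    return "DROP", f"destination not on allow-list for {policy.name}"


def render_nft(policies):
    """Render the same policy as an nftables forward chain with default drop.

    Returned as text only; nothing here applies it to a live router.
    """
    lines = [
        "table inet iot {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for p in policies:
        if p.quarantined:
            lines.append(f"    # {p.name}: quarantined, no egress rule")
            continue
        for dst, port in sorted(p.allowed):
            lines.append(
                f"    ether saddr {p.mac} ip6 saddr {p.address} "
                f"ip6 daddr {dst} tcp dport {port} accept"
            )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed inventory: a kettle trusted to phone home, and a lamp that has
# been quarantined (for example after a suspicious firmware update).
POLICIES = [
    DevicePolicy("kettle", "aa:bb:cc:00:00:01", "2001:db8:1::10",
                 {("2001:db8:ffff::1", 443)}),
    DevicePolicy("lamp", "aa:bb:cc:00:00:02", "2001:db8:1::11",
                 {("2001:db8:ffff::2", 443)}, quarantined=True),
]

# Constructed flows exercising each branch of the policy.
FLOWS = [
    Flow("aa:bb:cc:00:00:01", "2001:db8:1::10", "2001:db8:ffff::1", 443),  # kettle -> vendor over TLS
    Flow("aa:bb:cc:00:00:01", "2001:db8:1::10", "2001:db8:ffff::1", 80),   # kettle -> vendor in plaintext
    Flow("aa:bb:cc:00:00:01", "2001:db8:1::10", "2001:db8:1::11", 80),     # kettle -> lamp (lateral move)
    Flow("aa:bb:cc:00:00:02", "2001:db8:1::10", "2001:db8:ffff::1", 443),  # lamp's MAC with kettle's address
    Flow("aa:bb:cc:00:00:02", "2001:db8:1::11", "2001:db8:ffff::2", 443),  # lamp -> its vendor, but quarantined
    Flow("aa:bb:cc:00:00:99", "2001:db8:1::12", "2001:db8:ffff::1", 443),  # MAC nobody registered
]


def verdicts(policies=POLICIES, flows=FLOWS):
    """Evaluate every flow; returns the list of verdict strings."""
    return [decide(policies, f)[0] for f in flows]


if __name__ == "__main__":
    for f in FLOWS:
        verdict, why = decide(POLICIES, f)
        print(f"{verdict:6} {f.src_ip} -> [{f.dst_ip}]:{f.dst_port}  ({why})")
    print(render_nft(POLICIES))
```

Only the first flow is accepted: the plaintext attempt to the same vendor, the lateral connection to the lamp, the address mismatch, the quarantined device and the unregistered MAC are all dropped. The rendered chain has a default drop policy, so a firmware update that tries a new destination simply never gets a rule; quarantining a device means omitting its rule rather than adding a block, which is the safer failure mode.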
Would you use a router that could isolate your devices in such a way?