In a world where we’re enjoying the convenience of IoT connectivity and everything from our heating system to our blender connects to the internet, security is often overlooked. Breaches can and do happen, but fortunately, there are steps you can take to make your network more secure.
More often than not, we hear about certain security issues connected with the Internet of Things (IoT). But do you know how severe these issues can potentially be? Working at a tech company and always surrounded by techy people, I had a general idea. However, digging deeper into this rabbit hole, I realized that the situation was worse than I expected.
But let’s back up. Internet of Things is a term used to describe a network of interrelated devices or other objects that can be connected to the Internet. It’s like a social network, but instead of connecting people, IoT connects various devices.
IoT solutions have the power to make our lives easier in a number of ways. However, it also comes with some inherent risks. To protect our home network, we first need to understand them. And to tackle these risks and make our home network as secure as possible, we suggest a simple IoT connectivity configuration you can use.
IoT connectivity – convenience comes at a price
An IoT device can be almost anything. A smart lighting system, kitchen appliances like air fryers or coffee machines, blinds, a TV, air conditioner, heating, security cameras, you name it. If it can connect to the internet, it’s IoT.
This wide range of IoT devices can be very beneficial in making your life easier. Decentralized smart heating combined with some automatizations can reduce your heating costs, and you get to wake up in the morning to a warm home. Smart lighting can reduce power consumption by automatically turning the lights on or off depending on room occupancy. Automatic shades can let the sun in the morning for your house plants to enjoy even when you are not at home.
Even a smart vacuum cleaner can give you some extra time in your busy life. It can clean your home while you’re at work, so you can spend more time with your loved ones once you get back.
All that is convenient, but when we start thinking about IoT security, the question is, what price are we willing to pay for the convenience of our connected devices?
Is it IoT? Smart devices and connectivity
Before we dig deep into security issues, we need to be on the same page about the types of devices we’re talking about. Any device that has a screen and/or can be automated to an extent is considered smart. For example, this would be a coffee machine equipped with a number of stored recipes, a lamp connected to a movement sensor, etc.
However, smart doesn’t necessarily mean IoT. For a device to be considered IoT, it needs to be connected to the internet – directly over WiFi or Ethernet, to an online server, or via a different device like a mobile phone using Bluetooth (usually BLE – Bluetooth Low Energy).
It is precisely for this reason that IoT connectivity may pose a security threat.
Security breaches don’t only happen to corporations
One of the most famous security breaches and the largest in history happened in 2016 when a DDoS attack was deployed from several unsecured IoT devices like cameras and DVR players. The attack, aimed at the DNS provider Dyn, brought down a large part of America’s internet for a couple of hours, including Twitter, Netflix, Reddit, and CNN.
However, attacks don’t only happen to large businesses; with millions of devices out in the world, regular users are just as exposed. A few years back, Amazon’s internet-connected doorbell Ring presented security issues that could allow attackers to breach a home network.
Cyber attacks are often made possible by simple cost cuts. IoT devices using cheaper components may be unable to execute firmware updates that could fix vulnerabilities. Some devices were even initially deployed with firmware that contained known vulnerabilities.
Another potential security risk in IoT connectivity arising from cost cuts is unsecured communication between the device and the vendor’s server. To secure a connection with standards like Transport Layer Security (TLS), vendors would need to use more powerful hardware, increasing the device price and likely reducing sales figures.
On the other hand, connected devices are not always the ones to blame. The majority of the attacks are deployed successfully because of improper password protection. Strong passwords are rarely used, and surveys find that over 50% of people reuse their passwords. Combined with unsecured IoT connectivity, and if the attacker deploys traffic sniffing, they can easily obtain a user’s password – an entry point to anything they own (e.g., social network, email, cloud drive…).
Home networks – often more breachable than not
Let’s see how this translates to our everyday, home-network level. Since I work in the tech industry, my first instinct was to ask fellow colleagues about their home network setup. I ran a small survey among IoT enthusiasts, and the results regarding IoT connectivity security were pretty much as expected.
Around 40% of respondents have some sort of a secured network on top of the service provider’s router. 30% use default ISP routers with network security configurations, and the remaining 30% do not secure their IoT network. If IT professionals don’t care about network security, we can assume that most “regular” users care even less.
One of the main issues here is that most people won’t use separate networks at home. The IoT devices are usually connected to the same home network as our personal devices – local data storage (e.g., Network Attached Storage – NAS), work computers, mobile devices, etc. The reason probably lies in the fact that most users will get some (generally cheap) router from the ISP (Internet Service Provider) that can not be configured in any way.
Moreover, many users tend to keep the default settings even when a better router is provided by the ISP, thus missing the chance to make their network more secure.
How to manage IoT connectivity in a secure way?
As a person who uses pretty much everything imaginable connected to the internet, like smart switches, lights, heating, cooling, air purifying, kitchen appliances, blinds, etc., I felt that at some point, my local network became more exposed, and I could quickly become a victim of an attack.
To secure our private data from breaches, we would need to do some network segmentation, i.e., separate the IoT traffic from the rest of the home traffic. That way, an IoT device will have access to the internet, but not to the other devices using the network.
To accomplish this, we have to use a router. Acting as our network’s “brain”, a router will help us separate those devices from everything else on our network.
Hardware limitations
Before we get into network configuration, we should note that the suggested course of action for secure IoT connectivity will not be possible on any router. Most routers provided by the ISP will be locked and therefore not so configurable. You may be able to create some firewall rules, but without proper network separation, that’s only half of the job, and your network won’t be as secure as it should be.
As we invest in smart home devices, we should also invest in the equipment that connects those devices to the network. It doesn’t have to be a major investment. Any router that can run DD-WRT or OpenWRT will do the trick. However, if you are prepared to invest more seriously into your home network, you’ll find some very powerful routers from well-known brands.
Network configuration
In this configuration, the idea is to separate your local network into a few smaller virtual networks. We can do this by “tagging” our local network traffic, so our router knows which device is responsible for the traffic.
Separating a local network with VLANs and tagging
VLAN is a virtual network created on top of our local network. When VLAN networks are employed, the traffic that enters our local network will have an assigned “ID”, a number that identifies one virtual network from another and, therefore, the traffic coming from one device from that of another.
1
Network tagging (create VLAN)
Let’s say we want to create three Virtual LANs. Let’s name the first one “Trusted”, and connect all of our personal devices (e.g., laptops, mobile phones, tablets, etc.). We can then assign it the ID (tag) 10 and set the local IP range of 192.168.10.X.
The next step is to create a new VLAN called “IoT”, and connect all the IoT devices (e.g., lights, TVs, heating) to it. Its ID will be 20, and we’ll set the range to 192.168.20.X.
And last but not least, we’ll create a “Guest” VLAN for all the guests that we want to share our network with. We’ll use the tag 30 and the range 192.168.30.X.
Disclaimer: the tag numbers used are arbitrary. You can use any number you want (e.g., 100, 200, 300, etc.). The IP ranges are also optional but can help to easily identify the devices on the network.
2
Assign VLAN to switch ports
Once we’ve created the virtual networks, we should assign them to the router’s switch ports or an additional switch. So, the “IoT” VLAN should be connected to all the ports an IoT device is connected to.
3
Assign VLAN to WiFi
The same applies to our wireless network. We have to create a new WiFi network, for example, “My Network IoT”, and we should assign the “IoT” VLAN network to it.
4
Connect devices to assigned networks
Connect all the devices to their appropriate switch ports or wireless networks, and we can move on to the next part of the configuration.
Creating a firewall for IoT devices
A firewall is a network security system that monitors and filters all incoming and outgoing traffic, based on some established security rules. When we employ a firewall for IoT devices, we create a barrier between our devices and our personal computer or NAS.
1
Allow trusted traffic
The first rule we create should allow all traffic from our “Trusted” VLAN to the “IoT” VLAN. That way, we can be connected to our smart home devices, but only in the direction from “my personal computer” to “my smart light”.
2
Block “IoT” (and other networks, e.g., “Guest”) traffic toward trusted devices
Next, we should block the traffic coming from the opposite direction. So, let’s create a few more rules!
This rule will block all traffic from the “IoT” VLAN to all the other VLANs (i.e., “Trusted” and “Guest”). That way, when my smart light tries to connect to my personal computer, the firewall for IoT devices will block (or drop) that traffic, and the light will not be able to access the computer.
The same approach should be used for other VLANs. In our example, that would mean adding a “Guest” network rule to block all traffic from the “Guest” VLAN to all the other VLANs.
3
Customize your setup (optional)
Following these steps, you’ll separate the traffic on your home network. However, if you want to play with your network a little more, you can fine-tune it any way that suits you. For example, we run our smart home assistant applications on a tablet. Even if we have blocked IoT devices’ communication with the rest of the network, we can allow communication only on specific ports. That way, the devices can communicate with the smart home assistants, while the tablet itself remains connected to the “Trusted” network.
Make your home smart, but be smart about security
In conclusion, we can safely assume that most devices on the market lack adequate security measures, especially within the context of IoT connectivity. Knowing that there are more IoT devices than people on this planet, chances are that we have at least one unsecured device in our homes.
If you have just a few devices, you are probably safe, and you should be fine applying some basic firewall rules on your ISP router. In this case, investing in your network can only be a bonus.
However, if you decide to make your home or office as smart as it can be, using many different IoT devices, you should consider investing in your home network. Not just the hardware, but also a better network configuration using VLANs and firewalls.
