
Hey everyone

I'm in the process of segregating my IoT smart home devices onto their own network. These are mostly the cheaper devices which I assume have less security behind them, like Sonoff smart switches, Broadlink Minis, B-hyve smart sprinklers, Kogan kettles etc., and because this network is only 2.4GHz, I've chucked my Ring doorbell camera on there as well. My question is, should I be including my Amazon Echos in this? I have presumed up to this point that they likely have better security than my cheaper devices, so I've let them sit on my main 5GHz network along with my laptop and phone, but should I be creating a separate 5GHz network purely for them to isolate them from the main network, or am I being a bit paranoid here?

Cheers

https://linustechtips.com/topic/1164009-network-iot-segregation/

2 minutes ago, Richywilson said:

Hey everyone

I'm in the process of segregating my IoT smart home devices onto their own network. These are mostly the cheaper devices which I assume have less security behind them, like Sonoff smart switches, Broadlink Minis, B-hyve smart sprinklers, Kogan kettles etc., and because this network is only 2.4GHz, I've chucked my Ring doorbell camera on there as well. My question is, should I be including my Amazon Echos in this? I have presumed up to this point that they likely have better security than my cheaper devices, so I've let them sit on my main 5GHz network along with my laptop and phone, but should I be creating a separate 5GHz network purely for them to isolate them from the main network, or am I being a bit paranoid here?

Cheers

You are not being paranoid. What router are you using? You can't just segregate a network by putting devices on different Wi-Fi frequencies; you need to make firewall rules that block access to the secure network from the IoT network.


2 minutes ago, mtz_federico said:

You are not being paranoid. What router are you using? You can't just segregate a network by putting devices on different Wi-Fi frequencies; you need to make firewall rules that block access to the secure network from the IoT network.

I'm using a UniFi setup, following the below tutorial. So do you reckon I should isolate the Amazon Echos as well? I also have a Fire Cube connected via Ethernet, which I don't think is possible to segregate, or if that's needed.

 


A number of vulnerabilities have been discovered in the Amazon Echo products. It's even been found some can be hacked by pointing a laser at them. I would treat them as no more secure than other IoT devices.


1 minute ago, Richywilson said:

I'm using a UniFi setup, following the below tutorial. So do you reckon I should isolate the Amazon Echos as well? I also have a Fire Cube connected via Ethernet, which I don't think is possible to segregate, or if that's needed.

 

I would isolate the Echos; just keep in mind that if the Echos have to access something on the network (i.e. smart plugs, etc.), those devices need to be in the same network or there has to be a firewall rule to allow them. You could isolate the Fire Cube if the switch that it is connected to supports VLANs.
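To make the two points in these replies concrete (a second SSID on its own band separates nothing unless it maps to its own subnet with rules between them, and an Echo that has to reach something outside its VLAN needs an explicit allow rule placed correctly), here is an added example that models a router's inter-VLAN rule chain in Python. It is not from the thread and not a UniFi configuration; the subnets, the host addresses, the hub on port 8123 and the rule names are constructed assumptions, and the semantics (rules evaluated top to bottom, first match wins, unmatched inter-VLAN traffic allowed) are the usual default on consumer and UniFi gateways.

```python
"""Toy model of the inter-VLAN firewall policy behind an IoT network.

Added example, not from the thread. Subnets, hosts and rules are
constructed assumptions. The rule semantics mirror a typical LAN-IN
chain: evaluated top to bottom, first match wins, unmatched traffic
allowed. Two points are modelled: traffic inside one subnet is switched
and never reaches the firewall, and the position of the
'established/related' and 'allow hub' rules relative to the catch-all
drop decides whether the policy actually works.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

# Constructed addressing: one VLAN per role.
MAIN = ip_network("192.168.1.0/24")   # laptops, phones
IOT = ip_network("192.168.20.0/24")   # Echo, plugs, doorbell, Fire devices

LAPTOP = "192.168.1.20"
HUB = "192.168.1.30"          # hypothetical automation hub on the main LAN
ECHO = "192.168.20.10"
SMART_PLUG = "192.168.20.50"  # same VLAN as the Echo, so no rule is needed


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "accept" or "drop"
    src: Optional[IPv4Network] = None   # None matches any source
    dst: Optional[IPv4Network] = None   # None matches any destination
    dport: Optional[int] = None         # None matches any port
    established_only: bool = False      # match only replies to existing flows


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False


def crosses_router(flow: Flow) -> bool:
    """Same-subnet traffic is switched at L2 and never hits LAN-IN rules."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return not any(s in net and d in net for net in (MAIN, IOT))


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.established_only and not flow.established:
        return False
    if rule.src is not None and ip_address(flow.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(flow.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: Iterable[Rule], flow: Flow) -> str:
    """First matching rule decides; unmatched inter-VLAN traffic is allowed."""
    if not crosses_router(flow):
        return "switched (no firewall rule applies)"
    for rule in rules:
        if matches(rule, flow):
            return f"{rule.action} ({rule.name})"
    return "accept (default)"


ALLOW_ESTABLISHED = Rule("allow established/related", "accept", established_only=True)
ALLOW_IOT_TO_HUB = Rule("allow IoT to hub", "accept", src=IOT,
                        dst=ip_network(HUB + "/32"), dport=8123)
DROP_IOT_TO_MAIN = Rule("drop IoT to main", "drop", src=IOT, dst=MAIN)

# Correct order: replies and the one deliberate exception sit above the drop.
POLICY = [ALLOW_ESTABLISHED, ALLOW_IOT_TO_HUB, DROP_IOT_TO_MAIN]
# Common mistake: the catch-all drop placed first shadows everything below it.
MISORDERED = [DROP_IOT_TO_MAIN, ALLOW_ESTABLISHED, ALLOW_IOT_TO_HUB]


if __name__ == "__main__":
    cases = [
        ("two SSIDs, one subnet", POLICY, Flow("192.168.1.77", LAPTOP, 445)),
        ("Echo -> laptop", POLICY, Flow(ECHO, LAPTOP, 445)),
        ("laptop -> Echo", POLICY, Flow(LAPTOP, ECHO, 443)),
        ("reply Echo -> laptop", POLICY, Flow(ECHO, LAPTOP, 51000, established=True)),
        ("Echo -> hub:8123", POLICY, Flow(ECHO, HUB, 8123)),
        ("Echo -> hub:22", POLICY, Flow(ECHO, HUB, 22)),
        ("Echo -> plug (same VLAN)", POLICY, Flow(ECHO, SMART_PLUG, 80)),
        ("reply, misordered rules", MISORDERED, Flow(ECHO, LAPTOP, 51000, established=True)),
    ]
    for label, rules, flow in cases:
        print(f"{label:26} {flow.src:>14} -> {flow.dst:<14}:{flow.dport:<5} {evaluate(rules, flow)}")
```

Running it shows that an Echo on a second SSID bridged to the same subnet is simply switched to the laptop with no rule consulted, that Echo-to-plug traffic inside the IoT VLAN needs no rule at all, that the hub exception only opens the one port it names, and that placing the catch-all drop above the established/related rule silently breaks replies to connections the laptop itself opened. On UniFi this is the order of the LAN-IN rules; the same logic applies to any zone-based firewall.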


2 minutes ago, Windows7ge said:

A number of vulnerabilities have been discovered in the Amazon Echo products. It's even been found some can be hacked by pointing a laser at them. I would treat them as no more secure than other IoT devices.

Damn, I did not know about that. Does that extend to LAN Amazon products like the Cube?

3 minutes ago, mtz_federico said:

I would isolate the Echos; just keep in mind that if the Echos have to access something on the network (i.e. smart plugs, etc.), those devices need to be in the same network or there has to be a firewall rule to allow them. You could isolate the Fire Cube if the switch that it is connected to supports VLANs.

Sweet, sounds like chucking them on the IoT network will do the trick. I also have a phone that I can't give updates to, because the latest updates disable a feature on the phone I use, which I presume makes the phone more of a security risk. As a result, would you recommend chucking this onto the segregated IoT network as well? Currently it's on its own.


1 minute ago, Richywilson said:

Damn, I did not know about that. Does that extend to LAN Amazon products like the Cube?

Sweet, sounds like chucking them on the IoT network will do the trick. I also have a phone that I can't give updates to, because the latest updates disable a feature on the phone I use, which I presume makes the phone more of a security risk. As a result, would you recommend chucking this onto the segregated IoT network as well? Currently it's on its own.

I would put all Amazon devices in an IoT LAN. Sure, putting the phone on the IoT network can't hurt.


1 minute ago, mtz_federico said:

I would put all Amazon devices in an IoT LAN. Sure, putting the phone on the IoT network can't hurt.

Sweet, and last but not least. I currently have smart plugs in my room (about 20m from the AC Pro) which are hidden under my bed and thus only receive roughly 60-70% signal strength. I've been thinking about using the wireless uplink feature to put an AC Lite at a location in my room to get a better signal to them. I understand this will have a speed impact because it's effectively like a mesh, but would that have a speed impact when connecting to the AC Pro as well, or just the AC Lite? Or am I going a bit overboard considering they do still get a connection? I've been weighing that up for a few months.


1 minute ago, Richywilson said:

Sweet, and last but not least. I currently have smart plugs in my room (about 20m from the AC Pro) which are hidden under my bed and thus only receive roughly 60-70% signal strength. I've been thinking about using the wireless uplink feature to put an AC Lite at a location in my room to get a better signal to them. I understand this will have a speed impact because it's effectively like a mesh, but would that have a speed impact when connecting to the AC Pro as well, or just the AC Lite? Or am I going a bit overboard considering they do still get a connection? I've been weighing that up for a few months.

If you are not having any signal or speed issues then you shouldn't, since it could have a speed impact.


6 minutes ago, Richywilson said:

Damn, I did not know about that. Does that extend to LAN Amazon products like the Cube?

It appears to be an exploit specific to the microphone. So if the Cube accepts vocal input then I see no reason it'd be an exception. In the below video he doesn't actually get it to work, but the threat is very real.

There's also the matter that some appliances with the Amazon Echo use UPnP, which is basically a way around port-forwarding and can cause these devices to be harbored for nefarious purposes. Just another reason to limit its network access.
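As a defender-side check for the UPnP point above: the discovery half of UPnP is SSDP, and a gateway that still offers port mapping answers an M-SEARCH for the InternetGatewayDevice URN. The following Python is an added example, not from the thread; it builds the standard M-SEARCH, parses replies, and flags those advertising an IGD or WAN*Connection service. The two sample replies are constructed, the device UUIDs, addresses and SERVER strings in them are placeholders, and discover() assumes a host with multicast reachable on the LAN it is plugged into.

```python
"""Audit check: does anything on the LAN still answer UPnP IGD discovery?

Added example, not from the thread. SSDP is a plain-text, HTTP-like
protocol over UDP 1900: a client multicasts an M-SEARCH and every UPnP
device replies with a 200 OK carrying ST, USN, LOCATION and SERVER
headers. A reply whose ST or USN names an InternetGatewayDevice or a
WAN*Connection service is a device offering the port-mapping service
the post describes. The sample replies below are constructed.
"""
import socket
from typing import Dict, List

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_SEARCH_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
PORT_MAPPING_URNS = (
    "urn:schemas-upnp-org:device:InternetGatewayDevice:",
    "urn:schemas-upnp-org:service:WANIPConnection:",
    "urn:schemas-upnp-org:service:WANPPPConnection:",
)

# Standard SSDP search request for IGD devices (MX = seconds devices may delay).
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    f"ST: {IGD_SEARCH_TARGET}\r\n"
    "\r\n"
).encode()


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse the status line and headers of one SSDP reply (keys lower-cased)."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        if ":" not in line:
            continue                   # tolerate malformed lines
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def offers_port_mapping(headers: Dict[str, str]) -> bool:
    """True if the reply advertises an IGD device or a WAN*Connection service."""
    advertised = headers.get("st", "") + " " + headers.get("usn", "")
    return any(urn in advertised for urn in PORT_MAPPING_URNS)


def discover(timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect replies until the timeout (needs a LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH, SSDP_ADDR)
    found = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            headers["_from"] = ip
            found.append(headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply, shaped like a gateway with UPnP enabled.
SAMPLE_IGD_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n"
    b"SERVER: PLACEHOLDER-OS/1.0 UPnP/1.1 PLACEHOLDER-IGD/1.0\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"\r\n"
)

# Constructed reply from a media renderer: UPnP, but not a port-mapping service.
SAMPLE_RENDERER_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000002::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"LOCATION: http://192.168.20.10:8060/desc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for reply in discover():
        flag = "PORT-MAPPING" if offers_port_mapping(reply) else "other"
        print(f"{reply['_from']:15} {flag:13} {reply.get('server', '?')}")
```

Run it from a client on the IoT VLAN after turning UPnP off on the gateway: a PORT-MAPPING line means something on that segment is still offering to open inbound ports on request, and the LOCATION header tells you which host. Nothing here changes any mapping; it only asks who is advertising the service.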


15 minutes ago, Windows7ge said:

It appears to be an exploit specific to the microphone. So if the Cube accepts vocal input then I see no reason it'd be an exception. In the below video he doesn't actually get it to work, but the threat is very real.

There's also the matter that some appliances with the Amazon Echo use UPnP, which is basically a way around port-forwarding and can cause these devices to be harbored for nefarious purposes. Just another reason to limit its network access.

Damn, is this unique to Echo devices or do you think it would apply to things like the Fire Tablet as well?

 

19 minutes ago, mtz_federico said:

If you are not having any signal or speed issues then you shouldn't, since it could have a speed impact.

They don't really need speed as they're just smart switches, but with the signal dropping to 60% at times, it's a lot lower than everything else. They did drop off to 0% a few times last night, but I had just rebuilt the network so I'm assuming that was just because everything was newly set up. My previous setup (before I lost everything because I forgot to back it up and did a system reset of my PC) seemed to be pretty solid. The downside of using the software controller.


3 minutes ago, Richywilson said:

They don't really need speed as they're just smart switches, but with the signal dropping to 60% at times, it's a lot lower than everything else. They did drop off to 0% a few times last night, but I had just rebuilt the network so I'm assuming that was just because everything was newly set up. My previous setup (before I lost everything because I forgot to back it up and did a system reset of my PC) seemed to be pretty solid. The downside of using the software controller.

You could do it, but if possible connect another AP via Ethernet.


4 minutes ago, mtz_federico said:

You could do it, but if possible connect another AP via Ethernet.

Sadly there's no way to get an Ethernet cable into this room without drilling. What are your thoughts on Fire Tablets, segregated or fine on the main WAN?


9 minutes ago, Richywilson said:

Damn, is this unique to Echo devices or do you think it would apply to things like the Fire Tablet as well?

I would imagine the potential is there for any device that has a microphone that accepts user vocal commands and has laser line-of-sight.


10 hours ago, Windows7ge said:

I would imagine the potential is there for any device that has a microphone that accepts user vocal commands and has laser line-of-sight.

Only if you have wake commands active though.

Honestly, I wouldn't want to use smart devices for anything sensitive anyway. I turn off purchasing on my Echo Show and wouldn't dream of using it to open doors, etc. Just how often it picks up the TV or something else I said as something completely random makes it rather unsafe for anything that could cause a security issue.

I think it's insane that anyone would consider using a cloud service to open their doors, let alone a voice control system, like they show in the laser exploit videos.

