
Does having devices connected via WiFi but blocking them from the internet itself improve security?

Krisp-kiwi

Hey everyone,

 

I've dived into the smart home market, which has increased the risk to my home network. As such, I've done what I can by isolating the IoT devices on their own VLAN and separating them from my personal devices that way. However, during an internet outage I noticed many of the devices I own still worked, and upon taking a closer look, things like my smart plugs etc. have local keys in order to get them working offline as well. I was wondering if blocking internet access to these devices improved security, since they'd still technically be connected to my home network via their WiFi connection. Should I take this step or am I wasting my time?


I don't know if it would definitely increase security, but one less access point is always a plus. Besides, since they're already on their own VLAN, it shouldn't be too hard to block that VLAN from accessing the greater web, so it's not like you'd be wasting 4 hours trying to set that up (hopefully). I wouldn't put it at the top of your list of things to do, but if you have some free time on a day off or something, it might be worth trying to do. 


1 hour ago, RONOTHAN## said:

I don't know if it would definitely increase security, but one less access point is always a plus. Besides, since they're already on their own VLAN, it shouldn't be too hard to block that VLAN from accessing the greater web, so it's not like you'd be wasting 4 hours trying to set that up (hopefully). I wouldn't put it at the top of your list of things to do, but if you have some free time on a day off or something, it might be worth trying to do. 

Yeah, my main thought was for the products that are quite cheap, sensors etc., some bought from places like AliExpress. I'd be willing to bet those companies don't invest too much into their cyber security, so if I take them offline, that's fewer paths back into my IoT network.


I would disable the internet and see what breaks. You could also do some monitoring to see what they are accessing. The easiest way to do it (but not the best) is to use something like Pi-hole and monitor the DNS queries.

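The post above suggests watching the DNS queries the IoT devices make before deciding what to block. As an added example, not code from the thread or from Pi-hole, here is a small POSIX shell/awk filter that reads Pi-hole's dnsmasq-style query log and counts which names each client in the IoT VLAN looks up. The log lines, the IoT prefix 192.168.20. and the laptop at 192.168.1.10 are constructed for the example; the log path in the comment is the usual Pi-hole location and is an assumption about your install.

```shell
#!/bin/sh
# Constructed sample lines in the dnsmasq query-log format that Pi-hole writes
# (not real traffic); 192.168.20.0/24 is the assumed IoT VLAN, 192.168.1.10 a laptop.
SAMPLE_LOG='Mar  3 10:15:02 dnsmasq[1234]: query[A] api.example-plug.invalid from 192.168.20.31
Mar  3 10:15:02 dnsmasq[1234]: forwarded api.example-plug.invalid to 1.1.1.1
Mar  3 10:15:07 dnsmasq[1234]: query[A] time.cloudflare.com from 192.168.20.31
Mar  3 10:15:09 dnsmasq[1234]: query[AAAA] api.example-plug.invalid from 192.168.20.31
Mar  3 10:16:00 dnsmasq[1234]: query[A] updates.example-cam.invalid from 192.168.20.44
Mar  3 10:16:30 dnsmasq[1234]: query[A] laptop-sync.example.org from 192.168.1.10
Mar  3 10:17:01 dnsmasq[1234]: query[A] api.example-plug.invalid from 192.168.20.31'

# Summarise which names each IoT client looks up.
# $1 = address prefix of the IoT VLAN (e.g. 192.168.20.), log lines on stdin.
# Only "query[...]" lines count; "forwarded"/"reply" lines and other subnets are skipped.
# Fields: $5 = query type, $6 = queried name, $8 = client address.
# Output: "client domain count", busiest pair first.
iot_dns_summary() {
    awk -v p="$1" '
        $5 ~ /^query\[/ && index($8, p) == 1 { n[$8 " " $6]++ }
        END { for (k in n) print k, n[k] }
    ' | sort -k3,3nr -k1,1
}

# Stand-alone run over the constructed sample; on a Pi-hole host you would
# feed it the real log instead, e.g.  iot_dns_summary 192.168.20. < /var/log/pihole.log
printf '%s\n' "$SAMPLE_LOG" | iot_dns_summary 192.168.20.
```

Run it for a day or two before blocking anything and the output becomes the allow list for the devices that genuinely need a cloud endpoint. It only sees names resolved through Pi-hole: a device that talks to a hard-coded IP address or its own DNS-over-HTTPS resolver never appears here, which is the "not the best" part; a firewall log on the VLAN catches those.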

7 hours ago, mtz_federico said:

I would disable the internet and see what breaks. You could also do some monitoring to see what they are accessing. The easiest way to do it (but not the best) is to use something like Pi-hole and monitor the DNS queries.

Yeah, the only things I saw that broke were my Amazon Alexas, Ring doorbell, Wyze cameras & outside sprinkler. All the plugs, Broadlinks, Hue lights etc. appear to be able to run without an internet connection.

 


4 hours ago, Krisp-kiwi said:

Yeah, the only things I saw that broke were my Amazon Alexas, Ring doorbell, Wyze cameras & outside sprinkler. All the plugs, Broadlinks, Hue lights etc. appear to be able to run without an internet connection.

 

The first two are kinda obvious: Alexa sends all speech it hears after the trigger word to Amazon to translate, and Ring is all online-driven. Alexa actually annoys me, as my Echo Show 5 doesn't reconnect if my Internet goes down without me disconnecting and reconnecting it to WiFi.

I was really annoyed LIFX disabled their LAN support; they HAVE to be online and it's frequently unreliable. I really shouldn't need to be online to turn my lights on and off, although I do mostly use Alexa for it, so I guess I'd be doing so anyway. But years down the line, when many of these IoT services are taken offline, it just becomes e-waste because they won't work any more.

I'd use Hue but AFAIK they don't have the same light output.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


1 hour ago, Alex Atkin UK said:

The first two are kinda obvious: Alexa sends all speech it hears after the trigger word to Amazon to translate, and Ring is all online-driven. Alexa actually annoys me, as my Echo Show 5 doesn't reconnect if my Internet goes down without me disconnecting and reconnecting it to WiFi.

I was really annoyed LIFX disabled their LAN support; they HAVE to be online and it's frequently unreliable. I really shouldn't need to be online to turn my lights on and off, although I do mostly use Alexa for it, so I guess I'd be doing so anyway. But years down the line, when many of these IoT services are taken offline, it just becomes e-waste because they won't work any more.

I'd use Hue but AFAIK they don't have the same light output.

Yeah, I expected the Alexas and Ring doorbell to go down. Shame the Xiaomi vacuum doesn't appear to have a local key, or at least not one I could find, but I'm currently in the process of moving the plugs & Broadlinks over to a different network, and then I'll block that network from everything but my Home Assistant IP.

 

I've weighed up the pros and cons of doing this:

Pros:
Offline access
No longer vulnerable to overseas company decisions
Still works with Home Assistant & Alexa
Local only means no remote hacking

Cons:
Updates require temporary deactivation of the firewall if I choose to make them local only
Nabu Casa integration costs a few dollars a month for Home Assistant cloud integration if wanting to control outside of my network (there are workarounds)
Devices require Home Assistant to be up and running to function. Workaround: enable the IoT network to access the internet if this occurs.

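The post above describes the target policy: the IoT network may reach the Home Assistant IP and nothing else, and the firewall has to be relaxed briefly for firmware updates. As an added example, not configuration from the thread or from any of the products named in it, here is a POSIX shell script that generates an nftables ruleset implementing that policy on a Linux router (it is not pfSense syntax). Interface names vlan20 and wan0, the IoT subnet 192.168.20.0/24, the Home Assistant address 192.168.1.5 and the resolver address 192.168.1.2 are all assumptions and are overridable through environment variables. Instead of disabling the firewall for updates, the script takes an argument that opens only web egress from the IoT subnet, so the main LAN stays blocked during the update window.

```shell
#!/bin/sh
# Assumed topology (not from the thread): a Linux router running nftables,
# IoT VLAN on vlan20 / 192.168.20.0/24, upstream on wan0, Home Assistant at
# 192.168.1.5 and a Pi-hole resolver at 192.168.1.2 on the main LAN.
IOT_IF="${IOT_IF:-vlan20}"
IOT_NET="${IOT_NET:-192.168.20.0/24}"
WAN_IF="${WAN_IF:-wan0}"
HA_IP="${HA_IP:-192.168.1.5}"
DNS_IP="${DNS_IP:-192.168.1.2}"

# Print an nftables ruleset for the IoT VLAN.
# $1 = 1 to open an update window (IoT may reach the WAN on 80/443), anything else = closed.
# DHCP/DNS/NTP served by the router itself go through the input chain, not forward,
# so this ruleset does not affect them.
iot_ruleset() {
    updates="${1:-0}"
    cat <<EOF
table inet iot_policy {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Replies to connections that an earlier rule already allowed
        ct state established,related accept
        iifname "$IOT_IF" jump iot_out
        oifname "$IOT_IF" jump iot_in
    }
    chain iot_out {
        # What IoT devices may initiate: Home Assistant, and the local resolver
        ip daddr $HA_IP accept
        ip daddr $DNS_IP udp dport 53 accept
        ip daddr $DNS_IP tcp dport 53 accept
EOF
    if [ "$updates" = "1" ]; then
        cat <<EOF
        # Update window: web egress only; reload without the argument when done
        ip saddr $IOT_NET oifname "$WAN_IF" tcp dport { 80, 443 } accept
EOF
    fi
    cat <<EOF
        # Everything else, WAN and main LAN alike, is logged and dropped
        log prefix "iot-out-drop: " drop
    }
    chain iot_in {
        # Only Home Assistant may initiate connections toward IoT devices
        ip saddr $HA_IP accept
        log prefix "iot-in-drop: " drop
    }
}
EOF
}

# Load (or reload) just this table atomically.  Usage: apply_iot_policy [1]
apply_iot_policy() {
    {
        printf 'table inet iot_policy\nflush table inet iot_policy\n'
        iot_ruleset "$1"
    } | nft -f -
}

# Stand-alone run prints the ruleset; pass 1 to see the update-window variant.
iot_ruleset "${1:-0}"
```

The two `log prefix` rules are the companion to DNS monitoring: anything a device tries that is not on the allow list shows up in the kernel log with the source address, which is how you find a plug that phones home to a hard-coded IP rather than a name. The `ct state established,related` rule is what lets Home Assistant's polling get answers back and lets a device's update download complete once the window rule allowed the outbound connection.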

What I've done is just put the IoT devices on their own LAN, so even if they got hacked they can't then hack into anything on the main network.


