In the age of self-hosting and the home lab, the Internet of Things (IoT) continues to play a vital role in providing data from thermostats to security cameras. These products offer unparalleled convenience, but often come at the cost of security. Your home could become a potential entry point for malware, data breaches, and more, all thanks to those seemingly innocent smart home devices that are set up and connected to the network. Thankfully, there are a few ways you can safeguard your home network from potential attack.
Segmenting your home network is great for keeping not only the network itself safe, but also everything connected to it. This includes your desktop computer, smartphone, tablet, refrigerator, and network-attached storage (NAS). Creating a barrier between IoT hardware and the rest of your network helps prevent a compromised device from acting as a gateway to the wider local area network (LAN). If that segment is also configured so IoT hardware can’t communicate with the outside world, the chance of a device being compromised in the first place drops as well. This is the approach I took, utilizing the power of Home Assistant.
I’ve deployed virtual LANs (VLANs), enabled demilitarized zones (DMZs), and completely segmented my network to protect against rogue IoT devices, and here are some tips I’d like to share to help keep your LAN safe.
Segment the network with VLANs
Keep everything separated
Step one is to create a VLAN for IoT equipment. This should be the first task you complete when installing any IoT hardware at home. It’s the most effective way of protecting your home not only from potentially vulnerable IoT devices, but also from weaknesses in your wireless layer. Should someone manage to break into your wireless network, they’ll have access to everything, just as if they were physically connected to your router or network switch. That’s where VLANs come into play, and they’re supported by many router brands.
Virtual LANs can be formed for trusted hardware (computers, phones, consoles), IoT devices (smart plugs, cameras, TVs), guests/untrusted clients, and sensitive infrastructure (servers, NAS). And if your ISP-supplied router doesn’t support VLANs, why not create your own network firewall with OPNsense? It’s fun, you learn something new, and it’ll help protect your home with even more control over security and privacy. But what if you don’t have a router with VLANs and don’t wish to build a custom router? Consider activating guest Wi-Fi and throwing all your IoT devices on there.
Use strong passwords
This one is painfully obvious
Look, there are some of you out there still using “password” and “password123” for network-connected hardware credentials. This includes devices that can connect to the internet. That’s a recipe for disaster on a PC, and it’s no different with IoT devices. Many of these products can communicate with external services and often offer (or sometimes outright require) an account to be created and logged in. Using strong passwords for all your accounts is a good idea, as we covered throughout World Password Week here at XDA.
Don’t leave default credentials set, even if they’re only available on the local network. Devices can come rocking an admin account with the exceptionally secure password “admin.” Change these immediately, even if you don’t plan on opening these products up to the outside world. Should someone breach your network through other means, using insecure passwords can only extend their reach. Better still, use password managers like Bitwarden to store credentials. You can even self-host one yourself!
You may not get alerted
Not all IoT-enabled hardware will automatically check for, notify you of, or install software updates. If you can remotely access these devices, check to see if an update is available through the vendor’s official software or through API access from Home Assistant. Newer software releases help bolster security by applying vulnerability patches. It can be easy to leave IoT devices running on older firmware, especially when they’re out of sight and out of mind, but it’s vital you keep all connected devices running their latest software releases. Enable automatic updates if the device supports them.
If you haven’t heard of it, the Mirai botnet managed to exploit old, out-of-date webcams. Your security cameras or some other device could become the next target if left running outdated firmware.
Monitor network traffic
Keep tabs on what’s live
There’s little point in setting up your advanced home network with IoT devices, smart home automation, and other technology if it’s not adequately monitored. Consider using a custom firewall or at least a branded solution that offers more advanced capabilities than your standard router. That said, even some basic routers will allow for some form of network monitoring. Ensure your hardware and software firewalls are configured to allow only the traffic that should legitimately pass between clients, and to log or block the rest.
With firewall rules configured, you can easily block IoT hardware from communicating outside without your knowledge. It can also help prevent your network from being used as a node in a botnet or some other malicious scenario. I always reserve IP addresses for clients on the DHCP server, which ensures each device gets the same IP even if its software changes or it needs to be reset. This way, I don’t have to worry about a device being assigned a new IP and slipping past rules written for the old one.
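As an added example (not from the article or any vendor), here is what the segmentation described in the VLAN section and the egress blocking described above look like as an nftables ruleset on a Linux-based home router. The interface names, subnets, the Home Assistant address, and the choice of MQTT (1883) and Home Assistant (8123) as the only permitted ports are assumptions for illustration; NAT for the WAN side and the router’s own input chain (DHCP/DNS served to clients) are left out.

```nft
# Assumed layout (not from the article):
#   eth0       WAN (upstream)
#   eth1.10    trusted VLAN  192.168.10.0/24  (PCs, phones)
#   eth1.20    IoT VLAN      192.168.20.0/24  (plugs, cameras, TVs)
#   eth1.30    server VLAN   192.168.30.0/24  (NAS, Home Assistant)
define WAN     = "eth0"
define TRUSTED = "eth1.10"
define IOT     = "eth1.20"
define SERVERS = "eth1.30"

# Home Assistant's address is pinned with a DHCP reservation, as the article
# recommends, so this rule does not silently break when a lease changes.
define HASS    = 192.168.30.5

table inet filter {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Trusted clients may initiate to anything: IoT gear, servers, Internet.
        iifname $TRUSTED accept

        # Servers may reach the Internet and the IoT VLAN
        # (e.g. Home Assistant polling a camera or pushing a firmware update).
        iifname $SERVERS oifname { $WAN, $IOT } accept

        # IoT devices may only talk to Home Assistant, and only on the
        # MQTT and Home Assistant web/API ports. Because trusted and server
        # VLANs can still initiate to IoT, a compromised device cannot use
        # this rule to reach them; it can only answer.
        iifname $IOT ip daddr $HASS tcp dport { 1883, 8123 } accept

        # Everything else leaving the IoT VLAN (Internet, trusted LAN, the
        # rest of the server VLAN) is logged, then dropped. The log prefix
        # makes outbound attempts easy to spot when monitoring the firewall.
        iifname $IOT log prefix "iot-egress-drop " drop
    }
}
```

Devices that need DNS or NTP should be pointed at the router itself (handled in the input chain, not shown) rather than being granted Internet access, which keeps the "no outside world" property intact.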
Not all IoT devices are bad
I’m not suggesting you shouldn’t go out and spend money on smart thermostats, cameras, bulbs, and other hardware that can connect to services. It’s simply important for you to consider that many of these may not be supported for long with updated firmware and may even have undocumented vulnerabilities. You should treat each IoT device like a desktop PC. It runs software that needs patching, and if you’re unable to maintain it, keep it locked away behind firewalls and segmented networks.
IoT devices aren’t going away — but with some network improvements and segmentation, you can enjoy their convenience without giving attackers an open door to your smart home.