Do you have IoT devices at home that you don’t fully trust? You don’t have to throw them out right away. In this workshop we give you tips to limit the risks.

Gertjan Groen

It is of course very convenient to have smart devices connected to your network, but it also brings vulnerabilities. You can’t always trust that the devices (only) do what you think they do; the article Securing IoT gives some examples of this. In the average home network it is very difficult to rule out those vulnerabilities. Devices often have free rein to make connections to the outside world, for example. In this workshop we give you tips to limit the risks.

ZigBee is a secure protocol, but a hub or bridge can contain vulnerabilities

USE SAFE TECHNOLOGIES
It may seem obvious, but prefer technologies developed specifically for home automation, such as ZigBee, Z-Wave or DECT (which AVM uses in the Fritz!Box). These devices use strict protocols and are separated from the rest of your network. Keep in mind, though, that the hub or bridge that connects them to your network can still contain vulnerabilities.

Make sure the firmware of hubs and bridges is also up-to-date!

UPDATE THE FIRMWARE
Smart devices run firmware that is hopefully well maintained by the manufacturer, so that vulnerabilities get patched. Unfortunately, many manufacturers are lax about this. Also note: if there is an update, there is a good reason for it! It is advisable to check for firmware updates yourself, because they are usually not installed automatically. Don’t forget your router! For hubs and bridges that are part of your ZigBee or Z-Wave network this may be less obvious, but it makes sense there too. Vulnerabilities have already been found in the Philips Hue bridge, for example, that were fixed via a firmware update. To see whether your Hue bridge is up to date, open the Hue app, go to Settings and choose Software update. Under Version information you can also read what has changed.

For IP cameras in particular, immediately change the default password to a stronger one

CHANGE DEFAULT PASSWORDS
To make things easy for you, smart devices often come with a default username and password that you can use to log in to the device (the first time). This is especially true for IP cameras. Unfortunately, many users never change this password. Sometimes the device prompts you to do so, but otherwise you have to change it to a stronger password yourself. Some IP cameras, for example, ship with the username ‘admin’ and no password at all. It is safer still to avoid the username ‘admin’ altogether. To change the password, log in through a browser; on the camera shown here, go to Settings in the user interface and then, under Basic Settings and User Accounts, change the user accounts and their privileges. Note that on this camera the default account is active again after a hard reset!

You can turn off the P2P functionality via the user interface

AVOID P2P CONNECTIONS
Manufacturers of IP cameras want to make it as easy as possible for you to view the images from your surveillance camera remotely over the internet. To that end, the camera sets up a P2P (peer-to-peer) connection to the outside world, as a means of easy remote login without you having to open ports on your router. Unfortunately, this also makes things easy for attackers if those connections are not properly secured, or if manufacturers are lax about fixing vulnerabilities. Moreover, scanning the QR code on the camera itself or obtaining its identification number is often enough to view the images. The best solution, often cited by security experts, is simply not to buy such insecure devices. If you do have one and want to use it as safely as possible, a first improvement is to turn off the P2P functionality. On the (safe) Foscam R4M, for example, you log in via a browser, then go to Settings, Network and P2P, and uncheck Enable P2P.

Dividing your network with virtual networks

A professional way to isolate devices you don’t trust from the rest of your network is to divide your network into several virtual networks, called VLANs (virtual LANs). Physically you still have one network, but the traffic stays separated: a tag in each Ethernet frame (the VLAN ID) marks which virtual network it belongs to. This is also how companies separate internal departments, for example. For most home users it is a complex change, and there is another stumbling block: your equipment has to support it, and that is not very common. That starts with the router, the starting point of your home network, but the switches that distribute the traffic further must also support it, as must the access points if you want the separation on Wi-Fi too.

Some consumer routers can work with VLANs if you install alternative firmware such as DD-WRT or OpenWrt. Business routers usually support VLANs but are much harder to configure. The same goes for software-based routers such as pfSense or OPNsense; for those, an old computer with multiple network ports suffices. As for the switches, the simplest models will not do: you need so-called managed switches.
Once you have split your network into VLANs, you can set strict firewall rules per network, or even per device, in your router. On the switches you then set per port which network it belongs to. For example, you can create a separate network for untrusted IoT devices, to which you assign the IP cameras and the like, and a trusted network for your computer and printer, among other things. You then create firewall rules stating, for example, that normally only devices on the trusted network have internet access and are allowed to ‘talk’ to, or connect to, each other and to devices on the untrusted network.
Then you block all outgoing traffic from devices on the untrusted network. They then have no internet access and cannot initiate connections to devices on the trusted network themselves; because the firewall is stateful, replies to connections that a trusted device opened still get through. You can (temporarily) make an exception for a single device, for example when it needs internet access for a firmware update. Keep in mind that devices that find each other via broadcasts or mDNS, such as a phone app looking for a camera, will not discover each other across the VLAN boundary without extra help.

If you make such a separation, you probably want it not only on the wired network but also on Wi-Fi; after all, most IoT devices work wirelessly. That applies to most IP cameras, for example, even though they actually work better when connected with a network cable. On access points that support VLANs you can set up two separate SSIDs, each mapped to its own VLAN. You then effectively have two Wi-Fi networks, or more if you wish. This too requires a business-class model, for example from Ubiquiti.


Consumer routers usually don’t support splitting your network
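As an added example, not taken from the original article, this is what the trusted/untrusted split described above looks like on an OpenWrt router (21.02 or newer, with DSA switch ports) with two VLANs: 10 for trusted devices and 20 for untrusted IoT devices. The VLAN numbers, address ranges, port names (lan1–lan3) and the camera’s MAC address are assumptions chosen for illustration; the existing ‘wan’ zone with masquerading is left as it is.

```uci
# /etc/config/network
# One bridge over the switch ports; lan3 is the tagged trunk (t) towards a
# managed switch or a VLAN-aware access point, lan1/lan2 are untagged (u)
# ports whose default VLAN (*) is the trusted or the IoT network respectively.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'lan3:t'

config interface 'trusted'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/firewall
# Trusted zone: may talk to the router and, via the forwardings below,
# to the internet and to the IoT network.
config zone
	option name 'trusted'
	list network 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# IoT zone: may not talk to the router itself (input REJECT) and has no
# forwarding to 'wan' or 'trusted', so the zone default REJECT applies.
# Replies to connections opened from the trusted side still pass, because
# the firewall tracks connection state.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The one thing IoT devices must be allowed to ask the router for:
# a DHCP lease (UDP 67) and DNS (UDP 53).
config rule
	option name 'Allow-iot-dhcp-dns'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config forwarding
	option src 'trusted'
	option dest 'wan'

config forwarding
	option src 'trusted'
	option dest 'iot'

# Temporary exception for one camera that needs internet for a firmware
# update. Keep it disabled; set enabled to '1' only while updating.
# The MAC address is an assumed placeholder.
config rule
	option name 'Temp-cam-firmware-update'
	option src 'iot'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option dest 'wan'
	option target 'ACCEPT'
	option enabled '0'
```

The ‘iot’ interface also needs a DHCP pool in /etc/config/dhcp, just like the default ‘lan’ interface has; after editing, apply the changes with `/etc/init.d/network restart` followed by `/etc/init.d/firewall restart`. A quick check from a camera on VLAN 20 is that it can obtain an address but can neither ping 192.168.10.1 nor reach the internet, while a PC on VLAN 10 can still open the camera’s web interface.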

BLOCK PORTS
With some obscure IP cameras, turning off the P2P functionality (if that is possible at all) has no effect. In that case it is better to block the UDP ports the P2P service uses. This applies to various models using the P2P service called iLnkP2P, which is known to contain vulnerabilities; for this service you can block UDP port 32100. Whether, and how easily, you can do that depends mainly on your router. Some routers let you block devices by MAC address, but that usually denies them access to the network entirely rather than blocking a single port. With the Fritz!Box you can use the parental controls to block internet access for individual devices or to configure time limits in access profiles. We recommend reading the detailed instructions for your Fritz!Box: go to https://nl.avm.de/service, choose your router model, go to the Knowledge Base and search for Parental controls. There you can read how to create an access profile, which you can then assign to devices.
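As an added example, again on OpenWrt and not from the original article: if your router lets you add firewall rules, you can block only the iLnkP2P port for one specific camera instead of cutting the device off from the network entirely, as the MAC-based blocking of many consumer routers does. The camera’s MAC address and the zone name ‘lan’ (OpenWrt’s default) are assumptions for illustration.

```uci
# /etc/config/firewall (OpenWrt). Drop only the iLnkP2P traffic of one camera
# (UDP 32100 towards the internet); its other traffic and the rest of the
# network are untouched. The MAC address is an assumed placeholder.
config rule
	option name 'Block-cam-iLnkP2P'
	option src 'lan'
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'udp'
	option dest_port '32100'
	option target 'DROP'

# If you do not know which device uses the service, block the port for every
# device on the network instead. DROP discards the packets silently; REJECT
# would answer with an ICMP error and also works.
config rule
	option name 'Block-all-iLnkP2P'
	option src 'lan'
	option dest 'wan'
	option proto 'udp'
	option dest_port '32100'
	option target 'DROP'
```

Apply the rule with `/etc/init.d/firewall reload`. To confirm it works, capture on the router with tcpdump (installable with opkg) for UDP port 32100: the camera’s attempts remain visible on the LAN side, but nothing to that port should leave on the WAN interface any more.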