I thought a quick post on securing IoT devices might be useful to some people. The security of the Internet of Things is a hot topic these days, and it’s something you have to think about before adding the latest little gadget to your home network.

In my case, I have a couple of D-Link DSP-W110 Smart Plugs. These are neat little devices that I use to turn on a few lamps that aren’t easily accessible. At first, I had them connected to my home WiFi, but I grew uncomfortable with the idea that an attacker could break into these devices (they talk to the Internet, after all) and be inside my home network without my ever noticing it.

To mitigate this risk, I have created a new dedicated WiFi network for all my IoT devices. Here’s how it works:

I have four main network devices:

  1. A dedicated router. FIOS plugs into this, and everything else on the network sits behind it. It is an enterprise-level router with lots of security features. I’m not going to name it, but you can assume it’s something like pfSense, but not exactly.
  2. A managed switch that supports VLANs. Again, enterprise grade.
  3. Main WiFi AP for all my personal devices. A cheap consumer router.
  4. Dedicated WiFi AP for IoT devices. A more expensive consumer router.

The LAN side of the router plugs into the managed switch on port 8. My IoT WiFi AP plugs into port 1. Port 1 is on the IoT VLAN, which the switch carries (tagged) to port 8, so the only thing the IoT AP can reach through the switch is the router.

My home WiFi AP plugs into port 7, and a couple of hardwired devices go on ports 2-6. Ports 2-7 are on the main LAN VLAN, which the switch also carries to port 8. Port 8 is therefore a trunk carrying both VLANs, and the router at the other end of it is the only device that can forward traffic between them.

The IoT devices can talk to each other and to my router. They cannot communicate with any other device on my LAN; the only way to do that would be to break through the router, and I have firewall rules and other protections there to mitigate that risk. I also throttle the IoT network to less than 512 Kbps upstream. That is more than enough for the devices, and slow enough to make them far less useful as DDoS sources than my full fat 150 Mbps symmetric FIOS connection would otherwise be.
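Since the post doesn’t name its router or switch, here is what the port layout and policy above look like on a plain Linux router, as an added example that is not the post’s own configuration. It assumes hypothetical names: VLAN 10 for the main LAN (switch ports 2-7), VLAN 20 for IoT (switch port 1), both tagged on switch port 8 to the router’s eth0, and eth1 facing FIOS. The switch side is vendor-specific and not shown; the router side uses nftables for the segmentation and detection rules and a tc ingress policer for the 512 Kbps upstream cap.

```shell
#!/bin/sh
# Added example, not the original post's configuration. Assumed (hypothetical) layout:
#   eth0    trunk to switch port 8, carrying VLAN 10 (main LAN) and VLAN 20 (IoT) tagged
#   eth0.10 main LAN VLAN interface, 192.168.10.0/24
#   eth0.20 IoT VLAN interface,      192.168.20.0/24
#   eth1    WAN (FIOS)
LAN_IF=eth0.10
IOT_IF=eth0.20
WAN_IF=eth1
IOT_UP_KBIT=512   # the post's upstream cap for the IoT network

# Create the VLAN sub-interfaces on the trunk NIC (the switch must tag both VLANs on port 8).
create_vlans() {
  ip link add link eth0 name "$LAN_IF" type vlan id 10
  ip link add link eth0 name "$IOT_IF" type vlan id 20
  ip addr add 192.168.10.1/24 dev "$LAN_IF"
  ip addr add 192.168.20.1/24 dev "$IOT_IF"
  ip link set eth0 up; ip link set "$LAN_IF" up; ip link set "$IOT_IF" up
}

# Render the nftables ruleset as text so it can be reviewed before being loaded.
# IoT devices talking to each other never cross the router (same VLAN, switched at L2),
# so nothing here needs to allow that.
iot_ruleset() {
  cat <<EOF
table inet iot_seg {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # main LAN may reach anything, including the IoT devices and the Internet
    iifname "$LAN_IF" accept
    # IoT may reach the Internet only; a plug that opens many new flows in a minute
    # (scanning, joining a DDoS) is logged before it is allowed
    iifname "$IOT_IF" oifname "$WAN_IF" ct state new limit rate over 30/minute log prefix "IOT flow burst: "
    iifname "$IOT_IF" oifname "$WAN_IF" accept
    # anything from IoT toward the main LAN is the signal we care about: log it, then drop it
    iifname "$IOT_IF" oifname "$LAN_IF" log prefix "IOT->LAN blocked: " drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$LAN_IF" accept
    # the router offers the IoT VLAN only DNS, DHCP and NTP; its admin UI stays unreachable from there
    iifname "$IOT_IF" udp dport { 53, 67, 123 } accept
    iifname "$IOT_IF" tcp dport 53 accept
    iifname "$IOT_IF" log prefix "IOT->router blocked: " drop
  }
}
EOF
}

# Cap what the IoT VLAN can send *into* the router (i.e. upstream) with an ingress policer.
# Policing on the VLAN interface rather than on WAN egress means the match happens before NAT.
throttle_iot_upstream() {
  tc qdisc add dev "$IOT_IF" handle ffff: ingress
  tc filter add dev "$IOT_IF" parent ffff: protocol ip prio 1 u32 match u32 0 0 \
    police rate "${IOT_UP_KBIT}kbit" burst 32k drop flowid :1
}

apply_all() {
  create_vlans
  iot_ruleset | nft -f -
  throttle_iot_upstream
}

# Only touch the system when explicitly asked; running the script with no argument just prints the ruleset.
if [ "${1:-}" = apply ]; then apply_all; else iot_ruleset; fi
```

Run it without arguments to review the rendered ruleset, then with `apply` (as root) to load it. The blocked-traffic and flow-burst log lines are what a compromised plug scanning the network would generate, which is the detection the post relies on.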

An attacker would now need to break into the D-Link Smart Plug. Let’s say this happens via a vulnerability, and the attacker is now running a root shell on the plug. He can now scan the network, and he will see:

  1. The dedicated IoT wifi AP
  2. Any other IoT devices (smart plugs, some Arduinos, etc)
  3. The VLAN switch (enterprise grade)
  4. The router (enterprise grade)

Breaking into the IoT WiFi AP won’t really help much. To get access to sensitive data, he would have to break into the switch or the router, both of which are far harder targets than a random IoT device. Since upstream bandwidth is heavily throttled, he can’t really use the smart plug as a jumping-off point to do much damage to external networks either. And I have rules on the router that will (in theory) detect unusual activity on the IoT network. I’m aware that a dedicated attacker can break through all of this, but I’m not defending against that level of attacker (I can’t, and neither can most people). A random root-shell vulnerability on an IoT device, however, won’t give anyone access to my LAN and all my private network traffic.

So there you have it. You might think this is really expensive, but it’s really not. I picked up the router and the switch for around $150 used on eBay. The IoT AP was $20. The main AP was $100. Yes, you need to understand networking and it’s complicated if you have never done this before - but I think it’s absolutely worth it for anyone who’s moderately technically inclined.