Why all your IoT devices should be on your guest network
A simple step to keeping your information more secure
When you think of security breaches and personal data leaks, you might imagine someone breaking into a huge database somewhere that contains the information of millions of users. While this certainly happens more often than any of us would like it to, personal data breaches can happen much closer to home than you might think.
The smart home is a wonderful thing — especially when you can save a few bucks on products that offer the same features as the big guys without the big cost — but it can also be a place ripe for the picking for information thieves looking to make a quick buck off your daily habits.
That's because many smart home (opens in new tab) devices — also known as the Internet of Things or IoT — don't receive regular updates like a computer or a smartphone would. That includes everything from the smart lock on your front door to the security camera in your child's room or even your living room TV.
Most modern electronic devices connect to the internet somehow, and that's the very nature of the problem. But basic smart home security doesn't have to take up hours of your time. In fact, there are a few simple steps you can take to ensure your home's network is better protected, and it won't take you but a few minutes of your time to do it.
Be our guest
Modern smart home networks are complex things. They often have to service dozens of devices that may or may not have a secure connection, and that’s assuming your Wi-Fi password and connection protocol are secure in the first place. In total, I’ll cover three points of entry that could be used to gain access to your network — and, subsequently, three ways to avoid such a headache.
The first, least common option is Wi-Fi piggybacking. If you live in a house that’s a good distance away from your neighbors, this is almost certainly never going to be an attack vector. After all, you’d probably notice someone sitting in a car out front of your home for hours while they snoop on your traffic.
Apartments, condos, and other shared dwellings are much more prone to such an attack. For that, we have several steps that you can follow to protect your Wi-Fi network from hackers (opens in new tab). Those are pretty simple steps, including changing your SSID (the Wi-Fi name you connect to), changing the default password, and a few other steps.
Conversely, the most common way someone can access any connected device in your home is through the account you use for that device. While you can take several steps to secure an account, enabling 2-factor authentication is the most surefire way to help guard against unwanted account access.
But what about the middle child that oft gets forgotten? Yep, you guessed it. A clever hacker could gain access to your entire network — indeed, even all of your secure devices — by way of a single unsecured device that hasn’t had all its security holes patched up via regular updates.
In short, a clever hacker who gains access to an insecure device on your network can then use a suite of tools to watch that traffic on your network and figure out which device they should attempt to hijack next.
I was able to chat with Nishanth Sastry, a professor at the University of Surrey in the U.K. who specializes in the privacy of tracking technologies and network security, and I posed a question to him: what if people moved all their IoT devices to the guest network? Would that make them more secure? He had this to say:
“(When) thinking of malware, separation of networks, like having them the guest network, is usually helpful. Because the malware would need to get through some additional hoops to be able to access your private network because, essentially, the guest network creates a separation between your devices and anything else on the guest network.”
As a person who previously had a 15-year career in IT, I can tell you that people on an office guest network cannot see each other's devices. This network gives employees Wi-Fi access while keeping their personal devices from infecting the office's network. That same tactic works perfectly at home.
Your home router's guest network is wholly separate from the one you connect your smartphone or computer to. Furthermore, guest networks restrict devices from seeing or talking to each other via a method called client isolation.
In essence, devices connected to a guest network go straight out to the internet instead of mingling traffic with other devices on that network.
If you've got an older IoT device that you know hasn't been updated in some time, this is the perfect way to ensure that someone can't use it to gain access to any other connected devices in your home.
But not every smart home device works properly when on the guest network. My Nest Home speakers, for instance, can't be properly cast to as a group if they're not all on a network where one speaker can discover the other. So, too, will Chromecast devices fail to work properly if they've been isolated.
Experimenting, then, is the best first step you can take to ensure your home’s network is more secure. If you don’t already have a guest network set up, connect to your router via the app or web interface and get that thing turned on. Then, jump into the 50 smart home apps you have installed on your phone and get those devices connected to the guest network instead of your main one.
Over the next few days, check to ensure everything is working correctly with those devices. If not, they may need to be on the main network to work properly, especially if they rely on shared connectivity with other smart home devices. Still, it’s certainly worth a try.
You’ll also want to ensure you have one of the best Wi-Fi routers that will not only give you the option of a more secure guest network but will also be regularly updated itself. Routers are also an easy vector of attack, especially, as Sastry notes, since people generally have the same router for years at a time.
Just keep cameras out
As a smart home enthusiast, I'll be the first to tell you never to put an internet-connected camera in your home. Sure, the best indoor security cameras (opens in new tab) are as secure as they could possibly get and are updated at a regular cadence. Security companies also require 2-factor authentication and other methods of ensuring you have a secure account.
But there's always the one-off chance that someone could gain access to a camera, and an indoor camera that's quite literally staring at your family all day is the last one that you want this happening to.
More than that, Sastry tells me they could present another attack vector for someone who might be snooping on your wireless network. How so? By watching for active network traffic from a camera.
"Even though my security camera is probably using SSL TLS and multiple types of encrypted connections, just the fact that they're sending some bytes means that there is movement happening in the house. If a burglar taps my wireless connection and sees that there is no data being sent for the last few days, that tells them that I'm probably not at home, indicating that it is probably safe to go in my house."
In essence, the tricks these devices use to help prolong battery life or keep storage from filling up by not constantly recording could be actively working against your home's security. When modern internet-connected cameras don't see movement, they aren't recording or sending data, and that could be enough for someone to be sure your home is unoccupied.
Indoor cameras are also bad from a privacy standpoint, as I alluded to above. An internet-connected camera that’s always looking at your child in their room, or in your living room can be used as a spy device to see or hear things you probably wouldn’t be comfortable with strangers viewing or hearing.
As Sastry pointed out, there have been more than a few stories of someone’s child being spied on via an internet-connected camera and that, alone, is enough for me to never have one. It’s why I can’t wait for products like the Ring Always Home Cam, because there’s no way to tap into them and use them without someone in the house realizing the drone camera is flying around.
Keeping an eye on your network
The final point revolves around those cheap or inexpensive IoT devices you might have around your home. Inexpensive IoT devices — like security cameras, video doorbells, smart light bulbs, etc. — are great to have because name brands can cost a lot of money, but there’s always a trade-off that needs to be made when deciding to spend less money. More often than not, these less expensive devices don’t receive updates like name-brand ones.
That leaves them open to security vulnerabilities — an industry term that simply means an open door to an in-the-know hacker — which could leave even your secure and up-to-date devices vulnerable, just because they’re on the same network.
Lower cost devices often offset the manufacturing cost by collecting user data and sending it off to a data warehouse so that it can be sold in the future. While much of this type of data is purely analytical, personal information can also be included — either on purpose or by accident.
Thankfully, inexpensive devices exist that can help guard against these very things from happening. Sastry recommends that you “invest in some visualization tools that can show what traffic is being sent.”
Such a device can tell you “what are the other endpoints that are being contacted by your devices? When are they contacting, and how much data is being sent?”
Nishanth recommends using something like Pi-hole, a piece of software that can be installed on inexpensive devices like a Raspberry Pi. While that’s great for power users who understand how to use a command-line — and will, ultimately, give you the most control over your network — everyday users might enjoy something more user-friendly like a Firewalla.
I have a Firewalla Blue Plus in my home, and while the initial $200 investment might sound steep upfront, this tiny blue box couldn’t be easier to set up and use. Firewalla Blue Plus, specifically, connects to your home’s router via an Ethernet cable and is powered by a small USB cable.
The entire thing is maintained via a smartphone app, including a user-friendly dashboard that makes it easy to see what’s happening on your home’s network. Firewalla maintains a document (opens in new tab) that helps users block unwanted traffic, including traffic to and from other countries. Really, the whole thing couldn’t be much easier.
Through the app, you can look at real-time traffic, including what countries traffic every device on your network is sending traffic to. For instance, within 5 minutes of installing the Firewalla Blue Plus, I found out my Philips Hue bulbs were sending traffic to China. I’ve got no idea why they’re doing that but there’s no reason they need to be doing that. I tapped block in the app and never looked back.
Using something like a Firewalla is likely the most effective way to manage traffic on your network for those pesky devices that won’t let you put them on the guest network. It’s also a great way to ensure your network is more secure, in general, and should help give you some pretty significant peace of mind.
In summary, get those always-connected devices on your guest network as soon as you can. It’ll keep them from talking to each other when you don’t want them to, and keep prying eyes at bay. If you want to graduate to the next level of security, a Firewalla or Pi-hole will certainly do the trick.
Get the Android Central Newsletter
Instant access to breaking news, the hottest reviews, great deals and helpful tips.