This week’s Internet of Things Podcast is a bit different from our typical format. Instead of discussing a range of topics and sharing a guest interview, we’re tackling the question we get so often from our listeners who are rightfully concerned about their home network security with smart devices installed: Should all of these webcams, smart locks, thermostats, and other devices be segmented to a guest network?
On the surface, that sounds like a smart idea. The main reason is that any compromised smart devices won’t be able to infect computers and other things on your primary network. A secondary reason is to limit access to your smart home when guests are over.
So here’s what we did: We both created guest networks in our home and migrated all of our smart devices over to them. And we found out some very interesting things. For starters, we didn’t lose access to any of our devices through this setup, which is good. However, we also found out that the reverse situation is a bad one. When on our guest networks with devices on the regular network, we still had access to many of them unexpectedly, which is bad.
Our takeaway is that if you want to put your smart home devices on a guest network, that’s fine, but it may not add much more security. In particular, if your smart device credentials are stolen, this setup won’t really help you. We’re thinking that using a network monitoring system such as a Firewalla is a better solution. And better yet would be installing a router that supports VLANs, or Virtual LANs, for your smart home devices. Tune in and let us know what you think or if you have additional related network concerns or solutions.
It would be interesting to know if you would have been able to connect to your home devices from a neighbor’s Wi-Fi. Would the access have been different than what your testing showed? The access you had from your primary to your guest network sounds just like what you would have if you tried to turn on the lights from a Starbucks.
The purpose for putting the IOT devices on a VLAN or guest network is to stop a hacker from accessing your computer after they have compromised a smart device, not to stop you from controlling a device from a smartphone on the main network while the devices are on a different guest network.
Stacey & Kevin.
Many of the devices tested (i.e. Hue Lights, Smart Switches, Amazon Echo, June Oven, Thermostat, Cameras, etc.) have a cloud based component. You can control these devices from a smart phone when you are on a Cellular Network or on the internet outside your home. When you move these IOT devices to a “Guest” network, you are still able to control them outside your home. When you are on your Non Guest network in your home, the communication to the IOT devices on the “Guest” network is still going through the “Cloud”.
A basic test to see if the Guest network is functioning is “ping”. Put a computer on the Guest network and try to ping the IP address on the Non Guest network. If you cannot ping the device, then the “Guest” function is working.
If you have local resources exposed, such as file shares on the local network, then a Guest network is advisable to prevent viruses such as EternalBlue from IOT devices or Guests.
Love the show
BTW: I have the EdgeMax router with multiple VLANs and Subnets. It is only $50 and works great. However, as stated on your podcast, you need to know something about networks to set it up. It is not plug and play.
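The ping test in the comment above checks ICMP only; a guest network that blocks ping but still lets guest clients open TCP connections to file shares or admin pages on the primary network is not actually isolated. The following is an added example (not from the podcast or the commenter) of a small check to run from a laptop on the guest network: it tries to connect to a few common services on addresses you list from your primary network, and anything reachable is an isolation leak. The host addresses are constructed placeholders, and `connect` is injectable so the logic can be tested without a live network.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Services typically exposed on a home's primary network. Reaching any of them
# from a client on the guest network means the guest isolation is leaking.
PROBE_PORTS: Dict[int, str] = {
    22: "SSH",
    80: "HTTP admin page",
    445: "SMB file share",
    3389: "Remote Desktop",
}


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(
    primary_hosts: Iterable[str],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, List[int]]:
    """Probe each primary-network host from the guest network.

    Returns {host: [reachable ports]} for hosts with at least one reachable
    port; an empty dict means the guest network is isolated as expected.
    """
    leaks: Dict[str, List[int]] = {}
    for host in primary_hosts:
        reachable = [port for port in PROBE_PORTS if connect(host, port)]
        if reachable:
            leaks[host] = reachable
    return leaks


def describe(leaks: Dict[str, List[int]]) -> str:
    """Human-readable verdict for the result of check_isolation()."""
    if not leaks:
        return "OK: no primary-network services reachable from the guest network"
    lines = ["LEAK: guest network can reach primary-network services:"]
    for host, ports in leaks.items():
        lines.append(f"  {host}: " + ", ".join(f"{p} ({PROBE_PORTS[p]})" for p in ports))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with hosts on your primary network.
    print(describe(check_isolation(["192.168.1.10", "192.168.1.20"])))
```

Because the smart devices in the podcast are controlled through their cloud services, a clean result here does not stop the app on your phone from working; it only confirms that traffic cannot cross from the guest network to the primary one locally.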
I think if you knew how to configure your router properly you would have gotten the results you wanted.
After listening to this podcast I am guessing you had mDNS enabled. You really should understand your router before doing these tests and telling others the results. This podcast was a waste of time as they don’t know what they are doing.
The point here was to do what most normal people would do when told to create a guest network for their routers, and see what would happen. As someone who has covered networking for almost two decades, I know what multicast DNS is, but that’s not the level of the average homeowner. And most of the results we got weren’t a result of the network but were from the cloud-to-cloud information sharing.
“A secondary reason {to put IoT devices on the guest network} is to limit access to your smart home when guests are over.”
Without context, this statement is confusing. If you put your IoT devices on the guest network there is the risk that your guests WILL have access to them! It’s the opposite of what you wrote. The comment you wrote only makes sense in the situation where you assume that you give guests access to your primary network. That has its own risks too…