Keep Your IoT Devices on a Separate Network, FBI Says (zdnet.com)
The FBI says owners of IoT (Internet of Things) devices should isolate this equipment on a separate WiFi network, different from the one they're using for their primary devices, such as laptops, desktops, or smartphones. From a report: "Your fridge and your laptop should not be on the same network," the FBI's Portland office said in a weekly tech advice column. "Keep your most private, sensitive data on a separate system from your other IoT devices," it added. The same advice -- to keep devices on a separate WiFi network or LAN -- has been shared in the past by multiple IT and security experts. The reasoning behind it is simple. By keeping all the IoT equipment on a separate network, any compromise of a "smart" device will not grant an attacker a direct route to a user's primary devices -- where most of their data is stored. Jumping across the two networks would require considerable effort from the attacker. However, placing primary devices and IoT devices on separate networks might not sound that easy for non-technical users. The simplest way is to use two routers. Further reading: Now Even the FBI is Warning About Your Smart TV's Security.
Good advice! (Score:4, Funny)
From the 'no shit Sherlock' department I presume.
Re:Good advice! (Score:4, Funny)
But then how do I know if my toilet paper dispenser is empty when I'm at the store? This is a real urgent problem in desperate need of a technological solution!
Re: Good advice! (Score:1)
Re: (Score:2)
I usually check whether my toilet paper dispenser is empty when I'm on the toilet. Going to the store to, um, take care of business seems like a lot of trouble to go to.
Also, remind me never to visit stores on your neighbourhood.
Re: (Score:2)
Re: (Score:2)
Or fed it to his pet trolls. They'll eat anything.
Re: (Score:2)
Re: (Score:3)
Not only is it good advice, the fact that these devices are cloud based and can be accessed from anywhere means that there is zero benefit to actually putting them on your primary network.
Re: (Score:2)
Re: (Score:2)
From the 'no shit Sherlock' department I presume.
I think few mainstream users of these devices know this. Or know how to implement it.
And it's hard with some devices since your phone app won't discover the device unless it's on the same network.
But even this is just partial protection, what you really need is a separate network for each device so your refrigerator, for example, can't gain access to your webcam or smart door lock. Or just having fewer (or no) smart devices would also be a good solution.
Re:Good advice! (Score:5, Informative)
Fixed that for you.... :)
Re: (Score:2)
I'm certainly aware I should probably do this although I don't have any IoT things, but I should probably just learn how to do it and isolate a couple of tablets lying around the house. I don't have them set up to talk to my PC anyway unless I plug them in with a USB to transfer a few files. They all do access WiFi though.
My attitude usually is "I don't want to deal with it right now" which is certainly how I feel on a Friday night in December. I did Google it a bit briefly and I see there's plenty of
Re: (Score:2)
I don't even know how to implement this.
My cable modem only has one out port.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Most users, myself included, do not want to maintain their devices. One of the reasons to buy a smart fridge is for it to manage your food storage and make you think about that issue less. If you now need to think about internet security instead then the primary reason to buy smart devices becomes the primary reason not to buy smart devices.
Demanding security is not a solution if it means users have to keep an eye out for patches and penetration attempt logs. The only winning move is not to play.
Re: (Score:1)
Yep (Score:3)
Re: (Score:3)
This should become standard in SOHO equipment, there is absolutely no reason it ISN'T. Hell, even the WRT54G of yesteryear supports it, but was only really exposed via hacking it with 3rd party firmware. Most devices just have a "guest" network that is still on the same subnet, but disallows wifi-to-wifi communication, and that's it.
Re: (Score:2)
Ok, now what are your firewall rules between the two networks? Did they mention to proxy and inspect outbound data from the IoT VLAN? I give 99% of the population a 5% chance at properly setting things up.
Guest network (Score:4, Interesting)
A lot of routers allow for a separate, isolated "guest" network. Seems like a good use for it.
Re: (Score:2)
Re: (Score:1, Informative)
Re: (Score:2)
Re: (Score:2)
See? That's my question, too. I'm a techie and I have no idea what to do. I would assume that just installing another wifi router for my IoT stuff and connecting it via ethernet to the cable router would not isolate it enough.
Re: (Score:1)
I use parental control on mine so I am still able to access them from the local network
Re: (Score:2)
Sure for wifi, but not network cables. :(
A separate network? (Score:1)
Re:A separate network? (Score:4, Insightful)
We just bought an LG washer and dryer. With these devices, anyway, any messaging to you goes through an LG server - so they don't need to be on the same network that you're on.
I have to admit I've gotten a bit conflicted about this. I've railed against these devices before, and deep down I still feel like the best thing is to leave them off the network. But, damn if the lazy guy inside of me doesn't find it really handy to get a notification when the washer is done or when the dryer is done - so I don't forget about the clothes (which in the past I have done, many times). Thing is, I know I could manually set an alarm for when I think the washer or dryer will be done... but having them notify me is easier. I have disabled any auto-start, at least.
We'll see... maybe the prudent guy will eventually win over the lazy guy.
Planet: Game Over (Score:5, Insightful)
Thing is, I know I could manually set an alarm for when I think the washer or dryer will be done... but having them notify me is easier
Holy cow, is that a first world problem. Rhetorically, is it worth the extra cost, the extra man hours to design such a device, the cloud maintenance (if required), the extra use of electricity for those electronics (and the monthly bill) AND the extra pollution to the world (including recycling the old electronics-ridden product) so one doesn't have to set a timer?
When you run out of underwear, you'll remember the laundry's done.
Re: (Score:2)
The thing is already loaded with electronics. The power costs or recycling concerns change not at all. A washer or dryer already uses fuzzy logic to optimize dry time and temperature or amount of water to use in the wash cycle.
The fact is, the extra man hours to develop are amortized over not just the current generation but all future generations, and could easily be paid for by increased sales (or at least sales not lost to competitors already doing it). The cloud resources should be incredibly minimal
Re: Planet: Game Over (Score:1)
Actually... (Score:2)
I think when you run out of underwear, you'll remember the laundry needs to be done.
Re: (Score:2)
"Semper ubi sub ubi"
One of the few things I remember from Latin class.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I can use a light switch. Unfortunately it would be prohibitively expensive and/or WAY TOO time consuming to make that happen myself (I do my own electrical work).
Let me explain -- in our new house there were banks of light switches. Drove me nuts the first week there. For example the fireplace has eight lights around it (it's a monster :) -- on three switches all in different locations. I just wanted the "fireplace" light(s) to go on.
And then outside lights... Marker / spotlights in all the eves. Motion ac
Re: (Score:1)
Re: (Score:2)
Every single one of these smart device users' gripes are all so Top 1% problems, it's not even funny!
I say let them all get pwned!
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Very handy to get a ping in the backyard when... the oven timer has gone off.
This is so boneheaded, like you need a special "smart" app for that, because what? Timers are too complicated? If you have the app, you have a timer already too.
I just use a kitchen timer for that shit. It works fine in the backyard, too. If you set a timer on the oven, and you care when it is finished, you've saved nothing. You still set a timer, and report to the kitchen when it goes off. You can just as easily turn the oven on, set a regular timer, and turn the oven off when the timer goes off.
The only t
Re: (Score:2)
Re: (Score:2)
You're seriously part of the problem!
Convenience over privacy and personal liberty, am I right?!
If you don't think I am, you're even more stupid than you think you are.
Re: (Score:2)
Re: (Score:1)
A number of smart TVs won't even bother to display a picture unless they have Ethernet or Wi-fi access because they need to "update their firmware"... i.e. download ads and send back analytics.
Egress control and regulation (Score:5, Insightful)
There should be a big opportunity for egress control on networks. All devices on the network you own should be generating known traffic. Nothing should be connecting to the greater internet without your knowledge. These sorts of appliances should already be commonplace in the market for home networks. They really should replace anti-virus and malware products.
Re: (Score:3)
Re: (Score:2)
In a perfect world, there would be one, perhaps 2+ (for high availability) hardened hubs that the IoT devices communicate with, and the hub takes care of all external Internet communication, either by Wi-Fi, Ethernet, or even a cellular modem. Each device connected to it would have a profile that shows what IP addresses the device can connect to. If a device tries to connect to something outside the profile, it gets denied by the hub.
Of course, device makers would put wildcards in the profile, allowing an
Re: (Score:2)
Yes, and known destinations. Products like LittleSnitch are excellent for this, but you have to spend a lot of time deciding what is normal traffic.
It is the sort of thing which could be legislated, like food labels which declare the composition. The normal traffic and destinations should be declared.
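One way to implement the "known traffic, known destinations" idea from this comment and the hub-with-profiles comment above it, as an added example that is not from the thread, the FBI column or any product: per-device egress allowlists checked against observed outbound connection attempts. The MAC addresses, hostnames, IP addresses and flow records are constructed for the example; it assumes the enforcement point (a gateway or hub) sees each device's outbound connections and, for TLS, the SNI.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed per-device egress profiles, keyed by the device's MAC address.
# Each allow entry is a hostname pattern (exact or suffix wildcard) or a CIDR block.
# The MACs, hostnames and addresses are all hypothetical.
PROFILES = {
    "aa:bb:cc:00:00:01": {"name": "thermostat",
                          "allow": ["api.thermo.example", "*.ntp.example"]},
    "aa:bb:cc:00:00:02": {"name": "washer", "allow": ["203.0.113.0/24"]},
    "aa:bb:cc:00:00:03": {"name": "smart-tv", "allow": ["*"]},  # vendor-supplied wildcard
}

# Constructed flow records, one outbound connection attempt per line:
#   <device mac> <dst ip> <dst port> <TLS SNI / hostname, or "-" if none was seen>
FLOWS = """\
aa:bb:cc:00:00:01 198.51.100.10 443 api.thermo.example
aa:bb:cc:00:00:01 198.51.100.20 123 pool.ntp.example
aa:bb:cc:00:00:01 192.0.2.77 6667 -
aa:bb:cc:00:00:02 203.0.113.5 8883 -
aa:bb:cc:00:00:02 203.0.114.5 8883 -
aa:bb:cc:00:00:03 192.0.2.99 31337 -
aa:bb:cc:00:00:09 198.51.100.10 443 api.thermo.example
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, dst_ip, dst_port, host = line.split()
        flows.append({"mac": mac, "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "host": None if host == "-" else host})
    return flows


def entry_matches(entry, flow):
    """Does one profile entry permit this flow?"""
    if entry == "*":
        return True  # a bare wildcard permits everything, hostname or not
    if "/" in entry:  # CIDR entry: compare the destination address
        return ipaddress.ip_address(flow["dst_ip"]) in ipaddress.ip_network(entry, strict=False)
    if flow["host"] is None:
        return False  # hostname entries cannot match a flow with no observed name
    return fnmatchcase(flow["host"], entry)


def evaluate(flows, profiles):
    """Return (verdict, flow) pairs: allow, deny, or unknown-device."""
    verdicts = []
    for flow in flows:
        profile = profiles.get(flow["mac"])
        if profile is None:
            verdicts.append(("unknown-device", flow))
            continue
        allowed = any(entry_matches(entry, flow) for entry in profile["allow"])
        verdicts.append(("allow" if allowed else "deny", flow))
    return verdicts


def unrestricted_profiles(profiles):
    """Names of profiles whose allow list is a catch-all, i.e. that give no egress control."""
    catch_all = {"*", "0.0.0.0/0", "::/0"}
    return sorted(p["name"] for p in profiles.values() if catch_all & set(p["allow"]))


if __name__ == "__main__":
    for verdict, flow in evaluate(parse_flows(FLOWS), PROFILES):
        name = PROFILES.get(flow["mac"], {}).get("name", flow["mac"])
        print(f"{verdict:15} {name:12} -> {flow['host'] or flow['dst_ip']}:{flow['dst_port']}")
    print("catch-all profiles:", unrestricted_profiles(PROFILES))
```

The smart-tv profile shows the wildcard problem raised a few comments up: the check still runs for that device but can never deny anything, so `unrestricted_profiles` is the review step to run before trusting a vendor-supplied profile. The thermostat's IRC-port connection and the washer's out-of-range address are the kind of "traffic you did not know about" the comment is after.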
What is the actual worry? (Score:2)
This is a legitimate question I have (and have asked before but never gotten an answer), what exactly are they worried about with hackers and smart tvs/devices? Pretty much every broadband connection comes with a generic firewall type device which should stop someone from accessing the device directly (minus people who poke holes in it and things like that, but I can't imagine those are the people they are worrying about). They aren't worried about someone clicking on something on the PC and then letting so
Re:What is the actual worry? (Score:5, Informative)
There are multiple layers of problems.
First, IoT devices are commonly made as cheaply and lazily as possible, and to "just work" they'll often poke holes in consumer-level firewalls using UPnP. (yes, you can disable it but how many non-slashdotters do?). See:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Consumer level firewall/NAT devices are easily bypassed using multiple techniques, allowing direct access to the device. See:
https://en.wikipedia.org/wiki/... [wikipedia.org]
A lot of IoT devices establish a tunnel back to their corporate headquarters, allowing anyone on the corp network direct access back into your private home network. (It is a good thing companies never get hacked /sarc)
Further, a lot of IoT devices are just plain malicious, even when made by a so called "reputable" manufacturer. See:
https://krebsonsecurity.com/20... [krebsonsecurity.com]
Re: (Score:3)
The possibility the devices could be used for pivoting in general.
Lots of ways that could happen. As you say, someone could MITM the real service. Frankly I don't think it's your smart lock or light bulb that are going to get exploited though. Most likely it's going to be a little bit 'smarter' device like your TV. You get one malicious app on that thing and it's scanning your internal network for everything of value and sending it back to some fast-flux-dns address the attacker controls. Or maybe it's even crea
Re: (Score:3)
The problem is the "bad guys" have already used trivial items like thermostats to launch attacks.
There was something about the New York Times being hacked repeatedly years ago because hackers got into their thermostat and kept using that to launch attacks. Same with printers being used for launching attacks. An IoT device is another device through which someone can compromise your network.
Re: (Score:2)
Don't forget about the toaster [memecdn.com].
DDOS attacks (Score:2)
That's fine, as long as.... (Score:2)
Subnetting and IOT (Score:3)
Now just explain the concept of subnetting to the IOT manufacturers. Most of the devices I see don't seem to understand that subnets are a thing and trying to talk to them with their app requires you to be on the same VLAN. In some cases, IGMP snooping solves it, but definitely not all.
Re: (Score:2)
Re: (Score:2)
Most of the IOT stuff I've used doesn't route. Like, at all. That's my point. They have control apps that assume they're on the same subnet and just flat out refuse to work if they're not. In some cases, it's only necessary for initial setup, which is bad enough, but I've had plenty that won't work at all across subnets. Oh, they're completely happy to talk to the internet over their default gateway but they absolutely won't talk to the control app unless it's on the same network.
Re: (Score:2)
Re: (Score:2)
requires you to be on the same VLAN
Not really. I can check my thermostat or doorbell in Seattle from my condo in Monaco just fine.
Re: (Score:2)
And some other guy can check the doorbell on your condo in Monaco from Seattle just fine, isn't that convenient?
Re: (Score:1)
This.
I tried using a separate subnet and none of the apps' autodiscovery worked. Some apps could be configured with a target IP address but many couldn't. For those that could it meant setting up static addresses for the targets. Overall, a huge PITA - gave up in the end.
FTFY (Score:5, Insightful)
Your fridge and your laptop should not be on the same network
How about Your fridge should not be on the network
Re: (Score:2)
Seriously though, wouldn't it be convenient if you could, say, check the inside of your fridge with your phone to see what you're out of while at the store in the event you forget to check beforehand?
Re: (Score:1)
Re: (Score:2)
What a strange grudge, you're getting pissed because someone decides to shop online instead of going to a store to buy their groceries - did you get fired as a checkout operator?
If someone has spare time they have to suddenly invent things so great as to alter society!!!! Do you read what you write?
Re: (Score:3)
check the inside of your fridge with your phone
More like your fridge contacts the store ahead of you and tells them that you are out of something. "This bozo ran out of Dr. Pepper again and he's headed your way. Quick, raise the price!"
Re: (Score:1)
No, if you forget what you have in the fridge the shit's too old anyway.
Man, it's amazing how little memory people have when they're used to looking up every single thing all the time, if you're not just talking about your own opinion. And even then people look that up to see if it's validated by others first.
Try to rely on your brain a bit more. Exercise it like a muscle.
Re: (Score:2)
Along the same note, I think there was a story here on Slashdot (or NYT or WPost) about kids' test scores going downhill and the teachers were blaming the devices the kids use. If your brain doesn't have to work for anything, essentially it becomes inert; when you really need it, it won't have the capacity or the grit to grind through a tough problem that you cannot look up.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Me, me. I'm not going to trust a delivery service to select fresh produce or decide not to purchase if it's not fresh enough. Meat is much the same, but that often comes down to equal thickness or marbling in steak or other variations.
And so far, most grocery delivery services won't let you look at a product package in 3 dimensions to check ingredients/nutrition info - especially if it's a new brand or product. But if most of your shopping is canned or dry goods, why bother owning a kitchen at all?
Re: (Score:2)
Re: (Score:2)
But if most of your shopping is canned or dry goods, why bother owning a kitchen at all?
Canned and dried goods are normally cooked on a stovetop.
It is only fresh and frozen goods that can be eaten without a kitchen, as most frozen goods can be microwaved.
If you want to do that (Score:3)
If you want to do that, the proper way to do it is for your phone's built-in VPN client to connect to your home router's VPN server. At that point, your phone is on your internal home network. To other devices on your LAN (like your IoT devices), your phone looks exactly like you're sitting at home dire
Re: (Score:3)
Re: (Score:2)
Highly technical Fridge Operative (Score:2)
Just how many Fridge Operatives can configure a sub-net?
Am I the only one who notices the irony ... (Score:2)
In reality, you should never trust the network, and you should always harden the end-points.
Just ask Google. They trusted their own network, and that's how the NSA was able to access all of the data flowing through the Google network.
Never. Trust. The. Network.
Never.
Re: (Score:2)
Pretty much. While I would still advise people to follow this advice, this in particular is rosy thinking:
any compromise of a "smart" device will not grant an attacker a direct route to a user's primary devices -- where most of their data is stored.
Most of people's data is stored on the cloud, and as IoT progresses most of their data will be accessed through IoT devices, not laptops.
So a compromise of one IoT device will give a toehold on the IoT LAN, where other IoT devices that have access to other chunks of your cloud-stored data reside.
Really you need to prevent all intra-client traffic on the IoT VLAN, which is not something most home consume
Re: (Score:2)
Never. Trust. The. Network.
Never Trust.
Re: (Score:2)
Sorry, but I do not think that the NSA tapping optical cables between data-centers was done with Google's blessing.
Sure, but... (Score:5, Interesting)
How about talking to Comcast and friends to get them to actually implement this on the stuff they send out? Maybe Comcast's router can default to broadcasting two networks, one named "Appliances" and one named "Computers and Phones" or something.
Hackers, crackers, government slackers (Score:2)
uh, yes? (Score:3)
I just figured that millions of home owners have no clue about security and this literally decades-old principle is probably news to them.
I figured that because I put up a separate network for my (few) smart devices, without even thinking about it. But all the other Wifi in range still have their default names and probably passwords.
But, you know, the professional gardener down the road and the car mechanic across the street probably shake their heads about how I treat my garden and car and wonder how someone can be so stupid.
IPv6 (Score:1)
Is this another indictment of IPv6? Why yes it is. 128 bit addresses so every atom in the galaxy can be online, feh.
Re: (Score:2)
Is this another indictment of IPv6? Why yes it is. 128 bit addresses so every atom in the galaxy can be online, feh.
128-bit address space is only big enough to cover an infinitesimally small portion of earth's atoms, let alone the galaxy. It's the equivalent atoms of 11.2 billion tons of water.
Re: (Score:1)
That's your defence of IPv6?
That's not the simplest way to do it (Score:3)
No, the simplest way is to enable the guest network built into most new routers. That's the network whose password you're supposed to give out to guests staying at your home, so they can use the Internet but won't have free rein over your private LAN. Your IoT things belong on the guest network, not on your private network.
The best solution is for IoT things not to access the Internet if they don't need to. And for you to connect to your home router's VPN server if you need to query your IoT things from the Internet at large. But failing that, isolating the IoT things on your guest network is the second-best way to do it.
Does anyone here actually use this stuff? (Score:2)
I mean anybody of us computer experts? Why the eff does a toaster need a Webserver? Why on effing earth does a lock or a thermostat need one?!?
I honestly fundamentally do not get it.
Another example, similar to this IoT bullshit: Brother has a label printer that connects via Bluetooth to an app on your smartphone... Why? Why on earth? Bazillion points of breakage there.
I have one from 20 years ago. I use once a year, when I'm labeling some new backup drive or something. It has those reels, a small display an
When will this end? (Score:2)
Doesn't seem like enough (Score:2)
At some point whatever you accumulate on your "IoT" network becomes as great a liability as what you have on your "main" network. If you wish to host devices you don't trust not to exploit other devices then the answer is to disallow all non-explicitly permitted communication between devices. Everything in its own isolated network.
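The "disallow everything not explicitly permitted" policy in this comment, together with the guest-network and "firewall rules between the two networks" posts above, can be written down as a stateful zone policy. The following is an added example, not from the thread or any router firmware, that simulates such a firewall over a constructed packet sequence. The subnets, addresses and ports are hypothetical, and the simulator assumes the enforcement point sees every packet (per-device VLANs or AP client isolation), because a router never sees traffic between two hosts on the same segment.

```python
import ipaddress

# Constructed zones: the primary network and the IoT network live on separate subnets.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
# Discovery protocols (mDNS 224.0.0.251, SSDP 239.255.255.250) use multicast groups that a
# router does not forward between VLANs by default; the simulator treats all multicast that way.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Policy for NEW connections only; replies are handled by connection tracking below.
NEW_POLICY = {
    ("lan", "iot"): True,    # the control app on a laptop/phone may reach the devices
    ("lan", "wan"): True,
    ("iot", "wan"): True,    # cloud-reporting devices keep working (subject to an egress allowlist)
    ("iot", "lan"): False,   # a compromised device gets no route into the primary network
    ("iot", "iot"): False,   # the fridge never talks to the door lock (needs client isolation)
    ("wan", "lan"): False,
    ("wan", "iot"): False,
}


def zone_of(ip):
    """Classify an address as lan, iot, multicast, or wan (anything not ours)."""
    addr = ipaddress.ip_address(ip)
    if addr in MULTICAST:
        return "multicast"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


class ZoneFirewall:
    """Stateful zone firewall: first packet consults NEW_POLICY, replies ride the conntrack table."""

    def __init__(self):
        self.conntrack = set()  # permitted connections, stored in the initiating direction

    def decide(self, proto, src, sport, dst, dport):
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone == "multicast":
            # Link-scope discovery traffic never crosses the VLAN boundary, whatever the policy
            # says; this is why many control apps cannot find devices on another subnet.
            return "not-forwarded"
        if (proto, dst, dport, src, sport) in self.conntrack:
            return "allow-established"  # reply packet of a connection we already permitted
        if NEW_POLICY.get((src_zone, dst_zone), False):
            self.conntrack.add((proto, src, sport, dst, dport))
            return "allow-new"
        return "drop"


# Constructed packet sequence: (proto, src ip, src port, dst ip, dst port).
PACKETS = [
    ("tcp", "192.168.1.10", 51000, "192.168.20.5", 80),    # laptop app -> thermostat
    ("tcp", "192.168.20.5", 80, "192.168.1.10", 51000),    # thermostat's reply
    ("tcp", "192.168.20.5", 40000, "192.168.1.10", 445),   # thermostat -> laptop file share
    ("tcp", "192.168.20.5", 40001, "192.168.20.6", 8080),  # thermostat -> camera
    ("tcp", "192.168.20.5", 40002, "198.51.100.7", 443),   # thermostat -> its cloud service
    ("tcp", "203.0.113.9", 5555, "192.168.20.6", 80),      # internet -> camera
    ("udp", "192.168.1.10", 5353, "224.0.0.251", 5353),    # laptop app's mDNS discovery
]


def run(packets):
    """Feed a packet sequence through one firewall instance and return the verdicts."""
    fw = ZoneFirewall()
    return [fw.decide(*packet) for packet in packets]


if __name__ == "__main__":
    for packet, verdict in zip(PACKETS, run(PACKETS)):
        print(f"{verdict:18} {packet}")
```

The mDNS packet comes back "not-forwarded" rather than "drop": discovery multicast is lost at the subnet boundary regardless of policy, which is the cross-subnet autodiscovery failure several posts describe. Where an app can be pointed at a unicast address (or an mDNS reflector is added), the lan-to-iot rule covers the connection and the device's reply is admitted through the conntrack entry, while the same device's own attempts toward the laptop or the camera are dropped as new connections.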
Great. How? (Score:2)
I'm fairly tech-savvy but I don't know how to do any of this. Can it be done with my airport extreme base station? If not, what do I need? Any links with a step-by-step set of instructions for doing this?
I'd like advice (Score:1)