Segregating IoT Devices on an Isolated Network

Posted on March 13, 2017

While I was busy setting up my new router for my whole home VPN, I took advantage of that opportunity to make a few other changes to my network in order to make it more secure. In particular, I created a new WiFi network to be used exclusively by so called “Internet of Things” (IoT) devices in my home.

If you’ve been paying attention to tech news, you’ve probably seen reports of IoT devices being hacked en masse. Everything from thermostats to lightbulbs to electrical switches to refrigerators has been reported as hacked and turned against its intended purpose. Results have reportedly included a refrigerator used as a spam gateway, electrical switches turned into a botnet for DDoS attacks, and lightbulbs that expose their owners’ WiFi passwords.

To put it mildly, IoT devices have a horrible security reputation and are generally regarded as some of the least secure devices likely to be attached to a home network. To make things worse, once one IoT device on your network is compromised, it often begins probing other network-attached devices looking for weaknesses it can exploit. That’s bad enough when those other devices are other lightbulbs, but it could be catastrophic if your desktop computer were compromised. In that case, sensitive personal information saved on your computer could be exposed, and your personal contact list could be used to further propagate malware to everyone you know.

Despite their horrible security, IoT devices are really handy. I like being able to check my thermostat while away, and to have lamps automatically turn on at sunset. So if I’m not willing to get rid of the IoT things in my home, how can I at least mitigate the damage they can do? It turns out there is one thing you can do that will dramatically improve the security of your home network: segregate IoT devices from the other computers on your network.

Segregating your IoT devices doesn’t have to be something as complicated as creating a separate subnet and messing with routing tables. In fact, most modern routers have tools built in to segregate untrusted network devices onto their own “guest network.” So what I did was create a separate guest WiFi network for the exclusive use of IoT devices. Now if one of my devices gets hacked, at least it won’t be able to reach really important devices like my desktop computer and backup server. At worst, it will be able to infect other IoT devices on my network.

If you follow this advice on your own network, I suggest you enable “AP Isolation” mode on your guest network, if it is available. This mode restricts devices attached to the network from being able to talk to each other. Instead, they can only reach the Internet. This further protects devices on your network and prevents your lightbulb from hacking into your electrical switch, for example. (Lightbulbs hacking into electrical switches – What a world we live in!)
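As an added illustration (not code from the post), here are the guest-network rules described above written out as a small policy check in Python, so you can see exactly which flows the segregation and AP isolation are meant to block; the subnets and gateway address are made-up assumptions for the example.

```python
import ipaddress

# Constructed sample addressing for this example (assumptions, not from the post).
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")    # desktop, backup server
IOT_GUEST = ipaddress.ip_network("192.168.50.0/24")     # router's guest WiFi for IoT
GUEST_GATEWAY = ipaddress.ip_address("192.168.50.1")    # the router as seen from the guest side


def guest_policy(src: str, dst: str, ap_isolation: bool = True) -> tuple[bool, str]:
    """Decide whether traffic from src to dst is allowed by the guest-network policy.

    Rules, evaluated in order:
      1. Traffic not originating on the IoT guest network is out of scope (allowed).
      2. Guest devices may reach their gateway (DHCP, DNS, default route).
      3. Guest devices may never reach the trusted LAN.
      4. With AP isolation on, guest devices may not reach each other.
      5. Anything else must be a globally routable Internet address; other
         private/reserved destinations (e.g. a second LAN, link-local) are denied.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_GUEST:
        return True, "source is not on the IoT guest network; policy does not apply"
    if d == GUEST_GATEWAY:
        return True, "gateway reachable for DHCP/DNS"
    if d in TRUSTED_LAN:
        return False, "guest network may not reach the trusted LAN"
    if d in IOT_GUEST:
        if ap_isolation:
            return False, "AP isolation blocks guest-to-guest traffic"
        return True, "guest-to-guest allowed (AP isolation off)"
    if d.is_global:
        return True, "Internet destination"
    return False, f"non-Internet destination {d} outside the guest network"


def check_flows(flows, ap_isolation=True):
    """Evaluate a list of (src, dst) pairs; returns a list of (src, dst, allowed, reason)."""
    return [(src, dst, *guest_policy(src, dst, ap_isolation)) for src, dst in flows]


if __name__ == "__main__":
    # Constructed sample flows: a lightbulb on the guest network trying various targets.
    sample = [("192.168.50.20", "8.8.8.8"),          # cloud service: allowed
              ("192.168.50.20", "192.168.1.10"),     # desktop on trusted LAN: blocked
              ("192.168.50.20", "192.168.50.21"),    # another IoT device: blocked by AP isolation
              ("192.168.50.20", "10.0.0.5")]         # some other private net: blocked
    for src, dst, ok, why in check_flows(sample):
        print(f"{src} -> {dst}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Note that with AP isolation on, a phone joined to the guest network cannot talk to the IoT devices either, so any local-control app needs to run from the trusted side of the router.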