Thursday, January 29, 2026

Secure Your Home Network: Which of your devices can you trust?

And more importantly, which should you not trust? 

This post is the fourth in a series on how to make your home network harder to attack.  Here are links to posts one, two, and three.

Now you might think the question in the post title is a bit strange - after all, these are your devices, so you'd think that they're all trustworthy.  You'd be wrong.  There are at a minimum two different categories of trustworthiness:

Your main computing devices.  These are computers (duh) such as laptops and desktop computers, servers (a future post will talk about why these can be useful to you), and your cell phones (which are nothing but tiny hand held computers).

Now I've been in security for long enough that I get a bit twitchy about mobile phone security (I'll address this in a future post as well).  However, that ship has sailed and even a security nerd like me won't bother making a separate network just for these.  So they're computing devices for this discussion.

Then there's everything else.  It's surprising how many Internet-connected thingies there are these days.  Ring doorbells, Nest thermostats, online appliances (fridges, washing machines, etc).  At this point the Borepatch from four years ago would have told you to just walk away from all this nonsense.  Don't Internet-enable anything in this category.

Today's Borepatch sighs and tells you that this is coming to a home near yours.  It's here in my home.  No, not the thermostat (which was installed by the previous owner and which I have not connected to the WiFi).  However, the TVs all come with streaming apps for Netflix, Prime, and YouTube (among dozens of others).  And The Queen Of The World reminds me that the kids like to stream when they come and visit.  She likes it when they come and visit, as do I.  And so we have to do something for these devices.

Fortunately, you don't need any new kit to do this.  If you remember from the last post on watertight compartments, you don't own the Internet box from your network provider.  Basically, you can't trust it, so you install a new firewall box running DD-WRT, with its WAN port plugged into a LAN port of the provider's box.  It's trustworthy because you own it and run your own software and configuration on it.

All of your main computing devices connect to its WiFi (or its wired ports).  All of the other devices (doorbells, thermostats, TVs, appliances) connect to the WiFi from your network provider's box.

What you've done is to put a firewall between your computing devices and your untrusted devices.  It doesn't matter if your TV gets hacked because it can't get through your DD-WRT firewall to your computers: from the TV's side of the wire, your whole trusted network looks like one box that refuses new inbound connections.  That holds only as long as you keep that WAN side closed.  Don't forward any ports into the trusted side, and leave UPnP and remote management switched off on the DD-WRT box, because either one punches a hole from the TV's network into yours.

Likewise, your TV is at least somewhat protected from the outside world because it's behind the firewall in your network provider's box. 
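Here is what the firewall-between-the-two-networks idea looks like as configuration on the inner DD-WRT box, plus a small audit you can run against the live rules.  This is an added example, not the post's own script or anything shipped by DD-WRT.  It assumes the box's WAN port (plugged into a LAN port of the provider's box) is vlan2 and the trusted LAN bridge is br0; confirm those with nvram get wan_ifname and nvram get lan_ifname, because they vary by model.  The nvram variable names for UPnP and remote management are likewise assumptions to check against your build.  The iptables -S dumps the audit is exercised on below are constructed for illustration, not captured from a router.

```shell
#!/bin/sh
# Added example, not part of the original post: firewall script for the inner
# DD-WRT box that sits between the trusted computers and the ISP box's network.
# Assumed interface names (check with: nvram get wan_ifname / nvram get lan_ifname):
WAN_IF="${WAN_IF:-vlan2}"   # WAN port, plugged into a LAN port of the ISP's box
LAN_IF="${LAN_IF:-br0}"     # trusted LAN bridge (wired ports + this box's WiFi)

# Emit the iptables rules, one per line, so they can be reviewed before use.
# The DROPs are inserted at position 1 so nothing added later through the web
# UI (a port forward, remote management) can sit in front of them.  The DHCP
# accept is inserted afterwards, so it lands ahead of the DROP: the WAN side
# still has to receive its lease from the ISP box.
gen_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
iptables -I INPUT 1 -i $wan -m state --state NEW -j DROP
iptables -I INPUT 1 -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
iptables -I FORWARD 1 -i $wan -o $lan -m state --state NEW -j DROP
EOF
}

# Apply the rules when running on the router; anywhere else just print them.
apply_rules() {
    if command -v iptables >/dev/null 2>&1; then
        gen_rules "$WAN_IF" "$LAN_IF" | sh -e
    else
        gen_rules "$WAN_IF" "$LAN_IF"
    fi
}

# Close the two doors that would let the TV side open holes in this box.
# The nvram variable names are an assumption; confirm with: nvram show | grep -i upnp
harden_nvram() {
    command -v nvram >/dev/null 2>&1 || return 0
    nvram set upnp_enable=0
    nvram set remote_management=0
    nvram commit
}

# Audit: read an `iptables -S INPUT` (or FORWARD) dump on stdin; return 0 only
# if every ACCEPT for packets arriving on interface $1 is a reply
# (ESTABLISHED,RELATED), the DHCP lease, or comes after the NEW-drop.
# Rule order is what matters here: iptables acts on the first match.
audit_chain() {
    awk -v wan="$1" '
        $0 !~ ("-i " wan "( |$)")  { next }   # only rules on the WAN side
        /ESTABLISHED,RELATED/       { next }   # replies to our own connections
        /--sport 67 --dport 68/     { next }   # DHCP lease from the ISP box
        /--state NEW -j DROP/       { dropped = 1; next }
        /-j ACCEPT/ && !dropped     { bad++ }  # a hole reachable from the TV network
        END { exit (bad > 0 || !dropped) }'
}

# On the router: sh firewall.sh apply   then   sh firewall.sh audit
case "${1:-show}" in
    apply) harden_nvram; apply_rules ;;
    audit) iptables -S INPUT | audit_chain "$WAN_IF" && echo "INPUT: closed from WAN" ;;
    *)     gen_rules "$WAN_IF" "$LAN_IF" ;;
esac
```

The rules can be pasted into Administration -> Commands and stored with Save Firewall so they survive a reboot.  For an end-to-end check that does not depend on reading rules correctly, join a laptop to the provider's WiFi and run nmap -Pn against the DD-WRT box's WAN address (shown on its Status page): every port should come back filtered.  If anything shows open, something on the TV side can reach into the box, and the audit above will usually point at the ACCEPT that got in front of the drop.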

5 comments:

Rick T said...

A fundamental rule for network security is the principle of Least Privilege. Don't give a user or network device more access than it actually needs to do the job. Hackers can't compromise a system they can't see in another Watertight Compartment.

By that rule the only devices on the Trusted (private) network hosted by your internal router are your PCs/laptops, printer/scanners, and NAS boxen. Don't advertise the SSID for the wireless side and use a complex pass phrase. No, your personal cell phones don't (IMO) connect to the Trusted network. If you need data off a personal cell phone I prefer to use a USB cable for the transfer.

Use the Untrusted network on the ISP's router for immediate family cell phones, IoT devices, streaming boxes/TVs, etc. but be sure to change the wireless SSID AND the password away from the vendor defaults. I'd also strongly recommend turning off external management ports and changing the admin passwords on the ISP router.

For even better security use the Guest network on the ISP's router for guest access. You don't know what is on the grandkid's phones and don't have a good way to scan and quarantine them so best to keep them in their own sandbox away from (slightly) more trusted devices much less your PCs and NAS.

Yes, running multiple networks can be inconvenient, but you should consider your personal privacy and network security a higher priority than running your home network on the Easy button.

chris said...

Glad you're back posting Borepatch - I was getting worried.

matism said...

Didja notice that Microsoft just gave the FBI BitLocker recovery keys?
If you are using a Microsoft product, anything you do for security is time and money wasted!

McChuck said...

With respect to phones - Google just admitted in federal court the microphones in Android phones are always on, and Google is, in fact, recording your private conversations. They accepted the multi-million dollar fine as the cost of doing business their way.

I will note that the case didn't involve the cameras, so that issue wasn't addressed.

Old NFO said...

Thank you!