I’ve got almost all of my IoT devices moved over onto their own VLAN and dedicated SSID, tweaked with 2.4 GHz only, etc. The following devices are still NOT on the IoT VLAN. I have mDNS reflection turned on so devices on different VLANs, even the guest VLAN, can access the printer and Chromecasts. So… what are people’s opinions about these devices being or not being on an IoT VLAN?
WiFi - Chromecast
Ethernet - Chromecast Ultra
Ethernet - Hopper (Dish TV service main DVR)
MoCA (to Hopper) - Joey (Dish TV satellite base unit)
Ethernet - Ooma Lynx (phone line)
Ethernet - Printer-Fax
Thank you for reading my question and I look forward to hearing everyone’s opinions!
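For anyone weighing the mDNS-reflection part of this question, it helps to see what the reflector is actually copying between VLANs. mDNS is link-local multicast (224.0.0.251, UDP 5353), so it never crosses a routed boundary on its own; the reflector re-announces DNS-SD records such as the PTR/SRV/TXT/A set a Chromecast or an IPP printer publishes. The script below is an added example, not code from this thread or from any product named in it: it decodes such a response (with RFC 1035 name compression, including the pointer-loop case a malformed packet can contain) and builds a service inventory. The packet is constructed inline; the service types are the real `_googlecast._tcp` and `_ipp._tcp` names, but the hostnames, IPs and instance names are assumptions for illustration.

```python
"""Decode a multicast DNS (DNS-SD) response and inventory the services it advertises."""
import struct

MDNS_GROUP = "224.0.0.251"   # link-local multicast: not routed across VLANs, hence the reflector
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33


def read_name(pkt, off):
    """Decode a DNS name at pkt[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears inline)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2                          # inline name ends at the pointer
            hops += 1
            if hops > 32:                              # malformed packets can loop pointers
                raise ValueError("compression pointer loop")
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_mdns(pkt):
    """Return a list of (name, type, ttl, data) for every resource record in the message."""
    _, _flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                       # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == TYPE_PTR:
            data = read_name(pkt, off)[0]
        elif rtype == TYPE_SRV:                        # priority, weight, port, target
            data = (struct.unpack_from("!H", rdata, 4)[0], read_name(pkt, off + 6)[0])
        elif rtype == TYPE_TXT:                        # sequence of length-prefixed strings
            data, i = [], 0
            while i < rdlen:
                n = rdata[i]
                data.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
        elif rtype == TYPE_A:
            data = ".".join(str(b) for b in rdata)
        else:
            data = rdata
        records.append((name, rtype, ttl, data))
        off += rdlen
    return records


def service_inventory(records):
    """Join PTR -> SRV -> A records into {instance: (service type, host, ip, port)}."""
    addr = {n: d for n, t, _, d in records if t == TYPE_A}
    srv = {n: d for n, t, _, d in records if t == TYPE_SRV}
    inventory = {}
    for name, t, _, instance in records:
        if t == TYPE_PTR and instance in srv:
            port, host = srv[instance]
            inventory[instance] = (name, host, addr.get(host), port)
    return inventory


def build_response(records):
    """Encode an mDNS response with name compression (test-data generator for this example)."""
    out = bytearray(struct.pack("!6H", 0, 0x8400, 0, len(records), 0, 0))
    seen = {}

    def put_name(name):
        labels = name.split(".")
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in seen:                         # emit a pointer to the earlier copy
                out.extend(struct.pack("!H", 0xC000 | seen[suffix]))
                return
            seen[suffix] = len(out)
            out.append(len(label))
            out.extend(label.encode())
        out.append(0)

    for name, rtype, ttl, data in records:
        put_name(name)
        out.extend(struct.pack("!HHI", rtype, 0x8001, ttl))   # class IN with cache-flush bit
        len_at = len(out)
        out.extend(b"\x00\x00")
        if rtype == TYPE_PTR:
            put_name(data)
        elif rtype == TYPE_SRV:
            out.extend(struct.pack("!HHH", 0, 0, data[0]))
            put_name(data[1])
        elif rtype == TYPE_TXT:
            for s in data:
                out.append(len(s))
                out.extend(s.encode())
        elif rtype == TYPE_A:
            out.extend(bytes(int(x) for x in data.split(".")))
        struct.pack_into("!H", out, len_at, len(out) - len_at - 2)
    return bytes(out)


# Constructed announcement resembling a Chromecast and an IPP printer on an IoT VLAN (assumed names/IPs).
SAMPLE_RECORDS = [
    ("_googlecast._tcp.local", TYPE_PTR, 4500, "Living Room TV._googlecast._tcp.local"),
    ("Living Room TV._googlecast._tcp.local", TYPE_SRV, 120, (8009, "chromecast-example.local")),
    ("Living Room TV._googlecast._tcp.local", TYPE_TXT, 4500, ["fn=Living Room TV", "md=Chromecast"]),
    ("_ipp._tcp.local", TYPE_PTR, 4500, "Office Printer._ipp._tcp.local"),
    ("Office Printer._ipp._tcp.local", TYPE_SRV, 120, (631, "printer-example.local")),
    ("chromecast-example.local", TYPE_A, 120, "192.168.20.10"),
    ("printer-example.local", TYPE_A, 120, "192.168.20.11"),
]
SAMPLE_PACKET = build_response(SAMPLE_RECORDS)

if __name__ == "__main__":
    for instance, (stype, host, ip, port) in service_inventory(parse_mdns(SAMPLE_PACKET)).items():
        print(f"{instance}: {stype} on {host} ({ip}) port {port}")
```

Run it as-is to see the two services resolved to host, address and port; pointing `parse_mdns` at real datagrams received on UDP 5353 gives the same inventory for a live segment, which is a quick way to confirm the reflector is forwarding only the service types you intended (cast and print) and not everything else the IoT VLAN chatters about.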
Hi,
“It depends… what are you trying to do…”

Yes, a typical Engineer’s answer - but:
-
Is the Chromecast used for just internal streaming from other devices (e.g. HA dashboards), or do you watch YouTube?
e.g. I might use a Chromecast Audio for internal TTS only, so can block it from Internet access on an IoT VLAN, especially as it is EoL with no more firmware updates (although Goog might use signing with a chain-of-trust giving relatively low risk).
-
Is your printer recent, up to date, and from a “good” manufacturer?
If so, then IPP might be safe-ish and useful to print remotely.
The word Fax might imply an older device, still working but utterly unsuitable to defend against protocol attacks.
-
Why did you create an IoT VLAN? For the learning experience? To give a point of control for access and updates?
Your “security posture” should give you a good guide:
Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via HA Voice! I love the future!
Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.
Basically:
- Do I get a benefit from connecting it?
- What is lost if it is breached?
(beachheads and lateral movement are real though - a fish tank controller hacked a casino!)
- Is the manufacturer keeping up with updates, and trustworthy?
- Are there other users on the network who need access controls?
- Do I have the time and motivation to debug?
(My washing machine refused to connect to the WLAN unless I temporarily unblocked Samsung’s ad DNS tentacles. SmartThings does work blocked and the feature is useful. Still took me hours to step through…)
If this helps,
this post!