Your new smart home may need a smarter network
In part 1, I suggested a few things to consider when shopping for a thermostat, door lock, baby monitor, kitchen appliance, or other smart home IoT (Internet of Things) device. Here, in part 2, I’ll share some thoughts on deployment.
Right away, that word, deployment, should stand out. We deploy things at work. At home, we want to unpack consumer devices and start using them. How quaint. That internet-connected washing machine you just brought home is really a website with a peripheral device attached. If you deploy it improperly, you’ll invite the whole world into your laundry room. And from there, some of the people you invite will probe every nook and cranny of your home.
Like it or not, you’re taking on the same problems as multibillion-dollar companies. Except most businesses locate their websites with professional hosting services. By definition, your smart home device is inside your home. You can’t outsource it into the cloud.
Welcome to the internet hosting business. It’s time to step up your game.
Your deployment strategy needs to address two key questions:
- How does the world find your devices?
- How do you secure your devices?
And these lead to deeper questions.
Deployment – finding yourself
Every IoT device you control from outside the house needs a way to be found on the internet. If you can lock your doors from your cell phone, your phone needs a way to reach the lock from the other side of the planet. There are three choices:
- Dynamic DNS
- Static IP address(es)
- Third-party intermediary
The first two expose a port in your home directly to the internet; the third relies on the device calling out to a vendor's service.
DNS (Domain Name System) maps names to IP addresses. Think of it as looking up your neighbor's phone number in a directory. But unlike phone numbers, most home internet connections have dynamic IP addresses, which change from time to time, typically when your ISP's address lease expires or your modem reboots. Work around this problem by signing up with a dynamic DNS service: a small client on your router or firewall reports your current address to the service, which keeps the name pointing at it. The good ones cost money every month. The free services come and go, and your mileage may vary. Either way, a name that resolves to your home is also a name that automated scanners will find, so everything in the next section applies.
Or sidestep the problem by getting a static IP address, or a small range of them, from your ISP for your home connection. Static IP addresses are good because they don't change. They are bad because they cost money and the world has effectively run out of IPv4 addresses. IPv6 will cure the shortage, but IPv6 has been two years from wide adoption since the late 1990s.
Sometimes, IoT devices are really a beachhead into your home for companies that want to sell you stuff. Amazon, Google, and others offer devices that register with their companies. If you buy, say, an Amazon Echo, Amazon records your interactions with it, and the path into your home from the rest of the world goes through Amazon. The device connects outbound to Amazon's service and your phone talks to that same service, so nothing in your home has to accept an inbound connection; that is the model's one real security advantage, and the price is that the vendor sees everything and your access lives or dies with its service. If you trust a team of marketing analysts inside your home 24x7, then devices like the Echo offer great conveniences.
Deployment – securing yourself
You need to do two things:
- Protect your device(s) from bad guys
- Protect yourself from your device(s).
NAT (Network Address Translation) is your friend, and your home router already does it. You'll need to extend it to accommodate your device(s). All kinds of NAT tutorials are available. Here's the one-sentence summary: give your device a private IP address, visible only inside your home network, and configure your firewall to forward only the specific port(s) the device needs from your public IP address to that private address. Two caveats. The "DMZ host" option on many consumer routers is not the DMZ discussed below; it forwards every port to one device and is the opposite of what you want. And disable UPnP on the router, or your devices will quietly open ports for themselves.
That simple NAT setup protects against nearly all the junk flying around the public internet. But it's not enough. Even though you've kept the Illinois Tollway of background traffic from pounding your device, the world still has a path to every port you forwarded, and automated probes from everywhere will find it within minutes, if not seconds. Defend yourself. Change any factory default passwords, turn off services you don't use (telnet, remote administration, cloud features you didn't buy the device for), and lock down the remaining security settings. And keep your patches up to date, both on your device(s) and on your firewall.
And that's still not good enough. You need another defense layer in case somebody compromises your device(s). Limit the potential damage by segregating your network into zones, just like big companies should do (but many don't, and some pay dearly for it). One zone has your computers, TVs, printers, tablets, and cell phones. Another, called a DMZ (the acronym really does stand for demilitarized zone; it's a metaphor), has your IoT devices partially exposed to the internet behind your NAT gateway. The rule between the zones is simple: the DMZ may never start a connection into the family zone, and the family zone may reach the DMZ only on the ports you choose.
Here’s where it gets tricky. Those IoT devices probably connect to a home WiFi network. But most homes only offer one WiFi for everything. Your home needs to do better. You need at least two semi-independent WiFi networks; one for your DMZ with your IoT devices, the other for the traditional family network.
To make this work, you could buy another consumer-grade WiFi router, but there's a more secure way to do it for about the same cost, using a concept called VLANs (Virtual Local Area Networks). With VLANs, traffic shares the same physical cables and access points, but each frame carries a tag naming its network, and one network cannot interact with the other except where the VLANs meet at a router; in this case, your internet firewall. Put rules in the firewall to carefully regulate any traffic between the family network and your DMZ with your device(s): block everything by default, allow the DMZ devices out to the internet only on the ports they actually need, and allow the family network into the DMZ only on the ports you use to manage the devices.
You'll need VLAN support in all your networking components, including your WiFi access point, firewall, and Ethernet switch, to pull this off. You'll also need your WiFi access point to support at least two SSIDs (service set identifiers, your WiFi network names) and to map each SSID to its VLAN. This probably means you'll need to upgrade your entire home network. If that's out of reach, the guest-network feature on many consumer routers is a weaker substitute: it usually keeps the guest SSID away from the main network, but gives you no say over the rules between them.
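Here is the zone policy from the NAT, DMZ and VLAN steps above written down as data, with a function that answers "would the firewall let this through?" and a renderer that turns the same policy into an nftables forward chain. This is an added example, not code from the original post; the VLAN numbers, subnets (192.168.10.0/24 for the family zone, 192.168.20.0/24 for the DMZ), interface names (eth0.10, eth0.20, eth1) and the device ports (443/8443 for management, 8443 port-forwarded from the internet) are assumptions you would replace with your own.

```python
"""Inter-zone policy for a two-VLAN home network, expressed as data.

Zones: lan (family devices), dmz (IoT devices), wan (everything else).
Assumptions, not from the original post: VLAN 10 = 192.168.10.0/24 on eth0.10,
VLAN 20 = 192.168.20.0/24 on eth0.20, internet on eth1, device UIs on 443/8443.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),  # family VLAN (assumed)
    "dmz": ipaddress.ip_network("192.168.20.0/24"),  # IoT VLAN (assumed)
}
IFACES = {"lan": "eth0.10", "dmz": "eth0.20", "wan": "eth1"}  # assumed interface names


@dataclass(frozen=True)
class Rule:
    src: str           # zone name: "lan", "dmz" or "wan"
    dst: str
    dports: frozenset  # destination ports; empty means any port
    action: str        # "accept" or "drop"


# First match wins; anything unmatched falls through to DEFAULT.
POLICY = [
    Rule("lan", "dmz", frozenset({443, 8443}), "accept"),     # family devices manage IoT UIs
    Rule("lan", "wan", frozenset(), "accept"),                # family devices reach the internet
    Rule("dmz", "lan", frozenset(), "drop"),                  # IoT never initiates into the family zone
    Rule("dmz", "wan", frozenset({53, 123, 443}), "accept"),  # DNS, NTP, HTTPS to the vendor cloud
    Rule("dmz", "wan", frozenset(), "drop"),                  # no telnet/SSH/SMTP from IoT outbound
    Rule("wan", "dmz", frozenset({8443}), "accept"),          # the single port-forwarded service
    Rule("wan", "lan", frozenset(), "drop"),                  # nothing from the internet into the family zone
]
DEFAULT = "drop"


def zone_of(ip):
    """Map an address to its zone; anything outside the two home subnets is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def decide(src_ip, dst_ip, dport, established=False):
    """Return 'accept' or 'drop' for a connection attempt.

    Replies to flows the firewall already accepted are allowed (stateful),
    exactly as the 'ct state established,related accept' line does in nftables.
    """
    if established:
        return "accept"
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and (not rule.dports or dport in rule.dports):
            return rule.action
    return DEFAULT


def render_nftables():
    """Render the same policy as an nftables forward chain for the firewall."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {DEFAULT};",
        "    ct state established,related accept",
    ]
    for rule in POLICY:
        match = f'iifname "{IFACES[rule.src]}" oifname "{IFACES[rule.dst]}"'
        if rule.dports:
            ports = ", ".join(str(p) for p in sorted(rule.dports))
            for proto in ("tcp", "udp"):  # one rule each so both transports are covered
                lines.append(f"    {match} {proto} dport {{ {ports} }} {rule.action}")
        else:
            lines.append(f"    {match} {rule.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    # A compromised camera trying telnet on a stranger: expect "drop"
    print(decide("192.168.20.7", "203.0.113.9", 23))
```

The forward chain only decides what may cross between zones; the port forward itself (the DNAT that rewrites your public address to the device on 8443) lives in a separate prerouting chain, and the wan-to-dmz rule here is what lets that rewritten flow through. The point of keeping the policy as data is that you can run `decide()` over the cases you care about (camera to laptop, camera to telnet on the internet, phone to the lock's UI) before you push the rendered ruleset to the firewall.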
Why bother with a deployment strategy?
Even with all that, if somebody compromises, say, a cheap security camera, a bad guy can still use it to attack somebody else on the other side of the internet. That happened in 2016 on a massive scale, when the Mirai botnet, built largely from cameras and DVRs still running factory default passwords, took down major websites. But at least your private stuff on the family network will be out of reach. And if your firewall logs the traffic in and out of the DMZ, a camera that suddenly starts knocking on telnet ports all over the internet stands out, and you have a decent chance of finding and fixing the compromised device.
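What "finding it" looks like in practice, as an added example that is not part of the original post: a script that reads the firewall's netfilter-style log lines for the IoT VLAN and flags a device that fans out to many hosts on telnet/SSH ports, talks to the internet on ports the DMZ policy never allows, or tries to reach the family zone at all. The log lines are constructed for the example, and the interface names (eth0.20 for the DMZ, eth0.10 for the family zone), the allowed ports and the scan threshold are assumptions to tune for your own network.

```python
"""Spot a misbehaving IoT device from firewall logs of the DMZ VLAN.

Looks for the classic post-compromise pattern: a device that starts contacting
many strangers on telnet/SSH ports, talks to the internet on ports the DMZ policy
never allows, or tries to reach the family network at all.
Interface names, thresholds and the log lines are assumptions, not from the post.
"""
import re
from collections import defaultdict

DMZ_IF = "eth0.20"                   # assumed VLAN interface for the IoT zone
LAN_IF = "eth0.10"                   # assumed VLAN interface for the family zone
SCAN_PORTS = {22, 23, 2323}          # ports Mirai-style malware probes on other hosts
ALLOWED_DMZ_EGRESS = {53, 123, 443}  # what the DMZ policy is meant to let out
SCAN_THRESHOLD = 5                   # distinct targets on SCAN_PORTS before we call it scanning

# Constructed sample in netfilter LOG format (one line per logged packet).
# 192.168.20.7 is a camera, 192.168.20.9 a thermostat, 192.168.10.5 a laptop.
SAMPLE_LOG = """\
Oct 21 11:02:01 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.7 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=41022 DPT=23
Oct 21 11:02:01 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.7 DST=203.0.113.11 LEN=60 TTL=64 PROTO=TCP SPT=41023 DPT=23
Oct 21 11:02:02 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.7 DST=203.0.113.12 LEN=60 TTL=64 PROTO=TCP SPT=41024 DPT=23
Oct 21 11:02:02 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.7 DST=203.0.113.13 LEN=60 TTL=64 PROTO=TCP SPT=41025 DPT=23
Oct 21 11:02:03 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.7 DST=203.0.113.14 LEN=60 TTL=64 PROTO=TCP SPT=41026 DPT=23
Oct 21 11:02:03 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.7 DST=198.51.100.20 LEN=60 TTL=64 PROTO=TCP SPT=41030 DPT=2323
Oct 21 11:02:04 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth0.10 SRC=192.168.20.7 DST=192.168.10.5 LEN=60 TTL=64 PROTO=TCP SPT=41031 DPT=445
Oct 21 11:02:05 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.9 DST=192.0.2.50 LEN=60 TTL=64 PROTO=TCP SPT=50000 DPT=443
Oct 21 11:02:05 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.9 DST=192.0.2.53 LEN=60 TTL=64 PROTO=UDP SPT=50001 DPT=53
Oct 21 11:02:06 fw kernel: DMZ-OUT IN=eth0.20 OUT=eth1 SRC=192.168.20.9 DST=192.0.2.50 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Oct 21 11:02:06 fw kernel: LAN-OUT IN=eth0.10 OUT=eth1 SRC=192.168.10.5 DST=192.0.2.60 LEN=60 TTL=64 PROTO=TCP SPT=50002 DPT=22
"""

# Only the key=value fields we need; real LOG lines carry more (MAC=, LEN=, TTL=, ...).
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")


def parse_line(line):
    """Pull the fields we need out of one LOG line; None if it has no destination port."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "DPT")):
        return None  # e.g. ICMP lines, which have no DPT
    return {
        "iif": fields.get("IN", ""),
        "oif": fields.get("OUT", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", ""),
        "dpt": int(fields["DPT"]),
    }


def analyze(log_text):
    """Return {src_ip: findings} for DMZ hosts whose outbound behaviour breaks the policy."""
    scan_targets = defaultdict(set)  # src -> hosts it touched on SCAN_PORTS
    bad_ports = defaultdict(set)     # src -> internet ports outside ALLOWED_DMZ_EGRESS
    lan_contact = defaultdict(set)   # src -> family-zone hosts it tried to reach
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["iif"] != DMZ_IF:
            continue                 # only traffic originating in the IoT zone
        if f["oif"] == LAN_IF:
            lan_contact[f["src"]].add(f["dst"])  # any attempt at the family zone is a finding
            continue
        if f["dpt"] in SCAN_PORTS:
            scan_targets[f["src"]].add(f["dst"])
        if f["dpt"] not in ALLOWED_DMZ_EGRESS:
            bad_ports[f["src"]].add(f["dpt"])
    findings = {}
    for src in set(scan_targets) | set(bad_ports) | set(lan_contact):
        entry = {}
        if len(scan_targets[src]) >= SCAN_THRESHOLD:
            entry["scanning"] = len(scan_targets[src])
        if bad_ports[src]:
            entry["disallowed_ports"] = sorted(bad_ports[src])
        if lan_contact[src]:
            entry["lan_contact"] = sorted(lan_contact[src])
        if entry:
            findings[src] = entry
    return findings


if __name__ == "__main__":
    for src, what in analyze(SAMPLE_LOG).items():
        print(src, what)
```

The script deliberately ignores whether the firewall accepted or dropped each packet: with the zone policy in place most of the camera's telnet attempts are dropped, and the dropped attempts are exactly the symptom you want to see. Feed it your firewall's log (a `LOG` or `log prefix` rule on the DMZ's forward traffic) rather than the constructed sample, and raise `SCAN_THRESHOLD` if a device legitimately talks to many hosts.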
Is all this a hassle? Yup. You'll face a learning curve and you'll spend time and money on home infrastructure upgrades. Your neighbors might even ridicule you for going to all this trouble. But while your neighbor's internet-connected washing machine is sending their private information to a crook in eastern Europe, your internet-connected devices won't have a path to your private stuff. That makes it worth the trouble.
(I originally submitted this as a guest blog post to bestcompany.com in early 2019. But I noticed it’s been removed, and so I published it here.)