Wi-Fi Security, Guest Networks and Virtual Local Area Networks

The main thing to know about any Wi-Fi connected smart device you're looking to buy is that, unfortunately, each one represents a possible point of failure which can ultimately compromise your entire Wi-Fi network. Much as with password management, where the weak point is the security of each individual site you use a password for (reusing a single password across multiple sites is a risk because one site's breach can compromise every site that login is shared with), when you're using smart devices it's important to think about how much time, energy and effort has gone into securing these systems and services.

Generic Devices vs. Named Brands

If you're buying from a recognised brand such as WeMo or TP-Link then you may take some comfort from the fact that these businesses are brands: they have a vested interest in keeping their products secure and supported so as to protect their name and their ability to sell devices in future. This is not to say that a known brand is guaranteed to do this particularly well, but they have a vested interest in doing so.

If on the other hand you're using a generic plug or bulb that has been created in China for the UK market then you run the risk that either:
The device is already compromised and, having no brand behind it, will receive no ongoing support
The company will fail and stop issuing security updates
The servers your device is communicating with will be compromised

This is not to suggest that you can purchase security, nor that generic devices are inherently bad; many of them use the ESP8266, which can very easily be flashed with the open source Tasmota firmware and configured to communicate only with your internal network. Instead it's necessary to point out that there are risks to bringing any device of dubious security onto your personal network.

The Dangers of using a Single Network for all devices

If you have ever connected your PC to a Wi-Fi network for the first time, odds are that your device asked you to classify it as either a personal, a work or a public network. This happens for a very good reason: your computer will share more information about itself on a trusted network than it will on a public one, sharing files, communicating with other devices and broadcasting which ports it will allow connections over. It does this for your convenience, allowing you to share video files with your TV, talk to your printer and so on. The long and short of it is that your personal computer, whether PC or Mac, is going to be far more trusting of devices on your local network than it is of devices it finds out in the wider world.

If you've got a potentially compromised smart device on the same Wi-Fi network as your laptop or mobile phone you might be in trouble. Any attacker who compromises that device now has the ability to communicate openly with any device on the network, potentially copying intimate photographs, financial information or anything else you've not properly secured. There are a few steps you can take:

Set up a Virtual Local Area Network (VLAN)

This should be your first choice for security and is the gold standard for isolating your devices. A VLAN creates a partition between the computers connected to your network. By assigning devices to separate networks they can be blocked not only from communicating with each other, but even from seeing that the other devices exist. If your router does not come with this functionality out of the box then you should look either to replace it, or to flash it with a custom firmware such as DD-WRT which will allow you to create VLANs.

Custom firmware

While flashing custom firmware might sound very technical it's actually rather simple. You're installing new software onto your router in much the same way that you might have used an installer DVD or USB stick to change the OS on your PC from XP to Windows 7, or to install a new version of Mac OS. Except in this case the software allows you much more control over the router's hardware.

There are a variety of absolutely fantastic firmware ports for some of the higher end routers that will look and feel much like your existing software; if one doesn't exist for your router then you're probably going to want to use a system called DD-WRT, which happily supports a vast array of different routers. If you don't have a DD-WRT capable router and your router doesn't come with the functionality needed then you should consider buying an alternative. If you're on a budget there's a handy list of cheaper DD-WRT capable routers available.

DD-WRT is a custom firmware based on the Linux kernel which allows you a lot more control over the configuration of your router, and as I see it the main reason for installing it is the ability to secure your network by creating virtual LANs. Virtually any router, once properly configured, will be able to do this, excluding obviously the ones provided by your internet service provider (Virgin, BT etc.). These devices are usually pretty well locked down and give you only a limited amount of control, and they are themselves generally quite insecure, as covered in a previous article.

Set up a separate Wi-Fi network

Out of the box a lot of routers allow for the creation of additional guest Wi-Fi networks or SSIDs (Service Set Identifiers). If your router has this functionality then it's generally a good idea to set it up and give it to guests, children and IoT devices. As a rule these networks don't allow devices as much ability to communicate with each other, and they handily separate these devices from your private network. If your router doesn't allow this out of the box you can look at installing custom firmware such as DD-WRT, which often does, or at finding a more suitable router.
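As an added example (not part of the original article), a small Python model of the inter-VLAN policy that the VLAN and guest-network options above aim for: the trusted LAN may open connections into the IoT and guest segments so you can still control your devices, but those segments can only initiate connections out to the internet. The subnets, zone names and policy are constructed assumptions; the reply handling mirrors the connection tracking a Linux-based router such as DD-WRT uses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing: one subnet per VLAN / SSID.
# Anything outside these ranges is treated as the internet ("wan").
VLANS = {
    "lan":   ip_network("192.168.1.0/24"),   # trusted laptops, phones
    "iot":   ip_network("192.168.20.0/24"),  # smart plugs, bulbs, hub
    "guest": ip_network("192.168.30.0/24"),  # visitors, children
}

@dataclass(frozen=True)
class Rule:
    src: str     # zone name or "any"
    dst: str     # zone name or "any"
    accept: bool

# Hypothetical inter-VLAN policy, first match wins, default drop:
# the trusted LAN may open connections anywhere; IoT and guest may
# only reach the internet, never each other and never the LAN.
POLICY = [
    Rule("lan", "any", True),
    Rule("iot", "wan", True),
    Rule("guest", "wan", True),
]

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in VLANS.items() if ip in net), "wan")

class Firewall:
    """Stateful router firewall: replies to an accepted flow are allowed
    back, the way conntrack's ESTABLISHED rule works on a Linux router."""
    def __init__(self, policy):
        self.policy = policy
        self.flows = set()  # (src_ip, dst_ip) of flows already accepted

    def forward(self, src_ip, dst_ip):
        if (dst_ip, src_ip) in self.flows:
            return True                       # reply traffic
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src == dst:
            return True                       # same VLAN: switched, never routed
        for r in self.policy:
            if r.src in (src, "any") and r.dst in (dst, "any"):
                if r.accept:
                    self.flows.add((src_ip, dst_ip))
                return r.accept
        return False                          # default drop

def initiators_into(policy, zone):
    """Zones that can open a new connection into `zone` under `policy`;
    for a properly segmented home network this is [] for "lan"."""
    samples = {z: str(net[10]) for z, net in VLANS.items()}
    samples["wan"] = "203.0.113.5"            # constructed internet address
    return sorted(z for z, ip in samples.items()
                  if z != zone and Firewall(policy).forward(ip, samples[zone]))
```

Running `initiators_into(POLICY, "lan")` is the check worth repeating after any rule change: an empty list means no IoT, guest or internet host can start a connection into your trusted devices.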

Set up a separate router

If you have an old router lying around then this might be a simpler, less technically challenging way of securing your devices. By plugging a separate router into one of your ports and having all your smart devices connect to it you create a layer of separation between these devices and the rest of your network. Obviously this is not as secure as using a VLAN, but it adds another layer of security in the form of a router sitting between your devices and your wider network.

Avoid Having Multiple Points of Failure

While you might not yet have decided on which smart hub or home automation protocol you want to adopt, choosing a single system can make you far more secure. If you adopt Zigbee or Z-Wave via a hub rather than relying on each device to connect to the internet individually you reduce the number of possible access points. Zigbee and Z-Wave devices are often as cheap as Alexa and Google Assistant compatible Wi-Fi plugs but have one huge advantage: as they communicate with each other outwith your Wi-Fi network, the only risk they pose, short of someone sitting outside your house trying to hack them, is via their hub. Z-Wave can handle some 250 devices from a single hub and a Zigbee mesh network can handle 65,000+ connections.

Obviously the security of these devices is dependent on the type of hub you choose to introduce; as before, a generic Zigbee or Z-Wave hub is likely less secure, and will probably be sending information outwith your network. Alternatively, as these devices can be connected using an MQTT system via a Raspberry Pi or old laptop, you could lock down the hub, as it would never need to communicate outside your network at all.

Consider Who Has Access

Consider the lock on your front door: the best lock in the world won't stop a determined thief, but it may well make them target someone else instead.

Ultimately any smart home system is going to have its flaws, and there are always going to be computer experts who have the ability to compromise even the most robust systems. How much they are able to achieve might be the only thing that you can limit, but the vast majority of people trying to hack your system or grab your data are unlikely to be targeting you specifically. A little bit of separation, or another layer of security, might just encourage them to try elsewhere.