Tin Hat Time – Scrap your Smart TV!
This topic has 28 replies, 6 voices, and was last updated 8 years, 11 months ago by Dave Rice.
April 3, 2017 at 7:18 pm #5816
Thank you, that will take some time to appreciate. It does sound like the law of unintended consequences biting the backside of those who let it come near to them. The question then becomes how hard does it really bite?
‘Unintended consequence’ — that may be a charitable statement considering that this flaw was demonstrated during the draft consultation phase for the spec! Conspiracy theorists may have a different view. :scratch:
To be honest, at the moment (assuming you are not of interest to the powers that be) there is almost certainly zero impact on personal security around the home. Widespread dangers are however on the near horizon and I do not know if they can be fixed at the firmware level.
As you earlier pointed out, the ideal would be to put such devices on a separate (untrusted) domain. I do this for my (wired) IP cameras, but I would not have a clue how to do this for my idiot-proofed Smart (DHCP Wi-Fi connected) TV. I think that may need at least a TV software fix. Any ideas Dave?
April 3, 2017 at 8:08 pm #5821
The “proper” way would be an AP with multiple SSIDs with VLANs, but that starts getting complicated and needs business grade kit.
That’s now not that expensive. My UAP is £60 and the TP-LINK TL-SG1016DE 16 Port Gigabit “Easy Smart” Switch is £75. The £26 TP-LINK TL-WA801ND has a Multi SSID mode (4) as an AP and also supports VLANs.
April 3, 2017 at 8:30 pm #5822
I put the stuff I don’t trust on a separate guest network that has no physical connection to my private network.
However this is starting to become harder when the IoT in question needs you to have access to it (lights for example), and if you put them on a guest network you need to swap networks to turn a bulb on. This isn’t ideal.
My bulbs get round this by connecting to an external server, but this brings up probably more threats overall than it fixes. But at least it keeps them off your network. But in my case I’m trusting a Singapore server to turn my lights on/off.
If there is a hidden mic in there I’d never know. But I’m sure someone out there has ripped apart the Yii lights to look.
But keeping things off your personal network is only going to get harder as the devices become “smart”.
April 3, 2017 at 8:32 pm #5823
I have a guest option on my router; as far as I know this is untrusted and has no access to the rest of the network. However, it has not been used or tested, so I would need to do that before I worked on that basis.
April 3, 2017 at 8:38 pm #5824
You can password a guest account and it will stop Windows saying it’s untrusted, but the router still won’t give it access to your main network.
It’s just an Internet access point. Windows just says it’s untrusted as it’s not password protected, so it’s letting you know anyone could potentially be snooping on you. Once you put a password on it’s fine.
I have a very basic and easy to break password, just so I can say to friends, it’s 1234 (which it is), but this is an improvement on the no password I had on my guest network for years. I’m not too bothered about anyone being on that network. Where I live, there are 6 houses in reach of my Wi-Fi signal, all occupied by people over 70 years old.
April 3, 2017 at 8:40 pm #5825
You say the guest network has no physical connection to your private LAN, yet it can access the internet.
How have you done this?
April 3, 2017 at 9:05 pm #5826
I just had a thought. I have a separate PC with its own NIC/separate domain (not sure that is the right word – unlike my ‘normal’ addresses on 192.168.x.x etc., this PC is on 10.x.x.x). I use this for the untrusted hard wired IP cameras. It has a broadcast WAN mode so I can use this from my normal network to view the cameras. If I used the second PC to set up its own Wi-Fi hotspot, would that be a safer way of connecting the Smart TV?
April 3, 2017 at 10:24 pm #5829
I didn’t do it, but I suspect I used the word ‘physical’ wrongly. The guest network doesn’t allow connected devices to see each other or the main network. The main network is a virtual walled garden. The guest network only gets access to the Internet.
I actually have 2 guest networks: one I demo IoT crap on and the kids use, which has a proper pw, plus another that friends and fambo can use with pw 1234. Neither of those 2 guest networks can see my network. Also the guest networks don’t get access to the router’s home admin page.
But I’m sure with enough time and effort one could breach the other, but I’m hardly concerned by this, given I can demonstrate I’ve not been careless and have taken reasonable steps to protect my data. Someone would really want to get in to my network.
Even if it was breached I hold little work data on my network; it’s all backed up to USB drives and pens, and only connected when needed.
The most anyone could get is my DVD collection and a handful of “grey downloads”. So I really don’t care that much.
But physical was the wrong choice of words; it’s virtual. But I thought it a better way to explain the difference between the two to someone that hasn’t played with their guest network options. As you know there are ways to run two physical networks, but unlike you I lack the knowledge, not to originally set it up, but rather in 6 months to troubleshoot and fix the inevitable hiccups. That is what prevents me from going all in. A simple virtual setup is sufficient for me.
April 3, 2017 at 11:28 pm #5831
I thought that was what you meant, but just thought I’d check. Quite a few devices have that as an option, i.e. can only access the default gateway.
No good for controlling IoT devices from the same LAN or for Chromecasts and Kodi Android remotes, but fine for giving a Smart TV access to the internet.
A lot of IoT are going to be cloud controlled using P2P techniques so that Port Forwarding isn’t required. This should still work and isolate that device from any others.
So I guess that’s the easy answer. Either your main router or a discrete AP needs multiple SSID capabilities with a “guest network” function that restricts access to only the default gateway.
The £35 TD-W9970 can use VDSL or ADSL and has a secondary restricted guest network, but it’s 2.4GHz N only (I don’t find that a restriction). At the higher end the £70 Archer VR400 does the same (and more), is dual-band AC and has USB sharing. You can also limit the bandwidth usage.
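The “guest network that can only reach the default gateway” idea discussed in the last few posts, as an added example that is not from any poster in this thread: an nftables ruleset for a Linux-based router where the guest SSID (for instance a tagged VLAN from the AP, as in the multiple-SSID setup mentioned earlier) may talk to the router for DHCP/DNS and to the internet, but never to the trusted LAN. The interface names `br-lan`, `eth0.20` and `eth1` are assumptions; change them to match your own router.

```shell
#!/bin/sh
# Added example, not from the thread: isolate an untrusted guest/IoT network
# on a Linux router with nftables. Interface names are assumptions.
LAN_IF="${LAN_IF:-br-lan}"      # trusted home LAN
GUEST_IF="${GUEST_IF:-eth0.20}" # guest SSID, e.g. VLAN 20 tagged from the AP
WAN_IF="${WAN_IF:-eth1}"        # upstream internet link

# Print the ruleset so it can be reviewed before it is applied.
guest_ruleset() {
cat <<EOF
table inet guest_isolation {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    iif "$LAN_IF" accept
    # guest devices may only use the router itself for DHCP and DNS
    iif "$GUEST_IF" udp dport { 67, 53 } accept
    iif "$GUEST_IF" tcp dport 53 accept
    iif "$GUEST_IF" drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif "$LAN_IF" oif "$WAN_IF" accept
    # guest -> internet only; guest -> LAN is explicitly dropped
    iif "$GUEST_IF" oif "$WAN_IF" accept
    iif "$GUEST_IF" oif "$LAN_IF" drop
  }
}
EOF
}

# Load the ruleset atomically (needs root and nftables on the router).
# Guest-to-guest isolation on the same SSID is an AP setting (client
# isolation), not something this forward chain can enforce.
apply_guest_ruleset() {
  guest_ruleset | nft -f -
}

# Self-check: the generated rules must never accept guest -> LAN forwarding.
guest_cannot_reach_lan() {
  ! guest_ruleset | grep -q "iif \"$GUEST_IF\" oif \"$LAN_IF\" accept"
}
```

Review the output of `guest_ruleset` first, then run `apply_guest_ruleset` as root; devices on the guest side will still get an address and resolve names but cannot open connections to anything on the trusted LAN.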