NEST Thermostat Network Isolation
With the proliferation of IoT (Internet of Things) objects such as smart thermostats, sensors of all kinds, video cameras, video doorbells, light bulbs, media hubs and the like, it comes as no surprise that security problems are cropping up. These IoT devices are proving to be a door through which malicious software can gain direct access to your home network behind your router. An excellent summary of the potential security problems with IoT devices can be found in the InfoSec Resources IoT Security Summary. The takeaway is that these devices are vulnerable, and attackers can use them to penetrate your home network. Once an attacker gains access to the network behind your router, they have the “keys to the kingdom”.

What is the solution? As usual with home network security, there are several solutions ranging from relatively simple to very complicated. As a first step, I chose a relatively simple solution: isolate my IoT devices from the rest of my home network. Most newer home routers have one or more guest networks available. These are password-protected WiFi networks which are (by definition) isolated from your internal home network. You can explicitly grant or remove access to the rest of your network in the router’s guest network settings.
Steve Gibson did a great summary of this method of isolating IoT devices here: Security Now 544 IoT Security.
I have successfully used this method to isolate two NEST Thermostats and one Ring doorbell on their own, password-protected guest network. My ASUS router has six separate guest networks; I have allocated one of them to several of my IoT devices. This involved generating a complex, random password for the IoT guest network, and then setting up each device to use that guest network. I found that I initially had to grant the devices permission to access my internal network. However, once the devices were set up, I removed this permission and they functioned normally, but were now isolated from the remainder of my internal network.
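After removing the intranet-access permission, it is worth confirming that the guest network really is cut off from the LAN rather than trusting the router's checkbox. The script below is an added example, not the author's code or anything from ASUS: run it from a laptop joined to the IoT guest SSID, and it reports whether any internal host answers at all. The internal addresses and ports are constructed placeholders (assumed router at 192.168.1.1 and a file server at 192.168.1.10); substitute your own. A "connection refused" answer counts as a leak, because it means the guest network can still reach the host even though that particular port is closed; proper isolation shows every internal target as unreachable while the external target stays open.

```python
"""Check that a guest (IoT) WiFi network is isolated from the internal LAN.

Run from a machine joined to the IoT guest network. Each internal target
is probed with a TCP connect; a correctly isolated guest network reaches
none of them (timeouts / no route) while still reaching the internet.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample targets (assumed addresses): services that should be
# unreachable from the guest network. Replace with your own LAN hosts.
INTERNAL_TARGETS: List[Tuple[str, int]] = [
    ("192.168.1.1", 80),    # router admin page
    ("192.168.1.10", 445),  # file server, SMB
    ("192.168.1.10", 22),   # file server, SSH
]
# A host that should remain reachable, proving internet access still works.
EXTERNAL_TARGET: Tuple[str, int] = ("1.1.1.1", 443)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt.

    "open"        - connection established
    "closed"      - host replied with RST: the host is reachable, port closed
    "unreachable" - timeout or no route: the host could not be reached
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and "no route to host"
        return "unreachable"


def check_isolation(
    internal: List[Tuple[str, int]],
    external: Tuple[str, int],
    probe: Callable[[str, int], str] = probe_tcp,
) -> Dict[str, object]:
    """Probe every internal target and the external target.

    Returns a dict with:
      isolated    - True only if no internal target answered in any way
      leaked      - (host, port, status) for internal targets that answered
      internet_ok - True if the external target was open
    """
    leaked = []
    for host, port in internal:
        status = probe(host, port)
        if status != "unreachable":  # "closed" is still a reachable host
            leaked.append((host, port, status))
    return {
        "isolated": not leaked,
        "leaked": leaked,
        "internet_ok": probe(*external) == "open",
    }


if __name__ == "__main__":
    result = check_isolation(INTERNAL_TARGETS, EXTERNAL_TARGET)
    print("Guest network isolated from LAN:", result["isolated"])
    for host, port, status in result["leaked"]:
        print(f"  LEAK: {host}:{port} is {status} from the guest network")
    print("Internet reachable from guest network:", result["internet_ok"])
```

If the script reports leaks immediately after you remove the intranet-access permission, reconnect the laptop to the guest SSID first; some routers only apply the new policy to fresh associations.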
Shaun M