I’ve written before about just how many Internet connected gadgets I have.

I’ve also blogged about my dodgy WiFi lightswitches which send data back to China.

Every IoT device you put in your home brings a certain level of risk to the other devices in your network.

For example, my Smart TV and my Lifx don’t require a password to access. Any device on my network can control them. That’s extremely convenient – but it’s a security nightmare.

Consider, for a moment, my WiFi Smoke Alarm. It periodically connects to the Internet to check for software updates. What if a hacker uploads fake firmware which scans for local devices and abuses them? Or opens up a tunnel into my network for criminals to access?

We’re all one software update away from being infiltrated.

How should a suitably paranoid person design their home network?

All Together Now!

The naïve design is just to shove everything on one network.

Without a doubt this is the easiest to configure – just tell each device the WiFi password – but it’s the most dangerous. Any device can talk to any other device. If your SmartTV receives a commercial for a DELICIOUS MILLER LITE™ BEER OF CHAMPIONS® it might connect to your smart fridge (no password – because who needs security on a domestic appliance) and order you an unwanted beer.

Or the Taiwanese company which made your lightbulb might get sold to a company who have no ethical qualms about exploring your NAS to see what sort of “exotic” material you have on there. Then encrypting and ransoming it back to you.

Blind Segregation

The router supplied by my ISP allows me to set up two isolated networks. I currently have a guest network which is open to anyone who visits (although that, in itself, may not be a wise idea).

So I could put my untrusted devices on a separate network to the devices I have a reasonably high degree of trust.

This makes accessing those devices less convenient – and it still means my Smart Toaster can turn off my Security Cameras.

Complete Separation

Suppose I set up a separate subnet for each device? 192.168.0.* for trusted devices, 192.168.1.* for all the security cameras. 192.168.2.* for all the Samsung kitchen appliances. And so on and so forth.

A chore to set up, but this has a superficial charm. Until I come to do anything. I want my phone’s app to be able to control my games console. I want my TV to be able to read media off my local server.

Of course, that assumes that a regular ISP supplied router can do that. Hint – it probably can’t.

Complex Firewalls

Ok, so now we move way beyond what a domestic router can normally do and into professional grade stuff. Forgive me if my use of terminology isn’t 100%.

Each device added to the network needs to be part of an access control list. The firewall determines if any two devices are allowed to communicate with each other. For example:

My tablet and laptop should be able to connect to everything.

My Kindle should only have access to the Internet.

My fridge and freezer can talk to each other – but nothing else.

My solar panels can talk to my solar battery – but only on port 80.

What an absolute nightmare to set up. I’m not even sure what sort of router I’d need to buy in order to make something like that possible. How easy would it be to misconfigure? One errant mouse click and my Sonos speaker can unlock my front door when it plays a specifically crafted MP3…

How to build this?

I pride myself on being relatively tech savy. I’ve got around 40 Internet connected devices around the house – only some of which are under my direct control.

I’ve asked this question on the Security StackExchange – but I’d be grateful for any wisdom from you, dear reader. Are there any products that you can suggest?

Or, do I just give in gracefully? Stick strong passwords on everything which can be protected, and hope that none of me devices become part of the Internet of Traitors?