
So I'm getting into the whole smart home / home automation thing, and I have a few doubts.

 

Amazon has recently launched their Echo devices in my country and I have mine on order, set to arrive next month. Also ordered a few Xiaomi Yeelight LED bulbs from China. Do I need to keep anything in mind when it comes to security? I'm not concerned about Amazon Alexa, more about the Chinese stuff. I did look at Philips Hue and some other brands, but they are way too expensive! I have like 35 light points I intend to replace with smart LEDs! :rofl:

https://www.neowin.net/forum/topic/1345884-smart-home-security/

Forgetting about the WPA2 KRACK stuff, these sorts of devices are what need to be patched... So keep an eye out for that when you get those bulbs. I don't see any statement from Xiaomi yet that they will be patching any time soon.

 

But in general, yes, there are some things you should and could do to help secure your network while using these IoT devices. You really should look at being able to segment your IoT wireless from your normal network. This can be done with a real AP that supports VLANs, a switch that does, a router that does, etc. Most of your typical off-the-shelf SOHO stuff you pick up at the local computer store is not going to support this sort of segmentation of your network. The good news is there are budget-friendly ways to get it done; you don't have to go spend thousands on enterprise-grade stuff. An AC AP from UniFi can be had for $90, a smart switch that does VLANs for less than $50... You can run a firewall/router distro on any old PC hardware you have about, or pick up a low-end box for less than $200... Or a USG 3P from UniFi is only $100, etc.

 

Or, really cheap, some off-the-shelf SOHO wifi routers that can run third-party firmware like DD-WRT or OpenWrt can support VLANs and the ability to segment your wifi and wired networks, etc. It's a bit more than just enabling the guest network on your SOHO wifi router, but that would be better than nothing, that is for sure. I would not put these sorts of devices on the normal wifi network these home wifi routers turn on, where all wired and wireless are on the same network.

 

With the right kit you can segment, say, all your light bulbs onto their own network, and prevent them from talking to anything else on your network directly. The way Alexa and any other app control them is not normally via local direct access but via both of them talking to the internet.

 

I would then log pretty much everything they do outbound... So you can see that what they are doing looks to be legit, i.e. phone home on HTTPS vs scan random IPs all over the globe ;)

 

When you start getting different types of IoT devices, if possible isolate them to their own segment vs just putting all your IoT devices on the same network. This prevents, say, one bad device messing with another device like Alexa, thermostat, TV, media stick, your toaster and coffee pot when they go online, etc.

 

Keep in mind that I have started my smart home project as well, and can do quite a bit via remote and Alexa in controlling lights, TV, thermo, etc. Keep in mind that some of these cheaper bulbs and Alexa itself don't function without internet. So if you replace all your lights with these smart bulbs and internet is down ;) Keep in mind as well that with these smart bulbs the switch on the wall needs to be on... So if there is a power outage or internet outage it can, say, turn on all your lights in the house when power comes back, or the whole house goes dark, even when power comes back on.

 

Depending on the makers of the bulbs, when there is a loss of power, like you flip the switch to off or an outage, they can lose their settings for how they connect to the wifi and you have to set them up again, etc. If you have 35 of them that could be a real pain in the you know what!

 

While just the cheap smart bulbs are a cheaper option and make sense for some lights in the house, say a table lamp that has no switch on the wall and is just plugged in, and you control if it's on or off at the lamp itself.

 

If you have lights that are controlled by switches on the wall, or there are multiple bulbs that are controlled from the same switch, it could be better to change out the switch in the wall for a smart switch, so that if internet is out you can still control these devices with the wall switch. The smart bulbs normally cycle to on when the power is removed and returned. So for example if internet is out and you need to turn on a bulb and Alexa is not working, you might have to go cycle the switch on the wall to get the light back on, and you might have to set up the bulb again, etc.

 

I am using a combination: lamps are just smart bulbs. I am using TP-Link ones. Also quite reasonable in price. But also using http://www.lutron.com/en-US/Products/Pages/SingleRoomControls/CasetaWireless/Overview.aspx

 

for some rooms and lights. Such setups normally require a hub to be installed to control the devices. The nice thing with such a setup is that when there is a power outage, etc. you do not need to set up these devices. And when internet is down you can still control the lights just like normal.

 

Suggest you do some good research on what will work best for you and your budget before jumping in and buying 35 smart bulbs, for example. It might make more sense to do the lighting in a few different ways around the house, etc. So get a few and play with them; see what happens when there's a power outage, when internet is offline, etc.

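The "log everything they do outbound and check it looks legit" step above is easy to say and tedious to do by eye across 35 bulbs. Below is an added example, not part of BudMan's post or his setup, of the triage I would run over the firewall log for the bulb VLAN. It assumes pfSense-style filterlog lines (the CSV field layout documented for pfSense 2.2+), an IoT VLAN of 192.168.20.0/24 on interface igb0.20 and a trusted LAN of 192.168.1.0/24; the log lines in it are constructed, and the "expected ports" policy (HTTPS plus NTP) is an example you would adjust per vendor. It answers the three questions the post raises: did anything cross from the IoT segment into the LAN (a blocked attempt is a device probing, a passed one is a hole in your rules), did anything go out to the internet on a port you did not expect, and does any device show the scan-random-IPs pattern.

```python
"""Triage pfSense filterlog lines for an IoT VLAN.

Added example for this thread, not BudMan's setup. Assumptions: the bulb VLAN is
192.168.20.0/24 on interface igb0.20, the trusted LAN is 192.168.1.0/24, and the
sample lines below are constructed to follow the pfSense 2.2+ filterlog CSV layout
(rule,subrule,anchor,tracker,iface,reason,action,dir,ipver, IPv4 fields, TCP/UDP fields).
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

IOT_NET = ipaddress.ip_network("192.168.20.0/24")  # assumption: the IoT segment
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption: the trusted LAN
LOCAL_NETS = (IOT_NET, LAN_NET)
EXPECTED_PORTS = {443, 123}  # example policy: HTTPS phone-home plus NTP, nothing else

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ filterlog(?:\[\d+\])?: (?P<csv>.*)$")


@dataclass
class Event:
    iface: str
    action: str  # "pass" or "block"
    proto: str   # "tcp" or "udp"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line):
    """Return an Event for an IPv4 TCP/UDP filterlog line, None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    # field 8 is the IP version; TCP/UDP lines carry the destination port at field 21
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return Event(iface=f[4], action=f[6], proto=f[16],
                 src=ipaddress.ip_address(f[18]), dst=ipaddress.ip_address(f[19]),
                 dport=int(f[21]))


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def cross_segment(events):
    """IoT -> trusted-LAN attempts. A blocked one is a device probing; a passed one
    means the segmentation rules have a hole that needs fixing."""
    return [e for e in events if e.src in IOT_NET and e.dst in LAN_NET]


def unexpected_outbound(events):
    """Passed IoT -> internet traffic on ports outside EXPECTED_PORTS."""
    return [e for e in events
            if e.src in IOT_NET and e.action == "pass"
            and not is_local(e.dst) and e.dport not in EXPECTED_PORTS]


def scan_suspects(events, threshold=5):
    """IoT sources that touched more than `threshold` distinct (dst, port) pairs:
    the 'scanning random IPs' pattern a bulb that only phones home never shows."""
    targets = defaultdict(set)
    for e in events:
        if e.src in IOT_NET:
            targets[e.src].add((e.dst, e.dport))
    return {str(src): len(t) for src, t in targets.items() if len(t) > threshold}


# Constructed sample log: one well-behaved bulb, one probing the LAN, one sweeping port 23.
_TCP = ("Oct 20 10:00:{sec:02d} pfSense filterlog: {rule},,,1000000103,igb0.20,match,{act},in,4,"
        "0x0,,64,{sec},0,DF,6,tcp,60,{src},{dst},{sport},{dport},0,S,1,,65535,,mss")
SAMPLE_LOG = [
    _TCP.format(sec=1, rule=5, act="pass", src="192.168.20.10", dst="52.74.10.20", sport=51234, dport=443),
    "Oct 20 10:00:02 pfSense filterlog: 5,,,1000000103,igb0.20,match,pass,in,4,0x0,,64,2,0,DF,17,udp,"
    "76,192.168.20.10,192.168.20.1,5678,53,56",
    _TCP.format(sec=3, rule=9, act="block", src="192.168.20.11", dst="192.168.1.50", sport=44444, dport=445),
    _TCP.format(sec=4, rule=5, act="pass", src="192.168.20.11", dst="192.168.1.60", sport=44445, dport=22),
    _TCP.format(sec=5, rule=5, act="pass", src="192.168.20.12", dst="203.0.113.5", sport=40000, dport=23),
]
for _i in range(6):  # the sweep: six hosts, same port, all blocked
    SAMPLE_LOG.append(_TCP.format(sec=10 + _i, rule=9, act="block", src="192.168.20.12",
                                  dst=f"198.51.100.{_i + 1}", sport=40001 + _i, dport=23))

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in cross_segment(evs):
        print(f"cross-segment {e.action}: {e.src} -> {e.dst}:{e.dport}")
    for e in unexpected_outbound(evs):
        print(f"unexpected outbound: {e.src} -> {e.dst}:{e.dport}/{e.proto}")
    print("scan suspects:", scan_suspects(evs))
```

On the constructed sample this reports the .11 device hitting the LAN twice (the passed SSH attempt is the finding to fix in the rule set, not the blocked SMB one), the .12 device talking telnet to the internet, and the same .12 device as a scan suspect with seven distinct targets. Feed it the real syslog file instead of SAMPLE_LOG and run it on a cron; a bulb that only ever shows its vendor endpoint on 443 and the router on 53/123 is the boring result you want.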

Hey thanks a LOT BudMan for your detailed reply! :)

  1. Yes, I did want to know how to isolate it from my main network, which I will now work on based on your advice.
  2. I have only bought 2 bulbs just now to start with and test out. Was planning to slowly move to smart LEDs, not all at once. :laugh:
  3. But I did NOT know that many of them will not work at all without an internet connection! Here's hoping that these bulbs do work...
  4. Settings resetting after a power outage....crap, crap, CRAP!! Power outages are pretty common here. I have UPS backup, but even that runs out sometimes. :angry:

How do I monitor the bulb internet traffic?

32 minutes ago, BudMan said:

Forgetting about the WPA2 KRACK stuff, these sorts of devices are what need to be patched... So keep an eye out for that when you get those bulbs. I don't see any statement from Xiaomi yet that they will be patching any time soon.

I checked up on this, they seem to be working on it.

http://forum.yeelight.com/t/yeelight-products-and-krack-wpa2-wifi-vulnerability/2421

Depends on what you're using for a router. I run pfSense. I just have it log the network I have my bulbs on and send it to a syslog server ;)

 

I also run Pi-hole, so it gives me nice insight into what DNS names devices are looking up really easily, and allows for simple blocking, etc.

 

Lots of ways to skin the cat, to be sure. Sorry to say, moving to a smart home, if you want to do it securely, is most likely going to require a bit of a learning curve in your network understanding and network setup, away from the "Yeah, my ISP put in a device and now my phone connects. What is your SSID, are you running PSK or enterprise? My huh???" sort of setup ;)

 

Happy to help where I can... I think I even put in a request a while back for a smart home section in the forums, etc. But yes, it does tie in very tightly with networking and security anyway.

 

Smart home tech is changing very rapidly recently. Security is very, very bad in these sorts of IoT devices. Hoping to see vast improvement in that area as more people move to such setups and demand more from these makers vs just "plug it in and it works". Yes, it should do that, but it needs to do it in a secure manner. These cameras are really bad. A lot of the makers shared code that was just horrific!!!

 

Edit: Here is where I am at in my smart home setup, i.e. what I can control via Alexa or remote on my phone, etc.

 

Living room lights: Caseta switch for ceiling lights and 2 smart bulbs in lamps. Dimmable.

Front porch light: Caseta switch. Dimmable.

TV and audio system (Harmony hub tied to Alexa): on/off, change channel, pause, etc.

Garage door: app on phone, not yet tied to Alexa. But this is really nice since I get alerts when not home when the wife comes and goes, etc. And if I forget when leaving I can just close it with a tap on the phone.

Nest thermostat: Alexa access, phone access, get temp, set temp, etc.

Nest Protect: alerts via app if it detects anything. Got an alert the other day when the wife was burning dinner while I was still at work ;)

2 remote wall plugs (TP-Link). Normally used for Xmas lights outside and the tree, etc. They also report on energy usage, so you can track how much it costs to run your Xmas lights ;) Same goes for the light bulbs in lamps.

 

I think that's it off the top of my head. I was actually quite surprised how fast my wife started using it all.

 

It is an ongoing project. Will be doing the lights and ceiling fan in my computer room next, or maybe the main hall lights. Not sure yet. Quite a bit still to do. Cameras coming, but they are not cheap to do it how I want to do it ;)

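The Pi-hole point above (seeing what names each device looks up, then blocking) is the cheapest form of IoT monitoring there is, and it gets much more useful once you baseline it per device. Below is an added example, not part of BudMan's post or his Pi-hole setup, that reads the dnsmasq query lines Pi-hole writes (the "query[A] name from client" form in pihole.log), records which names each bulb resolved during a window when you trust it, and then reports anything new. It separates a new host under a vendor domain the device already uses (routine) from a wholly new registrable domain (look at it). The log lines and hostnames are constructed, and the "last two labels" collapse is a deliberate simplification noted in the code.

```python
"""Per-device DNS baselining over Pi-hole's dnsmasq query log.

Added example for this thread, not BudMan's setup. Assumes the Pi-hole log format
'<ts> dnsmasq[pid]: query[TYPE] <name> from <client>' (pihole.log); the sample lines
below are constructed, with made-up hostnames under .example.
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$")


def parse_queries(lines):
    """Yield (client, qtype, name) for query lines; forwarded/reply/cached lines are skipped."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qtype"), m.group("name").lower().rstrip(".")


def registrable(name):
    """Collapse a hostname to its last two labels. Simplification: a real tool would use
    the public suffix list so that e.g. host.example.co.uk is not reduced to 'co.uk'."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def build_baseline(lines):
    """client -> set of names seen while the device was known to behave normally."""
    base = defaultdict(set)
    for client, _qtype, name in parse_queries(lines):
        base[client].add(name)
    return base


def new_names(baseline, lines):
    """client -> names resolved now that were never in that client's baseline."""
    found = defaultdict(set)
    for client, _qtype, name in parse_queries(lines):
        if name not in baseline.get(client, set()):
            found[client].add(name)
    return dict(found)


def new_registrables(baseline, lines):
    """Same, but collapsed to registrable domains: a new host under a vendor domain the
    device already talks to is low-noise; a wholly new domain deserves a look."""
    found = defaultdict(set)
    for client, names in new_names(baseline, lines).items():
        known = {registrable(n) for n in baseline.get(client, set())}
        for n in names:
            if registrable(n) not in known:
                found[client].add(registrable(n))
    return dict(found)


# Constructed samples: a learning window, then a later window with two new lookups.
BASELINE_LOG = [
    "Oct 20 09:00:01 dnsmasq[1234]: query[A] api.vendor-cloud.example from 192.168.20.10",
    "Oct 20 09:00:01 dnsmasq[1234]: forwarded api.vendor-cloud.example to 1.1.1.1",
    "Oct 20 09:00:02 dnsmasq[1234]: query[A] time.vendor-cloud.example from 192.168.20.10",
    "Oct 20 09:00:03 dnsmasq[1234]: query[A] api.vendor-cloud.example from 192.168.20.11",
]
LATER_LOG = [
    "Oct 21 09:00:01 dnsmasq[1234]: query[A] api.vendor-cloud.example from 192.168.20.10",
    "Oct 21 09:00:02 dnsmasq[1234]: query[A] updates.vendor-cloud.example from 192.168.20.10",
    "Oct 21 09:00:03 dnsmasq[1234]: query[A] xk3j9q2.badhost.example from 192.168.20.10",
    "Oct 21 09:00:04 dnsmasq[1234]: query[A] api.vendor-cloud.example from 192.168.20.11",
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("new names:", new_names(base, LATER_LOG))
    print("new domains:", new_registrables(base, LATER_LOG))
```

Run the baseline over the first day or two after a bulb is set up, then run the comparison daily; the new-registrable list is short enough to eyeball, and anything on it that is not a vendor you recognise is a candidate for Pi-hole's blocklist and for a closer look at that device's firewall log.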

Currently using an ASUS RT-N56U router, but plan to move to pfSense eventually.

When it comes to networking knowledge, I'm nowhere close to your level, but I'm not at complete beginner level either. :)

 

Thanks, will definitely ping you for help!

When you make the move let me know, happy to help. You're going to want a smart switch and AP that can do VLANs!!!

 

Clearly you're ahead of the game from the networking aspect, or you would not even be here asking the questions ;)

20 minutes ago, BudMan said:

Nest Protect: alerts via app if it detects anything. Got an alert the other day when the wife was burning dinner while I was still at work ;)

Cameras coming, but they are not cheap to do it how I want to do it ;)

Ha ha! :rofl::rofl:

3 minutes ago, BudMan said:

When you make the move let me know, happy to help. You're going to want a smart switch and AP that can do VLANs!!!

 

Clearly you're ahead of the game from the networking aspect, or you would not even be here asking the questions ;)

Thanks! :D

So I was doing some more research on these bulbs... turns out they have 2 servers that can be used depending on your requirement. If you use the Xiaomi Gateway hub, you need to connect to their server in Mainland China. If you want Alexa, Google Home and IFTTT, then you use a server in Singapore. It doesn't connect to both, so it's one or the other.

Even better, they have a Developer Mode, which lets you control it fully on a local LAN! Then there's this open source programme called Home Assistant that you can install on a PC or Raspberry Pi that connects to a big bunch of smart devices. It even lets you extend an Echo device with a lot of neat tricks like custom responses instead of the fixed "Ok"! :D

Can't wait to start playing with all this! :laugh:

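The developer-mode / LAN-control point above is the one that changes the security picture: once the bulbs are driven locally, nothing on the bulb VLAN needs to reach the internet at all, so the firewall rule for that segment can drop to NTP (and a deliberate window for firmware updates). The flip side is that the LAN protocol, as I understand the published Yeelight spec, carries no authentication, so anything that can reach a bulb on that segment can switch it, rename it or change its state, which is exactly why the VLAN and the single allowed path from your Home Assistant box into it matter. Below is an added example, not code from Xiaomi, Yeelight or Home Assistant, of the two message types involved: the multicast discovery request and reply, and the newline-terminated JSON command over TCP. The multicast address and port (239.255.255.250:1982), the command port (55443), the method names and the sample discovery reply are taken from the spec as I recall it and should be treated as assumptions to verify against the vendor document; the reply text is constructed, not captured from a real bulb.

```python
"""Yeelight LAN-control message framing.

Added example for this thread, not from Xiaomi or Home Assistant. It follows the
published Yeelight inter-operation spec as I know it: SSDP-style discovery on UDP
239.255.255.250:1982 with ST 'wifi_bulb', then CRLF-terminated JSON commands over
TCP on the port the bulb advertises (55443). Treat addresses, ports and the sample
discovery reply below as assumptions / constructed data to verify against the vendor
doc; the bulb's LAN Control (developer mode) switch must be on for any of it to answer.
"""
import json
import socket

DISCOVERY_ADDR = ("239.255.255.250", 1982)


class YeelightError(Exception):
    pass


def discovery_request():
    """The multicast M-SEARCH that makes LAN-control-enabled bulbs announce themselves."""
    return (b"M-SEARCH * HTTP/1.1\r\n"
            b"HOST: 239.255.255.250:1982\r\n"
            b'MAN: "ssdp:discover"\r\n'
            b"ST: wifi_bulb\r\n\r\n")


def parse_discovery_response(text):
    """Turn a bulb's header-style reply into a dict; 'Location: yeelight://ip:port'
    becomes host/port, 'support' becomes a list of method names."""
    info = {}
    for line in text.split("\r\n"):
        if ":" not in line or line.startswith("HTTP/"):
            continue
        key, value = line.split(":", 1)
        info[key.strip().lower()] = value.strip()
    if "location" in info:
        hostport = info["location"].replace("yeelight://", "", 1)
        host, port = hostport.rsplit(":", 1)
        info["host"], info["port"] = host, int(port)
    if "support" in info:
        info["support"] = info["support"].split()
    return info


def encode_command(cmd_id, method, params):
    """One command frame: compact JSON terminated by CRLF, as the bulb expects."""
    body = json.dumps({"id": cmd_id, "method": method, "params": params},
                      separators=(",", ":"))
    return (body + "\r\n").encode()


def parse_reply(raw):
    """Decode one reply line; the bulb answers {'id', 'result'} or {'id', 'error'}."""
    msg = json.loads(raw.decode().strip())
    if "error" in msg:
        err = msg["error"]
        raise YeelightError(f"bulb error {err.get('code')}: {err.get('message')}")
    return msg


def send_command(host, port, method, params, cmd_id=1, timeout=3.0):
    """Send a single command over TCP and return the decoded reply (does real I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command(cmd_id, method, params))
        return parse_reply(s.recv(4096))


# Constructed discovery reply in the spec's header format (not captured from a real bulb).
SAMPLE_DISCOVERY = ("HTTP/1.1 200 OK\r\n"
                    "Cache-Control: max-age=3600\r\n"
                    "Location: yeelight://192.168.20.10:55443\r\n"
                    "id: 0x000000000015243f\r\n"
                    "model: color\r\n"
                    "fw_ver: 18\r\n"
                    "support: get_prop set_default set_power toggle set_bright set_rgb\r\n"
                    "power: on\r\n"
                    "bright: 100\r\n\r\n")

if __name__ == "__main__":
    bulb = parse_discovery_response(SAMPLE_DISCOVERY)
    print(f"bulb {bulb['id']} ({bulb['model']}) at {bulb['host']}:{bulb['port']}, power={bulb['power']}")
    print(encode_command(1, "set_power", ["on", "smooth", 500]))
    # Real call, only with a bulb on the segment and LAN Control enabled:
    # print(send_command(bulb["host"], bulb["port"], "set_power", ["on", "smooth", 500]))
```

Design note: because the bulb accepts any frame shaped like this from any host that can reach TCP 55443, the firewall rule set for the bulb VLAN should allow that port (and the UDP discovery exchange, if you rely on it) only from the Home Assistant host, and nothing from the bulbs back into the LAN; the discovery reply also tells you the firmware version, which is the number to check against the KRACK advisory linked earlier in the thread.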

Yeah, it can be a time eater ;) Looking at Home Assistant... lots of support for lots of different devices... Very interesting... I can see me installing this on one of my Pis here real soon...
