FBI Recommends Keeping IoT Devices on a Separate Network
The FBI also recommends changing factory-set (default) passwords and not allowing an IoT device’s accompanying mobile app to gain access to too many smartphone permissions.
The FBI says owners of IoT (Internet of Things) devices should isolate this equipment on a separate WiFi network, different from the one they’re using for their primary devices, such as laptops, desktops, or smartphones.
“Your fridge and your laptop should not be on the same network,” the FBI’s Portland office said in a weekly tech advice column. “Keep your most private, sensitive data on a separate system from your other IoT devices,” it added.
The same advice — to keep devices on a separate WiFi network or LAN — has been shared in the past by multiple IT and security experts [1, 2, 3, 4].
The reasoning behind it is simple. By keeping all the IoT equipment on a separate network, any compromise of a “smart” device will not grant an attacker a direct route to a user’s primary devices — where most of their data is stored. Jumping across the two networks would require considerable effort from the attacker.
However, placing primary devices and IoT devices on separate networks might not sound that easy for non-technical users. The simplest way is to use two routers.
The smarter way is to use “micro-segmentation,” a feature found in the firmware of most WiFi routers, which allows router admins to create virtual networks (VLANs). VLANs will behave as different networks, even though they effectively run on the same router. A good tutorial on how you can create VLANs on your routers is available here.
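One way to confirm the split actually holds once the VLANs exist, as an added example that is not part of the original article: a Python check of a router's DHCP lease export against a device inventory. The subnets, MAC addresses, hostnames and the "MAC IP hostname" lease format are constructed assumptions.

```python
import ipaddress

# Assumed address plan (hypothetical): one subnet per VLAN on the same router.
SEGMENTS = {
    "primary": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed inventory: MAC address -> segment the owner intends it to live on.
INVENTORY = {
    "aa:bb:cc:00:00:01": "primary",  # laptop
    "aa:bb:cc:00:00:02": "primary",  # phone
    "aa:bb:cc:00:00:10": "iot",      # fridge
    "aa:bb:cc:00:00:11": "iot",      # smart TV
}

# Constructed DHCP lease export, one "MAC IP hostname" record per line.
LEASES = """\
aa:bb:cc:00:00:01 192.168.10.21 laptop
AA:BB:CC:00:00:02 192.168.10.22 phone
aa:bb:cc:00:00:10 192.168.20.31 fridge
aa:bb:cc:00:00:11 192.168.10.40 smart-tv
aa:bb:cc:00:00:99 192.168.20.50 unknown-cam
"""

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(leases_text, inventory=INVENTORY):
    """Return (hostname, ip, problem) for every lease that breaks the plan."""
    findings = []
    for line in leases_text.splitlines():
        if not line.strip():
            continue
        mac, ip, host = line.split()
        expected = inventory.get(mac.lower())  # MAC case varies by vendor
        actual = segment_of(ip)
        if expected is None:
            findings.append((host, ip, "not in inventory"))
        elif actual != expected:
            findings.append((host, ip, f"expected {expected}, found on {actual}"))
    return findings

if __name__ == "__main__":
    for finding in audit(LEASES):
        print(*finding, sep="\t")
```

A smart TV that still holds a lease on the primary subnet, or a device nobody listed in the inventory, shows up as a finding to fix on the router.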
While isolating IoT devices on their own network is the best course of action for both home users and companies alike, this wasn’t the FBI’s only advice on dealing with IoT devices. See below:
Change the device’s factory settings from the default password. A simple Internet search should tell you how—and if you can’t find the information, consider moving on to another product.
Passwords should be as long as possible and unique for IoT devices.
Many connected devices are supported by mobile apps on your phone. These apps could be running in the background and using default permissions that you never realized you approved. Know what kind of personal information those apps are collecting and say “no” to privilege requests that don’t make sense.
Make sure all your devices are updated regularly. If automatic updates are available for software, hardware, and operating systems, turn them on.
Last week, the same FBI branch office in Portland also gave out similarly good advice on dealing with smart TVs by recommending that device owners put a piece of black tape over their smart TV’s camera lens.
The FBI claimed that hackers who take over smart TV sets would be able to spy on device owners through the built-in cameras.
While this is prudent advice, it is worth mentioning that there have been no known cases of hackers taking over a smart TV and spying on its owner through the TV’s camera.