Isolating Devices on a Home Network

Call me paranoid but I’d really like to be able to easily isolate devices on a home network.

As it is, most people have at best a single router running a single local area network. On that network they have one or more computers, one or more tablets, one or more phones. Then they might have one or more smart TVs and one or more game consoles. And finally, people are now starting to add Internet of Things (IoT) devices: IP webcams, network-connected door locks, lights that change color from apps, etc.

The problem is that every device, and every program running on every phone, tablet, TV, game console or computer, can attack every other device on the same network. That includes the devices your friends bring along and connect to your network when they visit.

So for example, here’s a demonstration of hacking into your network through network-connected lights. There’s ransomware, where your computer gets infected with a virus that encrypts all your data and then demands a ransom to decrypt it. The same thing is happening to smart TVs: they infect your TV, lock it so you can’t use it, and demand money to unlock it. Printers can get infected too.

All of this gets easier with every app you download. You download some new app for your phone, and you have no idea whether, once it’s on your home network, it’s scanning the network for devices with known exploits to infect. Maybe it’s just attacking your router for various reasons. It could change your router’s DNS settings so that when you type “mybank.com” you’re actually taken to a fake site, where you type in your password and later get robbed. Conversely, you have no idea what bugs are in the app itself that might let it be exploited by someone else.

One way to mitigate some of these issues would be for the router to put every device on its own network. I know of no router that can do this easily. Some routers can make virtual networks, but it’s a pain in the ass. Worse, you often want to be able to talk to other devices on your home network. For example, you’d like to tell your Chromecast to cast some video from your phone, but you can’t if they’re not on the same network. You’d like to access the webcam in your baby’s room, but you can’t if they’re not on the same network. You’d like to print, but you can’t if they’re not on the same network, etc.

So, I’ve been wondering: where’s the router that fixes this issue? Let me add a device with one button that makes a LAN for that one device. Also, let me choose which other devices that new device is allowed to talk to, and over which protocols. All devices probably also need to use some kind of encryption, since with low-level network access an app could still probably manage to hack things.

I get that this would only be a solution for geeks. Maybe it could be automated in some way. But in general there’s clearly no way you can expect all app makers and all device makers to be perfect. So, the only solution seems to be isolating the devices from each other.

Any other solutions?

  • If you want to control what devices can interact with other devices down to a protocol level, why not have a guest network that can’t access anything internal, and a private network with fixed IP addresses.
    Then you can use a firewall on the router to limit communication between devices based on what IP address the device has, and what protocol it’s allowed to use.

  • That sounds like it might work. I need the guest network to not allow devices to interact with each other as well though.

  • I would say a guest network, for friends or unknown devices to connect to, only needs to isolate itself from the main network with your devices on. Anybody connecting to it should treat it like a public network, and make appropriate security arrangements based on that.

    Alternatively, forget about the guest network and have the main network use a different address range for dynamic and static IP addresses. Anything in the dynamic range gets very limited access through the firewall (HTTP only, maybe?)
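What the post asks for (one network per device, with an explicit choice of which other devices it may talk to and over which protocols) and what the comments suggest (fixed addresses plus a firewall on the router) can be expressed as a router ruleset. The script below is an added example, not code from the post or its commenters: it generates an nftables forward chain that drops everything between devices by default and allow-lists the few flows the post mentions (phone to Chromecast, phone and laptop to printer, laptop to webcam). The addresses, the `wan0` interface name and the assignment of each device to its own subnet are constructed assumptions; the ports are the standard ones for Chromecast casting (8008-8009), IPP/JetDirect printing (631, 9100) and RTSP (554).

```shell
#!/bin/sh
# Added example (not from the post). Assumes each device sits on its own
# routed subnet (e.g. one VLAN per device) so the router's forward chain
# actually sees device-to-device traffic. Addresses are constructed.
WAN_IF="wan0"

# Allow-list, one flow per line: "<src-ip> <dst-ip> <proto> <ports> <label>".
# Anything not listed here is dropped by the chain's default policy.
POLICY='
10.0.10.2 10.0.30.2 tcp 8008-8009 phone-to-chromecast
10.0.10.2 10.0.20.2 tcp 631,9100  phone-to-printer
10.0.11.2 10.0.20.2 tcp 631,9100  laptop-to-printer
10.0.11.2 10.0.40.2 tcp 554       laptop-to-webcam-rtsp
'

# Print a complete nftables ruleset built from WAN_IF and POLICY.
gen_ruleset() {
  printf 'table inet home_isolation {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  # Replies to already-allowed flows come back; broken packets never do.
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  # Every device may reach the internet, but nothing else by default.
  printf '    oifname "%s" accept\n' "$WAN_IF"
  # One explicit accept rule per allow-listed flow.
  printf '%s\n' "$POLICY" | while read -r src dst proto ports label; do
    [ -z "$src" ] && continue
    printf '    ip saddr %s ip daddr %s %s dport { %s } accept comment "%s"\n' \
      "$src" "$dst" "$proto" "$ports" "$label"
  done
  printf '  }\n'
  printf '}\n'
}

# Number of device-to-device accept rules in the generated ruleset.
count_allow_rules() { gen_ruleset | grep -c 'ip saddr'; }

gen_ruleset
# On the router, load it with:  gen_ruleset | nft -f -
```

Because this chain only filters routed traffic, two devices placed on the same subnet still talk to each other directly and bypass it entirely. Chromecast discovery relies on mDNS, which is link-local and does not cross subnets, so casting across the isolation boundary additionally needs an mDNS reflector on the router.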