by mercora 3552 days ago
I would say making secure tunnels a default for home routers would be a better mitigation... there is no need to control my "smart home" or whatever from my neighbor's phone...

Some things just do not make much sense without being able to control them remotely. A separate VLAN for devices would only allow them to communicate with one another, which probably is not what you want. BTW, I could not set up VLANs on a Fritz box with FritzOS last time I tried. However, nearly all routers with OpenWRT will do it without a problem.


The only way to get it well-adopted would be if you could get Google, Apple, Microsoft and router manufacturers to agree on some user-friendly and secure way to set up tunnels and connect to them from your phone/devices. Good luck with that...
While a common agreement on how this should be done would be the best solution, it should be enough to have at least some option to set up such tunnels through an API. Router manufacturers could then develop an app to make that setup easier.

Although this won't be practical for any device that is not a phone or a (desktop) computer.

And then there would be malware running in your browser that uses the API to expose your IoT devices. There is precedent for that, where JavaScript in the browser was accessing your router's web interface (with default credentials) to change your DNS server.
That's just another target among many in the broader class of XSS attacks, and there are protections that router manufacturers (and anyone else hosting a website) are able to build in to protect against it.

Unfortunately, this belies the meat of the issue with IoT. After you've bought the router, there's no reason for your router's manufacturer to keep updating the firmware and fix bugs that allow an XSS attack, and even if the manufacturer does upgrade the firmware, there's no way for the manufacturer to force the firmware to be updated on all of the devices that have been sold, hence installed devices with older firmware that's been exploited and is now part of the botnet used to attack Krebsonsecurity.com.
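The "browser reaches the router's admin page and changes DNS" scenario above is a cross-site request problem, and the protection the reply mentions is something a router's web UI can implement in a few lines. The following is an added example (not code from any router vendor or from the thread) of the server-side check such a UI would run before honouring a state-changing request: it requires the browser-reported Origin (or Referer) to be the router's own UI and requires a per-session anti-CSRF token in the form, compared in constant time. The router origin, the request headers and the form contents are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the router's own admin UI is served from (constructed example value).
ROUTER_ORIGIN = "http://192.168.178.1"


def new_csrf_token() -> str:
    """Issue a fresh per-session anti-CSRF token; the server stores it in the session."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]; '' if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_state_change_allowed(headers: dict, form: dict, session_token: str,
                            router_origin: str = ROUTER_ORIGIN) -> bool:
    """Decide whether a state-changing request (e.g. 'set DNS server') may proceed.

    Two independent checks, both of which must pass:
      1. The browser-supplied Origin (falling back to Referer) must be the router's
         own UI. A page on a third-party site cannot set these headers to a foreign value.
      2. The form must carry the session's anti-CSRF token, compared in constant time,
         so a page that never saw the admin UI cannot produce a valid request.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer") or ""
    if _origin_of(source) != router_origin.lower():
        return False
    submitted = form.get("csrf_token", "")
    if not submitted or not session_token:
        return False
    return hmac.compare_digest(submitted, session_token)


def classify_sample_requests() -> dict:
    """Run the check over four constructed requests (not captured traffic)."""
    token = new_csrf_token()
    samples = {
        # Submitted from the router's own admin page, carrying the session token.
        "legitimate": ({"Origin": ROUTER_ORIGIN},
                       {"dns": "9.9.9.9", "csrf_token": token}),
        # Auto-submitted by a page on another site: the browser reports that site's
        # Origin, so the request is refused even though the token happens to be right.
        "cross_site": ({"Origin": "http://third-party.example"},
                       {"dns": "9.9.9.9", "csrf_token": token}),
        # Correct referer but no token at all (an old tokenless form, or a guess).
        "missing_token": ({"Referer": ROUTER_ORIGIN + "/dns"},
                          {"dns": "9.9.9.9"}),
        # Correct origin but a wrong token value.
        "wrong_token": ({"Origin": ROUTER_ORIGIN},
                        {"dns": "9.9.9.9", "csrf_token": "guess"}),
    }
    return {name: is_state_change_allowed(h, f, token) for name, (h, f) in samples.items()}


if __name__ == "__main__":
    for name, allowed in classify_sample_requests().items():
        print(f"{name:14s} -> {'allowed' if allowed else 'rejected'}")
```

Neither check depends on the admin password, which is the point: even a router still on default credentials refuses a request that did not originate from its own pages with a token it issued. A real implementation would also want the session cookie marked SameSite, but that is browser policy rather than server logic.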

AVM doesn't call it VLANs, but "guest network". Activating the feature opens up a new SSID with internet-only access (the newest release of FritzOS can even do a captive portal!), and you can assign the LAN4 ethernet port to it, too.

Separating the IoT stuff (at least the stuff that needs connectivity from outside) into its own VLAN at least prevents a hacker from gaining access to the rest of your home network (e.g. NAS devices or your normal computers).

I can see why they would not call this VLAN functionality; although it surely makes use of it, it is not configurable individually. So let's just say I misunderstood what you meant. Setting up a guest network with internet access would allow the same exploitation in order to participate in a DDoS attack.

While this would, as you said, protect my other networks to some extent, it does not solve the problem. I will not ever trust these devices to get secure enough to expose them directly to the internet.

This is why I am thinking the only way to operate these devices securely is to require some kind of transport protection in the form of an IPsec tunnel, for example. This would allow me and anyone with the right set of access to control the devices without making them accessible to anyone else.

If home routers would encourage the use of such tunnels it would be a normal thing to have a link back to your home network (or maybe a separate IoT network) which could be properly firewalled...

pfSense, too