Tin Hat Time – Scrap your Smart TV!
This topic has 28 replies, 6 voices, and was last updated 7 years ago by Dave Rice.

April 2, 2017 at 9:33 am #5744
Only conspiracy theorists, terrorists and students in halls need worry at the moment. However, the ease of making a software radio opens this up to widespread attacks by ‘bad actors’ doing Smart TV sweeps and exploits from cars within the near future. Let us just hope that the Smart TV hack blogged about in Ars (link) gets some firmware fixes pdq.
- April 3, 2017 at 8:08 pm #5821
The “proper” way would be an AP with multiple SSIDs with VLANs but that starts getting complicated and needs business grade kit.
That’s now not that expensive. My UAP is £60 and TP-LINK TL-SG1016DE 16 Prt Ggbt “Easy Smart” Switch is £75. The £26 TP-LINK TL-WA801ND has a Multi SSID mode (4) as an AP and also supports VLANs.
April 3, 2017 at 8:30 pm #5822
I put the stuff I don’t trust on a separate guest network that has no physical connection to my private network.
However, this is starting to become harder when the IoT device in question needs you to have access to it (lights, for example), and if you put them on a guest network you need to swap networks to turn a bulb on. This isn’t ideal.
My bulbs get round this by connecting to an external server, but this probably brings up more threats overall than it fixes. But at least it keeps them off your network. But in my case I’m trusting a Singapore server to turn my lights on/off.
If there is a hidden mic in there I’d never know. But I’m sure someone out there has ripped apart the Yii lights to look.
But keeping things off your personal network is only going to get harder as the devices become “smart”.
April 3, 2017 at 8:32 pm #5823
I have a guest option on my router; as far as I know this is untrusted and has no access to the rest of the network. However, it has not been used or tested, so I would need to do that before I worked on that basis.
April 3, 2017 at 8:38 pm #5824
You can password a guest account and it will stop Windows saying it’s untrusted, but the router still won’t give it access to your main network.
It’s just an Internet access point. Windows just says it’s untrusted as it’s not password protected, so it’s letting you know anyone could potentially be snooping on you. Once you put a password on, it’s fine.
I have a very basic and easy-to-break password, just so I can say to friends “it’s 1234” (which it is), but this is an improvement on the no password I had on my guest network for years. I’m not too bothered about anyone being on that network. Where I live there are 6 houses in reach of my wifi signal, all occupied by over-70-year-olds.
April 3, 2017 at 8:40 pm #5825
You say the guest network has no physical connection to your private LAN, yet it can access the internet.
How have you done this?
April 3, 2017 at 9:05 pm #5826
I just had a thought. I have a separate PC with its own NIC on a separate domain (not sure that is the right word; unlike my ‘normal’ addresses on 192.168.x.x etc. this PC is on 10.x.x.x). I use this for the untrusted hard-wired IP cameras. It has a broadcast WAN mode so I can use this from my normal network to view the cameras. If I used the second PC to set up its own wifi hotspot, would that be a safer way of connecting the Smart TV?
April 3, 2017 at 10:24 pm #5829
I didn’t do it, but I suspect I used the word ‘physical’ wrongly. The guest network doesn’t allow connected devices to see each other or the main network. The main network is a virtual walled garden. The guest network only gets access to the Internet.
I actually have 2 guest networks: one I demo IoT crap on, and the kids’, which has a proper pw, plus another that friends and fambo can use with pw 1234. Neither of those 2 guest networks can see my network. Also the guest networks don’t get access to the router’s home admin page.
But I’m sure with enough time and effort one could breach the other, but I’m hardly concerned by this, given I can demonstrate I’ve not been careless and have taken reasonable steps to protect my data. Someone would really want to get into my network.
Even if it was breached I hold little work data on my network; it’s all backed up to USB drives and pens, and only connected when needed.
The most anyone could get is my DVD collection and a handful of “grey downloads”. So I really don’t care that much.
But physical was the wrong choice of words; it’s virtual. But I thought it a better way to explain the difference between the two to someone that hasn’t played with their guest network options. As you know there are ways to run two physical networks, but unlike you I lack the knowledge, not to originally set it up, but rather in 6 months to troubleshoot and fix the inevitable hiccups. That is what prevents me from going all in. A simple virtual setup is sufficient for me.
April 3, 2017 at 11:28 pm #5831
I thought that was what you meant, but just thought I’d check. Quite a few devices have that as an option, i.e. can only access the default gateway.
No good for controlling IoT devices from the same LAN or for Chromecasts and Kodi Android remotes, but fine for giving a Smart TV access to the internet.
A lot of IoT are going to be cloud controlled using P2P techniques so that Port Forwarding isn’t required. This should still work and isolate that device from any others.
So I guess that’s the easy answer. Either your main router or a discrete AP needs multiple SSID capabilities with a “guest network” function that restricts access to only the default gateway.
The £35 TD-W9970 can use VDSL or ADSL and has a secondary restricted guest network, but it’s 2.4GHz N only (I don’t find that a restriction). At the higher end the £70 Archer VR400 does the same (and more), is dual band AC and has USB sharing. You can also limit the bandwidth usage.
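The “guest network can only reach the default gateway and the Internet” behaviour the thread settles on, expressed as an nftables ruleset for a Linux router that does its own VLAN/SSID separation. This is an added example, not configuration from any of the posters or from the TP-LINK products named above; the interface names (wan0, lan0, guest0) and subnets are assumed.

```nft
#!/usr/sbin/nft -f
# Added example (assumed layout):
#   wan0   upstream / Internet
#   lan0   trusted LAN, 192.168.1.0/24 (laptops, NAS, router admin page)
#   guest0 untrusted VLAN, 10.0.50.0/24 (Smart TV, IoT, visitors)
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Guest clients may talk to the router ONLY for DHCP and DNS.
        # The admin web UI, SSH etc. are never opened to guest0, so a
        # compromised TV cannot reach the router's management page.
        iifname "guest0" udp dport { 67, 53 } accept
        iifname "guest0" tcp dport 53 accept
        # Trusted LAN gets full access to the router itself.
        iifname "lan0" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Guest -> Internet only. Guest -> LAN matches nothing here and
        # falls to the chain's drop policy; cloud/P2P-controlled IoT
        # still works because outbound + established replies are allowed.
        iifname "guest0" oifname "wan0" accept
        # Trusted LAN may reach the Internet and may initiate connections
        # into the guest segment (e.g. to view IP cameras or cast to the TV);
        # replies come back via the established,related rule above.
        iifname "lan0" oifname { "wan0", "guest0" } accept
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Layer-2 isolation between guest clients on the same SSID (“devices can’t see each other”) is a separate AP/switch setting (client isolation or a port-isolated VLAN); this ruleset only governs what crosses the router.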