News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Patch lady – Alexa should be on her own network

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Patch lady – Alexa should be on her own network

    Viewing 13 reply threads
    • Author
      Posts
      • #2016281 Reply
        Susan Bradley
        AskWoody MVP

        As a geek I use Alexa enabled devices to turn on and control turning on and off the Christmas Tree and other lights in the house.  “Hey Alexa, turn on
        [See the full post at: Patch lady – Alexa should be on her own network]

        Susan Bradley Patch Lady

        7 users thanked author for this post.
      • #2016317 Reply
        Kirsty
        Da Boss

        The Portland FBI security discussion on Smart TVs was originally posted by Woody a few days ago:

        About that nonsense FBI warning about TVs stalking you

        1 user thanked author for this post.
        • #2016801 Reply
          rc primak
          AskWoody_MVP

          And yes, it is nonsense. The FBI does not have a clear understanding of how Smart TV voice controls work, or else they are trying to spread FUD.

          -- rc primak

          • #2016806 Reply
            Kirsty
            Da Boss

            It does read somewhat as “weekly newsletter content”, rather than a PSA.
            It does not appear to have been written by a cyber-security expert… I would have expected references, if it was. (Or maybe its content has just been specifically written for a general newsletter audience?)

      • #2016366 Reply
        Paul T
        AskWoody MVP

        “Own network” may not be that easy depending on what router you have. Some have a “guest” wifi network that allows internet but no local access, but almost none have an ethernet equivalent. To achieve this you need another router to use as your local network and the original router then becomes the “guest” network.

        cheers, Paul

        1 user thanked author for this post.
        • #2016804 Reply
          rc primak
          AskWoody_MVP

          One solution (though an expensive one, with annual subscriptions) is to attach a hardware firewall like the BitDefender Box 2 between your IoT sub-network and your (one and only) router or ISP provided gateway. This allows you to provide security and privacy protections through the Box instead of having to set up a new network for your IoT devices (including the hub or smart speaker or smart TV). BitDefender Box 2 comes with a subscription to their antimalware product, which is a decent product. The subscription can cover a lot of your devices with one annual fee.

          BitDefender Box 2:

          https://www.bitdefender.com/box

          Review:

          https://www.techradar.com/reviews/bitdefender-box-2

          FAQs about the Box (and explanation of what a hardware firewall device does):

          https://www.bitdefender.com/consumer/support/answer/13906/

          -- rc primak

        • #2016812 Reply
          mn–
          AskWoody Lounger

          … depending on what router you have. Some have a “guest” wifi network that allows internet but no local access, but almost none have an ethernet equivalent.

          Actually that isn’t half as rare as advertising it outside the box is…

      • #2016432 Reply
        WildBill
        AskWoody Plus

        Sounds like a good idea… I may be paranoid about IoT now, but I think when I get my own place, I’ll avoid all connections with Alexa/Amazon echo/fire & Google Nest/Assistant. Sometimes I just sigh or say something meaningless… & Google Assistant thinks I want something. Which means she/he’s been listening on my Android phone. I can pause listening, but not turn it off. Oh, well… as the saying goes (sometimes attributed to Batman), “Just because you’re paranoid, doesn’t mean they’re not out to get you.”

        As for the Portland FIB, great ideas from them for IoT & holiday scams… but a bit paranoid themselves about Smart TVs, IMHO. Yes, Consumer Reports proved Samsung Smart TVs & the Roku platform can be hacked at the lowest level for minor pranks. “Cyberstalking” with your TV’s camera & microphone? Not proven to be possible… yet. “Dumb” TVs (no Internet connectivity) are still available at Best Buy & other retailers… but they’re getting harder & harder to find.

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

        1 user thanked author for this post.
        • #2016807 Reply
          rc primak
          AskWoody_MVP

          What’s being suggested is simply to isolate IoT devices and IoT hubs like Amazon Echo or Google Home Hub from your main network, and to restrict their exposure to incoming network traffic. This can be done by setting up a sub-net for the IoT devices, or you can spend some money and buy a hardware firewall with a subscription for security and firmware updates.

          I agree totally that the FBI is blowing the Smart TV hacking threats and their listening issues way out of proportion.

          Still, Alexa and Google Assistant (and Cortana in Windows 10) do seem to collect and retain some recordings. Whether this amounts to spying is highly debatable, but we each have our own threshold of suspicion.

          “Just because you’re paranoid doesn’t mean they aren’t after you.”  — Joseph Heller, Catch 22 .

          -- rc primak

          • This reply was modified 4 months ago by rc primak.
          • This reply was modified 4 months ago by rc primak.
          • This reply was modified 4 months ago by rc primak.
      • #2016882 Reply
        J9438
        AskWoody Lounger

        I use a single Ethernet line from my ISP to a router with 4 output Ethernet ports (1 to my PC and 1 to my printer and one to a laptop). Would one of those ports be a safe port for Alexa? If not then if I connected one of those output ports to another Router would that be a safe connection? Thanks.

        • #2016906 Reply
          AlexEiffel
          AskWoody_MVP

          By default, usually, those ports all connect to each other.

          Sometimes there is an “AP Isolation” function on the router that could prevent traffic from flowing from one device to another, but then you would loose connectivity to your printer if it is networked because turning it on would isolate every device form each other. Maybe you could activate the guest network (a form of isolation between one part of the network and another) on one port, but I think that most of the time it operates on the wifi network only and you can’t select a port as part of it (maybe some routers permit that, I don’t know).

          Using another router, you could hide your private network behind the router (laptop, printer, desktop) and you would plug this outside router port to one of the ports of your main router. This would in effect prevents the IoT device from reaching your internal network directly as your second router would act as a firewall to the outside network made on the first.

          1 user thanked author for this post.
      • #2016902 Reply
        AlexEiffel
        AskWoody_MVP

        What is more dangerous is to have an IoT device that can punch holes in your router’s firewall using UPnP if you didn’t disable it on the router. Then, the device becomes open to the web and could potentially create a door to your internal network, using a vulnerability on the unmaintained IoT device or if the device is so not smart that it allows external connections with default passwords you didn’t change.

         

        1 user thanked author for this post.
      • #2016935 Reply
        Paul T
        AskWoody MVP

        I use a single Ethernet line from my ISP to a router with 4 output Ethernet ports

        All of your ethernet ports can see all devices on your local network. IoT devices should not be on these ports.
        Adding a router to one of these ports moves your local network to the new router – connect your PC and printer to the new router and the IoT device to the original router.

        cheers, Paul

        1 user thanked author for this post.
        • #2017067 Reply
          mn–
          AskWoody Lounger

          All of your ethernet ports can see all devices on your local network. IoT devices should not be on these ports. Adding a router to one of these ports moves your local network to the new router – connect your PC and printer to the new router and the IoT device to the original router.

          Well actually, neither of those details are a given…

          Do check the router and switch configuration. Many of the home / small-business models default to having everything in the same network, which is what you specifically don’t want in this case. Others may already have isolation between Ethernet ports at least as an optional function that can be turned on.

          Also VLAN technology can be found in some surprisingly affordable devices now. Extra complexity, but enables having multiple isolated networks through shared routers and switches once you know how to use it correctly

          1 user thanked author for this post.
      • #2016954 Reply
        Vincenzo
        AskWoody Lounger

        Are TV’s that are connected to the guest wifi network suitably isolated?

        • #2017214 Reply
          Paul T
          AskWoody MVP

          Anything on the guest network is isolated from your “normal” devices.

          cheers, Paul

          1 user thanked author for this post.
      • #2017412 Reply
        Vincenzo
        AskWoody Lounger

        T

        Anything on the guest network is isolated from your “normal” devices.

        cheers, Paul

        Thanks, Paul.

        Another way of isolating that I realized I have is my living room tv is connected to a wi-fi extender that creates a “my-network-EXT” wifi network that is isolated.

        1 user thanked author for this post.
        • #2017430 Reply
          jabeattyauditor
          AskWoody Lounger

          Another way of isolating that I realized I have is my living room tv is connected to a wi-fi extender that creates a “my-network-EXT” wifi network that is isolated.

          I’d double-check that one – it may appear isolated, but a network extender has to connect to an existing wireless network and pass traffic across it. If you connected it to your router’s guest network, it’d maintain that isolation. If you connected it to your “inside” network, it’s isolated in name only.

          2 users thanked author for this post.
      • #2017602 Reply
        RetiredGeek
        AskWoody MVP

        Ok, up front I’m no networking guru, not even close. However, and I’m just guessing, Susan is talking from a business perspective. It was my understanding that the IP’s 192.168….. & 10.10…. ,used for most home networks, are NON-Routeable addresses? Doesn’t this mean that they can’t be reached by incoming traffic unless you open a port to do so and then doesn’t your router need make them talk through that port? I’m sure one or more of the Loungers can enlighten us networking noobs. LOL! 😎

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        1 user thanked author for this post.
        • #2017636 Reply
          mn–
          AskWoody Lounger

          It was my understanding that the IP’s 192.168….. & 10.10…. ,used for most home networks, are NON-Routeable addresses?

          Oh, they can be routed just fine. It’s just 169.254.x.x that is unroutable. 10.x.x.x, 172.{16-31}.x.x and 192.168.x.x are merely private.

          Private IP ranges are not “known” so any standards-conforming router in the public Internet doesn’t know a route to them. That doesn’t mean such packets wouldn’t appear in the public ‘net, it just means they can’t come from very far and are probably from either crooks or honest configuration mistakes.

          So if you have a public IP on your router/firewall, it’s a good idea to make a rule to drop any package purporting to be from one of the private ranges that comes in from the public side.

          And if you’re in a local 10.x block (some residential buildings and student housing organizations at least are known to have had those, also business parks), well, the other residents can route to you. As can anyone who has hacked into their systems. Network management might give you a subnet that you can firewall off, though.

          (Say the network manager gives you a /28 subnet… that’s 14 normal local addresses. Could be for example 10.200.100.192 / 28; that’d mean netmask 255.255.255.240, broadcast 10.200.100.207, and you could use 10.200.100.193 – 10.200.100.206 for your devices.)

          Small business networks, well, if you have branch offices or something, if you’re not all cloud-based already it makes a lot of sense to do routing between sites using site-to-site VPN links between the offices’ firewall/router boxes, and then you could have 192.168.1.x in one town’s offices, then 192.168.2.x in another and 192.168.3.x in third, and have those be able to talk to each other through the private routing.

          1 user thanked author for this post.
        • #2018754 Reply
          AlexEiffel
          AskWoody_MVP

          Ok, if I can clarify, your router should in theory protect you from any unsolicited outside network traffic. This is what the default rules of the firewall portion do, just like the firewall of Windows on a public network. If unasked for traffic comes from the outside, block it. You local IP is something like 192.168.0.11 and it won’t be reached from the outside. But…

          If you have UPnP enabled on your router, which often it is by default, any software on your computer or IoT device that can speak UPnP can tell the firewall to open a port so that anything outside could connect to it. This is how a security camera can be accessed from the outside from your phone, for example. This is also very bad from a security standpoint because if the security camera is not updated and have a vulnerability, anyone could send tainted packets to it and maybe take control of it. So, when you test at Gibson’s site for open ports, you also never know if you have a software that punch holes that is simply not active at the moment. It only tells you that right now, there are no ports open. The solution is to disable UPnP and open only required ports, but sometimes that can prevent adequate functionality of some badly designed devices (like that security camera you want to access from the outside).

          A better system is one where you connect to a central server, no hole in the firewall, and incoming traffic comes to this server too and then get relayed to you through the connection that you requested. There might be performance issues but it is safer from a security standpoint. Allowing any IP to connect to your internal resources is not a great idea if that resources is not secure and patched, which is not a characteristic of consumer devices.

          Michael is spot on on his comments below and I fully agree with the idea that each device should be isolated from each other. I would even go so far to say that I try to avoid as much as possible IoT devices as I don’t feel they are worth the convenience they bring, especially the ones that requires an open port from the outside to your network. Even if the device is isolated, do you really want to have someone spying on your security cameras or your baby video monitor? Devices that only connect to the outside from inside are less of a concern, but still, you should always think twice before adding IoTs in your life if you care about security and privacy.

          Also, there is the question of spoofing internal IPs from the outside. Some devices has an anti-spoofing feature that will for example say if a packet that pretends to have 192.168.0.14 as a source comes from the Internet port, discard it, it should only come from the internal ports. If you don’t have that, some outsider could maybe impersonate an internal IP to try to bypass the firewall, but I’m not sure how it is handled at the ISP level and if it would be blocked higher up the chain.

           

      • #2017696 Reply
        RetiredGeek
        AskWoody MVP

        MN,

        So if you have a public IP on your router/firewall, it’s a good idea to make a rule to drop any package purporting to be from one of the private ranges that comes in from the public side.

        And being the Network Noob I am just how would I go about doing that?

        I’m using 192.168.1.xxx with a subnet mask of : 255.255.255.0
        Default Gateway: 192.168.1.1
        DHCP Server:       192.168.1.1

        Is this where I’d make the changes in my router?
        FTCRouterSettings
        Thanks for your assistance! 😎

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        Attachments:
        1 user thanked author for this post.
        • #2017776 Reply
          Paul T
          AskWoody MVP

          You don’t have to do anything. Your home router blocks incoming by default – see the GRC test page.

          cheers, Paul

          1 user thanked author for this post.
          • #2017901 Reply
            jabeattyauditor
            AskWoody Lounger

            You don’t have to do anything. Your home router blocks incoming by default – see the GRC test page.

            cheers, Paul

            Most home firewalls also allow unhindered inbound traffic for devices/programs that first send outbound traffic.

            1 user thanked author for this post.
            • #2017972 Reply
              Paul T
              AskWoody MVP

              Only from devices you first sent a packet to. Not from random IPs.

              cheers, Paul

              1 user thanked author for this post.
      • #2017883 Reply
        RetiredGeek
        AskWoody MVP

        Paul, that’s what I thought as, I’m familiar with GRC Shields Up, but I wanted to make sure as I have an Echo and three Dots.

        Thanks.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        • This reply was modified 3 months, 4 weeks ago by RetiredGeek.
        1 user thanked author for this post.
      • #2017993 Reply
        Michael432
        AskWoody_MVP

        CORRECTING THE RECORD

        Much of the information here and in the original story is sub-optimal. Let me correct things.

        The idea of separating IoT devices from important computers on a LAN is a good one.
        That said, it is only half the story. The next half is blocking IoT devices from seeing each other. The idea being that a malicious/hacked IoT device can not spread badness anywhere.

        And, not to pick on IoT, any device that does not need shared network resources should be in a network that gives it Internet access – period. No such device should be able to scan its subnet and see any other device. Even an iPad just used for YouTube should be isolated so that it can not see any other devices in your home.

        A second router does not fully isolate the devices that only need Internet access. It still allows one IoT device to interact with another one in your home.

        A guest network may or may not isolate the devices on the Guest network from each other. You would have to test each router to see. Some have a configuration option for this, most do not.

        A second router is also not the only way to make a new network for un-trusted devices, a VLAN is another option. Read about VLANs here

        That said, consumer routers do not support VLANs. My favorite router, the $200 Pepwave Surf SOHO is not a consumer router and it does support VLANs. So too do routers from Ubiquiti.

        You also want to prevent untrusted devices from being able to logon to the web interface of the router from the LAN side. A Guest network probably does this, but test it. The Surf SOHO supports this.

        My home has two SSIDs from the Surf SOHO. One is assigned the main network which is where shared devices (a network printer, a NAS) exist. The other is assigned to an isolated VLAN that allows Internet access and nothing else. Devices on this network can not see anything but the Internet. Any time I use a tablet, I connect it to the isolated VLAN.

        The comment about UPnP was spot on. It is a huge security issue. See more about it at RouterSecurity.org.

        As for firewalls, any router purchased at retail can be expected to block all unsolicited incoming traffic from an IP address, public or private. No need for firewall rules. In fact, consumer routers generally do not support firewall rules. A router/gateway provided by an ISP is likely to have holes punched in the firewall. You can test the firewall using assorted online tests listed here routersecurity.org/testrouter.php That said, this is best tested offline with nmap.

        As for Alexa spying on you, see the Voice Assistant topic at defensivecomputingchecklist.com 

        Get up to speed on router security at RouterSecurity.org

        4 users thanked author for this post.
      • #2018010 Reply
        Paul T
        AskWoody MVP

        That said, consumer routers do not support VLANs.

        You can cheat by purchasing something like a TP-Link C7 and loading DD-WRT on it. Then you can do VLANS, multiple SSIDs, etc.

        cheers, Paul

        1 user thanked author for this post.
    Viewing 13 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch lady – Alexa should be on her own network

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.