Holes In My Security? (AC1900 Nighthawk & IoT)

Hey, gang - I recently got a Wemo smart plug and noticed that even after installation, it broadcasts an SSID. It got me thinking and, poking around, I see my HP printer does the same. This got me thinking some more. I have 27 devices connected to my network including Amazon devices, smart plugs, smart hub, phones, laptops, thermostat, Roku players, printers and a lone Chromecast, all on a single network. It can't be healthy security-wise.

I have been reading a bit and find it a little confusing so I am interested in what this community thinks about solutions. A second router and, if so, what would you recommend? Using the current modem's VLAN options and, if so, where do I need to start reading about proper setup methodology? A third or even more options?

Thanks in advance,

R7000|Nighthawk AC1900 Dual Band WiFi Router V1.0.9.64_10.2.64

Clarification Request
SSID broadcasting is not a security breach.

Also, a LAN (which can have WiFi devices) is designed so all your devices are on the LAN so they can communicate. That also would not be a security issue.

Making a second LAN may placate your security worries but as presented I don't see the problem. You bought these to do specific things and it's working. Do you want to break them and become a network guru? Because that is how you become a network guru (cue Archer meme about ants.)

I don't recommend this. Just update your router and device firmware. Change your WPA2 or better WiFi passwords and opt out where you can on device features and reporting.

What About WPS?

I seem to recall reading a couple of years ago that Wi-Fi Protected Setup (WPS for short) should be disabled to make the network more secure. WPS is where you connect to the LAN by using a simple PIN, and it may be a security risk kind of like using the maker's default password. Is this still true today?

The default password is about older network gear.

For years I haven't been able to use default passwords. I have to go to the router and press the WPS button or get the PIN or password/passcode from the product sticker. And that password is usually changed by the owner so I would debate if that's a security issue.

Since we are in a technical discussion I want to keep terms rigid. That is, for a wired connection I would keep it short: I connected to the LAN. For WiFi you could write WiFi, WiLAN or other, but I prefer WiFi so we know which sort of networking we are discussing.

If you feel the WPS button is a security risk then disable it. All the routers I've worked on in the past decade offer an off setting.

WPS is notoriously insecure

I went searching around, trying to find out if you can turn on WPS just long enough to sign a device up, and then turn it off, and the device and router use a more secure key from that point on. I couldn't find anyone who says that's how it works. And I don't feel like digging into the protocol documents themselves.

Apparently, push-button WPS is reasonably secure, as long as untrustworthy actors do not have physical access to your router. PIN WPS is the problem. Unfortunately, most routers won't let you enable one and disable the other.

So, the short answer is to always turn WPS off.

I did find one report that in 2012, all Linksys and Cisco Valet access points would ignore that setting and leave WPS active even after the user disabled it in the settings. Hopefully, nobody is doing that, anymore.
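
A worked illustration of why the PIN method, specifically, is the weak part. This is an added example, not code from the thread or from any router vendor. It relies on two facts about the WPS PIN design: the PIN is eight digits with the last digit a checksum of the first seven, and the registrar exchange confirms the first four digits (message M4) before the last three are ever checked (message M6). The `FakeRegistrar` class below is a stand-in for the access point's behaviour, not real WPS message handling, and the PIN `12345670` is a constructed example value.

```python
# Added example (not from the thread): why online WPS PIN brute force is cheap.
# Facts used: a WPS PIN is 8 digits, the 8th is a checksum of the first 7,
# and the registrar confirms the first 4 digits (M4) before the last 3 (M6),
# so an attacker can guess the two halves independently.
# FakeRegistrar is a stand-in for the access point, not real WPS handling.


def wps_checksum(first7: str) -> int:
    """Return the 8th (checksum) digit for the first seven digits of a WPS PIN.

    Digits in positions 1, 3, 5 and 7 are weighted 3, the others 1;
    the checksum digit makes the weighted sum a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class FakeRegistrar:
    """Models the AP side of the PIN exchange: it reveals whether the first
    half is right before the second half is checked (this is the design flaw)."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("registrar PIN must be a valid 8-digit WPS PIN")
        self._pin = pin
        self.attempts = 0  # number of M4/M6 guesses the attacker has sent

    def check_first_half(self, guess4: str) -> bool:
        self.attempts += 1
        return guess4 == self._pin[:4]

    def check_second_half(self, first4: str, guess3: str) -> bool:
        self.attempts += 1
        checksum = wps_checksum(first4 + guess3)
        return first4 + guess3 + str(checksum) == self._pin


def split_bruteforce(reg: FakeRegistrar) -> tuple[str, int]:
    """Recover the PIN by guessing each half separately.

    Worst case is 10**4 + 10**3 = 11,000 guesses, against 10**7 for a blind
    search over every checksummed 8-digit PIN.
    """
    first4 = next(f"{i:04d}" for i in range(10_000) if reg.check_first_half(f"{i:04d}"))
    last3 = next(f"{i:03d}" for i in range(1_000) if reg.check_second_half(first4, f"{i:03d}"))
    return first4 + last3 + str(wps_checksum(first4 + last3)), reg.attempts


def worst_case_guesses() -> tuple[int, int]:
    """(blind search space, split-attack worst case)."""
    return 10**7, 10**4 + 10**3


if __name__ == "__main__":
    # 12345670 is a constructed example PIN; its checksum digit works out to 0.
    pin, tries = split_bruteforce(FakeRegistrar("12345670"))
    print(f"recovered {pin} after {tries} guesses; worst case {worst_case_guesses()[1]}")
```

The split is the whole problem: an eight-digit PIN sounds like ten million possibilities, but the checksum removes one digit and the two-stage confirmation turns the rest into at most 11,000 online guesses. Later WPS revisions added lockouts after repeated failures, but how strictly a given router enforces that varies, which is why the practical advice in the thread is simply to turn WPS off.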


Appreciate all the thoughts here, gang!


The SSIDs by themselves are not security issues.

Where it becomes more of a concern is if these devices have well known default passwords. That gives passersby access to the device.

Even that is not, necessarily, a security issue. Unless that access can be taken advantage of to gain access beyond the device. Or, used to install nefarious software on the device that can be controlled remotely, not through its own Wi-Fi server (very short range.)

As R.Proffitt says, part of the advantage of having all those devices on your network is that they can talk to each other, and your computers and phones can talk to them. Your local Wi-Fi is intended to be walled off from the rest of the Internet, partly in order to give you a safe place for your devices to communicate. If you move some of them to another network, then you lose most of the advantages of even owning those devices.

IoT devices, as a general rule, have a fairly poor reputation for security. I'm sure that some are secured well. But, a lot of name brand models have known vulnerabilities. If security is important to you, then you're going to need to thoroughly research each model for those vulnerabilities. Those you find, you should patch, if one is available. Or, remove them from your network. Some that are not even on your Wi-Fi, but are talked to by your phone, computer or other devices that *are* on the network could have vulnerabilities that can give a hacker access. Those should be patched or removed from your home. And, you should research any new devices that you're thinking of adding to your system. And, routinely do check-up searches for new vulnerabilities on devices that you previously found to be clean.

Yes, that's a huge amount of work. But that's where we're currently at with IoT security. Until a large percentage of people start voting with their wallets, security is going to remain a superficial afterthought by the manufacturers.

Having said all that, your actual vulnerability will also depend on where you live.

If a given device does not, itself, have an Internet-facing interface, then you're probably fairly safe. In other words, if you have not set up a port forward or similar access on your router, then your devices are only vulnerable to really short range access. Unless a lot of traffic passes nearby. Unless you live right next to a university dorm or other concentration of bored, smart people. Unless you live in some particularly densely populated spot. Unless it's one of those, chances are you're not going to be within range of anyone looking for devices to penetrate. If you live in a rural area, or in a spread out 'burb away from the main streets, then it's not really worth anyone's time to go seeking those dispersed devices.

Up to you to weigh your own comfort.

And, I will also reiterate another suggestion from R.Proffitt. Where possible, turn off the access systems you don't use. So, if you're not using your printer's Wi-Fi server to print on-the-fly, then turn it off. Same with the WeMo. Anywhere you can, if it's an ancillary connection point that you don't use in your routine use of the product, turn it off.
