How do you prevent IoT (internet devices/appliances) from connecting to the internet once you've initially configured them?
from cheese_greater@lemmy.world to nostupidquestions@lemmy.ca on 28 Jun 09:27
https://lemmy.world/post/48746566
A lot of devices require internet for at least one time to set them up.
How can I set them up such that as soon as I’ve programmed them/set their schedule, I can deny them access and prevent them from being chatty back with the mothership?
#nostupidquestions
Hopefully someone else can chime in with the specifics/confirmation because I just think I know broadly, but setting up a pihole (or sim) should let you do what you want. Essentially, most of the time the device itself isn’t going to let you block its access, so you go further up the chain to your router, and have all data coming into/going out of your network funneled through a raspberry pi. Installing the right software (which I think is pihole) should let you block unauthorized communications outside your local network. Hopefully this is a pointer in the right direction for you
Is that like LittleSnitch for home internet essentially?
This approach works sometimes, but not for a lot of IoT devices.
PiHole, Adguard Home, Technitium, and others act as DNS servers and cache. DNS is what takes a domain name like https://climate.us and tells your computer the actual network address of that website. In the case of climate.us it’s 2600:9000:2032:2a00:1b:a10e:7bc0:93a1 for IPv6 and 13.32.241.53 for IPv4.
Most computers are well behaved. When they contact your router, they ask it “hey, what should I use as my DNS server?”. If you’ve set up AdGuard Home in your LAN, your router would respond “192.168.2.69”, for example.
At that point, your computer would ask 192.168.2.69 all of its DNS queries.
IoT devices, on the other hand, often ignore the router when instructed to use a specific address for DNS. Google products, for example, are hard coded to 8.8.8.8. So if you’re trying to block a Google device from finding something on the internet, it gets more complicated.
DNS traffic all happens over port 53, both UDP and TCP. So to fully capture every single DNS request coming from your LAN, you need a router which is able to filter those requests and “translate” them. So the router would step in for a request to 8.8.8.8:53 and translate it to 192.168.2.69:53. Keep in mind you also have to set your router to not do this for 192.168.2.69, because then AdGuard Home will be asking itself DNS queries, which it still needs to find out on the internet.
That’s the hard part. From there, you check AdGuard Home or whatever, and see what addresses each IoT device is trying to reach.
If a WiFi connected toothbrush keeps trying to reach ‘chinesetrackingcompany.com’, then you can manually block that domain. The toothbrush will try for a bit, then give up.
After setup I blacklist the IP on the firewall to not allow internet traffic.
Firewall on what? The ISP router?
If you have access to it you can. But I have my own router I can control internet access through.
Set up a dedicated Wi-Fi SSID for your IoT devices, only. Allow those devices to connect to a non-internet routed VLAN.
Don’t blacklist IP addresses, or MAC addresses, you’re trusting the device not to change itself to get around your blacklist. Keep them completely segmented from your normal network. That’s the best way.
If they must have internet, you can use a whitelist while you’re setting them up, and then remove the whitelist.
Lots of good suggestions.
The simplest answer assumes you have a router with a firewall that you can configure.
The basic idea is a deny rule targeting the ‘source’ IP address from reaching the ‘destination’ IP addresses.
There are various ways to do this, the best way will be very precise. Some folks have said separate VLAN, very good practice but not required. Some folks suggest pihole, that’s really hit or miss unless you know your device relies explicitly on DNS and you also know how to manage that.
It will be easiest for you to learn the basic traffic policy before proceeding to other more advanced suggestions, but you will have to probably at least learn that bit of network security to attempt this task. Low difficulty in the grand scheme of things networky.
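The router-side pieces described in the DNS answer above (intercept port 53 and send it to AdGuard Home, but not AdGuard Home’s own queries), the separate-VLAN answer and this post’s “deny rule” idea, as one added nftables ruleset for a Linux-based router; it is not from any poster in this thread, and the interface names, subnets and the 192.168.20.50 onboarding device are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: the IoT-only SSID lands on
# interface "vlan20" (192.168.20.0/24), the trusted LAN is "eth1" (192.168.2.0/24),
# the WAN uplink is "eth0", and AdGuard Home runs at 192.168.2.69 on the trusted LAN.
define wan_if     = "eth0"
define lan_if     = "eth1"
define iot_if     = "vlan20"
define client_ifs = { "vlan20", "eth1" }
define dns_server = 192.168.2.69

table inet iot_guard {
    # Step 1: catch every port-53 packet (UDP and TCP) from IoT and LAN clients and
    # rewrite its destination to AdGuard Home, so a device that hard-codes 8.8.8.8
    # still ends up at our resolver. AdGuard Home itself is excluded, otherwise its
    # upstream lookups would loop straight back to it.
    chain dns_redirect {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $client_ifs ip saddr != $dns_server meta l4proto { tcp, udp } th dport 53 dnat ip to $dns_server
    }

    # Step 2: the deny rule. IoT devices may reach the resolver and nothing else
    # beyond their own VLAN. The log prefix shows up in dmesg / journalctl -k, which
    # is where you see what each device keeps trying to reach.
    chain iot_forward {
        type filter hook forward priority filter; policy accept;
        iifname $iot_if ip daddr $dns_server meta l4proto { tcp, udp } th dport 53 accept
        # Onboarding window: uncomment for one device, run its setup, then comment it
        # out again and reload (the "whitelist while setting up" approach).
        # iifname $iot_if ip saddr 192.168.20.50 oifname $wan_if accept
        iifname $iot_if oifname $wan_if log prefix "iot-blocked: " drop
        iifname $iot_if oifname $lan_if ct state new drop
    }
}
# Not covered here: IPv6. Either add matching ip6 rules or hand the IoT VLAN no IPv6
# at all, since a device can just as easily hard-code an IPv6 resolver address.
```

Load it with `nft -f` and check the counters with `nft list ruleset`; blocked attempts show up as `iot-blocked:` lines in the kernel log, which is the list of destinations you then decide whether to allow.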
Look, do I need to buy some separate doohickey or can this sort of business usually be dealt with through the router’s portal where you type in your IP address in the browser or something?
Many commercial routers have a parental controls section, you can block access to the internet per device.
If your IoT devices are TP-Link Kasa devices there is a GitHub project that lets you connect to them first and change them from remote server to local server and configure them for your wireless LAN. It only works on certain firmware as the company has been updating the hardware and firmware to stop this.
github.com/jkbenaim/hs100