Hacker News

I'd rather go without internet than have one of these damned smart devices in my house. I can't believe how popular they are.


I have my IoT/IoS devices cordoned off onto their own network locally (with internet access, of course) as a matter of trying to protect my LAN from any exploit.

However, I find the convenience of these devices to be extremely high: they play music, they give us convenient timers, they function as a whole house intercom, they tell us the weather and answer (often poorly) some random questions without going to get our phones out.


With the advent of this technology, it's no longer just your data that's being risked. If you have a neighbor who owns a sidewalk-enabled appliance and doesn't want it to connect online, anybody in the neighborhood with sidewalk enabled is now an accomplice in subverting the preferences and desires of that person.

It's no longer enough to think "Well I didn't give the TV my wifi password, so it can't spy on me." Now I have to wonder about what opt-out bullshit buried deep in settings menus my neighbors neglected to disable.


Can you give any insight into the solution you’re using to achieve this? I’ve got some noisy gadgets on my network that I want to cordon off, but I’m not sure where to begin.


Dedicated SSID(s) with that/those SSID configured as a guest network goes pretty far. I happen to use Ubiquiti gear, but most any router is likely capable of creating a dedicated guest SSID (or multiple). That covers wireless devices (which is all the IoT stuff that I have).

The one aggravation I had was trying to get the Chromecasts to work correctly (where I wanted to be able to cast from a machine on the main LAN to a Chromecast on the Google IoT SSID). I would periodically get it working and then it would periodically break. I'm not even sure that it's working right now to be honest, mostly because a lot of the need for that use case (video playback) has shifted to FireTV sticks.


> I would periodically get it working and then it would periodically break.

Wait a second... it worked sometimes? Without doing any routing trickery or something?

If you did some trickery, maybe the devices sometimes chose to speak IPv6 but could not?


Oh no, I was trying different bits of routing trickery. I'm pretty sure if I sat down and gave it a solid 3 hours straight of methodical effort, that I'd have figured it out once and for all. Instead, I would have 5-10 minutes total per attempt, try something, see if it worked or didn't, then the next time I tried the Chromecast (possibly weeks later), it wouldn't always be repeatable. I also had the Casts being powered off the TV, so they got hard shutdown and cold-booted pretty often.

In short, I never really cared enough to get it working right as the FireTV was "winning" the convenience battle by enough to make it not matter most of the time and I always had an HDMI cable for the times when I really had to get a screen "sharing" to work.


Did you block Google's DNS IPs? That will break Chromecast in strange ways.


Maybe someday I'll write a rewrite rule to pass Google DNS through my Pi-hole... maybe.

All of this hardcoded DNS server BS in IoT devices is a pain.


A warning from someone who did exactly this:

https://news.ycombinator.com/item?id=27214320

TL;DR: I tried to force Chromecast (and everything else) to use Pi-hole as DNS, and misbehaving devices (like Chromecast) hammered my Pi-hole into oblivion. I'm talking tens of thousands of requests in a very short amount of time, which caused my RPi 4 to stop responding to DNS requests (the dashboard was still working though). See the linked comment thread for details, but suffice to say 4 virtual machines with Pi-hole behind two load balancers still saw some downtime. An OPNsense gateway is a much better (and safer!) fix IMO :)


You need an mDNS repeater. With that and the appropriate ports opened in the firewall I have cross VLAN casting working perfectly reliably.

OPNsense is the firewall.


That's what I thought too, or somehow having to relay specific broadcasts, or similar ways to make the discovery work. This is why I had the impression it could be related to some routing trickery that might have worked for IPv4 but not for IPv6: the discovery process could make it appear as if they are on the same network segment when link-local IPv6 is available, when in fact it's not...


Thanks! I’ll try that next time I get an hour or so to mess with it.


I have my Chromecasts and computers on two different VLANs and it works just fine, but there are a few things you need to do: ensure mDNS works between them and open up a half dozen or so ports.


Do you happen to have a list of the ports you had to open?


No, but I can sure get it :)

5556, 5557, 5558, 8010 + mDNS is how I got VLC & Videostream to cast across VLANs with Ubiquiti. Of course, now I've set up an Emby server so I don't bother anymore, but I doubt it's changed in the last year.


You can place them in a separate VLAN for starters, and block traffic between anything other than the internet.
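The segmentation, forced-DNS and cross-VLAN casting pieces discussed in this thread, pulled together as one added example. This is not code from the thread, from OPNsense or from Ubiquiti: it is an nftables ruleset for a Linux router plus an Avahi reflector fragment. The interface names (br-lan, br-iot, eth0), the Pi-hole address (198.51.100.53) and the rate-limit numbers are assumptions. TCP 8008/8009/8443 are assumed from Chromecast's documented listening ports; the four ports posted above (5556-5558 for Videostream, 8010 for VLC) are treated as ports the sender machine serves media on, so they are opened from the IoT side toward the LAN, which is an assumption to verify against the drop log. mDNS is link-local multicast and is never forwarded by a firewall rule, which is why the reflector is needed on top of the port holes.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor: nftables ruleset for an
# isolated IoT VLAN with DNS forced through a Pi-hole, a per-device query rate
# limit, the holes cross-VLAN casting needs, and an Avahi reflector fragment.
# Interface names, addresses, rate numbers and the Chromecast ports are assumptions.
set -eu

LAN_IF="${LAN_IF:-br-lan}"          # assumed: trusted LAN bridge on the router
IOT_IF="${IOT_IF:-br-iot}"          # assumed: IoT VLAN bridge on the router
WAN_IF="${WAN_IF:-eth0}"            # assumed: upstream interface
PIHOLE="${PIHOLE:-198.51.100.53}"   # assumed: Pi-hole address on the LAN side
# Ports the Chromecast listens on (assumed from its documented TCP 8008/8009/8443);
# the sender opens these toward the IoT VLAN.
CAST_TCP="${CAST_TCP:-8008, 8009, 8443}"
# Ports from the thread (5556-5558 Videostream, 8010 VLC): the sender machine
# serves the media on these, so the Chromecast opens them toward the LAN (assumption).
MEDIA_TCP="${MEDIA_TCP:-5556, 5557, 5558, 8010}"

iot_ruleset() {
cat <<EOF
flush ruleset

table inet iot {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Rate limit per IoT source address, placed ahead of the established rule so a
    # device that reuses one source port for every query is still counted. This is
    # what keeps a misbehaving device from hammering the Pi-hole into oblivion.
    iifname "$IOT_IF" ip daddr $PIHOLE udp dport 53 meter dns_per_host { ip saddr limit rate over 20/second burst 50 packets } counter drop

    ct state established,related accept

    # IoT devices may reach the internet and nothing else by default.
    iifname "$IOT_IF" oifname "$WAN_IF" accept

    # DNS that prerouting rewrote to the Pi-hole is allowed through to the LAN.
    iifname "$IOT_IF" oifname "$LAN_IF" ip daddr $PIHOLE udp dport 53 accept
    iifname "$IOT_IF" oifname "$LAN_IF" ip daddr $PIHOLE tcp dport 53 accept

    # IPv6 DNS is not redirected here, so drop it; otherwise a dual-stack device
    # just bypasses the Pi-hole over v6 (assumes the Pi-hole is reachable over IPv4 only).
    iifname "$IOT_IF" meta nfproto ipv6 udp dport 53 drop
    iifname "$IOT_IF" meta nfproto ipv6 tcp dport 53 drop

    # Casting: sender -> Chromecast control ports, Chromecast -> sender media ports.
    iifname "$LAN_IF" oifname "$IOT_IF" tcp dport { $CAST_TCP } accept
    iifname "$IOT_IF" oifname "$LAN_IF" tcp dport { $MEDIA_TCP } accept

    # Anything else from the IoT VLAN toward the LAN is logged, then dropped;
    # the log is how you find the port a new device needs instead of guessing.
    iifname "$IOT_IF" oifname "$LAN_IF" log prefix "iot-to-lan-drop " drop
  }

  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # Hardcoded resolvers (8.8.8.8 and friends) are rewritten to the Pi-hole,
    # which also covers devices that ignore the DHCP-supplied DNS server.
    iifname "$IOT_IF" udp dport 53 dnat ip to $PIHOLE
    iifname "$IOT_IF" tcp dport 53 dnat ip to $PIHOLE
  }
}
EOF
}

avahi_reflector_conf() {
cat <<EOF
# /etc/avahi/avahi-daemon.conf on the router: mDNS is link-local multicast and
# is never routed, so a reflector re-announces it on the other segment. The
# router's own input chain must also accept udp dport 5353 on both interfaces.
# IPv6 reflection is off so discovery cannot advertise link-local v6 addresses
# that the other segment has no route to.
[server]
allow-interfaces=$LAN_IF,$IOT_IF
use-ipv6=no

[reflector]
enable-reflector=yes
EOF
}

# Usage: sh iot-vlan.sh /etc/nftables.d/iot.nft /etc/avahi/avahi-daemon.conf
if [ "$#" -eq 2 ]; then
  iot_ruleset > "$1"
  avahi_reflector_conf > "$2"
fi
```

Check the generated ruleset with `nft -c -f /etc/nftables.d/iot.nft` before loading it with `nft -f`. The DNAT is only reversed if the Pi-hole's replies come back through this router, so the Pi-hole's default gateway (or a static route for the IoT subnet) must point at it. The 20 queries per second figure is a placeholder; set it from what your own Pi-hole query log shows for a healthy device, and watch the `iot-to-lan-drop` log entries to learn which ports a new device actually needs rather than opening ranges speculatively.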


These are such absurdly small conveniences that are all serviced (in very very slightly less convenient fashion) by other less intrusive devices.


The whole IoT thing just goes to show how... unique many people on HN are. I get it, it's a risk, etc., but IMO the convenience is massive. I do the same as you do; it's a bit more work but it works fine for my use case. Use reputable products and segment them and the attack vector is rather small, IMO. I also try to not use Wi-Fi devices and instead go for something like Z-Wave.


> However, I find the convenience of these devices to be extremely high: they play music, they give us convenient timers, they function as a whole house intercom, they tell us the weather and answer (often poorly) some random questions without going to get our phones out.

I genuinely can't tell if this is sarcasm.


It’s 100% genuine, 0% sarcasm. Shaving minutes everyday, making music a more frequent presence in my life, all with a non-contact interaction is a noticeable convenience and quality of life improvement. Sure, I could install a wired intercom, buy different Bluetooth speakers and futz with my phone to play music, clean my hands every time I wanted to adjust a timer in the kitchen, etc.


I have an old dot connected to my stereo to stream music. As they say, it is extremely convenient to be able to request some music and have it played.

My amplifier has a switched outlet on the back that I've plugged the USB into; so if I turn off the amplifier the dot is powered off as well (presumably).

And, apparently, 2nd generation dots don't "support" sidewalk anyhow (though of course it is a little snitch hiding in my living room).

The "smart" TV is more of a concern as it is always on...


I might be the only one here who doesn't care at all about this. I love my Echo and Amazon IoT devices and have got better things to do than wring my hands over what they're doing with my internet connection. They use hardly any bandwidth, so whatever, not going to turn this feature off.


The threat vector at this time isn't what Amazon does with access to your internet. It's what John Q. Public does.

'Free Internet' (on your dime), will always lead to abuse. Plus, how much do you trust Amazon's security to NEVER allow access to other resources on your network?


They were practically giving them away at times.


> I can't believe how popular they are.

I guess you could say they are about like those "new-fangled horseless carriages". You could argue that we sold our souls to the devil at the (now regulated) crossroads with them. But at the time (and now), they bring some real value at a cost that not all are aware of, or willing to pay.



