IoT Security
What are the risks when using Belkin WeMos or any other IoT device for home automation?
- Anyone who you allow to connect to your wifi can add your device to their phone and connect to them from anywhere (for example, tenants, house guests).
- There have been reports on the belkin community of belkin's cloud getting confused and allowing others remote access to your wemo's (and vice versa).
- You should not install wemos in any kind of public area over a public wifi network.
- These risks are compounded with IFTTT and similar cloud services.
- If your internet connection is down or compromised your home autmation will not function.
What happens if someone has remote access to my IoT devices?
- They may be inclined to practical jokes.
- Someone can spy on your movements in your home, including knowing when you've left.
- The devices can act as trojan horses - they call out from your home network, if that call is intercepted it's now a route back into your network.
What can I do?
- Create an isolated network segment on your network. Do not allow wemo's to communication outside of that network, and do not allow your secure devices to be routed onto that network.
- Disable remote access in the wemo app.
- Use firewall rules to prevent the wemo's from calling outside of the isolated segment.
- Dedicate an old android device to run AutomationManager/WemoServer and connect it to that network. Use it as a central console for controlling your lights.
- Run automation rules on WemoServer for instant response to other events, e.g. lights on with motion.
- Set up remote access using WemoOnDrive. Connect WemoOnDrive to your google Drive account.
- Use WemoRemote from your android phone or from a web browser running on a laptop or iphone using your google account. Use file sharing in google Drive to allow or revoke access to your wemos at any given location by other users.
Why does that work?
- Denying your wemo's access to your network and the internet means your home network is completely secure (at least from the wemos).
- WemoOnDrive uses YOUR google drive account as a proxy and does not involve any other parties (not even me).
- It communicates securely to google using your account credentials that you enable/disable through google. Unlike belkin's cloud, this is your account rather than one they own and manage.
- If you lose your phone you simply use google to revoke access for that phone; in the belkin case you're SOL unless you can figure out how to remove that phone from the list of authorized devices.