According to this Kaspersky blog post, it is a security risk to connect IoT devices, such as Smart TVs, to my home WiFi. It claims I should use my guest WiFi network for this.
Is this true? Is it a security risk to use my regular network to get internet to my TV?
Using a guest WiFi for IoT devices is essentially just a practical, easy to understand implementation for network segmentation. The goal is to prevent lateral movement between and from IoT devices. As a typical user isn't aware of such terminology and how this should be implemented, this might actually be a good tip.
However, in order to increase security, using this recommendation has some prerequisites:
Ziv Chang (Trend Micro): Inside the Smart Home: IoT Device Threats and Attack Scenarios sums up some typical security measures for IoT devices, the network segmentation among them:
- Map all connected devices. All devices connected to the network, whether at home or at the enterprise level, should be well accounted for. Their settings, credentials, firmware versions, and recent patches should be noted. This step can help assess which security measures the users should take and pinpoint which devices may have to be replaced or updated.
- Change default passwords and settings. Make sure that the settings used by each device are aligned toward stronger security, and change the settings if this is not the case. Change default and weak passwords to avoid attacks like brute force and unwanted access.
- Patch vulnerabilities. Patching may be a challenging task, especially for enterprises. But it is integral to apply patches as soon as they are released. For some users, patches may disrupt their regular processes, for which virtual patching could be an option.
- Apply network segmentation. Use network segmentation to prevent the spread of attacks, and isolate possibly problematic devices that cannot be immediately taken offline.
The premise of the question is slightly wrong. A better way to ask is as follows:
Ideally, you want IoT devices to connect to their own separate IoT network. Rationale: The question inherently assumes the guest network is password protected. It might be an open guest network (mine is).
Either way, you don't want house guests turning on/off lights, security cameras, heating or other smart devices in your home. Nor should they have access the admin consoles of any network device in your home - especially the network router! Guests should have throttled internet access and nothing else on the guest wifi. Guest networks should be configured so that guest wifi client can not see other clients on the guest network. This is a standard feature on many guest wifi wizards, in my experience.
Set up an additional dedicated IoT network in your home instead. By proper use of VLANs and firewall rules, you can isolate your IoT devices to their own network (perhaps grant them limited internet access for software updates where necessary) Proper use of VLANs and firewall rules can still allow you to control your devices from your main WiFi network. Not all consumer network devices will have these sort of capabilities, but higher-end gear will.
I have this sort of configuration in my home. Main Wifi, Guest (which is isolated and open) and a dedicated IoT network for smart devices.
It's always sensible to consider the risk of consumer devices exfiltrating sensitive info from other machines on your network; or, in a worst-case, providing a route into your network for an active attacker (though the latter normally requires the attacker to work for, or infiltrate, the device's manufacturer, so that's a fairly long shot).
However, be proportionate: is there actually data freely accessible on your network that's sensitive enough to need protection?
Let's say the only other devices on your network are the router, a PC and maybe a smartphone or two. These have their own firewalls, and only allow communication from other devices in ways laid down by the manufacturer/operating-system vendor, and normally subject to the user's control.
Where you do set them up to allow access (e.g. for Windows file and printer sharing), you can do this in a controlled manner, requiring credentials for access. If you want the TV to access media stored on your PC, you can tell the PC to share only the folder that holds those media files.
If there is no such sharing in place, your TV will only be able to see some basic metadata about your network: what type of other machines are on it, at what times, and so on.
If you can't be confident that your other devices are adequately protected against undesired access, and they hold data that is sensitive enough that you absolutely cannot take the risk of compromise, then using the guest-network is a simple remedy.
If you still require some communication between the TV and the network, you can give your router the job of controlling which specific devices are allowed to contact each other. This level of control isn't always available with consumer wifi routers, but a replacement can be had quite cheaply: either buy second-hand (although bear in mind the device could be compromised), or get one of the cheap consumer models that can be modified to run openwrt or similar highly-configurable open-source firmware.
Make 3 (or more) networks:
Set your firewall rules to accomplish the following:
