Kitz Forum

Computers & Hardware => Networking => Topic started by: Weaver on November 16, 2021, 11:18:48 AM

Title: Safely networking TV on guest WLAN
Post by: Weaver on November 16, 2021, 11:18:48 AM
My wife Janet has a new television in the kitchen. Just as well since the large one in the lounge has sickened and is near to death, the bottom 4 in of its picture being distorted and unwatchable. The other day Janet asked me about connecting the kitchen TV to the internet. I told her I had a number of concerns about this: TVs Ďphoning homeí in particular guzzling bandwidth when they have a mind to, such as perhaps when they decide to do a software update; but far more important, a vulnerability in the TV when it has opened a hole in my firewall by creating a session.

I want to do this for her but of course not if it creates any kind of security risk or usability nightmare with bandwidth hogging. It has options for ethernet or WLAN connections. I can place it on the guest SSID so the other machines are protected from it at L2. Guidance?
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 16, 2021, 11:52:43 AM
If the TV is from a reputable manufacturer then I really wouldn't worry about it. It will likely connect in the early hours each day to check for updates but on most TVs they are pretty infrequent.
If you want to use these devices then you have to trust the manufacturers to a certain extent. Millions of people, myself included, are using them every day without any issues at all.
 :)
Title: Re: Safely networking TV on guest WLAN
Post by: g3uiss on November 16, 2021, 11:54:29 AM
I donít think they phone home very often and software updates are a rarity even with the latest kit.


I suppose if your concerned DMZ is the answer but it wonít stop downloading

Title: Re: Safely networking TV on guest WLAN
Post by: meritez on November 16, 2021, 12:07:41 PM
I've yet to find a tv that has a 5ghz wifi chipset, I'd recommend ethernet if possible on it's own subnet separate from the rest of the network.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 16, 2021, 12:13:11 PM
I've yet to find a tv that has a 5ghz wifi chipset ...

My 2014 Samsung has one so I don't think it's rare.
Title: Re: Safely networking TV on guest WLAN
Post by: DaveC on November 16, 2021, 12:49:24 PM
Presumably if Janet wants to connect it to the Internet, it's to use streaming video apps, which will use far more bandwidth than any software updates (which as others have said, are very rare things in my experience with smart TVs).

If you already have a guest wifi set up (and especially if that isolates clients from each other), then you've already solved the problem I think.

Or for £14/month, get an unlimited 4G connection from Three (including a free router), and connect it to that, completely independently of your home network.
Title: Re: Safely networking TV on guest WLAN
Post by: meritez on November 16, 2021, 12:53:06 PM
My 2014 Samsung has one so I don't think it's rare.

The LG and Sony I have to hand do not :(
Title: Re: Safely networking TV on guest WLAN
Post by: j0hn on November 16, 2021, 01:06:13 PM
I have 4 TV's. A 2014 Samsung, a 2016 LG,  a 2018 LG and a 2020 LG. They all have 5 GHz.
It's probably harder to find 1 without 5GHz than it is to find 1 with it.

My most recent TV is my LG CX. I wouldn't even consider blocking internet access for the tv.
LG have added half a dozen features since I got the TV and fixed a number of bugs affecting my usage.
I use numerous apps on the tv which wouldn't be possible without internet access.

TV's send random anonymous usage statistics online but you can opt out of that on many TV's.
The TV will use next to no bandwidth unless streaming via an app or downloading an update.
Updates are usually once every couple months at most on a new tv from a well maintained tv brand.
Less or not at all on many other tv's.

If you really have security concerns about connecting your tv to the internet then can I recommend this security device (https://ibb.co/dGgHYWf).

I also recommend turning the toaster around just in case it is watching you.

Just a joke obviously. I've never understood the paranoia regarding certain devices being online or not. Cameras I can understand.
I'm not bothered if some Korean TV  company knows I watch Judge Judy or if some Chinese company knows I turned my smart light bulb on.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 16, 2021, 03:37:50 PM
... I've never understood the paranoia regarding certain devices being online or not. Cameras I can understand.
I'm not bothered if some Korean TV  company knows I watch Judge Judy or if some Chinese company knows I turned my smart light bulb on.

Couldn't have put it better myself - I have far more important things in my life to worry about.
My advice @Weaver would be to let Janet connect it up using whatever method is easiest and then just forget about it.
 :)
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 16, 2021, 08:22:47 PM
Thanks. Didnít want to find out about any software bugs or vulnerability horrors that have come to be known. Iím not worried about legal behaviour of manufacturers.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 17, 2021, 07:53:12 AM
Thanks. Didnít want to find out about any software bugs or vulnerability horrors that have come to be known. Iím not worried about legal behaviour of manufacturers.

The only issue I remember about smart TVs was a privacy concern some years ago on some Samsung models that had a voice recognition system. There was concern that the company were potentially storing peoples private conversations. I don't remember ever hearing about any nasty bugs or vulnerabilities in them.
 :)
Title: Re: Safely networking TV on guest WLAN
Post by: Reformed on November 17, 2021, 02:04:00 PM
Stick it in guest if you're worried about it. Same goes for any IoT device.
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 17, 2021, 05:57:24 PM
> If you already have a guest wifi set up (and especially if that isolates clients from each other)

The guest SSID does isolate clients from one another as well as from all wired devices and wireless devices outside guest. Itís internet access only.
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 17, 2021, 07:21:08 PM
If you really have security concerns about connecting your tv to the internet then can I recommend this security device (https://ibb.co/dGgHYWf).

Absolutely brilliant, there me wonder what security device it was going to be  :lol: :lol: :lol:
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 17, 2021, 07:27:09 PM
I wouldnt laugh so hard, anything is exploitable.

With that said any TV that doesnt let you download apps should be ok, if its from a reputable brand not some cheap chinese no name company, I wouldnt worry about outbound connections either, I did put my smart bulb on my guest network primarily because its a no name chinese company running the device.
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 17, 2021, 09:01:20 PM
I wouldnt laugh so hard, anything is exploitable.

Might as well laugh, before I cry.
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 18, 2021, 08:18:57 AM
My wife was involved with a charity that helped people some of whom are genuine security device users, seriously in a bad way. Not good.

Weíve all read about CPE being successfully attacked some years back, albeit from the LAN side, not the WAN afaiaw. Deciding to be worried about something is one thing; wondering whether or not thereís anything to be worried about is just the precautionary principle, no? Having adopted the latter route to wisdom, I sought to call upon the combined brainpower of my kitizen friends and to see if I have missed anything.
Title: Re: Safely networking TV on guest WLAN
Post by: aesmith on November 18, 2021, 09:06:28 AM
I removed networking configuration from our TV as I was fed up with it always bitching about software updates being available.
Title: Re: Safely networking TV on guest WLAN
Post by: Reformed on November 18, 2021, 01:49:37 PM
but far more important, a vulnerability in the TV when it has opened a hole in my firewall by creating a session.

I didn't mention: this isn't an issue. The outbound session should be over TLS anyway and even if it's not an attacker would have to compromise DNS infrastructure somewhere in order to obtain control over the endpoint the TV is trying to reach. Can't spoof into the connection as would require correct TCP sequence number, alongside the port and IP of the existing session and a way to receive responses.

If an attacker can exploit an outbound TCP flow the TV is the least of your concerns - someone is sniffing all your data.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 18, 2021, 05:26:48 PM
Do smart TVs have a web browser usually?
Title: Re: Safely networking TV on guest WLAN
Post by: g3uiss on November 18, 2021, 07:46:00 PM
Yes most do
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 19, 2021, 08:33:24 AM
Yes most do

You'd have to be desperate to want to use the one on my Samsung TV!  :lol:
Title: Re: Safely networking TV on guest WLAN
Post by: g3uiss on November 19, 2021, 09:01:44 AM
I agree there M most are virtually impossible to use
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 21, 2021, 06:50:39 PM
I washing machine has finally died after about 15 years, and I can't fix it, the drum seems to be melting its way through the plastic outer drum, even though the bearings feel fine.

Anyway the main reason I'm posting is because the new one is wifi enabled, a washing machine! Mind you it does look like it will have its uses.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 21, 2021, 10:03:37 PM
I washing machine has finally died after about 15 years, and I can't fix it, the drum seems to be melting its way through the plastic outer drum, even though the bearings feel fine.

Anyway the main reason I'm posting is because its wifi enabled, a washing machine! Mind you it does look like it will have its uses.

They made wifi enabled washing machine 15 years ago? O_o
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 21, 2021, 10:58:52 PM
My wife has now set up Kitchen TV on guest WLAN. She even remembered to do some other config in it such as disabling auto software update downloads. I forgot to talk to her about IPv4 address allocation so will do that tomorrow. Iím not going to take its IPv4 out of the small address pool for guests as I donít want permanent residents eating into it, so Iíll probably allocate its address statically. I will think about that when Iím not so tired.
Title: Re: Safely networking TV on guest WLAN
Post by: Reformed on November 21, 2021, 11:23:11 PM
Wouldn't it be better to put the guests behind NAT than spend public IP addresses on them? I presume FBs can do this?
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 22, 2021, 12:55:49 AM
Certainly could do that. Would make my config slightly messier, but I think you could have NATed sub-subnet like that, Iíd have to ask.

At the moment though Iím not even remotely short of IPv4s. Old kit will hopefully be retiring and be made IPv6-only if possible. Already several old devices have just been retired, freeing up a lot of IPv4 addresses too.í

One reason I donít like to do that at all is that it would make it far more difficult for me to spy on these devices and any other guest devices. I want to know what theyíre getting up to if they use my network. We donít offer Ďaccommodation guestsí internet access now and if we ever do, I would require any such future users to indicate that they understand that we will only ever spy on them for the purposes of network admin and also even then only with their prior agreement.

But as for spying on kit:
Say we have a Ďclient/userí category of Ďpersonal guests - untrustedí, like friends who come to stay and bring kit that I donít trust - because it could be crawling with nasties. Within this category we have something like Ďlong-term resident personal guests untrustedí and this TV goes into this new sub-sub-category of untrusted long term personal guests. I had part of this design successfully implemented for years until Apple blew the whole thing apart with source MAC address faking, as my design had relied on the insecure, and highly non-maintenance friendly (ie. not sysadmin-scalable) strategy of using certain firewall rules based on whitelisted source MAC addresses.

I need to find out what people do here who know what theyíre doing. Iím also thinking about looking into whether or not I can make use of VLANs in my old ZyXEL WAPs which appear to have a feature that looks like it might be useful but who knows what it does because the documentation is a disaster. Written by people who have no idea what it all meant and were too deferential to the gods that are the devs to ask and wouldnít understand the replies anyway. (From my personal experience of working inside a software company.)
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 22, 2021, 01:22:21 PM
They made wifi enabled washing machine 15 years ago? O_o

Nope, I meant the new one, post edited to reflect that.
Title: Re: Safely networking TV on guest WLAN
Post by: j0hn on November 22, 2021, 02:06:04 PM
I need to find out what people do here who know what theyíre doing.

They use NAT.

Giving devices you don't trust a public, globally routeable IPV4 address isn't the place to start.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 22, 2021, 02:45:54 PM
They use NAT.

Giving devices you don't trust a public, globally routeable IPV4 address isn't the place to start.

Quite agree, which I why I don't worry in the slightest about connecting these devices to my standard wireless network.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 22, 2021, 04:39:44 PM
They use NAT.

Giving devices you don't trust a public, globally routeable IPV4 address isn't the place to start.

Agreed,

Weaver can still audit by looking at the LAN addresses, potentially an option is separate virtual WIFI access point provided to each guest, that has its own DHCP allocation range via its own VLAN and as such each bit of traffic can be pinpointed to each guest room.
Title: Re: Safely networking TV on guest WLAN
Post by: Alex Atkin UK on November 22, 2021, 07:32:01 PM
Agreed,

Weaver can still audit by looking at the LAN addresses, potentially an option is separate virtual WIFI access point provided to each guest, that has its own DHCP allocation range via its own VLAN and as such each bit of traffic can be pinpointed to each guest room.

Auditing may even be easier due to NAT session tracking?
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 23, 2021, 03:08:24 AM
Iím not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

Looking at the Firebrickís session records, I can track the IPs be they IPv4 and IPv6. I can see the associated MAC addresses via the ARP/NDP records too. And I can capture traffic using AAís Firebricks (as opposed to my own), which is a handy little feature.

I was asking about the internal configuration of WAPs.

When I said guest, that was an extremely poor choice of words as itís highly misleading. I didnít necessarily mean a human, but rather a host in the guests SSID. My apologies for the confusion.

Therefore Iíve confused Alex completely.

To reply to what Alex said, Iíve no intention of delivering wifi to Janetís commercial guests, only to personal friends staying with us and to IoT things that Iím not allowing to access the rest of my LAN.

As I think I mentioned, each guest-SSID host is L2-isolated from the rest of the LAN, from all wired and wireless devices and such hosts are mutually isolated at L2 as well. An exception is made for access to the gateway, so they can access the internet and nothing else. Itís all done by the WAPs, the Firebrick used to handle some of it but now itís easier to do it a different way which is letting the WAPs alone do what they do best. There are two WAPs currently, and a third on standby as a spare.
Title: Re: Safely networking TV on guest WLAN
Post by: Alex Atkin UK on November 23, 2021, 06:13:55 PM
Iím not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

I have plenty of devices which claim IPv6 support now, but I don't think any one of them can work without IPv4.

Microsoft claimed almost a decade ago Xbox Live was moving to an exclusively IPv6 stack, but the Xbox Series X wont go online at all if I put it on the IPv6 only VLAN.
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 24, 2021, 06:56:12 AM
When I saw the lecture given by Microsoftís sysadmin for their internal corporate network, she said that they had found no end of similar problems like this, where kit and software did not in practice work without IPv4 even though it does make substantial use of IPv6. This is due to lack of testing by their devs in an IPv6-only environment. They tested IPv6, but only in an environment that also has IPv4 available, so would miss any naughty IPv4 backsliding in such a setup.

BTW/FYI: AA supports customers who want to go all-IPv6 exclusively and they do this by having DNS64 tricky servers and NAT64 protocol converters. The DNS64 servers lie about IPv6 DNS lookups and return the address of the NAT64 protocol converter whenever a host asks for an IPv4 address.

The point is, with enough trickery you can get stupid software to work even though it doesnít want to.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 25, 2021, 06:41:30 PM
Interesting timing of article. 

Quote
Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.

https://www.bbc.co.uk/news/technology-59400762

So yeah seems prudent to stick it on a isolated guest LAN and guest AP.