Kitz Forum

Computers & Hardware => Networking => Topic started by: Weaver on November 16, 2021, 11:18:48 AM

Title: Safely networking TV on guest WLAN
Post by: Weaver on November 16, 2021, 11:18:48 AM
My wife Janet has a new television in the kitchen. Just as well, since the large one in the lounge has sickened and is near to death, the bottom 4 in of its picture being distorted and unwatchable. The other day Janet asked me about connecting the kitchen TV to the internet. I told her I had a number of concerns about this: TVs ‘phoning home’, in particular guzzling bandwidth when they have a mind to, such as perhaps when they decide to do a software update; but far more important, a vulnerability in the TV when it has opened a hole in my firewall by creating a session.

I want to do this for her but of course not if it creates any kind of security risk or usability nightmare with bandwidth hogging. It has options for ethernet or WLAN connections. I can place it on the guest SSID so the other machines are protected from it at L2. Guidance?
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 16, 2021, 11:52:43 AM
If the TV is from a reputable manufacturer then I really wouldn't worry about it. It will likely connect in the early hours each day to check for updates but on most TVs they are pretty infrequent.
If you want to use these devices then you have to trust the manufacturers to a certain extent. Millions of people, myself included, are using them every day without any issues at all.
 :)
Title: Re: Safely networking TV on guest WLAN
Post by: g3uiss on November 16, 2021, 11:54:29 AM
I don’t think they phone home very often and software updates are a rarity even with the latest kit.


I suppose if you're concerned, DMZ is the answer, but it won't stop downloading

Title: Re: Safely networking TV on guest WLAN
Post by: meritez on November 16, 2021, 12:07:41 PM
I've yet to find a TV that has a 5GHz wifi chipset. I'd recommend ethernet if possible, on its own subnet separate from the rest of the network.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 16, 2021, 12:13:11 PM
I've yet to find a TV that has a 5GHz wifi chipset ...

My 2014 Samsung has one so I don't think it's rare.
Title: Re: Safely networking TV on guest WLAN
Post by: DaveC on November 16, 2021, 12:49:24 PM
Presumably if Janet wants to connect it to the Internet, it's to use streaming video apps, which will use far more bandwidth than any software updates (which as others have said, are very rare things in my experience with smart TVs).

If you already have a guest wifi set up (and especially if that isolates clients from each other), then you've already solved the problem I think.

Or for £14/month, get an unlimited 4G connection from Three (including a free router), and connect it to that, completely independently of your home network.
Title: Re: Safely networking TV on guest WLAN
Post by: meritez on November 16, 2021, 12:53:06 PM
My 2014 Samsung has one so I don't think it's rare.

The LG and Sony I have to hand do not :(
Title: Re: Safely networking TV on guest WLAN
Post by: j0hn on November 16, 2021, 01:06:13 PM
I have 4 TVs. A 2014 Samsung, a 2016 LG, a 2018 LG and a 2020 LG. They all have 5 GHz.
It's probably harder to find 1 without 5GHz than it is to find 1 with it.

My most recent TV is my LG CX. I wouldn't even consider blocking internet access for the tv.
LG have added half a dozen features since I got the TV and fixed a number of bugs affecting my usage.
I use numerous apps on the tv which wouldn't be possible without internet access.

TVs send random anonymous usage statistics online, but you can opt out of that on many TVs.
The TV will use next to no bandwidth unless streaming via an app or downloading an update.
Updates are usually once every couple of months at most on a new TV from a well maintained TV brand.
Less or not at all on many other TVs.

If you really have security concerns about connecting your tv to the internet then can I recommend this security device (https://ibb.co/dGgHYWf).

I also recommend turning the toaster around just in case it is watching you.

Just a joke obviously. I've never understood the paranoia regarding certain devices being online or not. Cameras I can understand.
I'm not bothered if some Korean TV company knows I watch Judge Judy or if some Chinese company knows I turned my smart light bulb on.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 16, 2021, 03:37:50 PM
... I've never understood the paranoia regarding certain devices being online or not. Cameras I can understand.
I'm not bothered if some Korean TV company knows I watch Judge Judy or if some Chinese company knows I turned my smart light bulb on.

Couldn't have put it better myself - I have far more important things in my life to worry about.
My advice @Weaver would be to let Janet connect it up using whatever method is easiest and then just forget about it.
 :)
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 16, 2021, 08:22:47 PM
Thanks. Didn’t want to find out about any software bugs or vulnerability horrors that have come to be known. I’m not worried about legal behaviour of manufacturers.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 17, 2021, 07:53:12 AM
Thanks. Didn’t want to find out about any software bugs or vulnerability horrors that have come to be known. I’m not worried about legal behaviour of manufacturers.

The only issue I remember about smart TVs was a privacy concern some years ago on some Samsung models that had a voice recognition system. There was concern that the company were potentially storing peoples private conversations. I don't remember ever hearing about any nasty bugs or vulnerabilities in them.
 :)
Title: Re: Safely networking TV on guest WLAN
Post by: Reformed on November 17, 2021, 02:04:00 PM
Stick it in guest if you're worried about it. Same goes for any IoT device.
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 17, 2021, 05:57:24 PM
> If you already have a guest wifi set up (and especially if that isolates clients from each other)

The guest SSID does isolate clients from one another as well as from all wired devices and wireless devices outside guest. It’s internet access only.
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 17, 2021, 07:21:08 PM
If you really have security concerns about connecting your tv to the internet then can I recommend this security device (https://ibb.co/dGgHYWf).

Absolutely brilliant, that had me wondering what security device it was going to be  :lol: :lol: :lol:
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 17, 2021, 07:27:09 PM
I wouldn't laugh so hard, anything is exploitable.

With that said, any TV that doesn't let you download apps should be ok, if it's from a reputable brand, not some cheap Chinese no-name company. I wouldn't worry about outbound connections either. I did put my smart bulb on my guest network, primarily because it's a no-name Chinese company running the device.
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 17, 2021, 09:01:20 PM
I wouldn't laugh so hard, anything is exploitable.

Might as well laugh, before I cry.
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 18, 2021, 08:18:57 AM
My wife was involved with a charity that helped people some of whom are genuine security device users, seriously in a bad way. Not good.

We’ve all read about CPE being successfully attacked some years back, albeit from the LAN side, not the WAN afaiaw. Deciding to be worried about something is one thing; wondering whether or not there’s anything to be worried about is just the precautionary principle, no? Having adopted the latter route to wisdom, I sought to call upon the combined brainpower of my kitizen friends and to see if I have missed anything.
Title: Re: Safely networking TV on guest WLAN
Post by: aesmith on November 18, 2021, 09:06:28 AM
I removed networking configuration from our TV as I was fed up with it always bitching about software updates being available.
Title: Re: Safely networking TV on guest WLAN
Post by: Reformed on November 18, 2021, 01:49:37 PM
but far more important, a vulnerability in the TV when it has opened a hole in my firewall by creating a session.

I didn't mention: this isn't an issue. The outbound session should be over TLS anyway, and even if it's not, an attacker would have to compromise DNS infrastructure somewhere in order to obtain control over the endpoint the TV is trying to reach. They can't spoof into the connection, as it would require the correct TCP sequence number, alongside the port and IP of the existing session and a way to receive responses.

If an attacker can exploit an outbound TCP flow the TV is the least of your concerns - someone is sniffing all your data.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 18, 2021, 05:26:48 PM
Do smart TVs have a web browser usually?
Title: Re: Safely networking TV on guest WLAN
Post by: g3uiss on November 18, 2021, 07:46:00 PM
Yes most do
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 19, 2021, 08:33:24 AM
Yes most do

You'd have to be desperate to want to use the one on my Samsung TV!  :lol:
Title: Re: Safely networking TV on guest WLAN
Post by: g3uiss on November 19, 2021, 09:01:44 AM
I agree there, most are virtually impossible to use
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 21, 2021, 06:50:39 PM
My washing machine has finally died after about 15 years, and I can't fix it; the drum seems to be melting its way through the plastic outer drum, even though the bearings feel fine.

Anyway the main reason I'm posting is because the new one is wifi enabled, a washing machine! Mind you it does look like it will have its uses.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 21, 2021, 10:03:37 PM
My washing machine has finally died after about 15 years, and I can't fix it; the drum seems to be melting its way through the plastic outer drum, even though the bearings feel fine.

Anyway the main reason I'm posting is because it's wifi enabled, a washing machine! Mind you it does look like it will have its uses.

They made wifi enabled washing machine 15 years ago? O_o
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 21, 2021, 10:58:52 PM
My wife has now set up Kitchen TV on guest WLAN. She even remembered to do some other config in it such as disabling auto software update downloads. I forgot to talk to her about IPv4 address allocation so will do that tomorrow. I’m not going to take its IPv4 out of the small address pool for guests as I don’t want permanent residents eating into it, so I’ll probably allocate its address statically. I will think about that when I’m not so tired.
Title: Re: Safely networking TV on guest WLAN
Post by: Reformed on November 21, 2021, 11:23:11 PM
Wouldn't it be better to put the guests behind NAT than spend public IP addresses on them? I presume FBs can do this?
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 22, 2021, 12:55:49 AM
Certainly could do that. Would make my config slightly messier, but I think you could have NATed sub-subnet like that, I’d have to ask.

At the moment though I’m not even remotely short of IPv4s. Old kit will hopefully be retiring and be made IPv6-only if possible. Already several old devices have just been retired, freeing up a lot of IPv4 addresses too.

One reason I don’t like to do that at all is that it would make it far more difficult for me to spy on these devices and any other guest devices. I want to know what they’re getting up to if they use my network. We don’t offer ‘accommodation guests’ internet access now and if we ever do, I would require any such future users to indicate that they understand that we will only ever spy on them for the purposes of network admin and also even then only with their prior agreement.

But as for spying on kit:
Say we have a ‘client/user’ category of ‘personal guests - untrusted’, like friends who come to stay and bring kit that I don’t trust - because it could be crawling with nasties. Within this category we have something like ‘long-term resident personal guests untrusted’ and this TV goes into this new sub-sub-category of untrusted long term personal guests. I had part of this design successfully implemented for years until Apple blew the whole thing apart with source MAC address faking, as my design had relied on the insecure, and highly non-maintenance friendly (ie. not sysadmin-scalable) strategy of using certain firewall rules based on whitelisted source MAC addresses.

I need to find out what people do here who know what they’re doing. I’m also thinking about looking into whether or not I can make use of VLANs in my old ZyXEL WAPs which appear to have a feature that looks like it might be useful but who knows what it does because the documentation is a disaster. Written by people who have no idea what it all meant and were too deferential to the gods that are the devs to ask and wouldn’t understand the replies anyway. (From my personal experience of working inside a software company.)
Title: Re: Safely networking TV on guest WLAN
Post by: Ronski on November 22, 2021, 01:22:21 PM
They made wifi enabled washing machine 15 years ago? O_o

Nope, I meant the new one, post edited to reflect that.
Title: Re: Safely networking TV on guest WLAN
Post by: j0hn on November 22, 2021, 02:06:04 PM
I need to find out what people do here who know what they’re doing.

They use NAT.

Giving devices you don't trust a public, globally routeable IPv4 address isn't the place to start.
Title: Re: Safely networking TV on guest WLAN
Post by: tubaman on November 22, 2021, 02:45:54 PM
They use NAT.

Giving devices you don't trust a public, globally routeable IPv4 address isn't the place to start.

Quite agree, which is why I don't worry in the slightest about connecting these devices to my standard wireless network.
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 22, 2021, 04:39:44 PM
They use NAT.

Giving devices you don't trust a public, globally routeable IPv4 address isn't the place to start.

Agreed,

Weaver can still audit by looking at the LAN addresses. Potentially an option is a separate virtual wifi access point provided to each guest, that has its own DHCP allocation range via its own VLAN, and as such each bit of traffic can be pinpointed to each guest room.
Title: Re: Safely networking TV on guest WLAN
Post by: Alex Atkin UK on November 22, 2021, 07:32:01 PM
Agreed,

Weaver can still audit by looking at the LAN addresses. Potentially an option is a separate virtual wifi access point provided to each guest, that has its own DHCP allocation range via its own VLAN, and as such each bit of traffic can be pinpointed to each guest room.

Auditing may even be easier due to NAT session tracking?
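As an added example (not code from this thread, and nothing to do with how a Firebrick or any other real gateway is implemented), the following toy model of a stateful NAT table shows the two points made above: Reformed's, that an outbound session leaves no inbound hole, because an unsolicited packet matches no tracked state and a segment that does hit the right 4-tuple is still discarded if its sequence number is out of window; and Alex's, that the same table is exactly what lets the administrator map a WAN-side flow back to the guest host that started it. The gateway address, guest subnet, ports and packets are all constructed, and the single-direction window check is a simplification of what real connection tracking does.

```python
"""Toy model of the stateful NAT / connection-tracking table on a home
gateway.  Added example, not code from the forum thread or from any
gateway product.  All addresses, ports and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

PUBLIC_IP = "203.0.113.10"                  # assumed gateway WAN address
GUEST_NET = ip_network("192.168.50.0/24")   # assumed NATed guest subnet
WINDOW = 65535                               # simplified acceptable seq window


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool = False


@dataclass
class Flow:
    inside: str            # guest host that originated the session
    inside_port: int
    public_port: int       # port the gateway used on the WAN side
    remote: str
    remote_port: int
    next_in_seq: Optional[int] = None   # unknown until the remote's SYN-ACK


class StatefulNat:
    def __init__(self) -> None:
        self._by_inside = {}    # (inside, iport, remote, rport) -> Flow
        self._by_public = {}    # (public_port, remote, rport)  -> Flow
        self._ports = count(40000)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Guest -> internet.  Only a SYN may create state; anything else
        must match an existing flow.  Returns the translated packet or None."""
        if ip_address(pkt.src) not in GUEST_NET:
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        flow = self._by_inside.get(key)
        if flow is None:
            if not pkt.syn:
                return None
            flow = Flow(pkt.src, pkt.sport, next(self._ports), pkt.dst, pkt.dport)
            self._by_inside[key] = flow
            self._by_public[(flow.public_port, pkt.dst, pkt.dport)] = flow
        return Packet(PUBLIC_IP, flow.public_port, pkt.dst, pkt.dport, pkt.seq, pkt.syn)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway.  Accepted only if it matches a flow the guest
        opened AND carries an in-window sequence number.  There is no other
        way in: an unsolicited packet simply has no state to match."""
        if pkt.dst != PUBLIC_IP:
            return None
        flow = self._by_public.get((pkt.dport, pkt.src, pkt.sport))
        if flow is None:
            return None                        # unsolicited: no hole exists
        if flow.next_in_seq is None:
            flow.next_in_seq = pkt.seq         # SYN-ACK fixes the remote ISN
        elif not (flow.next_in_seq <= pkt.seq < flow.next_in_seq + WINDOW):
            return None                        # right 4-tuple, wrong seq: spoof
        flow.next_in_seq = pkt.seq + 1
        return Packet(pkt.src, pkt.sport, flow.inside, flow.inside_port, pkt.seq, pkt.syn)

    def who_was(self, public_port: int, remote: str, remote_port: int) -> Optional[str]:
        """Audit helper: map a WAN-side tuple back to the guest host."""
        flow = self._by_public.get((public_port, remote, remote_port))
        return None if flow is None else f"{flow.inside}:{flow.inside_port}"


if __name__ == "__main__":
    nat = StatefulNat()
    # Constructed traffic: a guest TV opening one HTTPS session.
    print(nat.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, 40000, 1, syn=True)))
    print(nat.outbound(Packet("192.168.50.23", 51000, "198.51.100.7", 443, 1000, syn=True)))
    print(nat.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, 40000, 5000, syn=True)))
    print(nat.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, 40000, 999999999)))
    print(nat.who_was(40000, "198.51.100.7", 443))
```

Run as-is it prints None for the stray inbound SYN, the translated outbound and SYN-ACK packets, None for the out-of-window spoof, and the guest host behind public port 40000. The audit lookup is the same table the firewall needs anyway, which is why NAT does not make attributing traffic to a guest device any harder.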
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 23, 2021, 03:08:24 AM
I’m not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

Looking at the Firebrick’s session records, I can track the IPs, be they IPv4 or IPv6. I can see the associated MAC addresses via the ARP/NDP records too. And I can capture traffic using AA’s Firebricks (as opposed to my own), which is a handy little feature.

I was asking about the internal configuration of WAPs.

When I said guest, that was an extremely poor choice of words as it’s highly misleading. I didn’t necessarily mean a human, but rather a host in the guests SSID. My apologies for the confusion.

Therefore I’ve confused Alex completely.

To reply to what Alex said, I’ve no intention of delivering wifi to Janet’s commercial guests, only to personal friends staying with us and to IoT things that I’m not allowing to access the rest of my LAN.

As I think I mentioned, each guest-SSID host is L2-isolated from the rest of the LAN, from all wired and wireless devices and such hosts are mutually isolated at L2 as well. An exception is made for access to the gateway, so they can access the internet and nothing else. It’s all done by the WAPs, the Firebrick used to handle some of it but now it’s easier to do it a different way which is letting the WAPs alone do what they do best. There are two WAPs currently, and a third on standby as a spare.
Title: Re: Safely networking TV on guest WLAN
Post by: Alex Atkin UK on November 23, 2021, 06:13:55 PM
I’m not sure I believe that no devices use IPv6. All IPv4-only still, even in these days? Perhaps so.

I have plenty of devices which claim IPv6 support now, but I don't think any one of them can work without IPv4.

Microsoft claimed almost a decade ago Xbox Live was moving to an exclusively IPv6 stack, but the Xbox Series X won't go online at all if I put it on the IPv6-only VLAN.
Title: Re: Safely networking TV on guest WLAN
Post by: Weaver on November 24, 2021, 06:56:12 AM
When I saw the lecture given by Microsoft’s sysadmin for their internal corporate network, she said that they had found no end of similar problems like this, where kit and software did not in practice work without IPv4 even though it does make substantial use of IPv6. This is due to lack of testing by their devs in an IPv6-only environment. They tested IPv6, but only in an environment that also has IPv4 available, so would miss any naughty IPv4 backsliding in such a setup.

BTW/FYI: AA supports customers who want to go all-IPv6 exclusively and they do this by having DNS64 tricky servers and NAT64 protocol converters. The DNS64 servers lie about IPv6 DNS lookups and return the address of the NAT64 protocol converter whenever a host asks for an IPv4 address.

The point is, with enough trickery you can get stupid software to work even though it doesn’t want to.
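As an added example (not code from this thread, and not AAISP's resolver software), the block below does the DNS64 and NAT64 address arithmetic Weaver describes: when a name has no AAAA record, the resolver synthesises one by embedding the IPv4 address in the translator's prefix, and the NAT64 box reverses that embedding to find the real IPv4 target. The embedding follows RFC 6052, and goes beyond the usual 64:ff9b::/96 case to the other prefix lengths the RFC allows. The zone data is a constructed stand-in for upstream DNS.

```python
"""DNS64 / NAT64 address synthesis per RFC 6052.  Added example, not code
from the forum thread or from any ISP's resolvers.  The ZONE table below is
a constructed stand-in for the answers an upstream DNS server would give."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List

WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix

# Byte offsets of the four embedded IPv4 octets for each RFC 6052 prefix
# length.  Byte 8 (the "u" octet) is skipped and always left as zero.
_LAYOUT = {
    32: [4, 5, 6, 7],
    40: [5, 6, 7, 9],
    48: [6, 7, 9, 10],
    56: [7, 9, 10, 11],
    64: [9, 10, 11, 12],
    96: [12, 13, 14, 15],
}


def synthesize(v4: str, prefix: IPv6Network = WELL_KNOWN_PREFIX) -> IPv6Address:
    """What a DNS64 resolver does: embed an IPv4 address in the NAT64 prefix."""
    if prefix.prefixlen not in _LAYOUT:
        raise ValueError(f"unsupported NAT64 prefix length {prefix.prefixlen}")
    out = bytearray(prefix.network_address.packed)
    for pos, octet in zip(_LAYOUT[prefix.prefixlen], IPv4Address(v4).packed):
        out[pos] = octet
    return IPv6Address(bytes(out))


def extract(v6: IPv6Address, prefix: IPv6Network = WELL_KNOWN_PREFIX) -> IPv4Address:
    """What the NAT64 translator does: recover the real IPv4 destination."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT64 prefix {prefix}")
    raw = v6.packed
    return IPv4Address(bytes(raw[pos] for pos in _LAYOUT[prefix.prefixlen]))


# Constructed upstream DNS data: name -> record type -> addresses.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "dual.example":   {"A": ["192.0.2.33"], "AAAA": ["2001:db8::33"]},
    "v4only.example": {"A": ["192.0.2.44", "192.0.2.45"]},
    "v6only.example": {"AAAA": ["2001:db8::66"]},
}


def resolve_aaaa(name: str, prefix: IPv6Network = WELL_KNOWN_PREFIX) -> List[str]:
    """DNS64 behaviour: hand back genuine AAAA records when they exist and
    only otherwise lie, by synthesising AAAA answers from the A records so
    that an IPv6-only host ends up talking to the NAT64 translator."""
    rr = ZONE.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"])
    return [str(synthesize(a, prefix)) for a in rr.get("A", [])]


if __name__ == "__main__":
    for host in ZONE:
        print(host, resolve_aaaa(host))
    # Round trip as seen by the translator for a synthesised answer.
    print(extract(IPv6Address("64:ff9b::c000:221")))
```

The dual-stack name gets its real AAAA answer untouched, which is the check that keeps DNS64 from forcing native IPv6 traffic through the translator; only the IPv4-only name receives synthesised addresses. An IPv4-only device on the guest SSID would still not be helped by this, since the trick only rescues IPv6-capable software that talks to IPv4-only servers.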
Title: Re: Safely networking TV on guest WLAN
Post by: Chrysalis on November 25, 2021, 06:41:30 PM
Interesting timing of article. 

Quote
Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.

https://www.bbc.co.uk/news/technology-59400762

So yeah, seems prudent to stick it on an isolated guest LAN and guest AP.