Tuesday, July 27th, 2021

Guest Wi-Fi Network Explained: Best Practices (and Your IoT Devices)

I’ve received a lot of questions relating to the Guest Wi-Fi network in the past couple of months, especially since the review of the Asus ZenWiFi AX, in which the feature hasn’t worked as intended.

Most of these questions, though, are not about setting up a router’s Guest Wi-Fi network but instead about why specific IoT devices don’t work.

So, this post will explain Guest networking and how to use it properly. Hint: No, it’s not intended to be a security measure for Internet of Things (IoT) devices.

You won’t be able to set up your Arlo camera using an isolated Guest Wi-Fi network.

What is a Guest network

A Guest Wi-Fi network is a fancy name for a virtual SSID (network name) that’s, by default, isolated from the primary one you use for your home — your intranet. Device isolation is the keyword here.

Specifically, a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.

As the name suggests, this other network is for your guests to use. The purpose is to keep guest devices separated from your home devices for security and privacy purposes.

Here’s a crude analogy: If your intranet is your home, then the Guest network is that mother-in-law suite at the far-end of your back yard. You know your in-law is comfortable there each time they visit, yet you don’t have to tend to their every move. Everyone is happy.

When a Guest network is not a Guest network

Note that many routers have the option to allow the Guest network intranet access. With that turned on, the isolation is no longer in effect. The Guest network now works the same as the main network.

(This is like a mother-in-law suite in the backyard that has no bathroom of its own. Guests who stay there will still need to enter your home anyway.)

Why would anyone want to do that, you might ask? Other than not knowing what they are doing, there are a couple of additional reasons.

First, not everyone needs a Guest network, and sometimes it’s useful to have multiple options so you can segment your devices. For example, you can have a group of clients connect to a particular SSID, and the rest to another.

Another reason is the owner of the Guest network might want to gain access to the guest’s device. The isolation, or the lack thereof, works both ways, and not every guest network is a friendly one. That’s the reason you want a VPN when using public Wi-Fi.

The point here is that, just because it’s called a Guest network, doesn’t mean it’s necessarily isolated. But in this post, for the sake of consistency, we assume that it always is.

How to set up a guest network

By definition, any Wi-Fi network that’s separated (isolated) from your main network is a guest network. And there are many ways to achieve this.

Turn it on

The easiest way is to get a router that has this feature — the majority of home routers have Guest networking these days. In this case, you just need to turn it on via the router’s web interface or mobile app. You’ll find it in a section called “Guest Network” or something to that effect.

A Guest Network setting page of an Asus router. Note how the Access Intranet setting is disabled.

Once turned on, by default, the Guest network is isolated, so make sure you don’t change this setting. Most routers’ Guest network feature comes with some other settings, including time access limit, bandwidth limit, and so on. You can configure those or leave them all alone, but it’s always a good idea to secure this network with a password.

Note that when you use a router’s built-in Guest networking feature, chances are all devices connected to the Guest SSID are isolated, meaning not only can’t they access your intranet, they also don’t see one another. In other words, if the guests want their devices to work with each other locally, that won’t happen.

That said, this type of Guest networking is suitable for temporary guests who just need the Internet and nothing else. It’s also the right choice for a public place, like a coffee shop.

But if you want to offer your guests more than just the Internet, this type of Guest networking won’t cut it. Instead, you need a separate Intranet.
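To confirm the isolation described above is actually in effect, here is an added example (not from the original post) that you run from a device joined to the Guest SSID. It tries a few local addresses that should be unreachable and one Internet address that should answer; every address and label in TARGETS is a constructed placeholder to replace with your own.

```python
"""Run from a device joined to the Guest SSID to confirm isolation holds.

Added example: every address in TARGETS is a constructed placeholder.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    label: str
    host: str  # IP address literal
    port: int

    @property
    def is_local(self) -> bool:
        # RFC 1918 and other non-routable ranges count as "your intranet".
        return ipaddress.ip_address(self.host).is_private


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connection attempt as 'open', 'refused' or 'blocked'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Something answered and turned the connection down, so the packet was
        # not silently dropped. Usually that is the host itself (port closed),
        # though a router that rejects with a reset looks the same.
        return "refused"
    except OSError:
        # Timeout, no route, host unreachable: what isolation should look like.
        return "blocked"


def assess(targets, probe=tcp_probe):
    """Return (verdict, leaks); leaks lists the local targets that answered."""
    results = [(t, probe(t.host, t.port)) for t in targets]
    leaks = [t.label for t, state in results
             if t.is_local and state != "blocked"]
    internet_ok = any(state == "open"
                      for t, state in results if not t.is_local)
    if leaks:
        return "NOT ISOLATED", leaks
    if not internet_ok:
        # Nothing answered at all: the device may simply be offline, so
        # silence from the local hosts proves nothing.
        return "INCONCLUSIVE", leaks
    return "ISOLATED", leaks


# Constructed sample targets; replace with hosts on your own network.
TARGETS = [
    Target("router admin page (main network)", "192.168.1.1", 80),
    Target("network printer", "192.168.1.50", 9100),
    Target("shared folders (SMB)", "192.168.1.20", 445),
    Target("another device on the Guest SSID", "192.168.101.23", 80),
    Target("Internet control", "1.1.1.1", 443),
]

if __name__ == "__main__":
    verdict, leaks = assess(TARGETS)
    print(verdict)
    for label in leaks:
        print("  reachable from the Guest network:", label)
```

A result of ISOLATED only covers the addresses and ports listed, so include every local device you care about.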

Create a separate intranet

If you want your loved one living in the mother-in-law unit to feel even more welcome, you can equip the place with more gadgets, such as a network printer or Wi-Fi speakers. Now, to keep these devices available to your guests, yet separate from yours, you’ll need to build a different intranet for them.

There are many ways to do this, and the easiest is to use a separate router in a double-NAT setup. For more on this, check out this post about using multiple routers on top of each other.


In this case, the guest intranet is separate from your primary network, but its devices are not isolated from one another. And that’s important because most local devices need to be in the same system to work as intended. That brings us to why Guest networking is not for IoT devices.

Why you shouldn’t automatically use a Guest network for many IoT devices

While it seems sensible to tell folks to put IoT devices on a Guest Wi-Fi network as a security measure, in reality, this advice can be rather idiotic in many cases for a couple of reasons.

1. Being in the same network doesn’t guarantee access

First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.

The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want a machine A to access a shared folder on a device B — requires some configuration which determines who can access what and how.

If you don’t do anything, by default, the access is not available. In other words, it takes work to make a computer’s information exposed to others.

2. IoTs are generally low-value targets

IoT stands for Internet of Things and it generally means an Internet-connected thing that’s not a computer or a mobile device.

You’ll find IoT devices all around you. Examples are network printers, IP cameras, smart speakers / TVs / appliances, and so on. All have one thing in common: They generally have limited computing capability, compared to a real computer, that is.

As a result, they generally are low-value targets. Hackers won’t try too hard to hack these devices because even when they are successful, there’s not much they can do with them. On the other hand, hacking a computer warrants a much higher return on their investment.

How about IoT botnet? Isn’t that real?

It was.

Yes, there have been instances where hundreds, if not thousands, of IoTs were “hacked” at the same time to create a botnet. In these cases, there was little hacking involved, but mostly the negligence of the owners.

In their early days, IoTs, including many Wi-Fi routers, all worked right out of the box with the default username and password. Consumers got them home, hooked them to the Internet, and used them without bothering to change their default settings. It’s like you get a new safe and use it with the default 1111 combo.

The bad guys took advantage of this and were able to gain control of these devices remotely with little effort. They then used them as bots to send a simple denial-of-service (DoS) command to attack a third party.

A couple of things to note here:

  • No harm was done to the owners of the IoT devices involved in these attacks.
  • Using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.

Most importantly, IoTs have come a long way in terms of security since then. Most of them won’t connect to the Internet unless the user has created a (new) admin password.

(The only IoT device I’ve seen in a long time that works with its default security setting is the D-Link DIR-X1560, which turned out in my testing to be not a great router anyway.)

No, I don’t mean the chance of your IoTs being hacked is zero, but it sure is much lower than that of your computer or your phone. And using them with a Guest Wi-Fi network makes little difference, if at all, on the security front. In this case, though, one thing is more likely: They probably won’t work as intended.

3. Most importantly: Many IoTs need intranet access to work

That’s correct. Many IoT devices need to be part of your home network to work correctly.

Take a network printer, for example. Hooking it to a Guest network will keep it invisible to your other devices, so they can’t print. In some cases, you still can print, but you have to do so via the Internet, and that means:

  • You must set up the printer with a vendor login account which can be a privacy concern.
  • You can’t print if the Internet is down.
  • It takes much longer to initiate a print job.

Similar things will happen with other devices. Putting them on the guest network means you disconnect them from your local network. Everything now has to go through the Internet.

Here are some more examples of what might not work if you connect your IoTs to an isolated Guest Wi-Fi network.

  • You can’t wirelessly cast a computer’s or mobile device’s screen on your smart TV.
  • Wi-Fi speakers won’t work.
  • Most IP cameras won’t work, at least during the setup process.
  • Local movie streaming (from your own server) won’t work.

The list goes on. So to answer many of your questions: Putting all your IoT devices on a Guest Wi-Fi network can create a lot of headaches. Stop making it a standard practice!

Extra: It’s a matter of degrees

OK, just to be fair. First, there are Internet of Things devices — those that only need Internet and nothing else — that will work just fine when you put them on an isolated Guest network.

Also, if you get cheap ones from sketchy or unknown vendors, especially those from China, with no or bad security, maybe it’s a good idea to isolate them — though it’s best not to use them at all. The truth is, many of these devices come with intentional back-door access.

There are possible ways to make almost all IoT devices work via a guest Wi-Fi network, including those that need to be part of your local resources. But in this case, why jump through hoops with your hands tied behind your back and risk falling on your face unnecessarily when you can stroll to the same place?

The takeaway

The point here is this: You need to understand your device and the Guest network and use them accordingly. The Guest network is not synonymous with better security. And vice versa, using an IoT device within your primary network doesn’t necessarily make your system more vulnerable.

The best way to make sure your IoT devices are safe from hacking is, again, not to get cheap ones from unknown vendors. Then set a secure password for them and use them with their latest firmware. On top of that, keep your router’s firmware up-to-date, too. Finally, if the router has built-in online protection, use that.

And for those who are still adamant about always using IoT with a Guest Wi-Fi network, consider this: Your router, the one that hosts your Wi-Fi networks, including the Guest Wi-Fi, is itself an IoT device. It’s also one of the highest-value targets among IoTs. What are you going to do about this conundrum?


30 thoughts on “Guest Wi-Fi Network Explained: Best Practices (and Your IoT Devices)”

  1. No problem, I am actually trying to understand here.

    If you don’t consider your guests a security risk, then why use the guest network at all? Alternatively, why not just give guests access to your primary network?

    In the case of Asus Guest networks there is no difference anyway.

    Best practice for Asus Guest networks would surely then be to disable the guest network and only allow trusted clients access to your primary network?

    For best practice, if you can’t securely allow guests access to the internet without exposing your internal devices, what is the point of the guest network access?

    Reply
    • It’s a matter of degrees, Luke. If you go around taking things as black and white, this Guest Network thingy is the least of your problems. Not that what you said about it is correct. 🙂

      Reply
  2. Dong,

    I am one of those that put most of the IOT devices (~50) onto a guest network. I have two issues wondering if you have any insight to it. Does the guest (virtual) network have the same range? I have a couple of Kasa devices that are located at the perimeter of the house that do not always connect. Wondering if I switch it over to the main network it would stay connected.

    Is the connection on the virtual network as stable? Device dependent?
    Some of my Kasa, Lifx, and a few devices inside the house randomly disconnect and do not reconnect on their own. Wondering if I switch it over to the main network it would stay connected.

    I have an Asus 89x router. Wondering if that is a problem.

    Reply
  3. Ok. Don’t keel over from the length. 🙁

    First and foremost: I am NOT trying to argue or be combative with you. I’m new to all this and am GENUINELY trying to understand and learn.

    At the start of your article you mention that – in terms of the widespread hack of IOT devices back in the day – “using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.”

    1) Do you mean it wouldn’t have made any difference because you’re presuming people plugged and played their router out of the box (i.e. didn’t change any default username/passwords on it?)

    2) So, my MAIN home network is my “intranet”? Is that correct?

    *** You go on to say “And enabling a Guest Wi-Fi network… by default, [is] isolated from the primary one (the “intranet” one?). As such “a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.”

    Ok, so this sounds like good security to me so far! IoTs and guest devices on the Guest Network can’t “infect” my main network, yes?

    BUT.

    “First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.
    The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want a machine A to access a shared folder on a device B — requires some configuration which determines who can access what and how.
    If you don’t do anything, by default, the access is not available. In other words, it takes work to make a computer’s information exposed to others.”

    Ok….. I didn’t know that.

    BUT.

    3) I’m not necessarily worried that a guest is going to try and log in to my bank account. Still…wouldn’t them being on a Guest Network protect my MAIN network just in case any of their devices have malware or other bad stuff on them?

    This next thing you wrote….. gah. I…I AM SO TOTALLY LOST:

    “No, I don’t mean the chance of your IoTs being hacked is zero, but it sure is much lower than that of your computer or your phone. And USING THEM WITH A GUEST WI-FI NETWORK MAKES LITTLE DIFFERENCE, IF AT ALL, ON THE SECURITY FRONT.”

    4) What the what? You said that a Guest Network is isolated from the “intranet” (i.e. the MAIN network). Wouldn’t it follow then that IoT devices being on the Guest Network WOULD lessen the chances of a MAIN network getting hacked should the less-secure IoT devices on the GUEST Network get hacked since a Guest Network is isolated from the MAIN network?

    And this is why – if what I wrote in the previous paragraph is true – I’m again TOTALLY CONFUSED by you writing: “The Guest Network is not synonymous with better security.”

    As far as things “likely not to work as intended”:

    1. I don’t own a wireless printer. My printer is connected to my laptop. If anybody needed to print anything they could email it to me and I’d print it for them. Sorted. 😊

    2. My home is far from the Jetsons. I have 2 Smart TVs, some smart plugs, a few smart bulbs, an Amazon Echo and a Dot. That’s about as “high-tech” as things are ever going to get around here!

    3. If I want (I never do) to stream something from my computer to my TV, I have an HDMI cable tucked behind the TV that I plug the laptop in to and voila.

    5) I have Bluetooth earbuds and headphones that I’ve connected to the Echo and the DOT. If I put the ECHO, DOT, etc. on the guest network, will the bluetooth earbuds still connect to those devices? (I warned you I was in over my head.)

    You make a good point about the router itself being an IoT device and what to do about that conundrum!! Creating a complex password and prayer? I don’t know. At a certain point don’t you have to let go and let God? LOL. This stuff can drive you nuts if you let it.

    Erikje commented: “A lot of very cheap iot devices do not have any serious or even funny way of security. So putting them in isolation is a good way to limit damage. A guest network is a simple way to segment your iot devices…. The guest network is one of the simplest way to achieve that security for the normal user. Yes there are much better ways, but they are not accessible for normal users.”

    Cooloutac may not have been the height of gentility when writing:
    “I think people are referring more to devices like amazon echo, blink cams, ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc… all those things are accessed through the internet not a local lan. Smartcast tv’s and printers are the small minority with houses full of 30-50 iot devices. the only time you might need local access is for initial setup. Sorry to say but what’s idiotic is to say that hackers won’t target iot devices. they don’t use them for their bandwidth. They use them to launch attacks on the rest of your network. Like your phone and computer that you worry about.”

    6) Basically, then, isn’t what they both wrote sound?

    I’m seriously about ready to just throw all of this crap out. Candles and abacuses are looking better and better.

    If you reply I will be completely astounded and deeply, deeply grateful. 🙂

    Reply
    • I have no issue with you being genuine, astounded, grateful, or not, Lori. Frankly, I don’t care. But I do feel annoyed when folks see things as absolute, as black or white, and then make me answer their stupid questions. Networking (tech, for that matter) is something you can’t “see.” All the more, it’s not 100% one way or another. Life is a matter of degrees. Take your time, read stuff with an open mind. With something you don’t know, don’t make assumptions. Try to read some more. That’s my advice. And no, I don’t have an answer to your problems, nor have I ever claimed that I would to anyone’s. And I sure don’t take others’ problems as mine. I’m “too old for that shit”. 🙂

      Reply
      • Hi Dong,

        I’m totally with you in one regard: I am also too old for some sh*t.

        Your annoyance is unfounded in terms of my taking anything as “absolute”, “black or white”. The fact that I was posing questions backs up that I wasn’t doing either of those things. I was trying to learn.

        “Make” you answer?

        “Stupid” questions?

        “With something you don’t know, don’t make assumptions.” Again: I ASKED QUESTIONS. That is the furthest thing from “making assumptions” as one can possibly get. It’s trying to LEARN.

        Asking you to “take my problems as your own”? You’re giving yourself much more credit here than is warranted. I was asking questions in full understanding that you’re not an Oracle.

        Ah! I DID make one assumption! I assumed that your having a comments section was so that people not as knowledgeable as you about these sorts of things could ask you questions and learn.

        My bad.

        You likely won’t (VERY likely won’t); but if you re-read what you wrote back to me, you thinking to yourself “God, I came across like a callous, hostile, arrogant a-hole” would be singularly appropriate.

        Reply
        • A couple of things, Lori.

          1. You’re taking things personally. (And that’s your prerogative). I wasn’t talking about you specifically or entirely in my previous answer.
          2. I get lots of questions every day. Many folks actually ask me to repeat myself, since they would find the answers if they even read the post in its entirety — and every post has related links to explain further any concept.
          3. Nobody can “make” me do anything, so don’t understand the word in its literal sense (again, it’s not always black and white.)
          4. Some questions are indeed stupid. But again, don’t take it literally.
          5. The comment section is for those who have read the post and related ones and still haven’t found the answer or want to contribute something. In other words, it shouldn’t be abused.

          I guess we’re getting old in different ways and my bluntness is just too much for you. And in that case, you’re not alone. I’m not a shrink and this is not a psychology website.

          Reply
    • Hi Lori – I think I am somewhat in the same boat as you - i.e. being new to the concept of network segmentation for the sake of personal security (although I have been building/using computers for the majority of my life).
      I also have to agree that some portions of this article are a bit confusing/contradictory. So let me try to answer ‘some’ of your questions (which would also help me gather my own thoughts):

      1) “using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.”

      My answer: Am assuming that Dong was referring to the fact that these users hadn’t bothered to change their default settings – which obviously means that they being on the Guest network (or any network for that matter) wouldn’t have protected them.
      But what if they had actually configured their IoT devices correctly and then put them on the Guest network? Would they have been protected then? Maybe. It also depends on how the rest of their network was configured.

      2) You go on to say “And enabling a Guest Wi-Fi network… by default, [is] isolated from the primary one (the “intranet” one?). As such “a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.”
      Ok, so this sounds like good security to me so far! IoTs and guest devices on the Guest Network can’t “infect” my main network, yes?

      My answer: Yes, but it depends on your router settings. When creating guest networks there should be settings like “enable intranet access” or “isolate from main network”, etc. Configuring this would either isolate the guest network from your main/personal/intranet network, or allow access.
      Some routers also have an additional setting: AP (Access Point) isolation. Enabling this would mean that devices connected to that particular network would not be able to talk to each other (i.e. inter communication – which I think Dong’s article also touches upon).

      3) I’m not necessarily worried that a guest is going to try and log in to my bank account. Still…wouldn’t them being on a Guest Network protect my MAIN network just in case any of their devices have malware or other bad stuff on them?

      My answer: Yes, if your main goal here is to separate ‘your guests’ from your private network, then having a Guest network (which is isolated from accessing the intranet/main network) definitely helps (as compared to having just one big network).
      Any level of network segmentation (done correctly) definitely helps towards achieving better security.

      However, if your goal is to also protect your network from ‘uninvited guests’ (hackers) from the internet, then does the guest network isolation protect you? Only to a certain extent. It would ward off the curious neighbor / casual hacker, but it wouldn’t protect you against a professional dedicated hack. This is because, although the guest network can provide some isolation, it’s still isolation only at a ‘software’ level. And software can always be cracked with the right resources.
      Additionally – the general design of home routers tends to be inclined more towards convenience than security. (When it comes to networking, there is unfortunately an eternal struggle between convenience and security)

      So then what do you do? How do you proceed? Ask yourself these questions:

      1. Do you simply want to ‘network-isolate’ people who visit your home, whom you may or may not know very well?
      Then by all means go ahead with the guest network – with intranet isolation enabled and strong passwords.

      2. Do you use semi-trusted IoT devices (Alexa, Smart TV from a known brand, Playstation, etc) and don’t think you’re at a major risk of a professional hacker coming after your finances, and want the simplest way to achieve a better level of security?
      Look at configuring multiple Guest networks on your router (with strong passwords – different from each other, and your main network/internet), enabling intranet isolation, and enabling AP isolation (in cases where your IoT devices don’t need to communicate with other devices on that network).
      If you’re looking for a new router I would suggest Asus – as it offers a good level of customization and receives frequent security updates.
      Additionally – also look at updating the software/firmware on all your devices (and configuring strong passwords), and running scheduled antivirus/malware scans on computers and phones.

      3. Do you use un-trusted IoT devices and consider yourself a potential target for a dedicated hack?
      Then you might want to look at something more than the basic-isolation provided by Guest networks.

      From what I have learnt so far, there are two main ways to attain ‘better’ network segmentation/isolation:

      1) VLANS – Virtual LANs – These basically split up your network at a software level (similar to Guest networks), but provide more customizations and are designed more with security in mind. However it needs specific hardware and software knowledge, to set up and configure. You could read up more on these if you’re interested and a bit tech-savvy.

      2) Multiple Routers – This is not only (relatively) simpler compared to setting up VLans but is also ‘stronger’ in terms of security. Because this approach provides ‘true’ isolation at a hardware level, which is very difficult (if not impossible) to get through. Each router will have its own firewall, physical and virtual addresses, etc.
      But the downside is the additional cost and space for multiple routers (and cabling, etc).

      No matter which route you take, I suggest you do some reading on it. Because some things done incorrectly (due to lack of knowledge) could potentially make things worse!

      Alright, this is pretty much all I have gathered so far. Hope I was able to add ‘some’ clarity, if not much. Good luck with your journey 🙂

      Reply
    • Consumer grade, even some ProSumer grade all in one routers can’t securely handle this. A true gateway appliance is needed and it can and will through the use of vlans… It is a small learning curve but you can write rules for anything.

      My “trusted” networks can talk with my IoT devices, but not vice versa.

      Let’s say my neighbor and I are at the fence between our properties. I would have to initiate the conversation and we could talk for hours. Now. If we are standing there and I have not initiated any conversation, he can not see me… He could keep calling out my name and I would never hear.

      Now

      Anyone logging into my “guest network” can not see each other, or anything else. So, someone comes over, needs to use the internet for something, well no problem. Give them the password, they log in, they are taken to a captive portal, agree to MY terms, and if it isn’t illegal, they have access for a set amount of time. It really isn’t that hard.

      IE… Grandkids come over for a Sunday dinner… They talk, play games, whatever, even on the internet. But when it is close to dinner time, I can tell Alexa to “Stop happy time”, (even though Alexa lives on the Iot vlan) all access is killed, time for the family time. This type of control really isn’t that tough to learn/grasp..

      Oh, the router you get from your ISP could be the worst thing in your LAN, and double NAT should be a last resort, especially when there are so many affordable solutions out there. And by that I mean a gateway that has NO wifi for around $100. The reason for no wifi is because YOU define what rules YOU want. The wifi will be controlled by the gateway.

      Reply
  4. My (admittedly limited) understanding of guest network isolation (at least in terms of a Netgear router) is that – contrary to Netgear documentation – when the guest network option is enabled on the router, it is NOT isolated. Though, as I said, evidently Netgear claims that it is.

    Reply
    • This might differ from one model to another, Lori. But generally, by default, a Guest network is isolated from the main network. Note that the isolation is only limited to the local network and not via the Internet. For example, an iPhone connected to an isolated Guest network can still Facetime to another connected to the main network, or any network for that matter.

      Reply
      • Thanks for replying! Truthfully, I’m so in over-my-head here I should probably keep quiet.

        I have questions but need a little time to organize them better. May I write and ask for your feedback again?

        Reply
      • FYI, Asus Guest Networks as an example are not isolated properly from the main guest network.
        While they may appear to most clients and users as isolated, this isolation can be easily bypassed by anyone.
        All a user needs to do is connect a second Asus router in repeater mode to the Guest network, and they will have full access into the main network.
        e.g. Your primary RT-AX89U router running a guest network, using only the guest network credentials, a RT-AC68U can be connected as a repeater to the guest network, and any devices connecting to the repeater will have full access into the main network. Not isolated at all.
        So I don’t trust Asus guest networks at all. I can’t speak for other manufacturers.

        Reply
          • Sorry, mixed up RT-AX86U and RT-AX89X. Regardless, I believe the insecure Guest Networks are part of the AsusWRT code, not specific to individual models.

          • It’s not really a security matter, Luke. It’s like you should not consider your guests as a security risk, in which case you shouldn’t have them over as guests. Things are not black and white. The Guest network is a matter of convenience, not security.

  5. iot devices with zero days are known to give access to the local network.
    Or the other way around.. a local privilege escalation grants access to all iot devices to put them in a botnet.
    A lot of very cheap iot devices do not have any serious or even funny way of security. So putting them in isolation is a good way to limit damage.
    A guest network is a simple way to segment your iot devices. The ones that do not work on it will shift to the normal network or, better, their own SSID.
    The guest network is one of the simplest ways to achieve that security for the normal user. Yes there are much better ways, but they are not accessible for normal users.
    So there is nothing idiotic in using the guest network for iot. It is in fact a simple and often effective way of protecting your stuff.

      • Or, said differently, almost every IoT device in my home needs access.
        Router: Obviously.
        Switches & access points: Obviously.
        Speakers: Yep.
        Google Home/Nest displays: Yep.
        Roku: Maybe not, but I don’t use it now, so I should probably just unplug it.
        Chromecast, Android TV: Yep.
        Printers: Yep (don’t even get me started on what a PITA cloud printing is)
        Weather station console (reports data to Weather Underground): Probably not. Meh. I’ll take my chances that someone goes to all the trouble of hacking such a relatively uncommon device.
        Samsung “Smart” TV: Probably not, but it’s so useless (other than as a monitor) I haven’t even bothered to connect it to my new router.

        I’m sure I’ve forgotten some, but the best security solution for them is probably just to unplug them since I probably don’t use them anyway.

      • I think people are referring more to devices like Amazon Echo, Blink cams, Ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc. All those things are accessed through the internet, not a local LAN. Smartcast TVs and printers are the small minority with houses full of 30-50 IoT devices. The only time you might need local access is for initial setup. Sorry to say, but what’s idiotic is to say that hackers won’t target IoT devices. They don’t use them for their bandwidth. They use them to launch attacks on the rest of your network, like your phone and PC that you worry about.

          • I mean to say resources, not bandwidth. What you should realize is most people are not idiots. They already know their printers and TVs have to be on the same network if they want to access them. And it is not troublesome to reconnect them, unlike the 30 IoT devices they might have connected. Printers and TVs are not even considered “IoT” devices by most people. I think that is the confusion.

            But also you should realize there is much a hacker can do with an IoT device (smart home devices). Even something simple like a smart plug is very capable of being a vector to sniff or infect your PC and phone. It’s idiotic to suggest hackers would not bother when it’s the first thing a hacker might do.

            That being said, you are right in the sense they would probably go for the printer and TV first. Since they are more capable and more likely to be on the same subnet. But probably not as easy to compromise as some cheap IoT device that has no security at all and doesn’t even get regular updates.

            This is all much more practical than MAC address spoofing when you don’t know the Wi-Fi password. The cheap IoT device is probably more likely to expose the password than the TV and printer.

      • Probably out of scope of what you’re saying, but I feel it’s very important to segment the IoT devices. I just don’t trust the makers of these devices to focus on security. At all. People want security, but they have lousy equipment. You can’t really have it both ways. Get a good router. A real router. For home, a good router is the Netgate SG-1100. Not too expensive at all. Tons of videos on how to set things up and you’ll be a whole lot smarter on this stuff. Get a good wireless access point that supports VLANs. Ubiquiti makes really good ones. You don’t even need a managed switch. Again, videos on YouTube. IoTs are the low-hanging fruit. Their security is lacking, and they are an excellent attack vector to the private network.

  6. Haha…I’m one of those that uses Guest Network for IoT devices. So far 90% of them work, including IP cams, smart home devices, etc. Chromecast I put them on the main network as you would need to switch to the guest network to cast. The only ones that don’t like the Guest Network are my Lifx bulbs. I can’t get them to connect to guest.

