I have a couple of IoT VLANs that devices get sorted into by my level of perceived trust. Things like AppleTV and Sonos go into the trusted one; things like printers, various Chinese IoT like Aqara sensors, Eufy cameras and more are put into the untrusted one. Trusted devices have static DHCP-assigned IPs, as do printers (for AirPrint and mDNS).
Everything in the untrusted VLAN is blocked by MAC address in the firewall in the outbound direction.
I keep a (surprisingly small) spreadsheet of all my firewall rules, so migrating to a new firewall is a matter of spending 30 minutes setting up the 50 or so lines from the spreadsheet, of which most are rules for allowing inter-VLAN traffic, e.g. allow AirPlay reverse connections from AirPlay-capable devices.
I should add that I run Eufy cameras in HomeKit mode, so they only need access to talk to a HomeKit bridge/hub (AppleTV/HomePod), and only need internet access for firmware updates.
I don't update unless there's a security fix (haha), I have a problem, or a feature I need is released, at which point I simply disable the outbound firewall rule temporarily and "force" an update through whatever control plane the device has (typically an app).
For security fixes, I usually find out through other channels (here or reddit) about some new 0-day, and I will check for updates after that.
Considering that the devices are not allowed on the internet, and are on a very limited network, the risk of a random "drive-by shooting" is rather low.
It's either that, or place them in a faraday cage :)
And at some point in the "not too distant future", everything will be running on 5G/6G, and at that point I guess it doesn't matter anymore. I'll revert to the tried and true methods of applying painter's tape over cameras/sensors.
Seriously though, I'm also extremely picky with what kinds of IoT stuff I buy. My toothbrush doesn't need WiFi, and neither does a whole bunch of other stuff. I can vote with my wallet, and hope the EU consumer protection takes care of the rest.
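The "spreadsheet of firewall rules" workflow from the comment above, as an added example that is not the commenter's own tooling: a rule sheet kept as CSV is rendered into an nftables forward chain with a default-deny policy, trusted-to-untrusted allows for AirPlay/AirPrint/mDNS, and a per-MAC internet exception for a camera's firmware update that is toggled by flipping one column. The CSV rows, interface names (vlan10, vlan30, wan0), ports and MAC address are all constructed assumptions; nftables is chosen as the target syntax, and matching `ether saddr` in the forward hook assumes the untrusted VLAN is an Ethernet-type interface so the link-layer header is present.

```python
"""Render a CSV sheet of inter-VLAN firewall rules into an nftables ruleset.

Added example, not the commenter's tooling. Interface names, MACs, ports and the
CSV columns are assumptions chosen for illustration.
"""
import csv
import io

# Constructed sample "spreadsheet": one row per rule.
# enabled=no keeps the rule on record but renders it commented out; that is how
# the temporary "let this camera fetch firmware" exception gets toggled.
RULES_CSV = """\
name,src_if,dst_if,proto,dport,src_mac,enabled
airplay-reverse,vlan10,vlan30,tcp,7000,,yes
airprint,vlan10,vlan30,tcp,631,,yes
mdns,vlan10,vlan30,udp,5353,,yes
eufy-cam-fw-update,vlan30,wan0,tcp,443,aa:bb:cc:11:22:33,no
"""

UNTRUSTED_IF = "vlan30"  # assumed interface name of the untrusted IoT VLAN
WAN_IF = "wan0"          # assumed upstream interface name


def parse_rules(text):
    """Read the sheet; 'enabled' becomes a bool, everything else stays a string."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["enabled"] = r["enabled"].strip().lower() == "yes"
    return rows


def set_enabled(rules, name, enabled):
    """Flip one named rule (the 'disable the outbound rule temporarily' step).

    Returns True if a rule with that name existed, False otherwise.
    """
    for r in rules:
        if r["name"] == name:
            r["enabled"] = enabled
            return True
    return False


def rule_line(r):
    """One nftables forward rule; disabled rules are emitted as comments."""
    parts = [f'iifname "{r["src_if"]}"', f'oifname "{r["dst_if"]}"']
    if r["src_mac"]:
        # Per-device exception keyed on the source MAC, as in the comment.
        parts.append(f'ether saddr {r["src_mac"]}')
    if r["proto"] and r["dport"]:
        parts.append(f'{r["proto"]} dport {r["dport"]}')
    parts.append(f'accept comment "{r["name"]}"')
    line = " ".join(parts)
    return line if r["enabled"] else f"# disabled: {line}"


def render_nft(rules, untrusted_if=UNTRUSTED_IF, wan_if=WAN_IF):
    """Build the ruleset text: policy drop, allows in sheet order, then a
    logging drop for untrusted-VLAN egress so blocked update attempts show up."""
    lines = [
        "table inet iot_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    lines += ["    " + rule_line(r) for r in rules]
    # Placed after the allows: nftables evaluates top to bottom, so an enabled
    # per-MAC exception above still wins for that one device.
    lines.append(
        f'    iifname "{untrusted_if}" oifname "{wan_if}" '
        'log prefix "iot-egress-denied " drop'
    )
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_rules(RULES_CSV)
    print(render_nft(rules))
    set_enabled(rules, "eufy-cam-fw-update", True)  # open the update window
    print(render_nft(rules))
```

The rendered text can be loaded with `nft -f` on a Linux firewall; on a different firewall product the same sheet would feed a different `rule_line`, which is the point of keeping the rules in the sheet rather than in the box.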