An engineer's opinion: “Never use your primary WiFi network for IoT devices. Treat them as strangers in your home.”

For all the network engineers, designers and sysadmins who day to day are connecting devices among network branches, this could be a really interesting story to share with any decision maker in any company.

It is a technical article; here is a small extract.

From this, he looked at its software and operating system, and that’s where he discovered the dark truth: his smart vacuum was a security nightmare and a black hole for his personal data. First of all, its Android Debug Bridge, which gives him full root access to the vacuum, wasn’t protected by any kind of password or encryption. The manufacturer added a makeshift security protocol by omitting a crucial file, which caused it to disconnect soon after booting, but Harishankar easily bypassed it. He then discovered that it used Google Cartographer to build a live 3D map of his home.

Should be read carefully, IMO.

I’m adding my personal take:

If an app is mandatory for configuration, the device should not be in any green or blue network.


Remember, the S in IoT is for Security.


Cheeky acronym solver… :grin:

Yep, same here with a Xiaomi cleaner. No connection, no go; maps are stored way east.

Imagine using it in a bank

I hardly see facility management being mandated to comply with the IT security gang…

How to cope with this the best way on your home network, with a provider-supplied modem with WiFi and Ethernet?

Personal opinion

Mostly depends on the network structure you’re going to implement.
For any CPE that the provider delivers I always “neuter” it, disabling WiFi and UPnP and forwarding only the ports needed for internet access.

Otherwise, some ISPs allow you to replace the CPE with your own device, which sometimes delivers more grunt or more functions. It gets more complicated if the contract includes phone calls (FXS ports to configure) and IPTV/OTT services with multicast.

Anyway, I like to add an Ethernet discharge device between router and firewall if the ISP delivers a VDSL connection (copper) rather than actual fiber to the premises. Lightning is still a thing; it cooks hardware like no user can (most times).

If the only accepted option is to keep the delivered CPE… good luck with that?
Italy's most prominent ISP, TIM, delivered crap for 10+ years; now the devices are far better, but they are mostly ZTE boxes.


No

Yes

No

I guess I will get an OpenWRT device, hook it up to one of the provider router's Ethernet ports, disable the rest of the Ethernet ports, WiFi and other network-related functionalities, and consider my OpenWRT device the primary device to start fiddling with network (Ethernet and WiFi) segmentation, firewall and all the other goodies. Basically virtually bricking the ISP router on the LAN side except for 1 Ethernet port → OpenWRT and 1 FXS port → phone only.
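The segmentation that the opening take (app-managed devices kept out of the trusted networks) and the OpenWRT plan above both call for, as an added example that is not code from the thread or from any poster: a POSIX shell script that emits an OpenWrt UCI batch creating a separate IoT SSID, subnet and firewall zone. Everything in it is assumed: the radio name radio0, existing zones lan and wan, the new interface and zone name iot on 192.168.30.0/24, and the placeholder SSID and passphrase; adjust them to your router before piping the output into uci.

```shell
#!/bin/sh
# Added example (not from the thread or any poster): emit an OpenWrt UCI batch
# that puts IoT devices on their own SSID and subnet behind a firewall zone that
# can reach the internet but not the main LAN. Assumed names (change to match
# your router): wifi radio 'radio0', existing zones 'lan' and 'wan', new
# interface/zone 'iot' on 192.168.30.0/24. SSID and passphrase are placeholders.
# Usage on the router: sh iot-zone.sh | uci batch && uci commit && reload_config

IOT_SSID="${IOT_SSID:-iot-things}"
IOT_KEY="${IOT_KEY:-REPLACE-WITH-A-LONG-PASSPHRASE}"

# Separate L3 interface with its own DHCP pool; deliberately not bridged to br-lan.
iot_network_uci() {
cat <<EOF
set network.iot=interface
set network.iot.proto='static'
set network.iot.ipaddr='192.168.30.1'
set network.iot.netmask='255.255.255.0'
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='100'
set dhcp.iot.leasetime='12h'
EOF
}

# Dedicated SSID bound to that interface; isolate=1 stops devices talking to each other.
iot_wifi_uci() {
cat <<EOF
set wireless.iot_ap=wifi-iface
set wireless.iot_ap.device='radio0'
set wireless.iot_ap.mode='ap'
set wireless.iot_ap.network='iot'
set wireless.iot_ap.ssid='$IOT_SSID'
set wireless.iot_ap.encryption='psk2'
set wireless.iot_ap.key='$IOT_KEY'
set wireless.iot_ap.isolate='1'
EOF
}

# Zone policy: devices may only reach the router for DHCP and DNS, may forward
# to wan, and never into lan. lan -> iot stays open so a phone on the LAN can
# still control a device; the device cannot open connections the other way.
iot_firewall_uci() {
cat <<EOF
set firewall.iot_zone=zone
set firewall.iot_zone.name='iot'
set firewall.iot_zone.network='iot'
set firewall.iot_zone.input='REJECT'
set firewall.iot_zone.output='ACCEPT'
set firewall.iot_zone.forward='REJECT'
set firewall.iot_to_wan=forwarding
set firewall.iot_to_wan.src='iot'
set firewall.iot_to_wan.dest='wan'
set firewall.lan_to_iot=forwarding
set firewall.lan_to_iot.src='lan'
set firewall.lan_to_iot.dest='iot'
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='iot-allow-dhcp'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='iot-allow-dns'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
EOF
}

# The whole batch, in the order uci should see it.
iot_zone_uci() {
    iot_network_uci
    iot_wifi_uci
    iot_firewall_uci
}

# Review helper: list every (section, src, dest) pair in the batch, i.e. the
# forwardings; rules carry only a src and are therefore left out.
iot_zone_pairs() {
    iot_zone_uci | awk -F"[.=']" '
        $3 == "src"  { src[$2] = $5 }
        $3 == "dest" { dst[$2] = $5 }
        END { for (s in src) if (s in dst) print s, src[s], dst[s] }'
}

# Policy check: succeed only if nothing forwards from iot into lan.
iot_zone_check() {
    ! iot_zone_pairs | grep -q ' iot lan$'
}

iot_zone_uci
```

The check functions are there for the review step the thread keeps coming back to: run `iot_zone_pairs` before committing and confirm the only forwardings are iot → wan and lan → iot. Because input on the zone is REJECT and only UDP/67 and 53 are opened, a device that ships with an unauthenticated debug service on its network side cannot be reached from the LAN side unless you add a forwarding for it, and it cannot reach anything on the LAN at all.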