Home network security & privacy recommendations

Basically sink a huge amount of your time to protect yourself from the device.

2 Likes

Time and money.

3 Likes

I am beginning to wonder if it makes sense to wrap one’s home in a Faraday cage (assuming one owns it, of course). In this way one can control access of electromagnetic waves into one’s home and there would be no leakage of wifi outside the home making drive-by snooping ineffective.

Interesting, I’ve often wondered if this would actually be possible to do? Or maybe to create a room in your house that is a Faraday cage room?

I’ve heard there is tapestry with copper wires inside for this purpose. :smile:

2 Likes

Yesterday I read an article on Ars Technica about Vizio TVs collecting and transmitting data on their owners’ viewing habits: ( https://arstechnica.com/gadgets/2021/05/vizio-tv-buyers-are-becoming-the-product-vizio-sells-not-just-its-customers/ ).

It got me thinking. I would never connect a TV to the internet, but I do connect a Roku streaming device to my TV. After some research, I found a study that analyzed just how much tracking is going on with this and other streaming devices; this article from The Verge has a link to the Princeton University study: https://www.theverge.com/2019/10/11/20908128/smart-tv-surveillence-data-collection-home-roku-amazon-fire-princeton-study (the study is a .pdf). I was shocked/not shocked.

I immediately went to my router’s firewall settings and blocked all the tracking domains listed in the Princeton study. Lo and behold, several channels on my Roku stopped working. (I promptly deleted those particular channels, of course!)

Just imagine how tracking data like this is routinely bought and sold, and can be correlated with all the other available data and identifiers related to an individual. Disturbing, to say the least. (Note that connected TVs can even analyze what you’re watching from a DVD/Blu-ray player.)

I always use a VPN service when connecting my computing devices to the internet, but the Roku is exposed and unprotected, as I don’t have the VPN loaded on the router itself. I knew that there was probably a lot of tracking going on, but was foolishly relying on Roku’s “Limit advertising” setting to provide some level of privacy. Seeing the likes of Google and Facebook in the list of tracking domains quickly brought me to my senses!

4 Likes
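One way to turn a list of tracking domains, like the one the post above blocked, into router rules, as an added example that is not part of the original thread. It swaps the poster's firewall rules for DNS blocking with dnsmasq `address=` lines; the domains, function names and allowlist are constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(entry):
    """Return a bare lowercase hostname, or None if the entry is unusable."""
    host = entry.split("#", 1)[0].strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop a pasted URL scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    host = host.lstrip("*.").rstrip(".")                # "*.x.example." -> "x.example"
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None                                     # too long, bare word, or IP
    return host if all(LABEL.match(l) for l in labels) else None

def covered_by(host, parents):
    """True if host equals, or is a subdomain of, any name in parents."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in parents for i in range(len(parts)))

def build_blocklist(entries, allow=()):
    """Return (dnsmasq_lines, rejected_entries, allowlist_conflicts)."""
    allowed = {normalize(a) for a in allow} - {None}
    hosts, rejected = set(), []
    for raw in entries:
        if not raw.split("#", 1)[0].strip():
            continue                                    # blank or comment line
        host = normalize(raw)
        if host is None:
            rejected.append(raw.strip())
        elif host not in allowed:
            hosts.add(host)
    # address=/name/... matches name and every subdomain, so an entry already
    # covered by a shorter blocked parent is redundant.
    minimal = {h for h in hosts if not covered_by(h.split(".", 1)[1], hosts)}
    # An allowlisted name under a blocked parent would still be blocked: report it.
    conflicts = sorted(a for a in allowed if covered_by(a, minimal))
    return [f"address=/{h}/0.0.0.0" for h in sorted(minimal)], rejected, conflicts

# Constructed sample input (reserved .example names, not the study's list).
SAMPLE = ["# pasted list", "Tracker.Example", "ads.tracker.example",
          "https://metrics.vendor.example/collect?id=1", "*.telemetry.example.",
          "cdn.vendor.example", "not a domain", "192.0.2.7"]

if __name__ == "__main__":
    lines, rejected, conflicts = build_blocklist(SAMPLE, allow=["cdn.vendor.example"])
    print("\n".join(lines), rejected, conflicts, sep="\n")
```

The conflict list is the part that matters when a channel stops working: it shows which name you wanted to keep is still caught by a broader block entry.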

Powerline network adapters? Let me share some EOP experience: I have actually used it since the nineties (the famous blue Devolos; last century!). In theory ethernet over powerline is a bunch of issues lacking performance. The reality is the opposite: astoundingly reliable, good transmission rates and an almost perfect replacement for real copper ethernet.

In a little company we have one workplace w/o physical ethernet wiring. For about a decade now we have had WLAN and powerline-eth in place in parallel. So I can compare them. Powerline ethernet is clearly the winner. Almost the same incident level as physical wires. And much quicker to fix :wink:

One secret is definitely to use the best quality hardware. I always refused other boxes than Devolo stuff. I’m convinced AVM-Fritz has reached at least the same level of professional performance. All other products are no legitimate options in my limited imagination. And yes, of course there is a Turris Omnia providing the data to both methods of data transmission :slight_smile:

However, looking back 30 years on these little wall plugs I can recommend powerline ethernet even for all the cases where it is seemingly impossible to use: works like a charm. Just my experience.

1 Like

This is the 2nd time I’ve heard mention of the “algo” VPN. I’ve been using Azire for years, but they seem to be getting a bit too large for my taste and often enough the speed degrades or it disconnects. I’m excited to try this “algo” solution out on Linode. :+1:

Thoughts on Rob Braxman’s stuff? BytzVPN, BraxRouter, etc?

Assuming that you don’t want mobile phones to work, or TV or radio (or GPS, or satellite internet) - unless you have an external antenna.

It’s up to you of course but I think @amarok is more on the money. The danger is what is going out the “front door”, transmitted over the internet by untrustworthy blackbox devices that you invited into your home, not what is going out the “back door” in RF leakage etc.

I believe that these days even the meter is read via RF, so when wrapping your home in a Faraday cage, make sure not to enclose the meter box.

The one point I would add to that: EOP should involve a lot of shared bandwidth over what is basically a single logical cable, whereas with wired premises every outlet has a dedicated cable back to a switch. So even if the basic transmission rate is up there towards GbE, the aggregate bandwidth may be well short of GbE.

2 Likes

Since this has become quite the discussion with plentiful amounts of information, can someone please provide a TL;DR summary for those (like me) who are new and inexperienced to this topic/subject but would like to strengthen our home network security and privacy?

1 Like

Why do you need GPS in the home? All of my mobile devices have wifi adapters. I suppose it depends upon where one lives but TV and radio are largely streamed over the internet. A Faraday cage would allow one to control entry and exit through one single point, namely the router connected to a fixed line internet or if one lives far from everyone with no fixed line, one presumably has an external antenna to receive the internet signal and this would be the single point of entry. Then it permits one to achieve completely what @amarok suggests.

I have no experience with this.

TLDR: It depends.

I know people don’t like hearing that and want a simple response that “just tells me what to do” but if you’re being given that response then you’re either not being given the whole picture or are being lied to. More often the former.

Security is a conversation of balance and priorities. These shift over time and vary by person and environment; and the conversations here show that.

As an example, powerline works well for some, works poorly for others, and isn’t worth the potential unknown risks for still others.
This trend generally holds for any specific recommendation.

1 Like

From looking at the specs of the Omnia, that looks like a nice OpenWrt box.

Personally I run OpenBSD on an APU2 as my router/firewall. I keep wireless separate and have two separate wireless networks, one for “trusted” devices and one for cloud/guest devices. That’s right, guests are relegated to the same network as the couple of cloud devices that I have on my network for one reason or another.

Currently those are VLAN’d off but my long term plan is to have that on a second physical network with the only point where they meet being the firewall on their own port.

I am comfortable not having a GUI so this works for me but isn’t a configuration I would recommend for everyone.

Layer 3 switches to have separate VLANs is a smaller physical footprint, and is generally going to be good enough for separating the different classes of devices.

Firewalls are partially going to boil down to what you’re comfortable learning. OpenWrt has a fairly low barrier to entry (I’d put pfSense on a similar level although a bit harder to learn in my experience) and commercial options are generally a bit easier to learn but now you have to trust the manufacturer, which some will say you shouldn’t do because you can’t audit what they say… Whether or not you trust a company saying “trust us”, only you can decide.

I personally self-host ZoneMinder for security cameras, which has a steep learning curve but works well enough for my use case. I do prefer it to the commercial options I’ve deployed for work, but it is harder to deploy.

I haven’t yet found a good solution for door sensors/self-hosting a physical security system. Any Zigbee system can be tied into things like openHAB but you’re really just talking to that system, not truly self-hosting. Also most security solutions include monitoring, and most monitoring companies won’t monitor your system, only theirs, for liability reasons, so you have to decide if that matters to you (in some regions it matters because of regulations and/or insurance).

4 Likes

Actually, my initial thought was to have a separate network dedicated to my security system with a dedicated cellular plan to stream offsite and send me remote notifications so that I can call the police if need be which is all a professional monitoring service does for you.

On the LAN it could be a switch that sits between the local terminals and the router/gateway.
It should be one that allows you to configure distinct multi-VPS networking channels for separating between work/play, or encrypted/non-encrypted …

At best it would be a modern, free software/open-hardware machine that can be remotely managed (i.e. doesn’t require you to install a black-box ‘monitoring’ software on your black-box IoT pocket device) …

I always thought that vampire movies were silly, but, really, when they show up at your ‘front door’ they ASK for permission, otherwise it’s more complicated …

1 Like

Would you please explain what you mean with “VPS” in this context? Virtual private server?

Based on the context I’m pretty sure the intent was VLAN not VPS.

1 Like

That’s what I thought, too, but was a little confused.

1 Like