Understanding the home network security
--
We talked in the past about a few traps we can fall into while pursuing privacy, one of them being to consider Linux and open-source as a privacy magic bullet. You use Linux on all your home devices, host your files on a home server and you are done: privacy regained. We saw that that’s not really the case and that privacy needs to be a way of life, a set of behaviors and a continuous exercise.
But we never did consider another topic: security. And this one is attracting more and more attention. You host everything on your home server, but how safe is it? How safe is your home network from different types of attacks? We did recommend closing down the home network to any access from outside and having a single, undetectable door open. But could that be enough? Let’s strap in, take it from the top, and uncover how the home network works. This way we may learn its weaknesses and maybe resolve the issue: can there be privacy and security at the same time?
The “safe” home network
To start, let’s consider a typical home network with hosted services. We have file sharing enabled on the home server, an email archive solution, a calendar and contacts server, and a media server. All of this works fine inside the network and all network participants are able to access each of these services. We also want access from the Internet to all this, so instead of opening all the ports, we also enable a VPN service. This allows us to open a single port, and any device connecting to our network on this port gets a home network IP, along with access to all home services. Great.
The above scenario is the safest option we have when hosting our own services in the home network. No ports are open to the Internet except one which we can control and monitor. All our data is safely stored on our home server, maybe even backed up to an external drive and maybe backed up again to another disconnected external drive. We have full privacy as all our private stuff is stored on our devices, so there is no data exfiltration possible.
True, some devices like phones cannot talk with our file server because they don’t talk NFS or SMB, but we can use Syncthing to get the data we want on those devices and be happy. Or we can use manual data transfer via a data cable if we are so inclined. We can close our eyes to this process and just call it an inconvenience, the inconvenience of privacy, for example, and move on with our lives. But even though we just finished describing the best bet we have for a private and secure home network, we carefully avoided a key issue.
Hosted services and open ports
You see, we keep installing service after service on our home server. And it’s ok, that’s what the server is supposed to be doing, to support our home network with everything it needs to function: files, media, calendars and so on. But each service means another bit of software running. With each software comes another open port. But wait, this is not a port open to the Internet, it’s just another port open in our safe internal home network. How could it do any harm?
Being closed to the Internet, for a safe home network with safe devices, these open ports mean nothing. Data leaves my laptop and gets to the home server and back. I am in my home, I should not worry about third parties snooping in on my network traffic. But this is the exact spot where I make a huge assumption: that every network participant in my house, every device I own and have connected to my home network, is safe, clean and uncompromised.
Of course we dealt with this in the past: the devices we are unsure of, like vacuums, washing machines, TVs and other “smart” technology, we keep isolated from our main network. We create a guest network and connect them there. This keeps my main network free of such trouble makers. But I still don’t get rid of the main assumption.
Assuming too much about safety
We wrote on this blog about a lot of software we should use daily or weekly to help us scan for compromised devices. Why should we do that since we own all devices that participate in our home network? Precisely because we cannot assume they are safe and well behaved. Software gets updated, bugs are fixed while others are created, and pieces of code we thought were perfectly safe for decades suddenly get exploited. This means safety is changing. What is safe today may be a hazard tomorrow.
That’s why we need to think about our home devices as potentially corrupt or exploited. I am not inviting paranoia here and we should not jump to conclusions. But I am saying that just because we took all precautions and made our network safe and fully inaccessible from the Internet does not mean it will always stay that way. It’s a good exercise to keep track of the connections made around the home network from time to time, and thinking little of such exercises is a sure invitation to a personal security nightmare.
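One way to start keeping track, as an added example that is not from the original post: the script below parses the Linux `/proc/net/tcp` table on the home server, lists the listening ports that other devices on the network can reach, compares them with a baseline you maintain, and shows which peers are currently connected to them. The sample table, the baseline ports and the addresses are constructed for illustration, and the decoding assumes IPv4 on a little-endian host (IPv6 sockets are in `/proc/net/tcp6`).

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (IPv4, little-endian host); not real data.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   120        0 20002 1
   2: 00000000:1FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20003 1
   3: 0A01A8C0:1FA0 3701A8C0:D2F0 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1
"""

LISTEN, ESTABLISHED = "0A", "01"   # kernel TCP state codes as printed in the table


def _endpoint(field):
    """Decode 'HEXIP:HEXPORT' as written by the kernel on a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (state, local_ip, local_port, remote_ip, remote_port) per socket."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        rows.append((cols[3], *_endpoint(cols[1]), *_endpoint(cols[2])))
    return rows


def audit(text, baseline_ports):
    """Compare LAN-reachable listeners with a baseline and list current peers."""
    rows = parse_proc_net_tcp(text)
    # A listener bound to 127.x.x.x is only reachable from the server itself.
    reachable = {p for st, ip, p, _, _ in rows
                 if st == LISTEN and not ip.startswith("127.")}
    peers = sorted({(rip, lp) for st, _, lp, rip, _ in rows
                    if st == ESTABLISHED and lp in reachable})
    return {"unexpected": sorted(reachable - set(baseline_ports)),
            "missing": sorted(set(baseline_ports) - reachable),
            "peers": peers}


if __name__ == "__main__":
    # On the server itself: audit(open("/proc/net/tcp").read(), {22, 8096})
    print(audit(SAMPLE, baseline_ports={22}))
```

Run it from time to time and treat any "unexpected" port or unfamiliar peer address as something to explain before adding it to the baseline.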
If a single device in the network is compromised, the way is clear for the attacker to access everything in it. All the trouble we took to make our data private is for nothing then. Calendars, photos, media, everything is fully accessible once a single device in the network is hacked. I will say it again: one single compromised device is all it takes for all our personal stuff to be open fully to an attacker.
Can we easily detect compromise?
So if the issue is this serious, let’s just find a quick and sure way to detect compromised devices in our network, right? We already talked about some ways we can monitor traffic in our network to get a benchmark and a sense of how it runs. Surely there must be a way to know precisely what the security status of any device participating in the home network is. But get ready for the disappointing reality check as the truth is a bit complicated.
First of all, sure, we have laptops and desktops in our network. We use the latest Fedora Linux fully patched and we don’t mess around with weird web sites. That’s all very nice and you may think you are doing a great job. But here’s the question: do you run Wine, the Windows compatibility API? Do you run Proton with Steam to play games? I know I do! Did you know that almost all Windows vulnerabilities are available to attackers via Windows compatibility APIs? But this is just the beginning. Let’s proceed further.
Maybe you don’t use Wine and maybe you are an expert Linux system designer who is excellent at securing their laptops and desktops. Maybe you use an anti-virus, able at least to give you some clue as to whether the system is compromised. But there is another home network participant that is much harder to check: your phone. Because phones rarely run Fedora Linux, they become a small black box for which you need to rely on their manufacturer for security. In this sense, they are not much better than your “smart” TV or washing machine. There is not a lot you can do to improve their security. There is also not a lot you can do to determine if they have been compromised or not.
As we said before, there is an easy fix for such devices: the guest WiFi network, a fully isolated network that stops any access to the real home network where all our files are. And for TVs and other weird accessories that’s fine because they don’t need our network files anyway. But this is not really the case for our phones when all our photos, music, calendars and documents are on the home server.
So yes, there may be a single point of entry from the Internet into our home network that we define, our VPN server, but this does not mean it cannot be simply bypassed using a compromised device that freely has complete access to everything we hold dear and private on the home server. Remember, hackers don’t care about the legal door inside our home server, they care about vulnerable devices that can be forced into an illegal behavior, enough to grant access.
What is the solution to all this? Understanding and benchmarking is the first step. But there is more, and we will talk next time about the alternative architecture, the “cloud”: what makes it safe and how we can learn from it. See you next time!