Smart Thermostat - Passing and Blocking Data

coffeecup25 · May 26, 2021, 8:58 PM

I plan to install an ecobee3 lite wifi thermostat soon. It's low cost thanks to a $100 electric company rebate. My concern is iot security as it is rumored to be.

I think it will be no big deal. Advice welcome.

Every device on my network has a static address. The ecobee3 will also have a static address. I plan to make sure it can only address Android phones and not the home servers or any other device. A rule or set of rules should do it I believe ... Pass to Android, block to everything else on LAN. Is it that easy?

Assuming the worst, can a linux thermostat access a windows server using smb? Or would the mfgr remove that feature as unneeded? What are the real world problems. Seriously .... not hysterical replies from someone just guessing? Yes, also I know about the deep voices coming from baby monitors.

I also plan to use 2FA on the ecobee3.

Thank you.

KOM · May 26, 2021, 9:28 PM

@coffeecup25 Create a new IoT SSID, vlan on the AP and vlan on pfSense then put all these smart nonsense devices on that network. This assumes you're using a decent AP that supports multiple SSIDs and vlans. If your network is currently flat then you can't isolate with firewall rules. You need to create a new network, put the ecobee, smart tv, roku etc on it and then you can manage intra-network traffic with firewall rules.

coffeecup25 · May 26, 2021, 10:46 PM

I can do that. In fact, I already have a VLAN prepared.

But, why go to all that trouble if a couple of rules can do the job?

That's the original question.

My research has turned up VLANS, hysterical non answers, over-complicated gobbledygook, talking baby monitors, and nothing very useful in the real world.

What real world risks exist with a wifi thermostat that don't exist with my ROKU, which exists happily on the LAN. And can they be realistically eliminated by some LAN rules?

Assume ecobee is hacked, what might they realistically be able to get at on my network? Can rules help?

KOM · May 26, 2021, 10:43 PM

@coffeecup25 In general, yes, firewall rules can control traffic that passes between networks. It can't control clients on the same network talking to each other.

coffeecup25 · May 26, 2021, 10:54 PM

@kom

Assume LAN rule. ecobee specific address ok to talk to android phone, specific address.

Assume LAN rule, ecobee specific address blocked from LAN all addresses all protocols.

Rules list goes on normally after that.

This looks like ecobee can communicate with WAN, android phone and nobody else.

pfsense allows this quite easily. Does it work as I think it does?

How does ecobee talk to anything else in that config?

SteveITS · May 26, 2021, 11:01 PM

@coffeecup25 said in Smart Thermostat - Passing and Blocking Data:

How does ecobee talk to anything else in that config

On which network is the ecobee and the Windows PC? If they are both on LAN, then it can talk directly to the IP of the PC, and the packets will not touch pfSense at all. To have pfSense route/block traffic the packets have to go through pfSense, so they have to be on separate networks with pfSense in the middle.

coffeecup25 · May 26, 2021, 11:08 PM

@steveits

Got it.

They're talking over the switch. Thanks.

VLAN or don't use as wifi thermostat are only choices unless I leave on home LAN.