Use multiple VLANs and SSIDs, and only punch holes or route between them (and to the WAN) if/when absolutely necessary.

It does make it harder to use these things. Some things may even become impossible to use effectively.

The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.

But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.

So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.

Consumer vendors for routers/firewall combos are trash, but I think they'd go a long way in helping people by having an easy to turn on IoT vlan.

Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.

Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.

Unfortunately users are very adverse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.

Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and wave them when it's a "legit brand" that gets compromised outside of the users control? Pressure would need to be done on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.

I'm surprised how many people are happily buying and using WiFi smart lamps from questionable origin. It would be somewhat hilarious if Western internet gets sabotaged by lightbulbs in the case of a military conflict.

But yeah, it's hard to secure home networks. One step would be if expert users and ISP boxes would make a separate WiFi network/VLAN for IoT devices. Second, there should be more regulation and education about not connecting crap devices to your network and/or Western sellers (Amazon, Best Buy, etc.) should be liable if they continue selling a device once it is known that it is malicious.

You should not assume that no one on your network is compromised. This is part of the thinking behind 0 trust.

> Trusting a random vendor, even on your home network, seems crazy.

Random vendors who promise unlimited free streaming, no less. Even if they're pirating the content, video streaming infrastructure still costs good money to run, so they're obviously making up for it by monetizing the boxes in some other way.

You can use a diy mini pc with OpnSense for a router along with a dedicated AP box... most commercial AP boxes can configure for separate SSIDs and VLAN configurations... this can allow you to monitor, configure and block certain access to the devices on your network into different trust groups.

Also, just having a pihole configured for your dhcp dns helps a lot with some traffic, but it can interfere with some legit services (CBS was a really bad one in my experience).

That said, if you don't have the technical skills or desier to learn these things... as you said, don't buy anything that gives you "easy" or "cheap" access to pirate content. It is pretty crazy.

>But how do you secure a home network?

Not being glib, but by not buying "smart" devices whatsoever. Manual streaming boxes might actually stop being viable for Linux as different services crack down. But, if you cared about privacy or security you wouldn't roll the dice with this stuff. I don't mean that in a rude or self-righteous way. Rather, I think people don't really care about privacy or security very much. Giving up streaming sounds like a big sacrifice to a lot of people, but if you contrived some scenario (really just for the sake of the argument) where your streaming devices were giving your kids mercury poisoning, you'd have no trouble giving them up. (and giving them up would really be the least of your worries) You might complain that mercury poison is not even remotely similar in severity it privacy or security concerns, and you'd be correct. But, that's the point I'm making. If people really cared about these issues then abstaining would be an easy decision. People claim to care, but don't actually take any action, and so I think they don't actually care that much.

That's a little over reaction.

Most wifi routers have a guest network mode, that does the first few good steps.

Devices on the guest network can't see or ping devices on your main home network.

But... if appropriately configured the home network should be able to see the devices on the guest network.

There's a few great guides out there that help plan out your home network for such undertakings.