IoT network segmentation: Why your fridge and HVAC must be disconnected from the internet.

Smart devices and network security: The case for disconnecting your home appliances

The proliferation of smart devices, appliances and gadgets equipped with computing power and network connectivity, has rapidly transformed the modern home. From thermostats that learn your habits to refrigerators that track your groceries, the Internet of Things (IoT) promises convenience and efficiency.

However, a growing concern revolves around the necessity and safety of perpetually connecting fundamental home systems like your refrigerator, stove, microwave, HVAC (heating, ventilation, and air conditioning), and fans to the public internet.

Technically speaking, these appliances perform their core functions perfectly well without an external internet connection. This raises critical questions about data privacy, security, and user autonomy, especially as manufacturers increasingly ship devices with this connectivity built-in, on by default, and often without an easily accessible option to disable it, effectively eroding consumer choice.

The core argument against mandatory internet connectivity for basic household appliances rests on the principle of minimal necessary access. A refrigerator’s primary job is to keep food cold; a stove’s is to generate heat for cooking.

An internet connection offers marginal utility, perhaps remote diagnostics, recipe suggestions on a built-in screen, or remote preheating, that seldom justifies the security vulnerabilities and privacy risks introduced by the connection.

If a device’s essential operation does not require continuous internet access, why mandate it? This unnecessary exposure widens the attack surface of the home network, introducing potential entry points for malicious actors.

One VPN. Limitless possibilities.

Experience true freedom online. Gain unrestricted access to global content, block annoying ads, and safeguard your privacy with a fast and secure VPN.

The risks of unnecessary internet connectivity

Connecting every device in your home to the internet creates an interconnected ecosystem, but it also means that the security of your entire network is only as strong as its weakest link. Many smart home devices are developed with inadequate or rushed security protocols, a phenomenon often observed with budget or generic brands. This lax development can leave devices vulnerable to exploitation.

1. Data privacy and surveillance

Every connected device, by its nature, generates and transmits data. While a manufacturer might claim this data is used for “improved service” or “remote diagnostics”, the reality is that the data collected, including usage patterns, ambient room temperatures, cooking times, and possibly even audio or video if the device has a microphone or camera, can paint a detailed picture of your life. This data is valuable for marketing and could potentially be exposed in a data breach.

Furthermore, if a device is compromised, it could be used as a listening or viewing post within the home. The more devices connected, the more potential streams of personal data are exposed to the risks of aggregation and misuse.

2. Security vulnerabilities and backdoors

Poorly coded firmware or a lack of continuous security updates make many smart devices easy targets for cyberattacks. Unlike personal computers or phones that receive regular security patches, many IoT devices are shipped and forgotten. An exploited smart appliance can be used for a number of malicious activities, including:

DDoS attacks (distributed denial of service): Compromised devices, often without the owner’s knowledge, can be recruited into a botnet, a network of infected machines, to launch massive-scale attacks against websites or services. The Mirai botnet attack in 2016, which relied heavily on insecure IoT devices, is a prime example.

Lateral movement: Once an attacker gains a foothold on a vulnerable appliance, they can use it as a launchpad to scan and attack other, more sensitive devices on your local network, such as computers, network-attached storage (NAS) drives, or other personal devices.

Malicious intent and backdoors: Some devices, especially those from less-than-reputable manufacturers, may contain intentional backdoors, hidden security flaws that allow unauthorised remote access. These are often included for espionage or unauthorised data extraction, and they are particularly difficult for the average user to detect.

Reclaiming control: The ultimate security solution

Given the inherent risks and the lack of user control in modern device design, the most robust solution is to adopt a “zero-trust“ approach for network connectivity, especially for devices whose function does not demand internet access.

This involves the strategy of segmentation, or isolating “unsafe” devices onto a private, restricted network. The definition of “unsafe” in this context is broad, encompassing virtually all smart home appliances (fridges, fans, cameras, etc.) that aren’t critical computing tools like a primary phone or desktop computer.

The goal is to allow these devices to communicate locally within your home network enabling a smart light to talk to a smart switch, for instance, but prohibit their outbound communication to the public internet. This satisfies the desire for local “smart” functionality while eliminating the risks associated with external connections.

Option 1: Creating a separate, segregated network (VLAN)

The most technically sound and secure method is to set up a completely separate network segment, often utilising a VLAN (Virtual Local Area Network), dedicated solely to your IoT devices. This requires a router or a managed network switch that supports VLANs.

1. Invest in VLAN-Capable Hardware: You’ll need a router or firewall (like those running open-source firmware such as pfSense, OpenWrt, or advanced consumer models) that supports network segmentation via VLANs.

2. Define the IoT Network (VLAN): Access your router’s administration interface and create a new VLAN (e.g., VLAN ID 10) for your smart devices. Give this network a separate SSID (Wi-Fi name) and a unique IP address range (e.g., 192.168.10.x).

3. Implement Firewall Rules: This is the critical step. On your router/firewall, configure Access Control Lists (ACLs) or firewall rules for the IoT VLAN (VLAN 10).

Rule 1 (Allow local communication): Create a rule that allows traffic within the VLAN (source: 192.168.10.x, destination: 192.168.10.x). This keeps the smart devices talking to each other for local control (e.g., Apple HomeKit or Matter local connectivity).
Rule 2 (Block internet access): Create a rule that explicitly denies all traffic originating from the IoT VLAN (source: 192.168.10.x) from going to the WAN (Wide Area Network) interface (the internet). This is a “default deny” posture for internet access.
Rule 3 (Allow specific exceptions, optional): If you absolutely must allow an appliance to get firmware updates or use a specific cloud feature, you can create a highly specific, temporary rule allowing traffic from a single device’s MAC address or static IP address to a manufacturer’s known update server on the internet.

4. Connect devices: Connect all your smart appliances (fridge, stove, HVAC, cameras, etc.) only to this new, isolated Wi-Fi network (the IoT SSID). Your phones, tablets, and computers should remain on the primary, trusted network.

Option 2: Restricting access on the router (MAC filtering/firewall)

For users with a less-advanced router that does not support VLANs, a simpler, though less robust, method is to use your existing router’s firewall or access control features to block specific devices.

1. Identify device MAC addresses: Go into your router’s client list and find the MAC address (a unique hardware identifier) for each smart appliance you want to restrict (e.g., the smart fridge, the camera, the AC unit).

2. Assign static IPs: Assign a static local IP address (e.g., 192.168.1.50) to each of these MAC addresses within your router’s settings. This makes the firewall rule more reliable.

3. Configure access restriction: Locate the Firewall, Access Control, or Parental Controls section of your router’s settings.

Look for an option to block internet access based on a device’s MAC address or its static IP address.
Set the rule to deny all WAN/internet traffic for the specific IP addresses or MAC addresses of your restricted smart devices.

This method achieves the same result—local functionality remains, but internet access is blocked without the need for advanced networking gear. It is, however, dependent on your router’s feature set and often less flexible than a full VLAN setup.

Why use a VPN

SECURITY: Our secure VPN sends your internet traffic through an encrypted VPN tunnel, so your passwords and confidential data stay safe, even over public or untrusted Internet connections.

PRIVACY: Keep your browsing history private. As a Swiss VPN provider, we do not log user activity or share data with third parties. Our anonymous VPN service enables Internet without surveillance.

FREEDOM: We created ProtonVPN to protect the journalists and activists who use ProtonMail. ProtonVPN breaks down the barriers of Internet censorship, allowing you to access any website or content.

Get ProtonVPN Now

The matter standard: A glimmer of hope

While the current landscape often forces users into complex security workarounds, the industry is moving toward standards that prioritise local control and improved security. Matter, an open-source connectivity standard backed by major technology companies, aims to unify the smart home and, crucially, to heavily rely on local connectivity (via Wi-Fi, Thread, or Ethernet) whenever possible.

Devices adhering to the Matter standard are inherently designed to operate and communicate effectively without constant reliance on the cloud or external servers. This emphasis on local communication, coupled with a standardised security framework shared across hundreds of brands, offers a much-needed assurance that future devices may be safer and less dependent on continuous internet access for their core “smart” features. For consumers prioritising security and privacy, seeking out devices that use and actively maintain open standards like Matter is a proactive step toward a safer smart home.

In conclusion, the path to a truly smart and secure home requires vigilance. The convenience of an internet-connected refrigerator simply doesn’t outweigh the risk of an insecure entry point into your private network. By employing network segmentation or explicit access blocking, consumers can take back control, ensure their appliances only do what they were built to do, and uphold the sensible policy that if a device works perfectly without the internet, it shouldn’t be connected to it.

_____________________