anderpf
Feb 06, 2026 Guide
RS600 latest version, 1.0.6.16 IoT network works like a Guest Network
Well, I got all excited about the new IoT network capabilities in 1.0.6.16. I moved a couple of devices to the new IoT network, and they connected to the internet. Then connected my phone to the IoT ...
StephenB
Feb 18, 2026 Guru - Experienced User
schumaku wrote: This must be a bigger security flaw (not only in my opinion).
Well, here are the challenges:
- Installation of many of these IoT devices requires that the IoT device connect to a phone or PC during the installation process (and often shifting them to a new network requires re-installation). These devices can't be installed to an isolated network. To be sure, that is a flaw with those devices, but it is a fairly common one. An increasingly common design is to use Bluetooth for installation and management. But in some ways that just increases the attack surface.
- Some classes of IoT devices require ongoing local connections. For instance, smart TVs and media streamers. (Note these are considered at the top of the list of risky IoT devices).
As far as threats go, I think the risks for a home user are somewhat different from enterprise, due in part to the smaller scale, and in part to the difference in "sensitive IT systems". While I get the goal of network segmentation, I think it is not as useful in home deployments. Just my opinion (and I know that many will disagree).
One class of threats is grounded in what the IoT devices inherently know or do. Smart thermostats know when a home is occupied, and when it is not. A smart lock knows when the doors are locked and when they are not. Wireless security cameras can provide video and audio, and arm/disarm status also provides information on occupancy. Smart TVs know what you watch and when you watch it. Isolating the devices to an IoT network doesn't mitigate this class of risks, since the IoT devices can communicate it directly to cloud servers. Control of IoT devices by bad actors similarly isn't mitigated by isolation. A compromised smart lock can open the door whether it is isolated or not.
Another class of threats is that compromised devices can be assembled into a botnet that can be used in denial of service attacks. These are rarely aimed at the owner (on a home network), and won't generate enough local traffic to disrupt the home user. Not a good thing to be sure, but again, isolating the devices to an IoT traffic doesn't mitigate the threat.
The threat you are likely concerned about is that more capable IoT devices can gather information from other devices on the home network. TVs and media streamers are the most worrisome here, since they are the most capable IoT devices in most homes. But these devices often need access to local media servers (DVRs provided by the service provider, or home servers with user-owned content). So while isolation will mitigate the threat here, most users won't install them to an isolated network because they want the features that require local access.
So in general, I think that the devices home users can/will connect to their IoT networks are the ones where isolation offers the fewest security benefits to the home user.
schumaku
Feb 18, 2026 Guru - Experienced User
StephenB wrote: Installation of many of these IoT devices requires that the IoT device connect to a phone or PC during the installation process (and often shifting them to a new network requires re-installation). These devices can't be installed to an isolated network.
Undoubtedly, these must be temporarily connected to a network without isolation in place.
Once configured, the possible attack vectors are marginal or not existing at all - only an outgoing Internet connection with some encrypted traffic in a tunnel is required.
StephenB wrote: For instance, smart TVs and media streamers.
For obvious reasons, like a NAS or a DAS, a physical or logical connection is required for the function of these devices. These don't belong to an IoT network - as doing so renders a lot of functionality mostly useless, like methods to Stream to TV or Cast to Media Player ...
StephenB wrote: For instance, smart TVs and media streamers. (Note these are considered at the top of the list of risky IoT devices).
There was a long-standing issue with devices coming from the factory or some intermediate bad guys, with preinstalled malware, like a botnet connection.
These are not typical IoT, because these have a user interface, typically on screen, with a remote control...
StephenB wrote: While I get the goal of network segmentation, I think it is not as useful in home deployments.
You said it all. However, if a manufacturer offers these kinds of features (IoT network, Guest network, ...) there should be a control to disable the isolation feature - but it has to be disabled by default - and come with a clear warning what disabling it means...
StephenB wrote: An increasingly common design is to use Bluetooth for installation and management. But in some ways that just increases the attack surface.
Not much surface exposed there, except for the ubiquitous ... users not changing the default PINs, or the attack on the Google Fast Pair Service (GFPS) utilizing Bluetooth Low Energy (BLE) to discover nearby Bluetooth devices. Many big-name audio brands use Fast Pair in their flagship products, so the potential attack surface consists of hundreds of millions of devices. Mitigation? Update all these devices on a regular basis...
StephenB
Feb 18, 2026 Guru - Experienced User
schumaku wrote:
You said it all. However, if a manufacturer offers these kinds of features (IoT network, Guest network, ...) there should be a control to disable the isolation feature - but it has to be disabled by default - and come with a clear warning what disabling it means...
I agree that the controls should be available, and that the implications of enabling them should be clear. Not fully convinced on the default settings, but no objection.
On the whole I think network segmentation is a stop-gap; what is really needed is secure IoT devices. Getting there from where we are likely requires legislation and compliance testing.
schumaku wrote:
These are not typical IoT, because these have a user interface, typically on screen, with a remote control...
Hard to say exactly where the boundary for IoT devices is. FWIW, some reports I've seen include NAS in their IoT classification, but IMO that is just wrong.
I've read a few recent reports on issues with IoT security, and vulnerabilities in smart TVs and media streamers are at the top of all of them. I think that is in part due to the fact that these devices have fairly capable processors. But also the market penetration, since almost every home has at least one. And a lot of enterprise conference rooms have smart TVs.
schumaku wrote:
Once configured, the possible attack vectors are marginal or not existing at all - only an outgoing Internet connection with some encrypted traffic in a tunnel is required.
Often, but not always. For example, PoE and wireless security cameras often connect to a local NVR.
Cloud based cameras (for instance Arlo) will stream over the local network when possible. Many users want that - people using internet services with a data cap, and people who really don't want their video stored on a cloud server