Here’s an uncomfortable truth that’s been nagging at me since March: millions of knowledge workers are now connecting to corporate networks from home, and their home networks are increasingly populated with IoT devices that have the security posture of a wet paper bag. Smart speakers, security cameras, robot vacuums, smart plugs, connected appliances — all sharing a flat network with the laptop that has VPN access to production systems.
The numbers tell the story. Smart home device sales have surged during lockdown, with IDC reporting strong growth across smart speakers, connected lighting, and home security cameras. People stuck at home are buying devices to make their environment more comfortable and controllable. That’s perfectly rational consumer behavior. But from a security perspective, every one of those devices is a potential entry point.
The Flat Network Problem
Most home routers create a single, flat network. Every device — your work laptop, your kid’s tablet, the Ring doorbell, the Philips Hue bridge, that off-brand smart plug you bought for €8 — sits on the same subnet, can discover each other, and can communicate freely.
This is fundamentally different from a corporate environment where network segmentation, VLANs, and firewall rules provide defense in depth. In the office, a compromised IoT device in the break room can’t reach the development servers because they’re on different network segments. At home, a compromised IoT device can potentially reach your work laptop, and through the VPN, your employer’s infrastructure.
The attack path is real, not theoretical. Research presented at Black Hat and DEF CON over the past few years has repeatedly demonstrated that consumer IoT devices can be compromised via firmware vulnerabilities, weak default credentials, unencrypted local APIs, and supply chain manipulation. Once compromised, they can perform ARP spoofing, DNS hijacking, or direct network attacks against other devices on the same subnet.
What’s Actually Running on Your Network?
I spent a rainy Sunday afternoon running nmap scans against my own home network, and the results were educational. Beyond the devices I expected, I found:
- A network printer with a web interface running an unpatched HTTP server
- Two smart plugs phoning home to servers in regions I’d rather they didn’t
- A smart TV making regular connections to advertising and analytics endpoints
- An old Raspberry Pi I’d forgotten about, still running Raspbian with default SSH credentials
That last one was particularly embarrassing for someone who writes about security. But it illustrates the problem: home networks accumulate devices over time, and there’s no equivalent of an enterprise asset inventory or patch management system keeping track of them.
The Shodan search engine regularly catalogs millions of IoT devices directly accessible from the internet — UPnP-enabled routers that have punched holes in the firewall, IP cameras with default credentials, network-attached storage with known vulnerabilities. If your home router has UPnP enabled (it probably does, by default), your IoT devices may be making themselves accessible from the internet without your knowledge.
The Enterprise Response (So Far)
Some organizations are responding to this reality. I’ve seen a few approaches:
Split-tunnel VPN: Instead of routing all traffic through the corporate VPN, only route traffic destined for corporate resources. This reduces the exposure but doesn’t eliminate the risk of a compromised device on the local network attacking the work laptop directly.
Always-on endpoint detection: Deploying EDR (Endpoint Detection and Response) tools on corporate laptops that monitor for suspicious local network activity. This is probably the most practical approach, but it adds overhead and complexity.
Network segmentation guidance: Some IT departments are publishing guides for employees on setting up guest networks for IoT devices, separate from the network used for work. Modern consumer routers often support guest networks, but they’re rarely configured.
Zero-trust networking: The most forward-looking approach — treat every network as hostile, authenticate and encrypt every connection, and never trust the network layer. Products like Cloudflare Access, Zscaler, and Google’s BeyondCorp implementation represent this direction. But adopting zero-trust is a significant architectural change that most organizations are still evaluating.
Practical Steps for Developers
If you’re a developer working from home — and statistically, you probably are right now — here are concrete steps to reduce your exposure:
Segment your network: Use your router’s guest network feature to isolate IoT devices. Put your work laptop and any devices you actually trust on the primary network. Everything else goes on the guest network with client isolation enabled.
Disable UPnP: Turn off Universal Plug and Play on your router. Yes, some devices will complain. That’s fine. Manual port forwarding for the few things that genuinely need it is vastly more secure than letting every device punch holes in your firewall.
Audit your devices: Run a network scan. Know what’s on your network. If you find devices you don’t recognize or can’t account for, investigate. Tools like Fing make this easy even without command-line expertise.
Update firmware: Check for firmware updates on your router, your smart home hub, and your most critical IoT devices. Set a calendar reminder to do this monthly. Yes, it’s tedious. So is incident response.
Use a Pi-hole or DNS-based filtering: Running a Pi-hole on your network gives you visibility into what your devices are doing and the ability to block unwanted connections. The telemetry from some IoT devices is eye-opening.
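The "audit your devices" step, and the rainy-Sunday nmap scan earlier in the post, are the home-network stand-in for an enterprise asset inventory. Below is an added example (mine, not code from the original post) that turns a saved `nmap -oX` scan into exactly that: it parses the XML, compares each live host's MAC against a small inventory of devices you knowingly put on the network, and flags anything unknown plus any host listening on a service that should not be reachable from the segment your work laptop uses. The inventory, the risky-port list and the embedded scan output are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Inventory of devices we knowingly put on the network, keyed by MAC (assumed values),
# and services that should not be listening on the segment the work laptop shares.
KNOWN_DEVICES = {"00:00:5e:00:53:01": "work laptop", "00:00:5e:00:53:02": "hue bridge"}
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 445: "smb", 5900: "vnc"}

# Constructed nmap -oX output (not a real scan); MACs are from the IANA documentation range.
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:01" addrtype="mac" vendor="Example Laptops"/><ports/></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:20" addrtype="mac" vendor="Example Printers"/>
<ports><port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.30" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:30" addrtype="mac" vendor="Example SBC"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
<host><status state="down"/><address addr="192.168.1.40" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one dict per live host: ip, mac, vendor and its sorted open TCP ports."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # nmap lists hosts it could not reach; skip them
        entry = {"ip": None, "mac": None, "vendor": "unknown vendor", "open_ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr").lower()
                entry["vendor"] = addr.get("vendor", entry["vendor"])
        entry["open_ports"] = sorted(int(p.get("portid")) for p in host.findall("ports/port")
                                     if p.find("state").get("state") == "open")
        hosts.append(entry)
    return hosts

def audit(hosts, known=KNOWN_DEVICES):
    """Flag hosts missing from the inventory, then risky services on every host."""
    findings = []
    for h in hosts:
        label = known.get(h["mac"], "UNKNOWN")
        if label == "UNKNOWN":
            findings.append(f"UNKNOWN {h['ip']} ({h['mac']}, {h['vendor']}): investigate")
        for port in h["open_ports"]:
            if port in RISKY_PORTS:
                findings.append(f"{h['ip']} [{label}] listens on {port}/{RISKY_PORTS[port]}")
    return findings
```

Run it against a real scan of your own network with `nmap -sS -oX scan.xml 192.168.1.0/24` (as root, so MAC addresses are captured) and feed the file's contents to `parse_nmap_xml`; a monthly diff of its output is a cheap way to notice the forgotten Raspberry Pi before someone else does.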
My Take
The collision between consumer IoT and corporate security was always coming. The pandemic just compressed the timeline from years to months. Most organizations’ security models assumed that employees would connect from relatively controlled environments — corporate offices, maybe a simple home setup with a laptop and a phone. The reality of 2020 is that employees are connecting from networks populated with dozens of devices of varying provenance and security quality.
I don’t think the answer is banning IoT devices or trying to control employees’ home environments — that’s impractical and invasive. The answer is the one the security community has been advocating for years: zero-trust networking, strong endpoint security, and defense in depth. The assumption that the network is safe was always questionable. Now it’s clearly untenable.
The IoT industry also needs to step up. We’re still seeing devices shipped with default credentials, no automatic updates, and end-of-life support measured in months rather than years. The EU’s proposed cybersecurity labeling scheme for IoT devices can’t come soon enough. Until then, every device on your home network is a liability until proven otherwise.
