I saw a video from Mister Lawrence about putting the device in the IoT VLAN.
Insecure devices with insecure devices, right?

But a phone is a bit more personal, do you really want your phone in there?
What is best practice, just put it on the office network or a separate VLAN? (Phone/PC less easy to communicate…

I think that your phone is the weak link, right, so adding it to a VLAN with devices/data you don’t want interfered with probably isn’t a good idea. I keep my Android devices on an IoT VLAN, or in the case of a tablet I don’t have any additional apps installed which I use on my main VLAN.

My problem is that I have no idea what is going on with my phone, and in fact have no idea where to even begin; as soon as I switch features off, apps start crashing.

Phones are IoT devices, and also modern phones are designed to be secure on unknown networks and don’t accept incoming connections.

A phone is made to be used in insecure environments. When you’re on the road, it’s on your mobile provider’s network, and when you’re on someone else’s Wi-Fi network (which I wouldn’t do), you’re dependent on the security of that network.

The biggest threat on your phone is all the apps you probably have installed that connect to all sorts of services. If you want more security, you should install as few apps as possible, use as few services as possible and avoid all the IoT stuff that is automagically configuring things via some cloud service. And if you do use such services, you should probably not control them with the same device which you are using for sensitive data.

Otherwise putting the phone in a separate network is not of much use, because your phone would still be the place where everything is linked together. This means the biggest risk is, just like with desktop PCs, that a malicious actor would grab sensitive data directly from your phone, by using some compromised service or a malicious app. In comparison, it is much less likely that some other device on your network could be used as a starting point to hack your phone.

I understand you. But IoT is sometimes called the “internet of insecure things”. A phone is more vulnerable among other IoT devices since they reside in the (most unsafe) common subnet. A hacker could start a TCP session from a compromised IoT device since the broadcast domain is the same; the phone will probably react to the three-way TCP handshake and could be targeted with a malicious payload.

Am I wrong here? Should you not be better off with a VLAN just for phones and no other hosts in it?

Or should client isolation be enough when putting it in the IoT VLAN?
I regularly watch YouTube videos and see inconsistent use of where to put your phone regarding VLANs…
(I have always had the thought “if Mr. Lawrence says it, it is true”.)

Well, I guess it depends on what you count as an IoT device, and what devices you have. The only IoT devices I use are multimedia related: Smart TV, Nvidia Shield, audio receiver, Plex server etc., which I keep in a separate VLAN together with my phones and tablets.

I have separated my network as follows:

LAN → PCs and laptops
IoT → TV, receiver, phones, tablets, Plex server…
PUBLIC → public-facing services like Nextcloud, XMPP server etc.
INTERNAL → various internal services
SERVER → my Proxmox VM hosts
STORAGE → TrueNAS, Proxmox Backup Server
MGMT (no internet access) → management interfaces of my network devices, IPMI interfaces etc.
PCMGMT (no direct internet access) → jump host that has access to all networks
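One way to enforce the segmentation listed above on a Linux router, as an added example that is not from this thread or any poster's setup; the VLAN sub-interface names, management ports and the existence of a separate nat table for the PUBLIC port-forwards are assumptions.

```nftables
# Added example, not from the thread. Assumes a Linux router with one 802.1Q
# sub-interface per segment; interface names and port numbers are assumptions.
flush ruleset

define WAN      = eth0
define LAN      = eth0.10
define IOT      = eth0.20
define PUBLIC   = eth0.30
define INTERNAL = eth0.40
define SERVER   = eth0.50
define STORAGE  = eth0.60
define MGMT     = eth0.70
define PCMGMT   = eth0.80

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # The router itself is managed only from the jump-host segment
        iifname $PCMGMT tcp dport { 22, 443 } accept
        # DHCP and DNS from every internal segment (MGMT has no uplink but still needs both)
        iifname != $WAN udp dport { 53, 67 } accept
        iifname != $WAN tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies flow back only for sessions opened in an allowed direction
        ct state established,related accept
        ct state invalid drop
        # PCMGMT: the jump host reaches every segment but has no direct internet
        iifname $PCMGMT oifname != $WAN accept
        # Internet for everything except MGMT, STORAGE and PCMGMT
        iifname { $LAN, $IOT, $PUBLIC, $INTERNAL, $SERVER } oifname $WAN accept
        # Trusted LAN opens sessions toward media, internal and public services;
        # IOT (phones, TV, Plex) never gets to initiate toward LAN
        iifname $LAN oifname { $IOT, $INTERNAL, $PUBLIC } accept
        # Proxmox hosts back up to TrueNAS / PBS
        iifname $SERVER oifname $STORAGE accept
        # PUBLIC is reachable from the internet only via port-forwards defined
        # in a nat table (assumed, not shown); nothing else crosses inbound
        ct status dnat oifname $PUBLIC accept
        # Everything else, e.g. an IOT device probing LAN or MGMT, is logged and dropped
        limit rate 5/minute log prefix "vlan-drop: "
    }
}
```

This only governs traffic between segments: the same-subnet case raised earlier in the thread (a compromised device reaching a phone inside the IoT VLAN) never passes the router and needs client isolation on the access point or switch instead.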