I also can't imagine letting an internet connected anything in my home, and I keep all internet electronics in one room. Sure, other people can live in a surveillance zoo, but I prefer to keep mine limited.
If it has a circuit, stow it.
So far I've been lucky with cheap zigbee devices but these seem to be getting phased out in favor of locked in items...
and before people suggest - no, I don't have the willingness to build/maintain my own devices with raspberry pis or ESP etc
They support HomeKit and while their own API technically isn't open, it's documented and has libraries to interact with it programmatically.
Errors. A screen full of errors barfed everywhere. I look at the repository for some basic debugging, and without some serious dedicated time, I can't fix the issue.
This is why people don't want to fiddle with a Pi for these things. Time is dedicated to get the system up, but you're not given any kind of guarantee that it will work out of the box.
The BT510 has crazy range and has only dropped 10mV of battery in 14 days.
It CAN be done, because sensor makers have no interest in reporting home: costs are too high!
We need more open source projects to enable people to automate their homes with a list of suppliers who provide "dumb" edge node sensors.
I get the frustration, but this is a narrow perspective. _Consumer_ IoT is still waiting for some good use cases. But IoT touches a lot more industries than that: medical, earth science, manufacturing, heavy industrial, logistics, energy... they are all being improved with useful IoT solutions. And we need solid security in all these areas, not just the home.
I'd also note that privacy and security, while related, are separate issues. Most IoT solutions don't factor in either concern well.
Who is we who need solid security?
I haven't met them. They don't sign a check for security. They don't do anything other than put "Security" on a PowerPoint slide and forget about it.
We make our shipping IoT stuff secure because it's a point of pride and point of competence. But we built the whole architecture around that idea, and it definitely slowed us down at the start.
Until people start cutting checks for actually secure IoT, it's going to remain a giant field of cow dung.
It’s heating and cooling, transport, and food. Maybe cement as well. If you buy a new conventional car, I have more to question you on climate change over.
It’s important that everyone Reduce, Reuse, Recycle properly in order to reduce our impact to the environment.
Maybe that's still not much compared to other industries, but in the context of the conversation here, it's still something that an individual who might complain about climate change does have a little control over. I mean, if I complain, but then don't change MY behaviour, even if that change wouldn't by itself change anything, why should I expect companies to change theirs?
The joke is that there is no S, which means you're saying we shouldn't stop buying.
I am totally worried about the day it will break down.
I’ve dramatically slashed my personal gadget footprint. Phone, watch cause I like the exercise data, a Linux box I barely touch, old iPad for movies and video chat.
I pickup the guitar rather than sit at the TV or computer. Learning an instrument connects both sides of the brain like no other skills based activity.
No ads, acoustic road trips easy enough, no worry about charging, smart speakers would hear some bad covers of Wonderwall.
It’s a life changing experience.
So when the TV breaks, maybe consider replacing it with $500 digital piano to get weighted keys and decent built in sound instead of paying for an ad distribution device.
My friend recently got a new TV and I was appalled at the controls, picture (soap opera effect), "smart features" (how it instantly goes into this app like experience that you can't ever get out of). So many things bother me about modern TVs. If my TV ever dies, I don't know what I'll do.
Every month or so, they would make a video about the ongoing projects and show what kind of features are already available. Partner with manufacturer companies that can provide pre-assembled systems. For those that don't care about the DIY part, offer a subscription-based option where they can get early review units, prioritize their change requests, troubleshoot support, personalization options, discounts for bulk buys, etc.
The revenue from these subscriptions should be more than enough to fund the team of open source developers/designers and to make up for the "lost" revenue of a video made that is sponsored by any of the big tech companies. The most interesting though would be to see if this could lead to a change in consumer demand: could an influencer change the public's perception of what is really "hot"? Would we start seeing things like "/r/mechanicalkeyboards" for all sorts of products like TV panels, wireless speakers, home automation light systems, F/OSS-based smartphones?
Home automation is a mess, IoT or not. There are standards like KNX, but the problem is the same as it was 30 years ago when the idea of home automation arose: manufacturers want captive markets and can't agree on a single standard. As a result, I can't buy any A/C unit, rolling shutter, light fixture and thermostat and just connect them to my home network; the selection of "smart" appliances is actually very limited.
I mean, home installation is thought out on the scale of decades, because renovation is a pain. People want something simple and reliable, that is the reason why some taps, switches, sockets, etc... are 10 times more expensive than others while looking the same and people still buy them. It is the complete opposite from what Silicon Valley is pushing.
There's a discussion to be had on placing every basic action of our daily lives on a finicky smartphone.
I think it's only a matter of time before we start seeing more and more of these things with built in cellular modems which can't be disabled. Makes me want to start stockpiling older technology in order to prepare for a time when every single available lightbulb, washing machine, TV, or vacuum cleaner has to be online all the time and controlled by some privacy destroying app.
I'm only half joking when I say that I can imagine a future where something purely mechanical is considered the height of luxury. Look at this! A door lock with a metal key which doesn't log and transmit the comings and goings of your family and friends. Incredible! If only we could afford such a thing, but there are only a few artisans left in the world who can make them...
Instead it's a mish-mash of bespoke proprietary smartphone apps that have terrible security and privacy practices.
Apple makes IoT devices with reasonable default security, but they're also as proprietary as proprietary gets.
...but you can order your IoT to "set a mood" from your phone or speaker and have 5-6 lights in your house change color and some Barry White start playing like some cheesy 70s playboy's penthouse.
Who wants to go back to physically walking to close a light? Walking? We've got expensive treadmills we've bought for that purpose!
Your hearing must be better than mine! I didn't hear Todd Weaver, the author of this blogpost, complain about climate change.
IoT thermostats can save a ton of carbon emissions, and spying seems to have nothing to do with climate change. Just put it all on a separate subnet and you can solve a lot of the spying/vulnerability issues, though not all.
Out of curiosity, how often is your smartphone resting on a surface within reach @home?
It's just a way of living where you don't give other people a free 24h real time option on your attention.
Helps me sleep (not really. I can’t sleep. Help.)
>In 1975, the first general purpose home automation network technology, X10, was developed. It is a communication protocol for electronic devices. It primarily uses electric power transmission wiring for signalling and control, where the signals involve brief radio frequency bursts of digital data, and remains the most widely available.[4] By 1978, X10 products included a 16 channel command console, a lamp module, and an appliance module. Soon after came the wall switch module and the first X10 timer.
Of course electronics have progressed immensely in 45 years, so we can now do a lot more with a lot less.
I still feel like very little has changed in practice though. I find myself actively avoiding "smart" equipment, both because it's overpriced and a bit of a pain to use in my experience. They all have their own software stack, their own apps (which are often cloud-based instead of running locally, adding all sorts of privacy issues) etc...
On top of that you never know when the company is going to go under or stop supporting your device, leaving you with a not-so-smart device in the best case, or a useless plastic brick in the worst.
Don't buy some garage opener that requires internet access to control your garage; hook a smart relay into the existing garage opener.
Make sure there's a physical remote for your TV or sound system in addition to phone control. You can buy third party remotes just for this purpose.
Etc., etc., etc.
Pretty much any smart home project can be done in a way that keeps all physical control in place. Yes, it costs a little more and requires a little more work, but it's the only reasonable solution.
This is what I do. I insist that any “smart” whatever be strictly additive; that is, it must only add functionality but not remove anything. I will never buy a product that can’t be controlled physically or that requires Internet access. The net result is pretty great!
Never again. I only have a couple of cloud controlled devices but never again - I'll either have something that can be controlled without any reliance on the cloud whatsoever or I'll just continue to go without that thing being automated. I really can't think of anything that would not be automatable without the cloud.
I have ordered new thermostats that are electronic and support daily/weekly schedules, but have no networking aside from Bluetooth, which you have to manually turn on via a button on the thermostat, if you want to make changes to their programming.
Aside from that they function more or less like the good old manual thermostats, you turn a dial to select the temperature you want, but they display the selected temperature in degrees instead of a scale from 1 to 5, and they automatically turn down the heating if they sense a temperature drop when you open the windows to air out.
Intelligent but not "smart" thermostats. If the app disappears for some reason or you just don't want to use it, they will still function just fine as an improved version of the old-fashioned manual thermostats. According to the manufacturer, they also calibrate themselves to know when to turn on and off to match your programmed schedule, based on how quickly your house heats up and cools down, and something about finding the exact position at which your radiator valve opens, for more precise control. Nifty stuff and it still doesn't require an internet connection or a nebulous cloud account.
If I'm renting a place, swapping out the light bulbs is feasible; swapping out the light switches is not.
The other thing is my thermostat, where it's mainly convenience to control it remotely via my phone. I'm not comfortable with it; it has a dongle directly in my router, giving the company behind it access to it and its data. I mean the charts are convenient, but I think the whole thing could be made offline as well. Anyway, that one has a simple screen (LED light matrix?) and touch buttons so anyone can adjust the temperature until the next time block, making just the unit without the app as useful as the old dial thermostat it replaced.
Final 'smart' thing I have is my wifi router, which I can manage via my phone; a big improvement over the old router/modem which had a very 2000s-looking web interface.
With this kind of stuff, it always makes me wonder why it's there in the first place. Surely there's not much demand for touch screens in cars, and it must be more expensive to produce than analog buttons and knobs. Why has it become so ubiquitous?
Having a few brands of smart home devices which are all compatible with homekit, I just swipe down on my lockscreen and have all of them as shortcuts in the single native interface or use my watch to operate them with voice.
Android seems to have the Google Home app for this exact same reason, but I have no idea how well that works.
1. The real meat of this "pwning" was (it seems) a google search to identify the WEB API endpoint. Then it turns out that sending POST requests to this endpoint can turn the light on/off, change its temperature, and change its brightness.
2. In order to turn a light on/off using the "found" api, it is first necessary to connect to the lamp's network. So if I were doing this on my own linux machine, which cannot as far as I can tell connect to multiple wireless networks at the same time, my script to change the settings on the light would include disconnecting from my true wifi network, connecting to the lamp's network, sending the signal to the lamp, disconnecting from the lamp, and then reconnecting to my own network. Is that right? Is this what the bash scripts and apps mentioned in the post are doing?
3. If I lived in the apartment above the OP's (say), and I were malicious, I could even now also access the lamps' networks and, say, set their values to be whatever I wanted. And there is simply no way of stopping this (S in IoT, after all).
What this guy seems to have found out is possibly (and how, I don't know--the article is horribly lacking in detail) that the lamp accepts API calls /when it is in hotspot mode for setup/ as well as in HAZ_EXT_CONNECSHUN=1 mode
So what I think is that /anyone/ close to the lamp can send the API calls and affect it. Because the lamp is in perpetual setup mode with its unsecured hotspot active...
"A browser hitting that returned a page to connect the lamp to local WiFi. That is a no-go, so maybe there is a web API…" he said
the dumbass
e: Sorry, I misread your post on the lamp network part. I'll leave this here but now you know I spotted it. My apologies.
The security model of pretty much all smart lighting is "if you can reach me on the network you're trusted", just like the security of light switches is "if you can reach the switch you can flip it."
ESP32s are fairly cheap, easy to use and can even be programmed through MicroPython.
A brief search of what?
In your source he explicitly says he does not know who the originator is.
> I don't know who the originator was because I saw it coming from several different sources over the past week. But I just love this. I mean, I liked the acronym IDIOT, I-D-I-O-T, which of course stands for I Don't Internet of Things. But I think even better is this slogan: "The 'S' in IOT Is for Security."
The tools are there now to address this, and this should go a long way toward actually securing the application, the data, the IP, and overall simplify lifecycle management.
* Disclaimer: I am an employee. https://www.silabs.com/security
For example, secure boot and anti-tamper measures are often used to lock out users from being able to examine or modify equipment and software for their own benefit. Sure, these measures can be argued as ways to "protect" the user from themselves (preventing inadvertent/unsupported changes of hardware causing malfunction, or preventing the installation of malware, and so on), but to rob the users of their agency to decide what's best for themselves in these circumstances is fundamentally disrespectful.
Nonetheless, I hope your employer is in a position to be part of a movement to buck the trend here, but based on what I've seen in the industry over the years, I've learned to be very skeptical whenever I hear of such "security" capabilities being thrown around as universally beneficial for everyone.
I had a similar experience with Home Assistant a couple years ago, but they’ve made a ton of progress on UX recently. I still wouldn’t recommend it for a typical consumer, but it should be easy for someone building their own apps.
It is a state machine that I also use for some other software, not to mention that it has tons of integrations.
I use Zigbee and it took me 10 minutes to have it successfully running (via MQTT autodiscovery, or via the ZHA module (which I tested but keep with MQTT)).
It certainly is not something I would suggest to my parents, but for someone who is technical (especially with software, and especially-especially with Python) it is not difficult.
The main issue is how the docs are organized; it takes quite some time to understand the way the whole thing works. After that it is downhill.
Finally there is a strong move to the UI where many things become click-n-go.
https://en.wikipedia.org/wiki/KNX_(standard)
This classic talk - Learn how to control every room at a luxury hotel remotely (2015) [has eng subtitles]:
> It is administered by the KNX Association cvba, a non-profit organisation governed by Belgian law which was formed in 1999. The KNX Association had 443 registered hardware and software vendor members from 44 nations as at 1 July 2018. It had partnership agreements with over 77,000 installer companies in 163 countries and more than 440 registered training centres.[2] This is a royalty-free open standard and thus access to the KNX specifications is unrestricted.
It looks to me like it is competing with systems like Control4 in US since usually you want somebody to install and set it up for you.
Having said that I do believe that it is a good standard and I hope I will be able to implement it in my next home for the fundamental (must work) things like heating, blinds and lighting (maybe with DALI).
I can't help noticing, the s in IoT comes last, after all other things, and is lower case, and not even important enough to appear in the acronym /s
In any case, a CA lasts ~20-30 years. Hopefully the IoT device will be dead by then
I even run tuya-convert to switch over my dozens of light bulbs.
Anything that can't run open firmware I control doesn't get to live on my internal LAN.
Sure you can argue Purism won't exactly publish something that doesn't agree with their marketing, but at the same time I prefer seeing a blog post than some other product page on here. And they're not the only one, in fact right now the very top post on HN is a blog entry by Mozilla about a new feature in their product.
https://templates.blakadder.com is a repository of devices flashable with Tasmota (an open firmware for devices with ESP8266 or ESP32, which are very common chips for wi-fi based IoT devices).
https://zigbee.blakadder.com is a repository of Zigbee devices, which don't connect to internet at all by design. You can use them with a Zigbee gateway.
We need an app to control a stupid lamp but at the same time are expected to buy a "smart home" system so that we don't have to pull the phone out of the pocket. Originally smartwatches were marketed for the same purpose, but I guess now there's also the severe risk of having both hands unavailable at the moment so we need to be able to delay the system update via voice command. Of course with tracking so they can "improve the user experience", and the occasional personalised ad.
Meanwhile I'm wondering how people got convinced this is better than just pressing a physical button, but then I remember even $500+ appliances nowadays are built with such cheap buttons that after a few years I'm forced to learn where to smack the fist on the front cover so they work again for a few minutes.
FOMO and PR. I have friends that have plenty of money and read the latest reviews/gadget magazines. They assume whatever is in the recommended area you should be buying it or your neighbours will have it first.
If that isn't an option (for reasons like not wanting to permanently damage them or being afraid of electrical shocks) a lot of them come with tuya firmware, which you can (still) often exploit and convert with TUYA-CONVERT [2].
I found the Tasmota Device Templates Repository[3] to be a really valuable resource, although I've been using zigbee devices for lightbulbs.
[1] https://github.com/arendst/Tasmota
Unfortunately this is not really accessible for regular consumers, only for nerds who know their way around a terminal and vi(m).
"A browser hitting that returned a page to connect the lamp to local WiFi. That is a no-go ..."
You can buy prosumer routers nowadays for $99 USD which enable one to set up different subnets and VLANs such that a device is accessible on the network but unable to access the internet.
I'm not afraid of IoT like some other tinfoil types commenting here - just make sure they can't call home (I'm looking at you Samsung TV)
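The "make sure they can't call home" check above is only as good as the evidence that the isolation holds. As an added example (not code from any commenter), here is a small detector that reads netfilter-style LOG lines, as an nftables/iptables rule that logs and drops IoT-VLAN egress would produce, and reports which devices keep trying to reach addresses outside the home's own networks. The log lines, the `192.168.50.0/24` IoT subnet and the `IOT-EGRESS-DROP` log prefix are all constructed for the example.

```python
"""Flag devices on an isolated IoT VLAN that keep trying to reach the internet.

Added example, not from the thread. It parses kernel netfilter LOG lines of the
form "...: IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..." and
summarises, per IoT device, the external destinations it attempted to contact.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (a logging drop rule on the IoT VLAN's egress).
SAMPLE_LOG = """\
Jan 12 03:14:01 gw kernel: IOT-EGRESS-DROP: IN=br-iot OUT=wan MAC=... SRC=192.168.50.23 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=443
Jan 12 03:14:03 gw kernel: IOT-EGRESS-DROP: IN=br-iot OUT=wan MAC=... SRC=192.168.50.23 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=443
Jan 12 03:14:07 gw kernel: IOT-EGRESS-DROP: IN=br-iot OUT=wan MAC=... SRC=192.168.50.23 DST=198.51.100.7 LEN=76 TTL=64 PROTO=UDP SPT=41000 DPT=123
Jan 12 03:15:00 gw kernel: IOT-EGRESS-DROP: IN=br-iot OUT=br-lan MAC=... SRC=192.168.50.40 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=1883
Jan 12 03:16:22 gw kernel: IOT-EGRESS-DROP: IN=br-iot OUT=wan MAC=... SRC=192.168.50.41 DST=192.0.2.55 LEN=60 TTL=64 PROTO=TCP SPT=33000 DPT=8883
Jan 12 03:16:23 gw sshd[123]: Accepted publickey for admin from 192.168.1.5
"""

# The home's own address plan (assumption for the example). Anything outside these
# ranges is treated as "external". An explicit list is used instead of
# ipaddress's is_private/is_global because those also classify documentation
# ranges like 203.0.113.0/24 as non-global, which would hide the sample traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"(?P<prefix>[A-Z0-9_-]+): IN=(?P<inif>\S*) OUT=(?P<outif>\S*).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?SPT=(?P<spt>\d+))?(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict of the netfilter fields, or None for lines that are not LOG entries."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LOCAL_NETS)


def callhome_report(log_text, iot_subnet="192.168.50.0/24"):
    """Per IoT device: number of blocked external attempts and the distinct targets."""
    subnet = ipaddress.ip_network(iot_subnet)
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in subnet or not is_external(rec["dst"]):
            continue  # only IoT sources, only destinations outside the home
        dest = f"{rec['dst']}:{rec['dpt']}/{rec['proto']}" if rec["dpt"] else f"{rec['dst']}/{rec['proto']}"
        attempts[rec["src"]] += 1
        targets[rec["src"]].add(dest)
    return {
        src: {"attempts": attempts[src], "destinations": sorted(targets[src])}
        for src in sorted(attempts)
    }


if __name__ == "__main__":
    for device, info in callhome_report(SAMPLE_LOG).items():
        print(f"{device}: {info['attempts']} blocked attempts -> {', '.join(info['destinations'])}")
```

Run it periodically against the gateway's syslog and the devices that appear are the ones whose firmware phones home regardless of what the app claims; the device talking only to the local MQTT broker on the LAN does not show up, which is the desired state.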
Our old UI is "not very nice", but we already have a GraphQL API, and a pretty UI is coming very soon.
If you are a security researcher or IoT shop, you should contact us!
But, here's the thing. AFAIK a display pops up on my neighbor's TV showing a code I'm supposed to type into my Mac. Further, AFAIK, if the TV was off, the device (usually an AppleTV) will turn the TV on via HDMI. So, I've possibly interrupted my neighbor's viewing. Or if it's late at night I just turned on their TV (no idea if it shuts itself off).
I know Apple has this feature to make it zero configuration but I'm not convinced it's the best feature. I've thought about figuring out how to send the same packets and building a small device/app that tries to connect to every Airplay device constantly. Then I could drive around the Apple campus and interrupt meetings.
Or, I could just put the app on my phone and walk around and hope that Apple will get enough complaints from users about "why does this code keep popping up on my TV" until Apple fixes the issue.
I think the issue is that the AppleTV uses Bluetooth as an extra communication channel to set up a session, and you can turn it off but I suspect most users have not.
Is that a security issue that I can turn on my neighbors TVs and AppleTVs remotely?
Let's be thankful that they are, in fact, using ESP32 for a central control chip and use a very simple REST protocol. It could be a lot worse, a lot more proprietary.
These are simple devices, but expensive as far as lights go. You can very easily get dumb lights that have only physical controls. For a lot cheaper too.
I'm working on various IoT sensor products that require a cellular connection - NB-IoT is preferred for this use case due to its good penetration characteristics. But the problem is that UDP is recommended as the NB-IoT transport layer because of TCP ack timeouts caused by NB-IoT latency. That means that you are practically reduced to MQTT-SN as a data protocol, which in turn means you lose TLS.
There are partial solutions - we whitelist our MQTT data sources (i.e. only the cellular provider's NB-IoT gateway), and we can verify and whitelist the IDs of all connected devices. But it is a partial and imperfect solution.
Security is hard...
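The gateway allowlist and device-ID allowlist described above tell the receiver where a datagram arrived from and which ID it claims, but nothing about whether the payload is genuine or a replay. As an added example (not the poster's system, and not part of MQTT-SN itself), here is a broker-side receiver that adds a per-device HMAC-SHA256 tag and a monotonic frame counter on top of a plain UDP transport, so that source check, origin authentication and replay rejection are all applied before a payload is accepted. The gateway range, device IDs and keys are constructed placeholders. The scheme gives integrity and authenticity only; the payload stays in the clear, and DTLS is the standard answer where the device stack can afford it.

```python
"""Authenticate and de-duplicate UDP telemetry frames without TLS.

Added example, not from the thread. Frame layout (all constructed for this example):
    device_id (4 bytes) | counter (uint32, big-endian) | payload | tag (16 bytes)
where tag = HMAC-SHA256(device_key, header || payload)[:16].
"""
import hashlib
import hmac
import ipaddress
import struct

TAG_LEN = 16                      # truncated HMAC-SHA256 tag (128 bits)
HEADER = struct.Struct("!4sI")    # device id | frame counter

# Constructed placeholders. Real deployments provision a unique key per device at
# manufacture; never derive it from the device id as done here for the demo.
DEVICE_KEYS = {
    b"D001": hashlib.sha256(b"demo-key-D001").digest(),
    b"D002": hashlib.sha256(b"demo-key-D002").digest(),
}

# Constructed: the only source range the carrier's NB-IoT gateway sends from.
ALLOWED_GATEWAYS = [ipaddress.ip_network("198.51.100.0/24")]


def seal(device_id, counter, payload, key):
    """Device side: build an authenticated frame. The counter must increase per frame."""
    header = HEADER.pack(device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Broker side: every check that fails returns a reason suitable for a log line."""

    def __init__(self, keys, allowed_gateways):
        self.keys = dict(keys)
        self.allowed = list(allowed_gateways)
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def accept(self, src_ip, frame):
        """Return (ok, reason, payload); payload is None unless ok."""
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowed):
            return (False, "source-not-gateway", None)
        if len(frame) < HEADER.size + TAG_LEN:
            return (False, "too-short", None)
        header = frame[:HEADER.size]
        body = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack(header)
        key = self.keys.get(device_id)
        if key is None:
            return (False, "unknown-device", None)
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; the tag is checked before the counter so that a
        # sender without the key learns nothing about the counter state.
        if not hmac.compare_digest(expected, tag):
            return (False, "bad-tag", None)
        # Strictly increasing counter: a captured frame cannot be played back.
        # (uint32 wraps after 2**32 frames; re-key before that in a real fleet.)
        if counter <= self.last_counter.get(device_id, -1):
            return (False, "replay", None)
        self.last_counter[device_id] = counter
        return (True, "ok", body)


if __name__ == "__main__":
    rx = Receiver(DEVICE_KEYS, ALLOWED_GATEWAYS)
    frame = seal(b"D001", 7, b'{"temp":21.5}', DEVICE_KEYS[b"D001"])
    print(rx.accept("198.51.100.9", frame))   # accepted
    print(rx.accept("198.51.100.9", frame))   # same frame again: replay
    print(rx.accept("203.0.113.5", frame))    # not from the gateway
```

Lost datagrams are tolerated because the check is "greater than the last accepted", not "exactly last plus one"; a device that reboots and restarts its counter at zero will be rejected until it catches up, so the counter should live in non-volatile storage on the device.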
Missing from the home IoT security works is a decentralized auth infrastructure story. I don't fully subscribe to the notion that people do this because they want to monetize... That may be the case sometimes but here I tend to believe you get to this kind of solution if you want something that is usable by average consumers and has some form of auth.
I have a wifi radio (Ocean) and I tried several times to hack it so that I can programmatically start and configure it but failed every time because the whole system is completely closed and non standard.
I would love to buy a radio that has an API (actually I would buy three right away)
:D