Many of these WiFi-LED lamps contain esp8266 devices, which have a lot of open source alternative firmware available, like esphome[0] or tasmota[1]. You can reflash them by opening them & connecting a cheap (1$) usb-to-tty adapter.
If that isn't an option (for reasons like not wanting to permanently damage them or being afraid of electrical shocks) a lot of them come with tuya firmware, which you can (still) often exploit and convert with TUYA-CONVERT [2].
I found the Tasmota Device Templates Repository[3] to be a really valuable resource, although I've been using zigbee devices for lightbulbs.
I think I'm missing a few major points. I wonder if someone here might be able to clarify.
1. The real meat of this "pwning" was (it seems) a google search to identify the WEB API endpoint. Then it turns out that sending POST requests to this endpoint can turn the light on/off, change its temperature, and change its brightness.
2. In order to turn a light on/off using the "found" api, it is first necessary to connect to the lamp's network. So if I were doing this on my own linux machine, which cannot as far as I can tell connect to multiple wireless networks at the same time, my script to change the settings on the light would include disconnecting from my true wifi network, connecting to the lamp's network, sending the signal to the lamp, disconnecting from the lamp, and then reconnecting to my own network. Is that right? Is this what the bash scripts and apps mentioned in the post are doing?
3. If I lived in the apartment above the OP's (say), and I were malicious, I could even now also access the lamps' networks and, say, set their values to be whatever I wanted. And there is simply no way of stopping this (S in IoT, after all).
This is pretty much how I read it, but I thought maybe it's worse: I would bet that when you connect to the lamp's network and set it up to connect to your network as you should the lamp's internal WiFi ceases to broadcast, and you'd need the reset switch to enable setup again.
What this guy seems to have found out is possibly (and how, I don't know--the article is horribly lacking in detail) that the lamp accepts API calls /when it is in hotspot mode for setup/ as well as in HAZ_EXT_CONNECSHUN=1 mode
So what I think is that /anyone/ close to the lamp can send the API calls and affect it. Because the lamp is in perpetual setup mode with its unsecured hotspot active...
"A browser hitting that returned a page to connect the lamp to local WiFi. That is a no-go, so maybe there is a web API…" he said
the dumbass
e: Sorry, I misread your post on the lamp network part. I'll leave this here but now you know I spotted it. My apologies.
Yeah this is so far from pwning that it’s hilarious to be presented as such. This is literally authorized access. He built an integration for his smart bulbs the same way Google Home or HomeKit would access it but with some weird Wi-Fi paranoia that actually made him less secure.
The security model of pretty much all smart lighting "if you can reach me on the network you're trusted" just like the security of light switches "if you can reach the switch you can flip it."
I mean the alternative was installing the propietary app so I would say this is still a big win. But also yes, any wifi capable device in your home with no authorization is clearly a disaster waiting to happen.
I don't disagree that it's a huge improvement over some proprietary app but I still don't think "using the light's API as designed" counts as pwning it.
It's the same API that openHAB or Home Assistant would consume to control it.
One way to solve 3 and maybe 2 would be adding to the ecuation an ESP32/8266 and use it as an access point for the lamps. Then you might create any physical controls for the lamps or with some network magic add it to your infrastructure through a segmented network. I'm not sure if this can be done with an ESP alone (hence "network magic") or you could just use a second ESP connected to your private network and passthrough your commands via a serial port to the Lamp's ESP AP.
ESP32's are fairly cheap, easy to use and can even be programmed through micropython.
I thought it was mostly sales for "for PureOS and the Librem 5" on "my Librem 5 phone as well as Librem Mini desktop" to do something an alias to curl performs perfectly fine.
One thing I haven't seen mention much with these "smart" devices is how inconvenient lack of physical buttons is. Instead of just reaching over and adjust the volume/brightness whatever, I now have to unlock the phone, find the app and do some gestures to achieve same results, all of which now requires some mental bandwidth for these banal tasks.
That's just bad smart home planning. Any smart home device should work on top of existing physical control. Don't buy smart bulbs that require you to use your phone or voice to control them. Instead, buy smart switches that work just like normal wall switches but also give you smart home/automation possibilities (and work perfectly fine for guests or if the whole smart home system is down).
Don't buy some garage opener that requires internet access to control your garage, hook a smart relay into the existing garage opener.
Make sure there's a physical remote for your TV or sound system in addition to phone control. You can buy third party remotes just for this purpose.
Etc., etc., etc.
Pretty much any smart home project can be done in a way that keeps all physical control in place. Yes, it costs a little more and requires a little more work, but it's the only reasonable solution.
This is exactly right. If you set out with some requirements such as 1) everything must be able to still work without internet access and 2) it must be simple enough that my mom/grandma/whatever can still use it, then you can still benefit from the convenience of these devices without all the downsides.
This is what I do. I insist that any “smart” whatever be strictly additive; that is, it must only add functionality but not remove anything. I will never buy a product that can’t be controlled physically or that requires Internet access. The net result is pretty great!
Yup. With this approach the only thing that goes wrong is you start to rely on some of the automations and it's a bit annoying if one stops working for some reason.
Yup. One of the reasons I still tolerate the obtuse GUI of HomeSeer is it's 100% local to me, yet can also still interface with a few proprietary cloud bits I fell for like Nest's thermostats.
Never again. I only have a couple of cloud controlled devices but never again - I'll either have something that can be controlled without any reliance on the cloud whatsoever or I'll just continue to go without that thing being automated. I really can't think of anything that would not be automatable without the cloud
Agree. My first rule of smart home is that the device must continue to work as if there was no smart home layer. The only place I violate this is for devices like outdoor holiday lights where I’d have to walk outside to flip the switch - though you should also be able to do that, if needed.
Just yesterday, I replaced the smart thermostats on my radiators with old-fashioned manual ones, and removed the window sensors, control hub and everything else associated with it. The whole eQ-3 ecosystem will be shut down soon anyway, and replaced with a full-scale intelligent house-type product line.
I have ordered new thermostats that are electronic and support daily/weekly schedules, but have no networking aside from Bluetooth, which you have to manually turn on via a button on the thermostat, if you want to make changes to their programming.
Aside from that they function more or less like the good old manual thermostats, you turn a dial to select the temperature you want, but they display the selected temperature in degrees instead of a scale from 1 to 5, and they automatically turn down the heating if they sense a temperature drop when you open the windows to air out.
Intelligent but not "smart" thermostats. If the app disappears for some reason or you just don't want to use it, they will still function just fine as an improved version of the old-fashioned manual thermostats. According to the manufacturer, they also calibrate themselves to know when to turn on and off to match your programmed schedule, based on how quickly your house heats up and cools down, and something about finding the exact position at which your radiator valve opens, for more precise control. Nifty stuff and it still doesn't require an internet connection or a nebulous cloud account.
100% agree, this is how I approach all of my home automation toys. Periodically I disconnect my HA server and then the Internet connection just to verify that the fallback position for my house that everything still works manually just like you expect.
Sure, lots of reasons you can’t create the most very optimal experience. But even if you can’t swap out the switches in your rental there are other options if you keep “physical first” in mind. There are even smart switches made to stick over a regular light switch so you can keep people from turning it off (and this deactivating the smart bulb) and still have a physical switch, but it’s actually controlling a smart light.
Starting with a hard requirement of physical control still leaves lots of things on the table.
When your hands are occupied by cooking or some such, it's nice to bark orders at a voice assistant for timers, lighting adjustments, adding to the shopping list, etc.
I have a few 'smart' things in my house. One is my living room mood lights, but that's a combination of a simple RF plug relay switch on the one hand, and an ikea (also RF?) spot system, no internet required.
The other thing is my thermostat, where it's mainly convenience to control it remotely via my phone. I'm not comfortable with it, it has a dongle directly in my router giving the company behind it access to it and its data. I mean the charts are convenient, but I think the whole thing could be made offline as well. Anyway, that one has a simple screen (LED light matrix?) and touch buttons so anyone can adjust the temperature until the next time block, making just the unit without the app as useful as the old dial thermostat it replaced.
Final 'smart' thing I have is my wifi router, which I can manage via my phone; a big improvement over the old router/modem which had a very 2000's looking web interface.
I don't really mind having less buttons to accidentally push on my phone or other devices that go in my pocket, but I can't stand this when it comes to car dashboard interfaces. Thankfully I still drive a car from before this trend but in newer cars where e.g. changing the radio station requires fiddling with a touch screen. With physical buttons or knobs I can do this almost unconsciously, but with a touch screen I have to take my eyes off the road to even see what I'm poking on the screen.
With this kind of stuff, it always makes me wonder why it's there in the first place. Surely there's not much demand for touch screens in cars, and it must be more expensive to produce than analog buttons and knobs. Why has it become so ubiquitous?
This problem will depend on the vendors you buy your products from.
Having a few brands of smart home devices which are all compatible with homekit, I just swipe down on my lockscreen and have all of them as shortcuts in the single native interface or use my watch to operate them with voice.
Android seems to have the Google Home app for this exact same reason, but I have no idea how well that works.
I absolutely second this. "IoT" is a keyword to furnish up cheap hardware where the price of physical switches would have harmed the profit margin too much. This is not really ironic: Physical switches (with a price of probably 0,2 USD per component) are more expensive then SoC having Wifi implemented. Also it's cheaper to hire software-only developers to do as little hardware engineering as possible. It's all about cutting the price per unit down.
It probably costs more to add physical knobs/switches. They will end up taking more space/require more material to manufacture than the IoT device itself.
> Pretty sure that title was coined by Steve Gibson on his Security Now! podcast
In your source he explicitly says he does not know who the originator is.
> I don't know who the originator was because I saw it coming from several different sources over the past week. But I just love this. I mean, I liked the acronym IDIOT, I-D-I-O-T, which of course stands for I Don't Internet of Things. But I think even better is this slogan: "The 'S' in IOT Is for Security."
If you want to, you can turn it into a Home Assistant plugin (or even add it to the core). It's a great project that aims to provide this kind of interface for all kinds of "smart" devices in a user-friendly way.
I have found Home Assistant to be very user unfriendly and difficult to use. I have about $1000 in switches that are among the most popular Z-Wave devices on the market that I have not been able to get working, as well as other devices. I'm admittedly clueless with hardware, but I build software for a living. The few things that do work required hours of spelunking on forums into incomprehensible details of configuration. It's not a system I'd recommend to a typical consumer.
I had a similar experience with Home Assistant a couple years ago, but they’ve made a ton of progress on UX recently. I still wouldn’t recommend for a typical consumer, but should be easy for someone building their own apps.
Agreed! It was really terrible, it's much better now - at least you don't need to fiddle with YAML anymore for most things. There's still a ways to go, but for the audience reading this, it should be accessible.
HA is not the easiest system to get into, but once you are there is is fantastic.
It is a state machine that I also use for some other software, not to mention that it has tons of integrations.
I use Zigbee and it took me 10 minutes to have it successfully running (via MQTT autodiscovery, or via the ZHE module (which I tested byt keep with MQTT)).
It certianly is not something would suggest to my parents, but someone who is technical (especially with software, and especially-especially with Python) it is not difficult.
The main issue is how the docs are organized, it takes quite sometime to understand the way the whole thig works. After that it is downhill.
Finally there is a strong move to the UI where many things become click-n-go.
It's not that nobody heard of it, the problem is that it's not cheap to get stared since the devices are pretty expensive and you usually need to run wiring.
> It is administered by the KNX Association cvba, a non-profit organisation governed by Belgian law which was formed in 1999. The KNX Association had 443 registered hardware and software vendor members from 44 nations as at 1 July 2018. It had partnership agreements with over 77,000 installer companies in 163 countries and more than 440 registered training centres.[2] This is a royalty-free open standard and thus access to the KNX specifications is unrestricted.
It looks to me like it is competing with systems like Control4 in US since usually you want somebody to install and set it up for you.
Having said that I do believe that it is a good standard and I hope I will be able to implement it in my next home for the fundamental (must work) things like heating, blinds and lighting (maybe with DALI).
This is a great article explaining the need for open standards and non-proprietary approaches to IoT just like we have in the digital world. Vendor lock-in is a real issue for security and non-dependancy as well.
i took it as a google search, which made me laugh at how much I read before i got to the point. I enjoyed reading this post actually but there is very little meat to what actually happened.
Agreed, talking about how he discovered this API is what I would have wanted to read. He said the only opened port was 8xxx and it was a dead-end, so what port was this API running on then? How did he discover it without sniffing packets from the app? various, etc
And if the browser "404'd", that means there's actually a web server listening (different to connection refused/timed out error messages). So was it a 404 or something else but you don't understand HTTP so you just called it 404?
From the writing my impression is this is a guy flexing his "I know tech" muscles. Calling it "pwn"? Talking about his Librem phone/desktop? Well done 1337 hacker! /s
IKEAs zigbee devices are cheap, realiable and accessible and works great with Home Assistant + the deCONZ usb dongle. No WiFi connected devices, not internet access. When I'm out of the house I "phone home" with a VPN to adjust the temperature and turn off the lights if I forgot. I have automated several basic things, like the color temperature of the lights and the temperature of my heaters when electricity prices spikes.
Unfortunately this is not really accessible for regular consumers, only for nerds who know their way around a terminal and vi(m).
Another problem: Even when the device is working as it should, there needs to be a "lock" mode that says, "don't download new firmware." Nothing like having your smoothly-functioning lighting setup FUBARed by an unnecessary and buggy firmware update - especially if you're far away from home when it happens.
What if we built simpler systems that are less prone to security issues, without the cpre assumption that we can 'just patch it up' whenever after it's shipped off?
What if we were born without the need to consume or generate matter? I think it's easy to generate idealistic scenarios, but not so easy to implement them in reality. There's a couple counter-pressures to your question. The first being that the average consumer has come to expect and demand a higher level of functionality out of even simple devices. The next is that there's no monetary incentive in creating the perfect system from the start, especially when you can just use premade things. Finally, hackers (whether they be nation-state actors or your neighbor's bored teenager) are CONSTANTLY on the prowl for vulnerabilities in all things connected to the internet. With that in mind, it's not quite as easy to develop the perfect, unhackable system.
I imagine it's mentioned elsewhere in this commentary, but the key point I think this chap missed was not connecting to a wifi network under his control.
"A browser hitting that returned a page to connect the lamp to local WiFi. That is a no-go ..."
You can buy prosumer routers nowadays for $99 USD which enable one to setup different subnets and VLANS such that a device is accessible on the network but unable to access the internet.
I'm not afraid of IoT like some other tinfoil types commenting here - just make sure they can't call home (I'm looking at you Samsung TV)
Software needs to be updated though, certificates need to be checked and all that. That's only possible with Internet - unless you run your own CA, Package Mirror on the local network. That said, there is also a trade off between having a having ports open for REST vs. having a gateway (whether that's on the local network or on the Internet). Also it's probably a difference whether one plans to update the installed system every now and then or whether that should be fully automated...
This is true, but honestly I have almost never seen an IoT device getting updated for security reasons - instead they seem to update things OTA to just add more crap to it.
In any case, a CA lasts ~20-30 years. Hopefully the IoT device will be dead by then
Can you believe Generac standby generators need you to download an app and receive an activation code which no doubt you key into the generator before it will work. I nearly got caught out with this when we were looking to replace our cottage genny. We don't have internet access how stupid a concept is this. Thankfully I found out before completing the purchase so I bought a different brand but I'm with this guy all the way. I'm not connecting my lightbulbs, toaster or intelligent microflushing loo to anything internet just to use the product.
Chipset developers like Silicon Labs* are developing very advanced but approachable security capabilities into their latest products (secure boot, secure debug, physical protection (DPA countermeasure, anti-tamper), key management, key storage, crypto engine, etc.)*.
The tools are there now to address this, and this should go a long way toward actually securing the application, the data, the IP, and overall simplify lifecycle management.
Unfortunately I've often found these capabilities end up being used against users as much as, if not vastly more than, they are used in their favour.
For example, secure boot and anti-tamper measures are often used to lock out users from being able to examine or modify equipment and software for their own benefit. Sure, these measures can be argued as ways to "protect" the user from themselves (preventing inadvertent/unsupported changes of hardware causing malfunction, or preventing the installation of malware, and so on), but to rob the users of their agency to decide what's best for themselves in these circumstances is fundamentally disrespectful.
Nonetheless, I hope your employer is in a position to be part of a movement to buck the trend here, but based on what I've seen in the industry over the years, I've learned to be very skeptical whenever I hear of such "security" capabilities being thrown around as universally beneficial for everyone.
The issue here isn't hardware capabilities, it's that vendors like to make their gadgets centrally connected for convenience and analytics and then on top often don't care about hygiene (e.g. no crypto at all).
Would it only allow for the lamp to be "secure" in the sense that the owner would not be able to take back control anymore? If that's the case, that's a "solution" worse than the problem, that's even unethical as hell given this will short/medium term accelerate the ecological nightmare.
I don't care how "secure" one can make an internet-connected lamp. I don't want or need a lamp to connect to the internet to change its operating conditions. The problem is that we, as a society, are being so suckered by cheap consumer devices that it's becoming difficult to even FIND NON-connected devices in some categories. Like the lamp in the article, I'm willing to bet that he looked for something with purely physical controls, and couldn't find one in a comparable price point. I honestly don't get it. I can't fathom what some company could possibly be doing with my usage data from some internet-connected LAMP, or why they would go about designing all the infrastructure to make it work. It would be orders of magnitude more easy to just put some buttons on the side of the unit. At this point, I guess someone out there thinks, "Oh, neat!" but this sort of situation is paving the way for it to be impossible to buy ANY consumer electronic device that doesn't phone home in the very near future.
Shameless plug:
We are working on the solution! Our motto is actually "Put the S into IoT" :D by working with security researchers on an automated tool which can scan and find vulnerabilities in all kinds of IoT firmwares. Check it out: https://www.iot-inspector.com/
Our old UI is "not very nice", but we already have a GraphQL API and pretty UI very soon.
If you are a security researcher or IoT shop, you should contact us!
AppleTV Airplay kind of fits this for me. Maybe it's secure, but, and MacOS Big Sur surfaced this for me. I click the screen sharing icon on my Mac and my 2 shares show up. I go to select the one I always select, asynchronously MacOS scans for more Airplay receivers. It finds my neighbors and adds them sorted alphabetically to the menu in real time. Result, 50-70% of the time I click the AirPlay device for another apartment since by sorting the list the positions change under my mouse. I've learned to click the screen share menu, then wait about 3 seconds for my neighbors' devices to appear, since the position of the device I want to click will move.
But, here's the thing. AFAIK a display pops up on my neighbor's TV showing a code I'm supposed to type into my Mac. Further, AFAIK, if the TV was off the device (usually an AppleTV) will turn on the TV on via HDMI. So, I've possibly interrupted my neighbors viewing. Or if it's late at night I just turned on their TV (no idea if it shuts it self off).
I know Apple has this feature to make it zero configuration but I'm not convinced it's the best feature. I've thought about figuring out how to send the same packets and building a small device/app that tries to connect to every Airplay device constantly. Then I could drive around the Apple campus and interrupt meetings.
Or, I could just put the app on my phone and walk around and hope that Apple will get enough complaints from users about "why does this code keep popping up on my TV" until Apple fixes the issue.
I think the issue is that the AppleTV uses Bluetooth as an extra communication channel to setup a session and you can turn it off but I suspect most users have not.
Is that a security issue that I can turn on my neighbors TVs and AppleTVs remotely?
I don't see a veil on a blog post where the author's name and CEO position in the company is the first thing you see.
Sure you can argue Purism won't exactly publish something that doesn't agree with their marketing, but at the same time I prefer seeing a blog post than some other product page on here. And they're not the only one, in fact right now the very top post on HN is a blog entry by Mozilla about a new feature in their product.
Let's be thankful that they are, in fact, using ESP32 for a central control chip and use a very simple REST protocol. It could be a lot worse, a lot more proprietary.
These are simple devices, but expensive as far as lights go. You can very easily get dumb lights that have only physical controls. For a lot cheaper too.
IoT runs across a range of use cases and connections. There is a lot of emphasis on WiFi IoT applications, but this makes things hard in other places.
I'm working on various IoT sensor products that require a cellular connection - NB-IoT is preferred for this use case due to the good penetration characteristics. But the problem is that UDP is recommended as the NB-IoT transport layer due to the problem with TCP ack timeouts due to NB-IoT latency. That means that you are practically reduced to MQTT-SN as a data protocol, which in turn means you lose TLS.
There are partial solutions - we whitelist our MQTT data sources (i.e. only the Cellular provider's NB-IoT gateway), and we can verify and whitelist the IDs of all connected devices). But it is a partial and imperfect solution.
Is there a curated list of IoT devices from a security perspective? Like is the firmware flashable with open code, how chatty is the device/callhome, update frequency (if any) etc?
https://foundation.mozilla.org/en/privacynotincluded/ is the "*privacy not included" guide from Mozilla. However, the main "creepiness" score is based on user votes, so it's not particularly useful (people rate brands they like highly, regardless of actual security).
https://templates.blakadder.com is a repository of devices flashable with Tasmota (an open firmaware for devices with ESP8266 or ESP32 which are very common chips for wi-fi based IoT devices
https://zigbee.blakadder.com is a repository of Zigbee devices, which don't connect to internet at all by design. You can use them with a Zigbee gateway.
Good point by the author, but iiuc neighbors can just walk up and control the lamp too if operating on the lamp's presumably open wifi?
Missing from the home IoT security works is a decentralized auth infrastructure story. I don't fully subscribe to the notion that people do this because they want to monetize... That may be the case sometimes but here I tend to believe you get to this kind of solution if you want something that is usable by average consumers and has some form of auth.
Just out of curiosity, if that web API request is made while connected to the lamp via its WiFi access point, I am guessing that means whenever they wanted to control the lamp using this custom app, they'd have to make their phone disconnect from the main WiFi, reconnect to lamp WiFi, do actions, then reconnect back to main WiFi (I suppose that could all be automated within the custom app) Wish the lamp would just put that control as a knob on the lamp..
Well, hacking such devices gets immediately easier when you can google the API endpoint, and that endpoint is REST (or REST-like).
I have a wifi radio (Ocean) and I tried several times to hack it so that I can programmatically start and configure it but failed every time because the whole system is completely closed and non standard.
I would love to buy a radio that has an API (actually I would buy three right away)
Usually the factory default WiFi network that IoT devices create during setup is open. No password required. It seems the author left the device in that state when he reverse-engineered the API. So anyone in the vicinity of the network can connect to his lamp and control it. I wouldn't call this "secure."
Ok.. so he needs to scan for an unique AP first and then send the command to the device on this network. Is the phone capable being connected to multiple 2.4 networks or does controlling the light mean having to first scan and the connect to a network? This approach sounds slooow.
My way to deal with IoT devices: A virtual "guest" WiFi w/ AP isolation using DD-WRT. Devices in there can access the Internet. That's it. They can't see other devices in my local networks. That makes me sleep better.
The S in IoT should be for "Stop buying stupid disposable junk." I can't listen to anyone complain about climate change while they fill their homes with cheap consumer electronics from globalized supply chains that spy on them.
I also can't imagine letting an internet connected anything in my home, and I keep all internet electronics in one room. Sure, other people can live in a surveillance zoo, but I prefer to keep mine limited.
It's difficult to even find non-internet-vendor-locked in sensors/controls/lights... (sensors/controls ideally running on batteries with sane local network API)
So far I've been lucky with cheap zigbee devices but these seem to be getting phased out in favor of locked in items...
and before people suggest - no, I don't have the willingness to build/maintain my own devices with raspberry pis or ESP etc
Ikea sells Zigbee bulbs and control devices as well as a Zigbee bridge. Seeing how they joined the Zigbee alliance's boards of directors I don't think they're going away. In my experience they work fine and are reasonably priced.
They support HomeKit and while their own API technically isn't open, it's documented and has libraries to interact with it programmatically.
+1. I run entirely Zigbee devices in my home. They don't have internet access and talk to the Home Assistant[1] instance running on my home server.
The downside of Zigbee is that, as a user, there isn't a strong ecosystem of DIY IoT solutions like there is with, for example, the wifi-connected ESP8266/ESP32 chips. And, of course, it requires a hub and some degree of knowledge to set up.
At the moment I'm evaluating launching a small IoT startup/side-business in an underserved market. As much as I love Zigbee, these devices will probably end up being wifi. I'm not an expert in the hardware side of things, and the ability to pay <$1 for an ESP chip that does everything I need off the shelf is great, and I don't want to create a hub or require users to buy a (often $80+) hub just for my set of (<=$5) devices.
Although it'll be wifi-based, I plan to make these guarantees:
- The cloud service (supported by a small yearly subscription) will stay online for at least 1 year after the last device is sold.
- When the service is shut down, its software and hardware will be released under an open source license.
- The subscription fee will never be increased faster than inflation rate.
- 3rd party analytics software won't be used and data will never be shared with 3rd parties (outside from Stripe during checkout). In all cases a minimum amount of data will be collected.
Maybe this'll make my product slightly less likely to appear on the @internetofshit Twitter account[2].
I think Zigbee is what IoT should be. It doesn't access the internet, it doesn't clutter the frequency band like my 30 WiFi IoT devices, it doesn't need to be in range (since other Zigbee devices can relay the messages)... I'm going to buy some Zigbee devices from IKEA just so I can play around with them.
> The downside of Zigbee is that, as a user, there isn't a strong ecosystem of DIY IoT solutions like there is with, for example, the wifi-connected ESP8266/ESP32 chips.
Luckily, as you probably know, you can connect all those different protocols together with homeassistant. So you can use pre-built solutions for some devices and DIY for others and still easily connect them.
I really don't know anything about the availability of Zigbee chips for DIY projects, but I would just like to say that I paid just 20 EUR for Ikea's gateway [0].
But if you do go Wi-Fi, why use a cloud service at all? Is there a specific reason not to go with mDNS/DNS-SD and handle everything on the local network?
Do you mean they don't as a matter of manufacturing, or that you have blocked them yourself? (I ask because I am also interested in getting some lights, but would also like them to be local-network-only.)
Zigbee devices don't have internet access because they're not on the network. Zigbee is a seperate wireless protocol. Lights and switches implement a pairing step which allows them to interact. If you would like to control such devices from your PC, you'll need a device with a Zigbee transceiver to talk to these devices.
Typically, manufacturers sell you a "bridge" or "gateway", which is a networked device including such a transceiver. You could isolate this single device from accessing the internet or you could just not rely on any closed option. You can buy a USB Zigbee transceiver for 30 EUR and use it with your PC or a Raspberry Pi.
I hate that this dominates the conversation. I tried some stuff with a pi once. It was a nightmare. I fidgeted around with the installation, and after some slight hiccups, I finally get to install the package for my security system.
Errors. A screen full of errors barfed everywhere. I look at the repository for some basic debugging, and without some serious dedicated time, I can't fix the issue.
This is why people don't want to fiddle with a Pi for these things. Time is dedicated to get the system up, but you're not given any kind of guarantee that it will work out of the box.
I feel like anytime a hobbyist says a Pi is the solution to your IoT or cloud problem, it's because they enjoy fiddling with the errors and getting it work. When it does, I'm sure it's rewarding, but a lot of people have other hobbies that they'd rather spend time on.
It's like telling someone who complains about video game DLC to go skiing. Yes, you might enjoy skiing, but skiing isn't a drop in replacement for the person complaining.
I think it’s more telling them to learn to mod their favourite game instead: technically it does solve it, but it’s not even in the same universe when it comes to complexity and time investment
Lack of maintenance is a good reason to use a microcontroller. I can understand not wanting to deal with the complexity of a pi and the associated software updates, but if you just need to read a sensor or toggle a relay and send a few packets you can write arduino code that is effectively set and forget. Most importantly you can be certain its behavior wont unexpectedly change because of some remote update. It's easier now than it ever has been to get started, things have improved alot in just the last 5 years or so.
Yeah, the new microcontroller boards that have Arduino Uno MCU (ATmega328P) and cheap Wi-Fi (ESP8266) bundled on a single board and connected together via UART are really great. I recently got a couple of these from AliExpress for $12 including shipping (for experimenting with sensors), and I noticed that they are really well supported by the Arduino IDE and the open source community in general.
There is enough choice of MQTT-compatible devices, running Tasmota or other (for example Shelly devices). No vendor lock, open protocol, no single point of failure (well, usually people only setup one MQTT broker, but it is possible to publish-subscribe to several brokers at once).
You can join Phillips hue units to your own zigbee network without Internet or even the Phillips hue app.
Zigbee2mqtt and a cheap zigbee dongle is all you need really. You could add home assistant for a better interface but there is no need to involve Phillips or the Internet. One of the huge advantages of zigbee imo.
With reviews being useless lately, many people have gone back to trusting brand names. Though the only reason I brought them up was to point out availability.
One other really cool thing is they have a wireless switch that is powered by the act of pushing the button.
I just bought a Laird BLE temp sensor (BT510) and have complete control over it. I can scan-response it with a Raspberry Pi and get the temperature and display it on a small LCD screen. The pi is also my home automation gateway and it sends this (and other data) to my cloud so I can read it from my personal website (which is password protected).
The BT510 It has crazy range and has only dropped 10mV battery in 14 days.
It CAN be done, because sensor makers have no interest in reporting home: costs are too high!
We need more open source projects to enable people to automate their homes with a list of suppliers who provide "dumb" edge node sensors.
Disagree, as a renter smart bulbs are by far the easiest way to get dimmable lights in my apartment. Being able to dim the lights in the evenings while I watch TV is amazing.
I would totally be down for that, but I don't have access to the breaker box, and I don't feel like trying to install anything into anything that has hot wires.
In the US (or at least the majority of jurisdictions who have adopted it), NEC Section 240.24(B) requires "each occupant shall have ready access to all overcurrent devices protecting the conductors supplying that occupancy unless otherwise permitted in 240.24(B)(1)" (where that is roughly buildings with continuous on-site maintenance supervision can avoid this requirement).
I don't want to add a remote control to my life, the "smart" bulbs are better because I can control them with my phone, watch, and any other devices I might get in the future.
Not to mention, I have ~10 of these bulbs. Can't imagine how a remote control would deal with that. They also aren't connected to the internet, they are controlled by a hub that only has local network access.
We have automation to turn off all lights in the apartment when nobody's home, which saves a lot of energy due to us forgetting to turn of lights quite often otherwise. Also adds nice things like turning on lights on movement in the bathroom and kitchen, where you don't need to have lights on all the time, turning on lights 45 minutes before sunset if somebody's home and turning on lights in the hallway when coming home if it's dark already.
I find all of this extremely convenient and ZigBee is a great platform to do things like this.
I don't know if I'm just that jaded, but it feels like it's more trouble that just using a light switch and getting in the habit of not leaving lights on.
Depends on how many lights you have, and how often you need to do it. I've installed extra wires from all light buttons so one master switch per room, not as flexible but same cost over 10 years. It saves me a ton grief every night turning off all the lamps in the apartment, some partners never learn that light switches can turn something off. The monetary savings are not enough to break even in 20 years, the time saved is priceless. ;-)
I get a lot of subjective value out of being able to adjust colour temperature, brightness, and hue.
For instance, the last hour or two of the day, I have lights in the bedroom and kitchen either dim red or off.
Being able to do the routine of "try to go to sleep, fail, tell my watch to turn the lights red, get a glass of water or a snack, turn lights off" is really nice. Even dim white light would be like splashing cold water on my face.
There are other ways to solve for this, approximately, I guess. This is simple and works, though.
I forgot one more thing I do: a redshift kind of system for the whole house. The lights dim and change their temperature from bright and blue during the day to dim and red in the evening, just like my computer and phone does.
Circadian lighting is the script and it follows the sun to make its decisions.
I have a few friends running Shelly devices locally with HomeAssistant and other agents. They can also do the cloud thing (and are unfortunately named that), but the local-first functions work. I don't know more, but the hass forums are a good start.
I get the frustration, but this is a narrow perspective. _Consumer_ IoT is still waiting for some good use cases. But IoT touches a lot more industries than that: medical, earth science, manufacturing, heavy industrial, logistics, energy... they are all being improved with useful IoT solutions. And we need solid security in all these areas, not just the home.
I'd also note that privacy and security, while related, are separate issues. Most IoT solutions don't factor in either concern well.
> And we need solid security in all these areas, not just the home.
Who is we who need solid security?
I haven't met them. They don't sign a check for security. They don't do anything other than put "Security" on a PowerPoint slide and forget about it.
We make our shipping IoT stuff secure because it's a point of pride and point of competence. But we built the whole architecture around that idea, and it definitely slowed us down at the start.
Until people start cutting checks for actually secure IoT, it's going to remain a giant field of cow dung.
They really do exist. Believe it or not, just last week I had an actual meeting with an actual paying client who took IoT security seriously because "we've got some hydraulics on this machine that can cause real damage if someone hacks into it."
Unfortunately, I think this is going to be the perspective for a long time: if the customer sees real liability (read: a lawsuit for physical damage) as a possibility, that's probably going to be the only motivating factor to take security seriously.
My grandmother got a new pacemaker installed a while back. She now has a device sitting beside her bed with a 4G modem in it, that talks to her pacemaker at night and sends the data back to some service, which in turn her Doctors can access.
This is apparently the normal thing to do.
What level of security is there in either of those devices?
How do you ensure that there isn't open ports? Does it get security updates pushed to it? (I wouldn't be money on that)
How does one ensure that this can't send malicious commands to the pacemaker?
This isn't just an issue with pacemakers, either - plenty of other medical devices are coming with various wireless chips in them.
For better or worse -- "Buying stupid disposable junk" the absolute central driving force and core of this economy and perhaps our culture and society. I'm with you on the idea, but there's a LOT of work to do...
Doubt that electronic gizmos have much to do with climate change unless you’re running kilowatts for Dogecoin mining or whatever.
It’s heating and cooling, transport, and food. Maybe cement as well. If you buy a new conventional car, I have more to question you on climate change over.
Electronics require lots of metals that are sourced through mining. Mining is an essential but dirty business that often leaves pools of toxic heavy metal water behind. These pools are damned up, but inevitably leak out into the surrounding environment.
It’s important that everyone Reduce, Reuse, Recycle properly in order to reduce our impact to the environment.
You know what requires a lot more metals? Cars and houses and apartments and railroads and highways. When we’re trying to reduce our impact on the environment, we’ve got to not waste time on the small fry while ignoring the elephants. Problems should be attacked proportional to their impact. Don’t think that using metal straws but driving a new gasoline powered SUV is making an improvement.
We are now at the point where everything matters. Industry is responsible for about 21% of GHG emissions globally (more than transportation!)[1]. Reducing that by using simpler technologies is a good thing to look into.
Do you really need to replace your perfectly functional doorbell with a big pile of electronics? Probably not. Would not driving to work every day make a bigger contribution? Yes. Would not doing either be best? Yes.
Using an incandescent light bulb is not “better” than an LED bulb, even though the latter is a “pile of electronics” while an incandescent bulb is just a little tungsten wire. So I really don’t think this is a good rule to follow. Simpler technologies are often far less efficient and often have a far larger ecological impact.
LED bulbs are comically more efficient than incandescent bulbs (by a factor of 5-10), which in turn are comically more efficient (by 10-50 times) than like a candle or oil lamp. “Simple” is actually a terrible heuristic for “low ecological impact.”
It actually might. If the Ring doorbell allows you to avoid opening your door just once or twice a week, the energy savings could exceed the environmental footprint.
A Ring doorbell has a 22Wh battery that lasts about a month or two per charge.
Having the door open for 10 seconds on a cold winter day can easily waste that much energy. About 10kW of heat loss for 10 seconds is 100kJ, higher than that 22Wh.
Likewise, the embodied energy of that 22Wh battery is about 22MJ, and might dominate the embodied energy of the Ring camera. So if it saves you from opening the door 200-300 times in its lifetime, that might be enough to pay for its own embodied emissions.
Plus not having to drive home to pick up a package, etc, etc.
Plus think of other smart devices like smart thermostats that might be part of the whole Ring system. Or perhaps if the Ring device prevents destruction of part of your home from theft.
I don’t even own a Ring doorbell, but I can see how it could actually help. Also, traditional doorbells aren’t that efficient. Especially if they have a little light.
Ring could also replace a window to see who is there, which is a big source of heat leakage.
The argument is that the "simpleness" of the doorbell isn't a good heuristic for the amount of impact.
According to wikipedia [1], the transformer on a standard doorbell can use 2-3 watts of power at all times. That's 1400-2100 watt hours per month — about one hundred times as much as a ring doorbell uses (Less than 20 Wh per month).
The cost and impact of the Ring includes more manufacturing, and I wouldn't be surprised if the Ring ended up having a larger environmental cost, but it's not as clear cut as your incredulity makes it seem.
> According to wikipedia [1], the transformer on a standard doorbell can use 2-3 watts of power at all times. That's 1400-2100 watt hours per month — about one hundred times as much as a ring doorbell uses (Less than 20 Wh per month).
Interesting thing to know because here in Brazil we don't route PELV (Protected Extra-low Voltage) to the doorbell. The external switch just carries the full voltage from the mains (127 Vac or 220 Vac, according to the state). Maybe it's not the safest design after all.
However this constant power usage can be safely removed by using a non-rechargeable 12V battery that would power a relay that will trigger the mains-powered bell when the (purely mechanical) external switch is pressed. This removes the constant power usage and such battery should last for years with a typical usage scenario (less than one second per push or so).
You are missing the point and mischaracterising the problem. Resources are finite. Human attention spans are limited. Emissions from ships in international waters are an absolutely huge problem and addressing that will make a huge impact on future climate.
Funny how no one mentions that but we are all focused on paper straws and smart doorbells.
It is all related, so everything taken together does indeed matter.
When we as consumers insist more on buying locally produced, durable, interchangeable, replaceable, repairable (!) components to build things we're actually likely to use for a long time, we can stem the flow of cargo ships and ditto planes shipping "stupid disposable junk" halfway across the world, thereby limiting all the pollution and waste of (fossil fueled) energy that goes with it.
While we're at it, we should demand to put an end to the senseless hoarding of patents and IP, in particular those that hamper interoperability between components, and for information on interfaces to be made public, so no more proprietary connectors, protocols, APIs, no more artificial restrictions on consumables such as printer ink, etcetera.
I believe the argument is about the refining process and the chemical waste it creates, which is substantially higher when trying to extract 99.99% pure copper, zinc, gold, silver and other industrial elements which are converted into electronics. I'm a hobbyist fan of silver and know just the basics - refining for 99.99% pure silver looks like making crack to my eyes. :) Breaking Bad level chemicals.
I'm to understand the act of creating and "washing" circuit boards also uses a large amount of caustic chemicals, as does the attempted recycling/recovery (to basically eat away the coatings to expose the reclaimable metals). Refining for purity has a high environmental cost to get it from ore -> 99.99% and to reuse/recycle it, I speculate much higher than iron ore (train tracks, etc.) require/use.
Interesting claim, but to justify a few milligrams of metals is worse than literally tons of metal and cement is going to require a quantitative argument.
99.99%, even if you’re right, only gets us to 10kg equivalent if you start with 1 gram.
(And keep in mind that these processes to make bulk materials themselves use alloying agents and specialty materials in cutting heads, etc, to fabricate them.)
It requires tonnes of ore processed to produce ounces of gold (I read roughly 13 tonnes on average, but it's highly dependent on the quality of the deposit and refinement difficulty), there are metrics and studies: https://www.businessinsider.com/tons-of-rock-for-an-ounce-of...
Keep in mind your conventional car’s catalytic converter contains grams of platinum group metals, worth about $1000 or so now ($3000 for older, larger catalytic converters). Due in large part to the spike in rhodium prices.
Platinum is extracted as a by-product of nickel and copper mining (as are other elements) as it's primary source, unlike gold and copper which are mined for their element directly. Not arguing your point (45% of platinum is used in auto) only that how we get Pt and Pd is already in progress to get at the other elements like Cu, Au and Ag.
But IS it a mere byproduct? If it adds significant revenue, it’s no longer a mere byproduct but now part of the business proposition of the mine. About $30 billion of nickel is mined per year. About $8 billion in platinum mined per year. 30 tons of rhodium are mined per year, which at current >$900/gram prices, means the revenue from rhodium is actually HIGHER than platinum and on par with nickel.
So you could as well argue that nickel is a byproduct of rhodium (and platinum group metal) production.
The USA mints alone use roughly 4,400 tonnes of nickel to produce coins every year (one specific industry with one type of output in one country). Around 133 tonnes of platinum and 1,800 tonnes of gold are mined per year in total for all use globally.
Local odeon stopped using plastic straws in their drinks. Paper ones were awful. Bought some metal straws also awful. Ended up taking 2x500ml bottles instead - far more plastic than was used before.
Using them maybe not, but producing them and then shipping them across the globe? Also, as with all things, its not like one iPhone in isolation is a problem, but millions, year after year, that does add up.
Maybe that's still not much compared to other industries, but in the context of the conversation here, its still something that an individual who might complain about climate change does have a little control over. I mean, if I complain, but then don't change MY behaviour, even if that change wouldn't by itself change anything, why should I expect companies to change theirs?
I bought a guitar, TV went unused, sold it, less gadget worry. Bought more guitars!
I’ve dramatically slashed my personal gadget footprint. Phone, watch cause I like the exercise data, a Linux box I barely touch, old iPad for movies and video chat.
I pickup the guitar rather than sit at the TV or computer. Learning an instrument connects both sides of the brain like no other skills based activity.
No ads, acoustic road trips easy enough, no worry about charging, smart speakers would hear some bad covers of Wonder Wall.
It’s a life changing experience.
So when the TV breaks, maybe consider replacing it with $500 digital piano to get weighted keys and decent built in sound instead of paying for an ad distribution device.
Kinda, its an app that trains people to tune guitars in different scenarios. The ads are mostly for pro versions of itself, its sibling apps and a far field mike array for adjusting tuning based on the room. The killer feature is artificial intelligence that learns how the person perceives sound and adjusts the tuning from "technically correct" to "perceptually correct." It is gamified with a blockchain verified leaderboard.
Cheating devalues games. Ambiguity heightens absurdity. Maybe I should have added that the IP has rock solid patents, is open source* and the startup is still in stealth while raising a series G.
* some restrictions apply, please agree to the terms of service to allow super cookies and review that the license SKU matching your service region to a stacked arbitration regime established in the People's Democratic Republic of Korea and Delaware
Relative counterpoint - I'm an online student, all of my classes require a PC, all of my homework requires a PC. My orchestra requires I listen to and play along with recordings (on a PC). The minimum 'personal gadget footprint' for me and many others is going to be quite high. Above a certain level, IoT is unavoidable.
The thing that drives me bonkers about "smart" TVs is how slow they can be. Cheap processor + lots of software to compute = sluggish user experience. It's not not only is it spying on me, it's letting me know that it cares more about making me wait to spy on me before adjusting the frikkin' volume.
Like most other things, it's the good old "you get what you pay for". I got the LG CX OLED few months ago and that thing is lightning fast. Starts up nearly instantly, apps switch without any delay....I have no problems with it being "smart". Compared to my old Sony Bravia which literally took a minute to even start up, urgh.
Now you have to pay more for features that used to come standard, in addition to making tv ownership ad supported.
Nobody had a lighting fast or slow RF remote, the volume just went up and down when you clicked the button (after getting it pointed in the right direction)
Same here. I have a plasma LG that I absolutely love. It has an amazing picture, but it's heavier than wet sand.
My friend recently got a new TV and I was appalled at the controls, picture (soap opera effect), "smart features" (how it instantly goes into this app like experience that you can't ever get out of). So many things bother me about modern TVs. If my TV ever dies, I don't know what I'll do.
Replace with a projector :) you don’t watch OTA channels, do you? So any other media source should be hookable to a projector. Sure you need a dark room to watch stuff, but that’s a plus as it’ll induce you to watch less tv ;)
Also - the soap opera thing can be turned off in decent newer TVs and as discussed in other HN threads you can just deny the TV an internet connection so it behaves dumbly. You might still need to contend with clunky UI but really - just select your video source and start watching, so the pain is minimal.
I got myself a nice chunky laser projector with more than enough lumen output to overpower the sun. In fact I loved it so much I got a second one for basically the same price. Sure it's not 4K, but I get the screen size.
Are they good, though? I, too, want a "dumb" TV, but I still want high color accuracy, refresh rate, viewing angles, etc. I don't necessarily want a Hotel/Office Waiting Room TV.
Also, taking a look at the site, and not a single 4K UHD TV is in stock at the moment. Yikes!
Can't vouch for the TVs, but I owned one of their 1080P monitors in the last 2000s/early 2010s. Upper-middle quality, very basic OSD, great customer service. Used the monitor for ~7 years before upgrading to a 4k, sold it still working with original cables & box.
Most TVs work fine without an internet connection. I recently got a new Samsung TV. It really wanted an internet connection but works just fine without it.
This. All I want out of a T.V. is a dumb monitor. If I want "smart" I'll just plug something in - that's why a TV has HDMI ports. Instead you get something you can't replace, can't fix and can't get rid of.
One of my "please steal my idea" projects is to get any of these Youtube personalities that are famous for commentary on consumer tech (such as Linus from LTT, MKBHD, mrwhosetheboss) and convince them to create a company that would mix together something like drop.com with a "design studio" focused on coming up with high-quality kits for consumer gadgets, with the twist that every kit is open source and freely available.
Every month or so, they would make a video about the ongoing projects and show what kind of features are already available. Partner with manufacturer companies that can provide pre-assembled systems. For those that don't care about the DIY part, offer a subscription-based option where they can get early review units, prioritize their change requests, troubleshoot support, personalization options, discounts for bulk buys, etc.
The revenue from these subscriptions should be more than enough to fund the team of open source developers/designers and to make up for the "lost" revenue of a video made that is sponsored by any of the big tech companies. The most interesting though would be to see if this could lead to a change in consumer demand: could an influencer changed the public's perception of what is really "hot"? Would we start seeing things like "/r/mechanicalkeyboards" for all sorts of products like TV panels, wireless speakers, home automation light systems, F/OSS-based smartphones?
I had a similar idea where devices are all just a bunch of input and output devices that declar themselves via zeroconf on wifi/5G. And you can have a portal on your PC where you choose which software to use one which device and control it all from there.
There's a lot of IoT stuff which doesn't reach out to the internet. You can also reflash some commercial solutions with open firmware. Also, there's quite a few local only solutions using ZigBee / zwave that you can manage from Home Assistant.
You probably mean home automation. IoT is connected to the internet by definition.
Home automation is a mess, IoT or not. There are standards like KNX, but the problem is the same as it was 30 years ago when the idea of home automation arose: manufacturers want captive markets and can't agree on a single standard.
As a result, I can't buy any A/C unit, rolling shutter, light fixture and thermostat and just connect them to my home network, the selection of "smart" appliances is actually very limited.
I mean, home installation is thought out on the scale of decades, because renovation is a pain. People want something simple and reliable, that is the reason why some taps, switches, sockets, etc... are 10 times more expensive than others while looking the same and people still buy them. It is the complete opposite from what Silicon Valley is pushing.
Those who are old enough remember that the Internet is just one example of an internet. Quoting Wikipedia (https://en.wikipedia.org/wiki/Capitalization_of_Internet#The...): "The Internet standards community historically differentiated between an internet, as a short-form of an internetwork, and the Internet: treating the latter as a proper noun with a capital letter, and the former as a common noun with lower-case first letter. An internet is any set of interconnected Internet Protocol (IP) networks. The distinction is evident in Request for Comments documents from the early 1980s, when the transition from the ARPANET, funded by the U.S. Department of Defense, to the Internet, with broad commercial support, was in progress, although it was not applied with complete uniformity."
So an IoT is an internet of things, not necessarily the Internet of all Things.
> You probably mean home automation. IoT is connected to the internet by definition.
Home automation was just an example. I take IoT to mean networked not-general-purpose devices. The internet part is meaningless. If you use that IoT device in the same server room as the controller does it become strictly LANoT? What about private overlay networks? It was never about the internet as in public accessibility.
>but the problem is the same as it was 30 years ago when the idea of home automation arose: manufacturers want captive markets and can't agree on a single standard.
I think the "solution" to this is some sort of open hardware system, where instead of someone manufacturing and selling for a profit, the design includes a standard set of parts you order, and then there's a very simple assembly, Ikea-style.
Literally yes, but come on. "connected home" and IoT are so close in use case, and _because_ most connected home things are Internet-only, let's not pick at terminology too much.
I would love to have a connected home that did not require _any_ external connectivity or web accounts. Why did I need to login with my Google account and enable location services to set up a Chromecast Audio?
There's value in automation across different devices. Just a silly example: I've got a CO₂ monitor in my office. If the level goes above a certain threshold, it triggers a fan and changes the color of an LED light strip to alert me.
Automation is great. What's nice is the thing you described can also be implemented extremely cheaply without any fancy logic or network connectivity, and then it's just a Thing, not an IoT thing.
... Are you really using iot for a co2 sensor of all things? It's one thing if your smart toaster fails to start when your car enters the garage, it's another when a device to save your life decides to do an npm update at the wrong time and you go to sleep. For good.
Sitting in an increasingly concentrated puddle of my own CO₂ when I close the door of my small home office is not a life safety issue. It just seems to affect my cognitive performance at some point. If there were CO₂ tanks or combustion in play, I'd be using a proper industrial CO₂ alarm.
Slightly OT: But what sensor are you using? I've been on the lookout for one for years but always decided they've been too expensive. But now working from home I think it's time to finally get one.
I love that my light turns on in the hallway when sun sets. Or the lock locks/unlocks as I leave or approach the house. Or that I can see my camera over vpn.
I totally understand it for security, as ironic as it is (given the topic). For everything else though, I feel like there's a "honeymoon" effect in place, where the theoretical and immediate convenience overshadow the implications.
To make a silly comparison, it's like buying digital videogames on a console instead of their physical versions, knowing you're trading immediate convenicence while giving away control, ownership and future availability.
I would have much less problems processing IoT if the "I" was scrapped and optional by default.
I guess I have an hard time understanding people relying on the internet at all.
In addition to what the other reply said about going local-only using Zwave/Zigbee, the other key is that home automation should be "in addition to" not "instead of."
Want to control your lights remotely or automate them? Use an in-wall smart switch. They still work as physical switches even if all your automation/smart home stuff is down. Guests don't need to know anything about the smart home, they can just operate them like regular switches. You get smarts "in addition to" the normal light operation that everyone in the world understands.
Smart garage? Hook into a regular, tried and true garage opener using some kind of remotely controllable relay. The button on the wall still works, the opener in your car still works, but you can have smarts in addition to all that.
Replacing regular bulbs with smart bulbs and then requiring a phone or internet connected voice device "instead of" a normal wall switch is insanity.
That's definitely a popular stance in the community of people who care enough to join the home automation and general electronics community, but if 'most people' is a factor, Amazon's best sellers are all "works with alexa" and "no hub required", and all of those products will surely die when their cloud tenancy is turned off.
I personally hate living in a haunted world which is filled with devices watching me, ready to pounce and fill me with delight at their fulfilling my every desire. It's absolute exhausting and downright terrifying when you think through the hell some motivated hacker (or hater) could subject you to.
Is it unthinkable that all this stuff will turn on you one day? What if you become infamous for crossing the wrong person and a viral video sends the firehouse of political hatred from one group or another your way? "Swatting" is a thing. Just wait until people start hacking your house. They could burn it down while you are away by just turning on your oven maybe!
Me? I'd like my bricks, locks, doors, lights, and life to stay dumb.
I like not having to get up and walk across my house to reset the internet because my ISPs modem is garbage and locks up under heavy load.
I like being able to schedule my plant's grow lights to get the appropriate amount of light regardless of season and being able to keep that schedule even when i'm not home
I like knowing that I left my garage door wide open as I drove away because I forgot to look back over my shoulder to see that the button in my car didn't get picked up.
I like being able to unlock the door for my neighbor to let my dogs out if I end up stranded at work longer than I had intended to when I left that morning.
I like that my garage camera turns on and takes shots of whoever is entering though the door when its opened.
I like that my system texts me if a door/window is opened after 10pm (if its me? no biggy. If its an intruder? BIG HELP)
I like that these devices are on a segregated VLAN with firewalling protecting my personal computers/NAS
---
There's a lot of negativity to be said about smart devices, but you can't focus solely on the negativity while ignoring the advantages.
There's also a level of risk and comfort each individual should be willing to set for themselves. I don't 100% trust my garage automation, that's why I have monitored security on my house. I'm not willing to automate devices that can harm my house (oven as your example) but I am willing to monitor their power state (is the oven on?)
Your dual-edged sword is a valid argument, but one can only set the level of risk and comfort iff he/she is aware of the risks in the first place. Look at how busy the Best Buy "Geek Squad" is setting up TVs' and helping new owners with use of their smart remote! :-)
“Ghastly,” continued Marvin, “it all is. Absolutely ghastly. Just don't even talk about it. Look at this door,” he said, stepping through it. The irony circuits cut into his voice modulator as he mimicked the style of the sales brochure. “All the doors in this spaceship have a cheerful and sunny disposition. It is their pleasure to open for you, and their satisfaction to close again with the knowledge of a job well done.” - Douglas Adams, The Hitchhiker's Guide to the Galaxy
People just can't get enough of Alexa and her Genuine People Personality!
The door refused to open. It said, “Five cents, please.”
He searched his pockets. No more coins; nothing. “I’ll pay you tomorrow,” he told the door. Again he tried the knob. Again it remained locked tight. “What I pay you,” he informed it, “is in the nature of a gratuity; I don’t have to pay you.”
“I think otherwise,” the door said. “Look in the purchase contract you signed when you bought this conapt.”
In his desk drawer he found the contract; since signing it he had found it necessary to refer to the document many times. Sure enough; payment to his door for opening and shutting constituted a mandatory fee. Not a tip.
“You discover I’m right,” the door said. It sounded smug.
I'd go further: smart devices are largely a status symbol. You're advertising to your guests that your concerns are those of convenience and luxury, to the point where you won't even use a light switch. That alone is pretty gross before you add in the implicit support for the megacorps.
I use smart home stuff, because:
1. I use it as security device (i have tons of zigbee sensors for motion, and contact).
2. I forget about simple things, all the time. I forget to lock my door, i forget to get my keys etc. All of this is taken care for me in case i forget. I haven't hooked up my garage door yet, but my kid (1 yo) likes to find the remote and press it mindlessly, and i really don't want to leave it open.
3. I like the convenience in general.
If you come to my house, it's definitely not something you'd say a "status symbol". It's only expensive because it's in bay area, otherwise it's a mediocre house.
I have been a programmer for as long as i remember, and these things excite me, that's another aspect.
I agree, but what I dont like is how to function a device needs Internet connectivity. Our smart vaccum cannot work with its app unless its connected to thr Internet. The nice thing is we can see its progress on mobile data, etc, but its a little ott for a 3rd party server to be involved. I'd prefer it to be local only.
I have a roborock(Xiaomi sub-corporate brand) firmware flashed to no longer need internet, hosts "the database" on itself which is great for latency/responsiveness, provides web page functionality so you can use it from your phone, computer etc.
Nice, I have the xaoimi mi vaccum Mop, not sure it's supported by that site just yet, but glad someone has taken up the challenge. It's a great little device.
There are lights in our home that are simply hard to get to, especially in certain cirumstances. I could probably rig up a physical switch with some extension cords (potentially dangerous) or rewire the house (expensive and messy) or I could use a wifi bulb or switch.
And once that was the case, it just made sense to have others for convenience, too. For instance, we can turn off almost every regularly-used light at the same time now when we go to bed. The remaining ones are lights we only turn on for a short time anyhow, so they don't get left on.
I remember when the primary threat you considered when setting up your firewall was hackers trying to infiltrate your network. Increasingly I find myself using my firewall to sandbox devices already on my LAN and preventing them from phoning home to exfiltrate.
My thoughts exactly. And even this seems to be getting harder. I keep reading about "smart" TVs which barely function if they're not allowed to phone home, and IOT devices which query their own hardcoded DNS servers, ignoring whatever your DHCP server has told them to do.
I think it's only a matter of time before we start seeing more and more of these things with built in cellular modems which can't be disabled. Makes me want to start stockpiling older technology in order to prepare for a time when every single available lightbulb, washing machine, TV, or vacuum cleaner has to be online all the time and controlled by some privacy destroying app.
I'm only half joking when I say that I can imagine a future where something purely mechanical is considered the height of luxury. Look at this! A door lock with a metal key which doesn't log and transmit the comings and goings of your family and friends. Incredible! If only we could afford such a thing, but there are only a few artisans left in the world who can make them...
I can't imagine letting non-free software– the proprietor can modify it, but I can't, and under the control of someone else– hexing a piece of property I have bought. It's my property, yet it's cursed by the proprietor.
I would be willing to compromise if at least there was a widely adopted set of standard protocols that I could use to interface these devices with my own favourite controller.
Instead it's a mish-mash of bespoke proprietary smartphone apps that have terrible security and privacy practices.
I get the sentiment. That said, consider that "iOT" is sometimes simply re-implementing something that used a different moniker before. A printer that connects to Wifi to print is "iOT" but the link is just replacing the bulky copper printer cable (or the USB cable). Security cameras on WiFi replace installing labor intensive (expensive) hard wires between cameras and base station. It goes on and on. Basically re-implementing the same things that have sold before but with "improved" logistics that lower cost, add capabilities, or both.
>The S in IoT should be for "Stop buying stupid disposable junk." I can't listen to anyone complain about climate change while they fill their homes with cheap consumer electronics from globalized supply chains that spy on them.
...but you can order your IoT to "set a mood" from your phone or speaker and have 5-6 lights in your house change color and some Barry White to start playing like some cheesy 70s playboy's penthhouse.
Who wants to go back to physically walking to close a light? Walking? We've got expensive tredmills we've bought for that purpose!
> I can't listen to anyone complain about climate change while they fill their homes with cheap consumer electronics from globalized supply chains that spy on them.
Your hearing must be better than mine! I didn't hear Todd Weaver, the author of this blogpost, complain about climate change.
>I can't listen to anyone complain about climate change while they fill their homes with cheap consumer electronics from globalized supply chains that spy on them.
IoT thermostats can save an ton of carbon emissions, and spying seems to have nothing to do with climate change. Just put it all on a separate subnet and you can solve a lot of the spying/vulnerability issues though not all.
Check out Home Assistant and mqtt. If motivated you can actually go pretty far with just on-prem. If home automation floats your boat that is. I'm thinking maybe it's not just the surveillance part that you don't care for but that the whole thing does nothing for you. Which is cool.
> I also can't imagine letting an internet connected anything in my home, and I keep all internet electronics in one room. Sure, other people can live in a surveillance zoo, but I prefer to keep mine limited.
Out of curiosity, how often is your smartphone resting on a surface within reach @home?
Alerts have been 95%+ off for years. Sometimes it's nearby, but it doesn't go to the 2nd floor where bedrooms are. I don't do social media or slack either.
It's just a way of living where you don't give other people a free 24h real time option on your attention.
Keeping your phone on you or at your side to respond to notifications and alerts means you are generating surveillance data the whole time via the accelerometer, mic, camera lighting changes, reachable bluetooth devices, signal changes, wifi availability, and every other onboard sensor.
Having alerts off means you relate to the device differently. Would be curious what you suppose I misunderstand about surveillance and security though.
You do know that you can prevent IOT devices from reaching the internet, right? Our Wemo gear, cameras, etc, get blocked by my firewall. Problem solved while still benefiting from their convenience.
What an amazing solution, so simple and accessible to the average consumer. What's the next revelation, that you can prevent the IOT devices from reaching the internet by reverse engineering and rewriting their software?
An even easier and more accesible solution to move your boot with a high enough acceleration towards the IoT device thereby totally disabling the internet functionality! Doesn't even need any technical skill.
This is where Sigfox has a lot of added value: It is like a simcard, but you only pay per million packages instead of per SIM, and you save the trouble of customers trying to disable your hardware. If you build electronic components and the TV integrator doesn’t want to bother providing ethernet to the power unit, at least the power unit can self-report its location to the grid.
Interesting point. I have also been thinking about how LPWANs could, in theory, be used to exfiltrate data from consumer devices without anyone noticing.
I mean, it would be trivial to hide a tiny Sigfox / LoRa transmitter in kitchen appliances, washing machines, televisions, cars or whatever and claim that you need information like location and how the devices are used for "market research".
It feels like it should be illegal, but I'm not sure if it is or if there are loopholes. Do you, by chance, know of any actual consumer products with covert Sigfox / LoRa transmitters?
No I don’t, I’ve just be loosely afraid of TVs with sim cards, and since I discovered Sigfox I know that will happen someday. Same as the MH370 (I think) which went dark at transponder level but the engines continued to return the technical data for 4hrs.
I don't understand why hate like this gets so many upvotes. IoT devices are in their infancy, it's not fair to constantly berate their inadequacies instead of focusing on the technological marvel that they are, what they can achieve and how they can be made more whole. The resistance to change on HN is real.
Home automation is really not particularly novel. Quoting Wikipedia:
>In 1975, the first general purpose home automation network technology, X10, was developed. It is a communication protocol for electronic devices. It primarily uses electric power transmission wiring for signalling and control, where the signals involve brief radio frequency bursts of digital data, and remains the most widely available.[4] By 1978, X10 products included a 16 channel command console, a lamp module, and an appliance module. Soon after came the wall switch module and the first X10 timer.
Of course electronics have progressed immensely in 45 years, so we can now do a lot more with a lot less.
I still feel like very little has change in practice though. I find myself actively avoiding "smart" equipment, both because it's overpriced and a bit of a pain to use in my experience. They all have their own software stack, their own apps (which are often cloud-based instead of running locally, adding all sorts of privacy issues) etc...
On top of that you never know when the company is going to go under or stop supporting your device, leaving you with a not-so-smart device in the best case, or a useless plastic brick in the worst.
Can't wait for my javascript powered IoT kettle that has a cpu more powerful than my laptop and includes 4gb of ram to load half of npm into memory! The future looks ever so much brighter!
The U in Smart (devices) stands for user-friendly.
We need an app to control a stupid lamp but at the same time are expected to buy a "smart home" system so that we don't have to pull the phone out of the pocket. Originally smartwatches were marketed for the same purpose, but I guess now there's also the severe risk of having both hands unavailable at the moment so we need to be able to delay the system update via voice command. Of course with tracking so they can "improve the user experience", and the occasional personalised ad.
Meanwhile I'm wondering how people got convinced this is better than just pressing a physical button, but then I remember even $500+ appliances nowadays are built with such cheap buttons that after a few years I'm forced to learn where to smack the fist on the front cover so they work again for a few minutes.
FOMO and PR. I have friends that have plenty of money and read the latest reviews/gadget magazines. They assume whatever is in the recommended area you should be buying it or your neighbours will have it first.
If that isn't an option (for reasons like not wanting to permanently damage them or being afraid of electrical shocks) a lot of them come with tuya firmware, which you can (still) often exploit and convert with TUYA-CONVERT [2].
I found the Tasmota Device Templates Repository[3] to be a really valuable resource, although I've been using zigbee devices for lightbulbs.
[0]https://esphome.io/
[1]https://github.com/arendst/Tasmota
[2]https://github.com/ct-Open-Source/tuya-convert
[3]https://templates.blakadder.com/index.html