I work in IT, been a software developer for decades.
I have a full on smart home, all the smart tech you can imagine. All connected and running locally via home assistant.
Smart tech isn’t bad, shitty tech is.
“Why are you sitting in the dark?”
“AWS is down 😞”
Same for me. I don’t really like to expose my home and I don’t understand how people are so eager to plug in shady WiFi stuff into their network. I’ve got one “smart” device with WiFi connectivity I’ve allowed to connect to my network, but I’ve disallowed going online and I’ve put it into a different vlan.
Friend of mine: “let’s set up a camera in our bedroom to check on the dog when we’re away.”
The one thing I will never use a smart device for is my door lock. I don’t understand how tech literate people really trust that.
I have a couple WiFi devices for smart home like some TVs and thermostat. All blocked from WAN access and used for local control.
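A way to check that the "separate VLAN, blocked from WAN" setup described in the comments above actually holds, as an added example that is not part of the thread: it scans firewall flow records for accepted connections from the IoT VLAN to non-local destinations. The subnet, the record format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (not from the thread): the IoT VLAN uses 192.168.30.0/24.
IOT_VLAN = ipaddress.ip_network("192.168.30.0/24")

# Destinations that count as "local control" rather than WAN.
# Listed explicitly: ipaddress.is_private also matches documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # link-local
    "224.0.0.0/4",                                     # multicast (mDNS, SSDP)
    "255.255.255.255/32",                              # limited broadcast
)]

# Constructed sample records, format: "src dst dport proto action".
SAMPLE_FLOWS = """\
192.168.30.12 192.168.10.5 8123 tcp accept
192.168.30.12 203.0.113.40 443 tcp accept
192.168.30.20 198.51.100.7 123 udp drop
192.168.10.5 192.168.30.12 80 tcp accept
192.168.30.20 224.0.0.251 5353 udp accept
192.168.10.8 203.0.113.9 443 tcp accept
"""

def wan_leaks(flow_text):
    """Return accepted flows from the IoT VLAN to non-local destinations."""
    leaks = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        src, dst, dport, proto, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # not an IP address, ignore the record
        # Only flows that the firewall let through from IoT devices matter.
        if src_ip not in IOT_VLAN or action != "accept":
            continue
        if not any(dst_ip in net for net in LOCAL_NETS):
            leaks.append((src, dst, int(dport), proto))
    return leaks

if __name__ == "__main__":
    for leak in wan_leaks(SAMPLE_FLOWS):
        print("IoT device reached the WAN:", leak)
```

An empty result over a representative log window means the block rule is doing its job; any hit points at a rule ordering problem or a device on the wrong VLAN.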
I was considering a smart lock for my (armored) front door, but just because there are some locks manufactured here in Italy that can be set to be controlled by external contacts.
Which means I could use an ESP or similar with esphome, now they also support wired, ethernet ones.
That’s way more secure than the shitty lock I have now, I’ve seen videos of people picking that with a decoder device in 30 seconds.
Locks are not secure anyway, and even if it is the most secure lock ever built, may I present a window. Most break-ins, at least when I did home alarms, were smash window right beside door and unlock it.
True as well, but a broken window or a lockpick my neighbors might be interested in.
The key thing is you have exclusive root access to all of it and spend time on admin.
I’m gonna guess that you put a decent amount of time into figuring out a good set of smart home products and maybe even put some effort into looking up which products play well together and what configurations are ideal.
And that’s great if you enjoy shopping for, setting up and maintaining all those toys. But we all know there is too much shitty tech out there to think that it’s a good idea to grab a bunch of smart home stuff at Best Buy one afternoon and just plug it all in and call it good.
I think the thing is, folks in tech are less likely to be cool with, for example, exposing their door locks on the internet without doing a decent amount of due diligence. You have to want it enough to put in the work to make sure you have something that you can feel is secure, smooth operating and meets your personal privacy expectations. It kinda has to be a minor hobby. Which is cool if you happen to enjoy it or get enough joy from the result to make it worthwhile.
For me, I have enough hobbies and pastimes. I’ll put in the effort when the payoff is high, like for a home media server. But there’s no way in hell I’m signing up for future chores and headaches just so I can control my window curtains from my phone.
Nope ZigBee or zwave cool. Not that hard. Next work offline with home assistant OK.
As a hardware IoT security person, that is possible but too much attack surface to manage.
ZigBee, Z-wave and Thread have virtually 0 attack surface from an IoT perspective, and even then what are they gonna do, do radio hacking to turn off and on my lights? It’s not like they can be used in a botnet.
Locks are a bit more risky as an endeavor, but again, it’s probably easier to pick the lock than hack it… Actually with the quality of many smart locks, smashing them is easier still.
Smart TVs are way more problematic devices for example, as soon as they stop receiving updates, you have a bunch of high-speed internet connected devices with unresolved exploits just sitting there waiting for the right chance.
Hear hear.
I feel the meme in the post is created by someone pseudoilliterate in technology. But I can guarantee you they have a smart TV connected to the same WiFi as all their computers and maybe a NAS or home server.
Setting up zwave or ZigBee networks is not an attack vector.
Ditto. A smart home that can operate even if the Internet is offline was one of my core goals setting this up. And save for a few exceptions, I accomplished it. It’s so jarring now to go on vacation and not have all this automation.
This is exactly the line of thought I think people aren’t seeing as the gap. Y’all are too comfortable expecting the internet to be on 24/7. Or the power, for that matter.
If Cloudflare shits the bed again, are your lights stuck on or off? Can you not turn up the heat? We’re in a period of history where things will get worse, not better. The last thing I want is “error: can’t connect to internet” being why you can’t turn the things you can touch in your house on and off. I get it if you’ve managed to do the work to have it all locally hosted, but just as-is seems like a bet against one’s self.
When the power is off chances are that whatever is integrated is degraded anyway. And for actuators just choose some that fail gracefully and allow manual handling. For the rest use HA as much as possible, favour local integrations with no cloud dependencies… and when there are dependencies then make sure the override is available physically (looking at my Vaillant HP). Then stack UPSes or even better home grade batteries (my next endeavour) and have backup connectivity to internet and you’re as peachy as can be.