Speaking as a former HVAC/mechanical maintenance engineer, technology like Nest is obscenely underdeveloped. Commercial HVAC systems like Liebert don't get 5-6 strikes at the plate to figure out how to avoid shutting off a customer's heat in the dead of winter. Screw up the HVAC in a nursing home or elementary school, and you can kill people.
Honeywell's commercial offering should be the gold standard here in my opinion. It's fully IPv6 and IPv4, and relies on time-tested probes and monitors to determine what the hell is going on. You can't force it to short-cycle motors until they burn up, and it can't be forced offline from the control interface if environmental conditions are outside a certain range (desert summer, for example). January's update even included EC25519 for console and PFS support for the web interface. Best of all, if something is egregiously screwed up in the system, it fails safe to a simple thermostat or pulls settings from a cluster.
Great examples. The biggest benefit of "smart home" technology is the commercial sector, anyway. A large office building or school campus uses many times more electricity than residential counterparts, and they have the P&L incentive to cut costs wherever possible (such as through smart metering and devices that communicate with one another to maximize efficiency).
I hope that advances made in security for these commercial systems (by necessity) trickle down into the residential space, sort of like how "dumb" construction techniques, high-efficiency window glazing, etc., have all made their way into the residential sector over time.
> A large office building or school campus uses many times more electricity than residential counterparts, and they have the P&L incentive to cut costs wherever possible (such as through smart metering and devices that communicate with one another to maximize efficiency).
The difference is that commercial and industrial buildings already try to minimize costs. In the residential space, occupants often aim for comfort over cost - sometimes missing out on opportunities to retain comfort while minimizing cost. So there may be more relative opportunity to cut costs in the residential sector than commercial or industrial. Of course the sector with the largest opportunity is probably transportation.
Your example of a nursing home is a good one. Other critical areas include equipment that fails when temps get out of spec and this can be expensive. MR imaging units, labs, server rooms etc.
> Commercial HVAC systems like Liebert don't get 5-6 strikes at the plate to figure out how to avoid shutting off a customer's heat in the dead of winter.
There's more money to test in that side of the industry, I'd wager. Unless the people developing commercial HVAC are simply better software/hardware developers than consumer companies' solutions.
> Unless the people developing commercial HVAC are simply better software/hardware developers than consumer companies' solutions.
Sometimes this is true, relative to the purpose at hand. Take a mediocre web developer and ask them to build a smarthome system, and you end up with a wire protocol of raw, unverified, unfiltered Python code in plain text, running under eval() on a grossly underpowered microcontroller (true story, was fixed eventually AFAIK, not naming names).
There's something to be said for the discipline that comes from working in a resource-constrained hardware/software project. We could benefit from more cross-pollination between industries, as long as experienced engineers are sanity checking the resulting ideas (Python is not a protocol!).
If a go-kart manufacturer made a kart whose roll-over cage failed in any circumstance, we would not excuse it by saying that there is more money to test in the automotive side of the industry.
They don't necessarily have to be "better" to deliver more reliable products. They have a head start and don't have to aim for the same feature sets that companies like Nest aimed for in their first product.
Yet another article that went out and found the shadiest, cheapest, worst IoT devices and extrapolates in headlines that the entire ecosystem is that bad.
Where's the analysis of Nest? Where's the pentesting of SmartThings? Where's the article about how they tried 12 different ways to get into another reputable brand?
Don't think for a second that I'm saying anyone should get a pass, they shouldn't, but this to me seems like the equivalent of reviewing $3 luggage locks and talking about how insecure they are, then concluding that all locks are insecure and you shouldn't use them...
I will say that this article is better than most at keeping the criticism specific to these devices (except for the headlines), but they don't name the devices, so the analysis isn't doing any good (I still have no idea which device it is, and therefore can't protect myself by not buying it...)
The names of the devices are practically in the clear in the article. First in the picture of the PCB, there's an obscured "Z?p?Box", and googling rather quickly yields the Zipato ZipaBox -- and oh hey, the logo on the PCB matches the one on the site: https://www.zipato.com/product/zipabox
I'd argue that Xiaomi isn't a trustworthy brand by a long shot; there are plenty of examples of these kinds of issues with their stuff, and if more researchers would point out why a specific device is bad, and provide options that do it better, they might be incentivized to improve it, or at least people will be warned not to buy them.
Zipabox does seem like a good product at a very quick first glance of their website, and I do rescind my "shadiest and worst IoT devices" comment for them, but it still annoys the hell out of me that they release this research but don't provide a way (without a bunch of searching like you had to do) for me to check if I'm vulnerable!
That may well be what they're thinking they're doing, but when it's trivial to identify the machine with a bit of work, they're just disclosing early in a clumsy and obfuscated way.
While I agree with the sentiment about the $3 luggage locks, I think it's still important to discuss that the $3 luggage lock doesn't work (especially if it's advertised to work). Some users might have the expectation that it does work.
On the more expensive devices, while I have a limited sample, my short career in IoT security has shown me that your $100-$300 devices have pretty serious security implications.
And I think there are a couple reasons why this is the case:
At least some (most?) of these products are being built by average developers with average exposure to security, so like other areas of tech, they should be just as vulnerable as everything else.
IoT is a young industry, so you don't have the same set of best practices and common code that you can leverage. Ever wanted to encrypt sensor data on a CPU that's designed to operate for a year on a coin battery? Turns out you can't just run OpenSSL and TLS to secure that low-power wireless connection. And that sensor might be the one telling your security system to trigger.
Hardware is a super competitive market, so when it turns out you're basically selling every unit at a loss to try and gain market share, it doesn't leave a huge amount of room to invest in security best practices vs. get it done and shipped. You know that wireless sensor that detects when you're home and changes your settings? Well, it's basically broadcasting to the neighbourhood whether you're home or not. It's a theoretical problem (every problem is until it isn't) that someone could use that against you, so do we worry about that, or do we worry about optimizing our code so that the battery doesn't have to be changed every month?
Please keep in mind, I have limited exposure, but in my experience working on this, I think unless companies can prove they're actively investing in security (and not just saying they care about security), we should be suspicious. I can see why the industry as a whole could be failing to protect its consumers, and probably deserves a poor reputation for security.
And just because you don't hear some researcher talking about product X doesn't mean that product doesn't have abysmal security. A friend of mine keeps telling me that, in her experience, security researchers on average are cheap, so they're not going to look at the $300 lock when there is a $3 alternative to pick apart.
> Don't think for a second that I'm saying anyone should get a pass, they shouldn't, but this to me seems like the equivalent of reviewing $3 luggage locks and talking about how insecure they are, then concluding that all locks are insecure and you shouldn't use them...
No, the article shows that $3 luggage locks exist, and then provides sound general advice on how to avoid those.
Except their advice wouldn't even stop the attacks they outlined.
> Always change the default password. Instead use a strict and complex one. Don’t forget to update it regularly.
Good advice, but it won't stop the password from being sent over HTTP.
> Don’t share serial numbers, IP addresses and other sensitive information regarding your smart devices on social networks
Again, good advice, but it won't stop the device from storing WiFi credentials after a hard reset.
> Be aware and always check the latest information on discovered IoT vulnerabilities.
I wish I could, but they haven't named a single device that anyone can watch out for, nor have they shared any way that the average user can check for these vulnerabilities.
Those three points are explicitly meant to be "for users".
Your counterarguments address implementation issues, but the advice given to implementors is consistent with your arguments: "No less important is that vendors should improve and enhance their security approach to ensure their devices are adequately protected and, as a result, their users [...]"
>Those three points are explicitly meant to be "for users".
But my point is that their article explicitly shows that those 3 points are pointless for users.
A user's only defense against the attacks shown in the article is to not buy or stop using those devices. And until security researchers are willing to let users know if their devices are insecure, it's only going to get worse.
It's strangely analogous to "abstinence" as a form of birth control. Telling people who want IoT devices to just not use them isn't a valid answer. Show them good examples of well designed devices, point out the worst offenders by name and explicitly, and show what users can do to research and avoid devices like them.
Talking about how your serial might be used as a form of authentication, and to keep up to date on IoT vulnerabilities that they themselves won't publish, doesn't do anyone any good.
> But my point is that their article explicitly shows that those 3 points are pointless for users.
It's pointless with that device. The 3 points are general advice, and changing a default password, for example, is definitely sound advice.
> Telling people who want IoT devices to just not use them isn't a valid answer
Where are you getting this from? There's an entire section in the article ("Get Ready") with suggestions on how to securely use IoT devices. There's no mention of not using them.
> and show what users can do to research and avoid devices like them.
Completely agree with your points. Every time one of these articles comes out it just fuels the FUD factor for Smart Home from reputable companies.
Especially in the last year or two when many of these articles focus on the physical access exploits of cheaper manufacturers. If someone is going to break into my house just to ransomware my thermostat, or upload new firmware to my Gen 1 Alexa... someone needs to explain to me how there are not more high value targets/things in either of those cases. Even for surveillance purposes.
Hardware is hard. I think many small IoT companies have figured that out, the larger ones have known it for a long time. Security is harder, but that's why it's important to buy from someone reputable (e.g., the "default password" fiasco on cheap DVR wired camera systems)
Disclosure: I work for a large consumer IoT company.
Think big. The latest and greatest in DDoS is botnets of compromised IoT devices (as of a few months ago, I don't keep current).
The nightmare scenario, still theoretical, is to synchronize the activation and deactivation of power-hungry processes to wreck the electric grid.
I'm pretty sure that's going the long way round to wreck the power grid, if it works at all. DOSing critical infrastructure is pretty scary in general, though.
I agree that it's unfair to tar the whole field with the blunders of the worst performers. But your comment I was replying to seemed to ask, "what's the worst that can happen?". It's a valid question for physical access attacks, but, once scalable remote exploits get into the picture, the worst that can happen is very bad indeed.
>I agree. I think IoT definitely gets a bad name because of poor security practices and design decisions made by a few bad actors.
No, it gets a bad name because it moves all the legacy code security problems common in heavy industry into a consumer environment where it is much easier to justify not allocating resources to manage those problems.
Stable, mature, well-done IoT is basically nonexistent. There is no boring Toyota Corolla running Debian stable in IoT. All you can find are Teslas running Gentoo nightly cross-compiled from a $30 Android 2.2 tablet. Anything partially obstructing a lane and a few 18-wheelers will bear the scars.
IoT is going to be a security mess for the foreseeable future. Something that actually harms the companies employing the people writing the spaghetti needs to happen before the ball gets rolling to solve things.
Operating systems, networking protocols, serving web content, etc, etc all used to be the wild west at one time too. The problem in IoT is that right now the spaghetti authors are responsible for a huge part of the stack, not just the spaghetti and the sauce. When many IoT projects are reinventing a bunch of wheels it's no surprise that a few of them are square and not very secure. As IoT matures more and more things will be abstracted and the spaghetti that makes your blender smarter than everyone else will run in nice little padded cells where it can't hurt anything.
I expect that eventually most of IoT will be running on a handful of platforms built around a mostly common core stack similar to Linux today (most of IoT uses Linux so they'll probably copy that architecture). There will be plenty of stupid stuff that goes down between now and when IoT starts to mature though.
> An interesting fact is that the bulb does not interact with the mobile application directly. Instead, both the bulb and the mobile application are connected to a cloud service and communication goes through it.
That convinces me not to buy a smart lightbulb. The lifespan of an LED is ~30 years. The lifespan of an IoT/cloud company can be much shorter.
Why is YeeLight worth $18? I usually spend $5 or less for LED lightbulbs. Where is the extra value?
Edit: Amazon sells a pack of 16 Philips 800 lumen (brighter than YeeLight) for $1.75/bulb. The light is brighter, the color temperature is the same, and it's 1/10th the price. Alexa, a smartphone app, and dimming isn't worth $16.25/bulb to me.
For some people dimming/color changes/automation features etc are worthwhile. If you don't want that or the added cost isn't worth it to you then of course it doesn't make sense to buy something like the YeeLight, but if you do want that stuff then the $5 bulb is not an option. Smart bulbs are more of a niche product than the current IoT frenzy lets on, but it's not fair to totally dismiss their added functionality when comparing against a traditional light bulb, even if it isn't your cup of tea.
Edit: also, the projected lifetime of LED bulbs is usually quoted at 50,000 hours, about 6 years, not 30. In practice it's 5-10 years. That's all LED bulbs, not just smart ones, and is mostly down to heat causing the LEDs or the power supply to fail.
> For some people dimming/color changes/automation features etc are worthwhile.
Who?
I'm not dismissing that there is a market, I'm dismissing that it's the type of product that should be in most homes. I see the value added being worth cost in smart vacuum cleaners, smart thermostats, and IP surveillance cameras for the average home. I don't see a 10x value added for light bulbs.
You're correct about 50,000 hours. Most lights in my home are used less than 5 hours a day, which is the origin of my 30 year number. From my point of view I think about owning an LED for 30 years, but when I communicate the lifespan of an LED to the world I should use a more common measurement.
It's worth it to me. I like having my lights automated to respond to my schedule and coordinate with other sensors so that the lights come on and off automatically, fade to keep light levels constant, adjust color temperature to reduce blue light in the evening. For me, the real killer app is using them as an alarm in the morning. I'm not a very good morning person and have trouble waking up abruptly from an alarm, but I can use my lights to slowly fade on and wake me up gently (I'm super sensitive to light so just the slow fade in over 30 minutes is plenty to wake me up). I don't feel nearly as groggy in the mornings waking up like that.
It's a luxury for sure, but it's one that appeals to some people. Smart lights are definitely over-hyped, however; they are far from essential.
Interesting. So you get up at different times per season? The sun doesn't come up at the same time every day. In the winter I'm out of the house before sunrise.
For me it's more of a time issue. I'm really light sensitive, if I didn't have the window blacked out I'd be woken up at dawn every day. I don't have to get up that early for work, so instead the lamp does its thing. You can get alarm clocks that do basically the same thing, but they're more expensive than a smart bulb.
I wake up at dawn every day. The only bad part is that I live on the 47th parallel, so sunrise changes from 5am - 8am every year. Luckily my schedule is flexible enough to accommodate this.
Dry answer: some people (whether through different preferences, or even exposure to advertising) think that the convenience offered by a smart bulb is worth the $16.25 (or whatever) price. You might not place that much value in that, but obviously enough people do that it's a viable market. It's the same logic why luxury [anything] exists.
The connected lamp in the article is, one can read from the pics, the Xiaomi Yeelight. I have a couple of those. They are wifi-connected and you use an app to interact with them (by default). What you can do is, in the app, enable "developer mode", which enables a local-network interface. Then you can control them on the local network over TCP.
They have a really nice build quality, a well-documented API for local control, and very nice light with adjustable color temperature. And they have built-in support to simplify things (e.g. "go to 100% over a period of 3 seconds by dimming slowly", or "fade to 3000K color temp over 10 seconds"). And they cost only about 15€.
The non-RGB variant cannot change color temperature and is in my opinion too cold so I can't recommend it.
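An added example (not from the thread or from Yeelight) of what the local-control interface mentioned above looks like on the wire. It assumes the public Yeelight LAN protocol spec: TCP port 55443, one JSON object per request terminated by CRLF, transitions expressed as [value, effect, duration_ms], and replies of the form {"id", "result"} or {"id", "error"}. The two transitions from the comment ("100% over 3 seconds", "3000K over 10 seconds") are encoded and the reply parser handles the error case.

```python
"""Builder/parser for the Yeelight LAN control protocol (JSON over TCP).

Assumptions (from the public Yeelight LAN protocol spec, not from the thread):
- the bulb listens on TCP port 55443 once "developer mode" is enabled;
- each request is one JSON object terminated by "\r\n" with fields
  id (int), method (str) and params (list);
- transitions take params [value, effect, duration_ms] with effect "sudden"
  or "smooth"; a smooth transition must last at least 30 ms;
- replies are {"id": n, "result": [...]} or {"id": n, "error": {"code": c, "message": m}}.
"""
import json
import socket
from typing import Any

YEELIGHT_PORT = 55443
MIN_SMOOTH_MS = 30
CT_RANGE = (1700, 6500)      # colour temperature in kelvin
BRIGHT_RANGE = (1, 100)      # percent


class YeelightError(Exception):
    """Raised when the bulb answers with an error object or a malformed reply."""


def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name}={value!r} outside {lo}..{hi}")


def _transition(duration_ms: int) -> tuple[str, int]:
    """Map a requested duration onto the (effect, duration) pair the bulb accepts."""
    if duration_ms <= 0:
        return "sudden", 0
    return "smooth", max(duration_ms, MIN_SMOOTH_MS)


def build_command(msg_id: int, method: str, params: list) -> bytes:
    """Encode one request exactly as it goes onto the socket."""
    # Note the message carries no credential: whoever can reach the port on the
    # LAN can send this, so the interface is only as safe as the network it is on.
    body = json.dumps({"id": msg_id, "method": method, "params": params})
    return (body + "\r\n").encode("utf-8")


def set_brightness(msg_id: int, percent: int, duration_ms: int = 3000) -> bytes:
    """'Go to <percent> over <duration> ms by dimming slowly' (spec method set_bright)."""
    _check_range("percent", percent, *BRIGHT_RANGE)
    effect, duration_ms = _transition(duration_ms)
    return build_command(msg_id, "set_bright", [percent, effect, duration_ms])


def set_color_temperature(msg_id: int, kelvin: int, duration_ms: int = 10000) -> bytes:
    """'Fade to <kelvin>K over <duration> ms' (spec method set_ct_abx)."""
    _check_range("kelvin", kelvin, *CT_RANGE)
    effect, duration_ms = _transition(duration_ms)
    return build_command(msg_id, "set_ct_abx", [kelvin, effect, duration_ms])


def parse_reply(raw: bytes) -> dict[str, Any]:
    """Decode one reply line; raise YeelightError on malformed input or a bulb error."""
    try:
        msg = json.loads(raw.decode("utf-8").strip())
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise YeelightError(f"malformed reply: {raw!r}") from exc
    if "error" in msg:
        err = msg["error"]
        raise YeelightError(f"bulb error {err.get('code')}: {err.get('message')}")
    if "id" not in msg or "result" not in msg:
        # The bulb also pushes unsolicited state notifications on this socket;
        # anything without id/result is not the answer to our command.
        raise YeelightError(f"not a command reply: {msg}")
    return msg


def send_command(host: str, command: bytes, timeout: float = 3.0) -> dict[str, Any]:
    """Send one encoded command to a bulb on the LAN and return its parsed reply."""
    with socket.create_connection((host, YEELIGHT_PORT), timeout=timeout) as sock:
        sock.sendall(command)
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = sock.recv(4096)
            if not chunk:
                raise YeelightError("connection closed before reply")
            buf += chunk
    return parse_reply(buf)


if __name__ == "__main__":
    # Constructed replies in the shape a bulb returns, so this runs offline.
    print(set_brightness(1, 100, 3000))
    print(set_color_temperature(2, 3000, 10000))
    print(parse_reply(b'{"id":1,"result":["ok"]}\r\n'))
    try:
        parse_reply(b'{"id":2,"error":{"code":-1,"message":"method not supported"}}\r\n')
    except YeelightError as exc:
        print("rejected:", exc)
```

send_command() is the only function that touches the network; everything else can be exercised offline against captured or constructed replies.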
Personally, I think a "smart" home is one that provides maximum comfort for minimum effort.
Having to (eg) update the firmware on my lightbulbs sounds about as smart as having to hand-wash my clothes. Hours of effort to save myself 2 seconds a day toggling lights? Not too smart, IMO.
Hours of effort? Updating the firmware on my Hue bulbs is a two minute thing automatically managed by the app, that happens once in a blue moon.
Besides, smart bulbs aren't really an effort-reduction tool. You get a lot more control over lighting if you can adjust brightness and colour on the fly, and do a lot to change the mood of a room.
Yes, sorry for the hyperbole. But in general, for a "smart home" you're going to have apps, logins, setup processes, updates, compatibility grids, security concerns, etc.
I don't know what the total hours of effort are. But I'm pretty sure they're more than I have when I just screw in a lightbulb, plug in a dumb tea kettle, etc. And so far I haven't heard any compelling use cases.
For me, the "smart lighting" I'd enjoy would be getting a few manual dimmer switches installed. Changing color would be neat if it could be done via a similar dumb switch, but it's not something I'd take up a "smart home hobby" for.
Smart lighting is where most of my experience lies. Adding a bulb is a case of screwing it in, going to the app, hitting "register new bulb", and assigning it to the room it's in. At that point it just joins in the same behavior as the rest. Because they're LED bulbs, they have a very long lifetime and are unlikely to die.
I don't think I'd call that level of investment anything near a hobby. You can go a lot deeper with configuration options and other integrations and _make_ it a hobby, but the core behaviour is barely less trivial than a traditional lightbulb.
My experience has been different. My Sylvania Zigbee bulbs, if they don't pair perfectly out of the box, require a reset-and-re-pair process that I usually have to go through three or four times per bulb.
Also, try pairing 4 bulbs on the same switch at once... you'll be lucky to get two to join. Or, try running an automation that sends more than 4 individual state updates to the Zigbee network at once... one or two lights will change.
Most of the smart home apps (whether you're using the Hue app or SmartThings or whatever) need a cloud connection for some ridiculous reason to control the lights; and suffer from a chronic case of not knowing the current state of the lights.
All in all, it comes across as very immature technology. It's as unreliable compared to WiFi as WiFi is compared to Ethernet.
Go out into the world, and poll a few hundred people of all ages and backgrounds. Take note of how many either lose interest or start laughing when your explanation of how to install a lightbulb continues past “screw it in.”
I have a handful of WiFi cameras and can recommend two based on my experience, with a caveat:
* Lower-end D-Link Cameras. Look for screenshots of the web interface on the camera in the manual.
* Amcrest
The caveat is that both companies offer a cloud service and their cameras really like to try to phone home. The upside is that if you put them on a network that's unable to connect to the internet they still function normally.
Depending on what you want, there are a couple of options. All of these assume that you do not want to use the cloud service and do not want the cameras to phone home, this is enforced by your firewall/router.
1) Easiest is to give the cameras access to your ISP's mail server and use the camera's onboard motion detection/email features to send you alerts.
2) Another easy option is to give the cameras access to an FTP server and have them send any files there when they detect motion.
3) You can go all out and deploy Zoneminder, Blue Iris, iSpy, or a similar product on your network. Personally, I use Zoneminder, but by all accounts the other products listed work well. QNAP and Synology NAS devices also include camera monitoring software, but I haven't done any serious investigation into either.
All three of these approaches can be mixed and matched, but once you have more than a couple of cameras it's really nice to have everything centralized. Option 3 is definitely the most effort.
The key thing is to read the manual and reviews before you buy and make sure that the camera will work in the manner you want.
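The options above all rest on the firewall enforcing that the cameras reach only the mail server or the FTP box. An added example (not from the thread, not any vendor's code) of checking that enforcement from the firewall's own drop log: it parses constructed iptables/nftables-style LOG lines, classifies each blocked camera flow, and flags the case where a supposedly allowed destination still shows up as dropped. The "CAMS-DROP:" prefix, the camera subnet and every address are made up for the example.

```python
"""Audit firewall drop-log lines for cameras trying to phone home.

Assumed policy (constructed for the example): cameras live in 192.168.50.0/24;
outbound they may reach only the ISP mail server (SMTP submission) and a local
FTP server; everything else is logged with prefix "CAMS-DROP:" and dropped.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

CAMERA_NET = ip_network("192.168.50.0/24")
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# (destination, protocol, port) the cameras are allowed to reach; constructed
ALLOWED = {
    (ip_address("198.51.100.25"), "TCP", 587),   # ISP mail server
    (ip_address("192.168.1.10"), "TCP", 21),     # local FTP drop box
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log lines in the key=value shape the kernel LOG target emits.
SAMPLE_LOG = """\
CAMS-DROP: IN=br-cams OUT=eth0 SRC=192.168.50.21 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=443
CAMS-DROP: IN=br-cams OUT=eth0 SRC=192.168.50.21 DST=203.0.113.10 PROTO=TCP SPT=41001 DPT=443
CAMS-DROP: IN=br-cams OUT=eth0 SRC=192.168.50.22 DST=8.8.8.8 PROTO=UDP SPT=5353 DPT=53
CAMS-DROP: IN=br-cams OUT=eth0 SRC=192.168.50.22 DST=203.0.113.77 PROTO=UDP SPT=1900 DPT=1900
CAMS-DROP: IN=br-cams OUT=eth0 SRC=192.168.50.23 DST=198.51.100.25 PROTO=TCP SPT=41002 DPT=587
"""


def _is_lan(addr) -> bool:
    return any(addr in net for net in LAN_NETS)


def parse_log_line(line: str) -> Optional[dict]:
    """Turn one LOG line into a dict; None for lines without SRC and DST."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": ip_address(fields["SRC"]),
        "dst": ip_address(fields["DST"]),
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def classify(event: dict) -> str:
    """Label one dropped packet that originated in the camera segment."""
    if event["src"] not in CAMERA_NET:
        return "not-a-camera"
    if (event["dst"], event["proto"], event["dport"]) in ALLOWED:
        # An allowed flow in the drop log means the allow rule never matched
        # (wrong port, rule order or wrong interface): the policy is misapplied.
        return "allowed-but-dropped"
    if event["proto"] == "UDP" and event["dport"] == 53 and not _is_lan(event["dst"]):
        return "external-dns"
    if event["proto"] == "UDP" and event["dport"] == 1900:
        return "upnp-ssdp"
    if _is_lan(event["dst"]):
        return "lan-crossing"
    return "phone-home"


def audit(log_text: str) -> dict:
    """Count events per camera, keyed by (label, dst, proto, dport)."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_log_line(line)
        if event is None:
            continue
        key = (classify(event), str(event["dst"]), event["proto"], event["dport"])
        report[str(event["src"])][key] += 1
    return {cam: dict(hits) for cam, hits in report.items()}


if __name__ == "__main__":
    for cam, hits in sorted(audit(SAMPLE_LOG).items()):
        print(cam)
        for (label, dst, proto, port), n in sorted(hits.items()):
            print(f"  {label:20} {proto}/{port!s:<5} {dst:16} x{n}")
```

Repeated "phone-home" hits to one external address per camera are the cloud service trying to connect; the "allowed-but-dropped" label is the one that says the firewall rules themselves need fixing.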
I would look at network cameras and a rooted android device.
Using an android device basically solved the 3rd party integration (e.g. auto-upload, notifications) and being root you could view cameras in real time with some I/O redirection (i.e. tell hangouts that the network camera is the phone camera) and it would have plenty of local storage and battery life. It would be easy enough to do a simple CLI over email or hangouts chat (e.g. "motion detected on camera X, here are snapshots of the last 300sec, reply "hangout camera X" to view the feed with hangouts")
Redirecting video feeds every which way from a Linux-like box is a really dead horse so there's plenty of options and documentation out there on the various details. Options for adding more security/reliability into that sort of stack are also fairly plentiful and well documented.
Wyzecam
Foscam (as long as you can DNS-sinkhole the phoning home to China UPnP/tunneling "easy setup" portion) IP cameras and cameras compatible with the Synology NAS DS Camera function.
IP Cameras that are RTSP and TinyCamera or BlueIris compatible.
I like the functionality of sending emails to myself, but I didn't want to go through someone else's server. I never found a camera that could do that so I had to build my own with an RPI
So, if an attacker is already physically on your network, and they trigger a firmware update on the lightbulb, and they have modified your router's DNS to request a malicious site, AND they have set up a rogue firmware server likely on your own network, AND they have crafted a malicious firmware for your smart lightbulb...
...they can install a malicious firmware on your smart lightbulb that will forward them your wifi password?
At a glance it seems like making a mountain out of a molehill, for sure. However, let's say some unscrupulous person puts together a little device and Android app and sells it to would-be criminals. For some amount of money they can buy a device that can try to brute-force break into a home network, unlock the doors and perhaps even turn off a security system.
Insurance would cover your stolen items but you're still fucked temporarily, and maybe longer if they were able to steal info to commit identity theft.
Granted they could just smash a window too but this might be easier and make less noise.
The article makes reasonable technical points, but adds a fair amount of scaremongering. Even the title is clickbait-y (which is not surprising since the firm is in the IT security business).
I personally do not feel that all IoT-capable devices must be secured to the hilt. If I set min and max temp on a network-enabled thermostat I am not worried that someone will connect and warm (or cool) my home a bit within that range while I am out. At worst I might suffer a minor discomfort when I come in, but the chances are low and the fix is cheap.
Most IoT setups I would consider fall in the same category: low benefit for attacker and low pain if hacked. If so, I take simplicity and reliability over security. And if I ever wanted to build an IoT setup that would be more painful when hacked I would probably put together 2-3 simple, completely distinct systems that report the same data and check for discrepancies to detect intrusions rather than trying to secure one device to the max. Just my 2c.
> If I set min and max temp on a network-enabled thermostat I am not worried that someone will connect and warm (or cool) my home a bit within that range while I am out.
Will you say the same after I set min/max temperatures to optimize for high cost and change it back in time so you only notice on your next electricity bill?
And how many times are you willing to wake up at 3am in an overheated apartment before you insist that only you should be able to adjust your thermostats?
I am sure there are plenty more ways to abuse even simple things like thermostats to make your life hell. And the more devices are deployed in the wild, the more "pranks" will be thought of and executed.
That is a fair question, but I still consider it very low likelihood and pretty low impact. Sure, you can make an involved setup harassing me via my thermostat, but I would be amazed (and amused) if it ever happened to me.
I am not a public figure, who would do such a thing? A friend as a prank -- s/he would probably tell me soon enough. An enemy -- it is a really involved way for some sort of hassle -- slashing car tires or breaking windows overnight is just as easy (or easier) and much more painful.
Last week someone dumped one of their scripts onto my private git server instance and created issues with attempted XSS. Purely due to chance, I was using the mobile browser to inspect these which didn't have a script blocker installed.
It has one installed now.
You might think "nobody will do this to me" but the internet is filled to the brim with skids who have nothing better to do than scan your router for any open ports (or in a recent case, attempt to scan your IPv6 /64 subnet, though I'm questioning the sanity of that move).
If they find anything they will blindly shove their shit into your IoT hardware. Maybe it'll work. Maybe it doesn't. They don't care, they've already spammed the next host.
Do not underestimate the probability of someone wanting to ram their script up into your IoT or router.
> I am not a public figure, who would do such a thing?
Some bored script kiddie that found AutoSploit[1] or similar and gets a kick out of the "numbers of hacked hosts". I am not sure that "I was just collateral damage" is comforting after things happened.
Bored trolls don't care who you are. Slashing tires and breaking windows would require them to leave the house and settle for just a few targets. Automated attacks on IoT devices allow them to cause problems for a large number of people with very little work and an even smaller chance of getting caught.
The most surprising thing was that they even bothered encrypting the root password or responding to the vulnerability reports. From what I can tell, that's far above and beyond the average IoT manufacturer.
In the comments here and articles like this one, what is the rationale against naming and shaming? Is it legal CYA? Some kind of arbitrary hurdles for would-be exploiters?
I want to know what stuff to avoid and what companies don't care about security.
In the case of the light bulb, it depends if Wifi SSID & Password count as "user information". I don't see any details concerning the other device tested here.
I'm interested in what's exactly specified as "user information". Wikipedia[0] says that it's "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
Is this scaremongering? I write firmware for IoT devices for a living. The client rarely has any interest in security. I put some in, but if it gets in the way (e.g. a variable password for setup depending on the device serial number) they ask to remove it. Sellers actually want a single default.
The latest did want encryption between the device and their upgrade server, which was good. Now it's as secure as their server. Hack that, and of course you own the device; no, ALL their devices. No, ALL the devices supported by the service that manages IoT devices for them and others.