Internot of Things

Those of us who are interested in such stuff will be aware that the so-called Internet of Things has an awful lot of buggy, insecure cheap tat that can even be repurposed for use in botnets. At the same time, controlling things by the Internet is useful.
I would like to hear ideas from people who are working on projects to build secure stuff for home automation and the like. Currently I have been building a number of simple automation devices that have no Internet connection at all and do simple repetitive tasks - like watering the greenhouse.
As an example of what I mean, I am thinking at the moment of a way of remote controlling my boiler when I go away in winter that is effectively secure. Basically, I don’t want a Nest type device that, if hacked, could do serious damage. I want something that lets me turn up the heating and heat the hot water a few hours before I get home.
My draft design uses a dumbphone, a microphone and a time relay. Calling the phone will turn on the heat for a period defined by the timer - probably 24h. There is no way to turn it off remotely or interfere with the thermostat. To check the house temperature, I am thinking of putting a thermometer with a large LCD scale right where one of my monitor cameras can see it. Thus the system is completely airgapped; the worst an attacker can possibly do is turn on the heating for a day. Once on, it can’t be turned off except by the timer, so it won’t be possible to damage the boiler by repeated switching.
Now I know this is paranoid design but it is also rather simple and cheap and I don’t have to worry about hacking.

Once I have this one going I’ll publish schematics if anyone wants them, and I’d be interested to hear what other ideas people have had. For the electronics side I tend to use PICs which are grindstone reliable and which are running assembler on bare iron, but that’s just me.
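The latch behaviour described in the draft design above, sketched as firmware logic. This is an added example, not part of the original post and not the poster's code: the once-per-second tick, the boolean ring detector, the 3-second confirmation, the timer being non-retriggerable and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ON_PERIOD_S    (24u * 60u * 60u) /* 24 h, the period suggested in the post */
#define RING_CONFIRM_S 3u                /* assumed: ring must persist 3 s to count */

typedef struct {
    uint32_t remaining_s;  /* seconds of heat left; 0 means relay open */
    uint32_t ring_s;       /* consecutive seconds of ring heard while off */
    uint32_t switch_count; /* relay transitions so far (on and off both count) */
} heat_latch_t;

/* Call once per second with the ring detector's output; returns relay state. */
bool heat_latch_tick(heat_latch_t *s, bool ring_heard)
{
    if (s->remaining_s > 0) {
        /* Latched on: the input is ignored, so a caller can neither
           extend the period nor switch the relay off early. */
        s->ring_s = 0;
        if (--s->remaining_s == 0)
            s->switch_count++;          /* timer expiry is the only way off */
        return s->remaining_s > 0;
    }
    s->ring_s = ring_heard ? s->ring_s + 1 : 0;
    if (s->ring_s < RING_CONFIRM_S)
        return false;
    s->ring_s = 0;
    s->remaining_s = ON_PERIOD_S;
    s->switch_count++;
    return true;
}

/* Constructed worst case: the phone rings non-stop. Returns seconds with heat on. */
uint32_t simulate_constant_ring(heat_latch_t *s, uint32_t seconds)
{
    uint32_t on_s = 0;
    for (uint32_t i = 0; i < seconds; i++)
        on_s += heat_latch_tick(s, true) ? 1u : 0u;
    return on_s;
}

int main(void)
{
    heat_latch_t s = {0};
    uint32_t on_s = simulate_constant_ring(&s, 7u * ON_PERIOD_S);
    printf("week of ringing: %u s on, %u relay transitions\n",
           (unsigned)on_s, (unsigned)s.switch_count);
    return 0;
}
```

Under these assumptions a caller who rings continuously keeps the heat on almost all week, but the relay still changes state at most twice per 24-hour period, which is the bound on switching that the design relies on.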


I’m still learning about all of this, myself, but definitely see a lot of potential benefit to finding ways to control bits of my house remotely or automate them. I can’t offer much, except that I am incredibly tired of reading daily articles on The Other Site panic-mongering about “The Internet of Shit”.


Well, that’s Cory more than the site.
I love some of the remote and smart technology but 99% of it does not need to be accessed outside of the internal home network. Sadly we are going to need something that makes Mirai look like it was a mere annoyance before it is taken seriously by the end users.

I remember Melissa causing a stir at work way back when, and my comment was that we were lucky it just spammed mail, and I had seen similar annoyances on mainframes a decade earlier, but the general end user population still didn’t get it till the next variant, ILoveYou, came and that nuked all their local hard drive data and anything on a mapped drive. Until the infection starts impacting the end users en masse we are going to have what we have.


From what I’ve seen, so far most of the Internet of Things is the Internet of Shit. The best route seems to be what @Enkita is working on, where you roll your own rather than a complete solution off the shelf. A little like the early days of radio or home computers, I suppose.

I like the point that a lot of this home automation doesn’t need internet access, or at least not the always-on, can’t-change-your-password variety often on offer. The off-the-shelf stuff seems to be always rushed to market.

I’m not into automating much – the condo I live in is too small for that – but I am working on getting all of my data platformed so backups and transfers are no-brainers. Nearly there.


Oh, absolutely, I should have clarified. I pretty much assume anything Cory posts is going to be HuffPo-level hair-on-fire tabloid-speak that’s either entirely made up or greatly exaggerated/misinterpreted.


Cory is correct on this issue. IoT is not ready for prime time. A lot of that has to do with the technology not being mature enough yet, but some of it has to do with the vendors themselves not understanding IoT. A gimmicky single purpose device that’s incompatible with everything is not IoT, and neither is slapping WiFi on something that doesn’t need it.

If Cory is guilty of anything, it’s nutpicking the worst of IoT and writing only about that. IoT has a long ways to go, and I wouldn’t buy anything off the shelf that calls itself IoT, but as a hobbyist I like the concept, and like reading about other hobbyists’ experiences with IoT.


He’s correct in his details, yes. I’m not arguing that he’s wrong in saying that the security of IoT devices is questionable and should definitely be treated carefully by consumers.

Declaring every single household item with wifi or networking built in as “Internet of Shit” is the hyperbole part that I roll my eyes at.


He’s only reporting the negative stuff. He is finding the worst examples of IoT and only reporting on those.

This seems really antithetical to his character and beliefs. What is his issue? Is he worried about the security risks?


Could be. We now live in a world where two superpowers, the US and the UK, have had recent elections swung by data scraping Facebook. The battle for privacy is beyond credit card hacking and camera hijacking. These IoS items just poke more holes into regular citizens’ defences. To me it’s less 1984 and more the dystopia William S. Burroughs described in Naked Lunch and elsewhere.

IoT is a good idea in theory. As always, it’s the implementation that’s the issue.


What about wrong numbers or robocalls? Isn’t your system insecure in other ways?

Remember when Dallas had its emergency alert system hacked by audio, not internet?


The main problem with IoT is consumerism, where solutions-in-search-of-problems are marketed and companies put forth minimal time, effort, or money to properly update devices - as well as using them for rent-seeking and collection of personal data.

One thing I have reminded people about in Cory’s articles (and never gotten him to respond to) is that most Internet of Things have been and are open-source efforts of the maker community. It is only very recently that large corporations have begun to try capitalizing upon the open work that has already been done. Try doing a search on github.


Phone phreaking was a lot of fun. Unfortunately, it’s a thing of the past.


It’s an interesting point of comparison though: Phone phreaking was mostly about using tone control systems in ways that weren’t secured because attacks from that direction weren’t expected.
[Boundary case: the recent UK press “Phone Hacking” was abuse of remote voicemail access on mobile via still-default PINs, because folks didn’t know that remote access to voicemail was a thing. ]

Most of the IoT system hacks are because the devices are based around embedded systems (usually Linux) that aren’t patched or patchable, or sufficiently locked-down, and too frequently with default passwords that aren’t required to be changed and with hard-coded ‘maintenance’ accounts and credentials.

The IoT issues are foreseeable, because in large part they’re mostly the same as with every other Linux (or even Windows) system, but it costs more/is less ‘plug-and-play’ to enforce security, and test and roll-out remote system and security patching.

Like phreaking, most of the attacks aren’t rocket science, but unlike with phreaking, they are absolutely predictable, preventing it just eats into the bottom-line.


That’s not to say that positive examples of well-made commercial IoT services couldn’t be squeed-over, mind. The ideas are often great - and hey, ‘we liked it and when we threw x/y/z attacks at it, it held up, so it looks safe’ would be a great review. :slight_smile:


Maybe it’s rather difficult to find anything matching that description.


That may be true. :wink:


The worst they can do is turn the heating on for a day. However, I am looking at ways of whitelisting only permitted phones, if it isn’t too inconvenient.


You have to buy the stuff to investigate its security. And most people won’t have the resources.


Yes, and he’s correct to be worried. Between the potential for millions of the devices to be hijacked and the potential for targeted hacking to turn the devices on their owners, the piss-poor security of these little Internet-facing systems is an issue that most consumers aren’t aware of. I would prefer that he spent some time pointing out IoT devices that do follow best security practices, or at least ones that can be hacked/flashed into doing so.

When I move into my new condo I plan on doing some home automation (mainly lights, blinds, security dropcams and media stuff). I’m already expecting to do a lot of DIY/open source tinkering and (on the consumer devices) security hole patching. I’ve come to the conclusion that a secure and highly configurable central router will be the best place for me to start, and that any IoT device I hang off of it will have to play nicely with it rather than vice-versa.


This, but especially this:

The IoT isn’t ready for prime time yet. I get that, we all get that. But if there’s a future for this, and if we will see very clear benefits once it is ready for prime time, how do we get it there? What do we as hobbyists need to do to move this technology forward?

What I don’t get about Cory’s reporting is that he seems to pooh-pooh everything IoT as too complicated, too gimmicky, useless, etc… And a lot of it is, for reasons I mentioned earlier. But his criticism does not really come from a place of honest critique. He sees the privacy risks as so great that he will do whatever it takes to discourage the IoT, even if his concerns are baseless and not related to his main issues.