
Haven: turn old Android phones into security cameras - tosh
https://github.com/guardianproject/haven
======
dansnerd
Was literally going to do a ShowHN later this week for a side-project I've
been working on that hits roughly the same use-cases:
[https://chewcam.com](https://chewcam.com) (just finishing up some last minor
bugs).

Major difference looks to be broad vs narrow feature scope (haven looks very
in-depth, with lots of sensor options, etc), native app vs browser based, and
long-running (security camera) vs short-lived sessions (hour or two here or
there).

Not sure if its appropriate to tack on-to this thread or if I should make a
separate one, but figured its closely enough related that someone interested
in Haven might be interested in chewcam as well.

~~~
dr_kiszonka
I like the project, but have a slightly different use case. I am describing it
in case you were up for adding features to your project or if you could point
me towards something that would help me.

My grandmother has dementia. We would like to install two cameras in her
apartment; one in the hallway and another one in the kitchen to check if she
got out of bed, took her meds, make sure she doesn't let strangers in, and
doesn't wander out of her apartment. Cameras such as Ring and Nest would be
ideal, but we can't afford them. If your app allowed us to both stream the
video continously and store it for at least 48h for up $5 a month, we would
use sign up instantly.

~~~
pengaru
FWIW I've setup Raspberry Pi W cameras [0] as security and garage door opener
(w/relay on GPIO) cameras for friends/family, using MotionEye [1] as the
interface.

I just use a cheap VPS like Vultr [2] to terminate persistent ssh tunnels from
the cameras and run a self-signed https gateway into them. It's under $5/mo
for the cheapest VPS option.

It's a bit of work to get it set up, but nothing crazy hard if you know your
way around something resembling a LAMP stack and ssh tunnels. There's no third
parties integrated so you control the data and have a lot fewer privacy/safety
concerns in general.

If there's no wifi available, at&t offers mobile hotspot prepay service for as
low as $25/mo.

[0]
[https://www.adafruit.com/product/3414](https://www.adafruit.com/product/3414)

[1]
[https://github.com/ccrisan/motioneye](https://github.com/ccrisan/motioneye)

[2] [https://www.vultr.com/](https://www.vultr.com/)

~~~
andrewshadura
I'd recommend to use tinc instead of ssh tunnels.

~~~
pengaru
I've been relying on the command= syntax of .authorized_keys to restrict
what's possible, but I'm not 100% confident in that being impervious to
intrusion should someone get access to the on-camera SSH tunnel private keys.

Wireguard is somewhere on my mental todo list for possible replacement of
these tunnels, but they do the job and SSH is going to be listening either way
to admin the VPS.

------
yyyk
A friend uses an old phone as a power outage detector. The phone is constantly
charged but is set to automatically notify once it's below (IIRC) 97% charge.
If a blackout occurs, the battery would drain and the phone would notify. It's
not an accurate measurement, but works well in practice.

~~~
Enginerrrd
Surely there's a system call that tells whether or not the phone is charging?

~~~
yyyk
There must be, but my friend chose an almost out of the box solution using an
app from the Play Store, and the app only supported alerts per charge level.

~~~
efreak
3c toolbox might possibly be able to do this more flexibly; it allows running
shell scripts in scheduled tasks and "watchers" (run hard on device status).
Shell script can _probably_ be used to send a text message.

~~~
o-__-o
Or automate for android

------
roamerz
This is great. If you use this app on a spare android phone for vehicle
security be careful because in the city where I live if someone sees a phone
in your vehicle- and many people are looking- they will break your window and
steal it. So maybe don’t put it in plain sight or disguise it as something
else.

~~~
ipnon
Which city do you live in?

~~~
telesilla
Which city would you expect you could leave a phone in the car _without_ it
being stolen?

~~~
samoa42
makes one appreciate being a euro. i dont even lock my car ...

~~~
wenc
Which city in Europe?

------
DyslexicAtheist
when haven was first in the news I found a T-Mobile store in my city that had
several android devices on display which had an Internet connection and
allowed downloads so I installed Haven on them and set them up to send
notifications to my phone.

good times.

~~~
movedx
Haha!

How did it go? How long did it last? Were you able to watch the store
remotely?

------
bobbychairs
Aren't you running a graat security risk when you run this on old devices that
often don't receive security updates?

~~~
leoedin
No security updates means potential for exploits, not definitely exploited. If
you don't open yourself up to exploits by using the browser or untrusted apps,
you're pretty unlikely to be compromised even with an older phone.

~~~
beenBoutIT
If this concept gets popular enough eventually the majority of users will
start using the same old model Android phone(Nexus 5, etc.). That's when all
of the unpatched vulnerabilities will become a serious problem that's
difficult to fix.

~~~
jdnenej
It's not difficult to fix. It's just that corporations want you to throw out
and buy a new phone every year. This is what happens when you let the same
company make the software and the hardware.

~~~
bigiain
> This is what happens when you let the same company make the software and the
> hardware.

Not sure that follows, it seems a quite Android-centric view? (Which I guess
is valid in the context of this discussion...)

Apple do a remarkably good job (in my opinion) of providing software/security
updates to older iOS devices. iPhones as old as an SE or 6S are still getting
current versions of iOS.

I have a _much_ harder time keeping similar aged Android devices up to date
(My Galaxy S6Edge has been stuck on Android 7 forever. I'd need to root it and
install a 3rd party ROM to upgrade it. I haven't done that because I use it
still as a mobile app test device, and I don't personally "trust" not stock OS
installations to be particularly valid test devices for work apps...)

------
StavrosK
Has anyone used this for a long time? I wonder how the camera (and phone in
general) will deal with being on 24/7.

~~~
andrewshadura
I tried using some similar app with HTC Desire X, it would become hot and
eventually powercycle.

~~~
o-__-o
I remove the back case on my Samsung s2 and it seems to help drastically

------
3fe9a03ccd14ca5
Any idea if this or another project supports rtsp streaming so it can be
integrated into existing security systems?

------
O1111OOO
I started to write a comment about the poor job _Haven_ is doing defining "old
phone". There wasn't anything on their website, git pages, or online slide
presentation. Then I realized _they_ aren't using "old phone" anywhere...

I could have sworn that when talk of the app first surfaced, they actually
used terms like: "repurpose your old phone". That seems to have vanished
...or... the initial articles (along with the title of this post) are
editorializing.

Still... it would be nice to get a sense of system requirements somewhere on
_Haven 's_ pages. They have not included reqs anywhere. I have a ~5 year old
phone (Android 4.3, 2gb ram, 16gb storage, 720p) that, I guess, I'll pull out
and experiment with.

------
salex89
I really like the idea. However, I wanted to use it last summer and really had
mixed results, and it was a Nexus 5, which is no slouch of a phone. I hope the
detection and reporting (via Signal) has improved over time.

------
e12e
> Note that it is not necessary to install the Signal app on the device that
> runs Haven. Doing so may invalidate the app's previous Signal registration
> and safety numbers. Haven uses normal APIs to communicate via Signal.

Hm, I wasn't aware there was a way to do authenticated e2e encrypted signal
messaging without a phone number? If there's an Api, then any third party app
can send signal messages now?

I can't seem to find anything related to this at signal.org - what am I
missing here?

~~~
RL_Quine
Signal doesn't support messaging without any number, no. You can interact with
it programmatically though if you give it a dummy number (even twilio, etc
work fine). I personally have a REST endpoint running on a server that has its
own number just to be able to get notifications and so forth from my server
when I need it.

I wrote the software with the intention of allowing it to be used as a Twilio-
like service, but I'm not sure how much utility anybody else would get from
it. The messages from the source to the API obviously aren't protected, so the
only use case it has is convenience rather than security. The lack of a signal
implementation in a sane language (I'm interacting with signal-cli, which is a
wrapper around the Java one) makes this a lot more difficult to just drop into
other random tools unfortunately. I might just end up releasing that service
as an open source tool if other people find it as something they'd want to be
using for their own purposes.

Signal also has some pretty heavy rate limiting on things like numbers which
are annoying to hit because things just tend to break. They don't have any
other way of preventing spam and crawling of the service though, so I
completely understand it.

------
paulcarroty
Old phones can be used as security "microphone" too, heard people use such
nets for woods security - the sound of pile can be easily detected.

------
FreeHugs
Would love to see something like this but simpler:

A simple open source Android app that I can connect to my WiFi and then
connect to from the outside so I can see what is going on in my premises.

So it should just wait for a connect from the outisde and when I connect (via
a browser) it turns on the camera and streams the video.

The app code should be as short as possible, so I can read and compile it
myself. So I can trust it.

~~~
j1elo
That wouldn't make much sense, the point of these apps is to do security
surveillance (sort of), if you had to consciously connect from time to time to
see what happens in your premises and review that everything is OK, you would
do so the first two days, then would forget about it. Like doing backups by
hand.

What you want is a baby monitor with video.

~~~
FreeHugs

        you would do so the first two days,
        then would forget about it
    

If that happens: MISSION FUCKING ACCOMPLISHED!

Because the whole point is to make me stop worrying about my home when I am
away.

~~~
j1elo
Really then just power off the device and there you go, zero worries :)

Now really, I've had a look and it seems there are a variety of cloud baby
monitor apps, that would allow for the occasional check.

------
ck2
Reminds me there is a reddit thread on how airbnb has a department that just
deals with hidden camera reports because there are so many.

So this can be for great good or great evil (there's another app to sweep for
hidden cameras and look for IR reflection but that's obviously imperfect and
for another thread).

------
batirch
I used Haven in last summer when I went away for holiday. Set up with my old
phone.

It was sending pictures even when light levels of the room changed.

I really liked the app and was sorry when I received the email about closure.
Glad it is back!

------
steveeq1
Does anyone know any open source security software that uses AI to search for
a particular event? ie: "only notify me when "X" person enters the room, but
not my dog"?

~~~
wizzwizz4
You wouldn't need AI; just bias the motion detection system to focus on human
midriff and not dog head height.

~~~
steveeq1
I used an arbitrary example. let's say my roommate comes in and I don't want
it to give a "false alarm" (another arbitrary example)

------
sharpshadow
Fullest respect this is very great, thank you for your work!

------
OrgNet
not all old phones are created equal... some consume more power then the
charger can provide (they can't run continuously in that case).

But I do have a bunch of security footage that I don't want to watch and I'm
looking for software that can extract images from the video that contain
people

------
justlexi93
I think it's a good idea since most people change smartphones every year.

------
amitport
see also [https://www.salient-eye.com/](https://www.salient-eye.com/) \-- a
startup that tried to commercialize this idea and failed

------
corndoge
Defeatable via cell jamming / fiber cut, no?

~~~
sgt
Also via large scale EMP attacks

------
mister_hn
I appreciate such softwares and possibilities, but I would not recommend using
an old smartphone: continuously charging its battery represents a huge risk,
history just reminds us about battery explosion, detective cables, defective
wall chargers.

If you add also that batteries, when aging, are a real risk, then, thanks but
no.

~~~
RL_Quine
It’s really a non concern. Realistically if there was a problem it would
present in normal usage when people are charging them in bed.

The amount of superstition about lithium batteries is crazy, given how many of
them are used in any household on a daily basis. The battery is functionally
not being used if a phone is plugged in and the battery isn’t drained. This
misinformation comes back from when people were using Nickel Cadmium cells
decades ago, those cells _were_ functionally continuously charged because it
caused absolutely no harm to them.

~~~
tjoff
Two major differences:

The battery will be charged to 100% constantly.

The battery will be much older and has worse capacity than most consider even
usable.

~~~
nitrogen
The battery also has a built-in charge controller to prevent overcharging, and
if the capacity is significantly lower, shouldn't the risk of that stored
energy being released also be lower since there's less energy stored?

~~~
RL_Quine
The phone has an on board charger. The battery itself has its own controller
which will disconnect the battery from the charger if it goes over voltage,
under voltage, or over temperature.

The "percentage charge" of a lithium cell isn't really any measure of its
safety. Even at 0% charge the cells can still auto ignite, there's an
incredible amount of energy in them when they're considered to be empty.

