
I bought some awful light bulbs so you don't have to - compsciphd
https://mjg59.dreamwidth.org/40397.html
======
georgefrick
So, you could; buy lots of these. Take the bulbs and hub and modify the
software further. Since they come in a 'box'; you can put them back in the box
and then give them to people as gifts or promotional items.

You are now behind their firewall.

If you are a hacker and you manage to get into a factory in China or Taiwan or
wherever that is making these; you swap out the base firmware with one of your
own that dials home. You are now behind the firewall of all customers.

Just some random thoughts before bed.

~~~
api
IoT is yet another reason firewalls are obsolescent as a security measure. A
device is secure or it is not. There is no such thing as a safe network. Never
really was, but now there really ain't.

~~~
ultramancool
Uh, pretty sure firewalls are exactly how we can fix this. Use your firewall
to enforce each device can only talk to what it needs to and can't do any harm
internally.

Without firewall: Here's direct access to everything on my network.

With firewall: Oh no, you can hack all my smart lightbulbs and change their
colours.

This kind of thing is exactly you need firewalls for. Without a firewall this
could pose a serious threat, with a firewall it's probably a good practical
joke at best.

~~~
jessaustin
Haven't read TFA yet, but I think you're expecting too much from your firewall
here. These bulbs are hosts, and they're inside the perimeter. They have been
hacked, so they send malicious traffic to other inside hosts. What the hell is
a firewall going to do about that?

~~~
ultramancool
I'm not talking about an edge firewall - I'm talking internally, firewalls are
able to trivially stop traffic from reaching the hosts which they could
attack. Now, depending on your network configuration this may need to be done
partially by the switch (ie: separate VLAN for such devices) and edge
firewall, by separate NATs or by firewalls on the hosts themselves.

EDIT: My simple solution (the one I had in mind) is to make a firewall box - a
cheap linksys router with custom firmware can be set up to act as a switch but
will also follow iptables rules. This serves the same sort of purpose as a
hardware firewall in the middle of a corporate network but at lower
performance. Bulbs connect to switch/WAP outside of firewall, hosts connect
inside it. Everything behind it is then restricted from accessing the bulbs or
viceversa.

~~~
jessaustin
Haha that's not what I thought of when reading a response to api's comment. If
you want to call it a "firewall on the host" after 'api called it a "secure
device", then perhaps the disagreement is merely one of terms. Either way, the
host uses some method to ignore unwanted packets. I don't think this new "on
the host" version of "firewall" is very much in keeping with etymology, which
is probably why I was confused.

~~~
ultramancool
Well as I mentioned there it doesn't necessarily have to be on the host,
that's just one option. At home I use the linksys based solution I mentioned
in my edit which was more the way I was thinking - and probably more
comparable to commercial firewall appliances like you might be thinking of but
deployed internally and on a cheaper scale.

------
harryjo
I am shocked, shocked to learn that the _iSuper iRainbow001_ brand is being
tarnished by a substandard product.

~~~
wiredfool
On the bright side, it hasn't burst into flames yet.

~~~
adrianN
"Candle mode"

------
lucaspiller
If you are after some cheap 'ok' wireless bulbs take a look at MiLight /
LimitlessLED (they have various brand names). You can pick up bulbs for under
$15 and the bridge for about the same from AliExpress.

They have the same issue as these in that white and RGB are seperate modes (so
you can't control the saturation), but other than that they work fine and
don't have any cloud "features".

The protocol of the bridge / app has been reverse engineered, and there are
various libraries on GitHub:

[https://github.com/mwittig/node-milight-
promise](https://github.com/mwittig/node-milight-promise)

~~~
schlarpc
Beware: the bridge for Milight bulbs also communicates outbound to a mystery
server for Internet control of the bulbs. The actual RF protocol has been
documented and implemented as Arduino code, though, which is what I use for my
installation.

[https://github.com/henryk/openmili](https://github.com/henryk/openmili)

~~~
legooolas
I have one of these and this is why I blocked the wifi bridge from any
outgoing network access. The mystery server then just uses the MAC address of
the bridge as the "authentication" of where you get to control the lights via
the app.

Having a separate wifi network (and separate VLAN for wired) IoT devices
sounds like a good idea, and is something that I'll be doing this weekend...

(Also will port-scan the MiLight bridge to see if it's got any other
interesting services on it)

~~~
lucaspiller
Do you have any details of the outgoing network access, as I couldn't find
anything?

You can also remove the wifi part, and communicate with the bridge via serial:

[https://servernetworktech.com/2014/09/limitlessled-wifi-
brid...](https://servernetworktech.com/2014/09/limitlessled-wifi-
bridge-4-0-conversion-raspberry-pi/)

------
endgame
I'm surprised that this isn't up on the internet of shit twitter yet[1].

[1]: [https://twitter.com/internetofshit](https://twitter.com/internetofshit)

~~~
patrickk
The future awaits, ladies and gentlemen:
[https://twitter.com/ow/status/701528914691227648](https://twitter.com/ow/status/701528914691227648)

~~~
yxlx
[https://pbs.twimg.com/media/CbxU0EzWAAIA2Dq.jpg](https://pbs.twimg.com/media/CbxU0EzWAAIA2Dq.jpg)

Guy with the macbook looks _really_ grumpy.

------
codeulike
_" Everything is awful, which is why I just ordered four more random bulbs to
play with over the weekend."_

------
daurnimator
Heh, I read this in Matthew's voice, this article is written exactly as he
talks.

Sadly, no surprises here about the internet of insecure things.

------
todd8
The biggest risks to my home network are my kid's friends. They bring their
gaming laptops over and connect to the house network. No telling what is going
on within my perimeter!

I used to run several internal networks, each with their own static external
IP addresses, all mediated by pf on OpenBSD. There was a network for the kids,
one for my wife and a couple for me. That was so much work and my wife always
teased me that my machines always had better quality of service so I've gotten
lazy and don't enforce security in the internal networks like I should--I'm
even thinking about putting in a Ring doorbell.

------
skoczymroczny
The better question would be why would lightbulbs need wireless connectivity.

~~~
wpietri
I've had some of the Hue bulbs for a year or so, and I definitely wouldn't go
back.

I now see two distinct kinds of lighting: task and ambient. For task lighting,
I still want fast manual control, for which dumb bulbs are fine. But for
ambient lighting, I want it to be almost entirely automatic.

In the morning, my lights gradually come on, starting very dim and warm. In
the middle of the day, they're bright and like daylight in color. In the
evening, they slowly dim and shift toward red. They go out on their own about
when I want to go to bed.

One good part is that I don't have to mess with lightswitches all the time.
But the much more valuable part is that it helps me establish a strong diurnal
body clock. I now wake up on time without an alarm, I get enough sleep, and my
mood is more even.

One alternative would be to put the smarts in the switches, as early home
automation had it. But my old wiring isn't compatible with that. And even if
it were, that at best gets you brightness control, not color temperature
control.

If anybody's curious, my code is here:
[https://github.com/wpietri/sunrise](https://github.com/wpietri/sunrise)

~~~
tekromancr
Wow, I did something similar with the Hue bulbs, but I just used the rules api
on the bridge combined with the virtual 'sunlight sensor' (and really long
transition times) to trigger the light shifts. Similar setup to yours in
effect though.

~~~
wpietri
Ah, cool. I think they added the rules API later, otherwise I could well have
done that. That's in some ways better; last year when my router died, my
lights stuck on.

For what it's worth, I avoided tying the lights to actual daylight hours. In
winter I tend to get a bit gloomy, and so part of my goal was to make my brain
think that it was never really winter. It seemed to help this winter, although
it's hard to say for sure.

How are you liking your setup?

~~~
tekromancr
Pretty good. My first pass at this did a very similar thing where I had a
script running on a raspi to change the lights. Completely fair point about
wanting to extend the lights during the winter. They switch to evening mode
way too early lately and I kind of wish the rules api allowed you to do date
based conditionals. That said, I have to do exactly 0 maintenance on it since
I got the rules configured, so overall its pretty solid.

~~~
wpietri
Fab. If you're interested in collaborating, drop me a note. I wrote my current
software in Scala as an experiment, but I'm unlikely to do future work in
Scala. I've been meaning to rewrite sunrise in something else, and I'm open to
suggestion.

------
chei0aiV
The manufacturer exhibited such disdain for the GPL. Amazing.

