Hacker News
Mozilla debuts implementation of WebThings Gateway open-source router firmware (venturebeat.com)
549 points by cpeterso on July 26, 2019 | 163 comments

This is the closest we have so far to an answer to the point raised in the IETF 105 Technical Plenary a few days ago.

Encrypting everything means that IoT devices represent an unknown threat - your "smart" TV connects to Sourceforge and downloads... something every week. What for? Your "smart" thermostat calls the IP of the vendor, maybe to get firmware updates, but it also calls the Disney corporation - what for? You can't snoop any of this because it's using encryption with pinned keys, so MITM doesn't work. Obviously hardcore reverse engineering is possible, but it's extremely expensive. So in practice it won't get done.

But, if we can popularize a safe option, we can just flag all the unsafe approaches that are popular today. We can teach vendors that this is a bad idea and they shouldn't do it, and (cross fingers) it might go away, like X-ray shoe sizing.
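The destinations a device contacts stay visible at the gateway even when the payload is pinned-TLS ciphertext, which is how the comment above can say where the TV and thermostat connect without knowing why. As an added example (not part of the thread; the log format, device names and `.example` hostnames are constructed assumptions), a per-device allowlist check over that connection metadata:

```python
from collections import defaultdict

# Constructed sample: one line per outbound TLS connection seen at the
# home gateway, "<device> <server name from DNS/SNI> <bytes sent>".
# Payloads are not needed; only metadata is used.
SAMPLE_FLOWS = """\
thermostat fw.thermo-vendor.example 1840
thermostat api.thermo-vendor.example 920
thermostat metrics.media-corp.example 45120
smart-tv cdn.tv-vendor.example 300
smart-tv downloads.code-host.example 2210
smart-tv cdn.tv-vendor.example 410
"""

# Assumed policy: the registrable domains each device is expected to use.
EXPECTED = {
    "thermostat": {"thermo-vendor.example"},
    "smart-tv": {"tv-vendor.example"},
}


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it.

    A plain endswith(domain) would also accept 'evilthermo-vendor.example',
    so the match is anchored on a label boundary.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_flows(text):
    """Yield (device, host, bytes_sent) tuples from the log text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            raise ValueError(f"line {lineno}: malformed flow record")
        yield parts[0], parts[1], int(parts[2])


def unexpected_destinations(text, expected):
    """Return (device, host, total_bytes) for every destination outside the
    device's allowlist, largest upload first. A device with no policy entry
    has all of its destinations reported."""
    totals = defaultdict(int)
    for device, host, nbytes in parse_flows(text):
        allowed = expected.get(device, set())
        if not any(host_matches(host, d) for d in allowed):
            totals[(device, host)] += nbytes
    rows = [(dev, host, n) for (dev, host), n in totals.items()]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for dev, host, n in unexpected_destinations(SAMPLE_FLOWS, EXPECTED):
        print(f"{dev}: {n} bytes to unexpected host {host}")
```

This reports that a connection happened and how much was sent, not what was sent, which is the limit the thread is discussing.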

I was fascinated by your X-ray example. Here's a link for others: https://en.wikipedia.org/wiki/Shoe-fitting_fluoroscope

Goddammit. The comments are why I browse HN on a daily basis, but sometimes you folks are worse than Wikipedia. I know I shouldn't click that link.

/me grumpily clicks link

Here's one more relevant today: https://en.wikipedia.org/wiki/Backscatter_X-ray

> if we can popularize a safe option, we can just flag all the unsafe approaches

I am not a lawyer, but I think under European privacy laws those approaches are probably illegal, too.

If some manufacturer (probably Chinese) wants to grab data from people in Europe, they must comply with EU laws even if they don't have an office in the EU.

Not being able to sell to a huge market is probably a better tactic, but not the only one to use.

One of the things mentioned in that Plenary is that partial technical solutions embolden regulators and legislators.

We don't have to make everything bad impossible. We can make it a bit harder to do the wrong thing, and then the regulator says "Hey, do the easy thing these nerds recommend or else if we find you did the wrong thing you're in bad trouble".

If you can't tell what data is being sent or retrieved, how will you prosecute them?

I can't tell what my 2028 model Foo Corp. Smart TV is sending to the HBO servers or why, it's technically impossible thanks to cryptography.

But a Federal Prosecutor can tell a judge these are the only Smart TVs that do that, and he thinks it's because they're violating the Tialaramex No Snooping Act of 2025, so he wants a warrant to see what HBO receives.

The warrant doesn't magically decrypt the packets - but refusing to obey the warrant is contempt of court, for which you can go to jail. An HBO employee shows the Prosecutor their database labelled "snooping" full of data from Foo Corp TVs that sure enough violates the No Snooping Act.

In your utopian vision corporate executives actually face jail time for violating the law, that if anything seems a more difficult thing to accomplish today.

Don't you need probable cause to get a warrant? This might be different in Europe actually... but it seems a bit thin.

Sure, so it depends on circumstances in the broader society. The judge needs to be convinced that on balance it's more likely the case that the prosecutor is right than not. That's all probable cause is.

In today's IoT world where basically everybody does all this potentially shady stuff sending encrypted data to who knows where, and with no legislation on the books saying they mustn't, you would not get anywhere trying to obtain a warrant.

But if things like WebThings Gateway were to make that unusual, so that as I said there aren't other Smart TVs sending mysterious stuff directly to HBO - that changes the balance of probabilities, and it also changes the incentive to regulate / legislate behaviours that are now less common and still undesirable so that what they're doing isn't just immoral it's illegal too.

Circumstances change. In 1975 the idea that you shouldn't smoke cigarettes inside a train, deep under the ground, in a crowded city, was a bit weird. By 1983 it was illegal in London. In 1985 somebody who'd cut a few corners and was lighting a cigarette on the escalator out of the Underground caused a fire in which a lot of people died (a lot of other things went wrong, but none of them would have mattered if not for the cigarette). Today when we're trying to explain that fire to children it doesn't make a lot of sense to them. They don't remember it ever being legal to smoke cigarettes inside a building - it smells bad and looks obviously dangerous - why would somebody be doing it not just inside a building but so deep underground?

In Europe, with the GDPR, you can just ask the company what they have on you.

"Hey company in Shenzhen that I suspect is a shady front to illegal data mining business, do you have any data on me? I'm John Doe, living at 123 Naive St #42, phone number 555-555-555, national registry number 1234556. You can reply to me on this same email address. Thank you. PS: maybe I filled this in a webform, so please do not attach this new info to all the traffic/behaviour you previously collected from your TV on this same IP address"

"We can teach vendors that this is a bad idea and they shouldn't do it, and (cross fingers) it might go away" If Mozilla puts the work in and all the vendors have to do is copy it, then they'll copy it like everything else they use. FLOSS makes the net go round.

I'm no security expert, and maybe one can explain this to me, but why can't we just inspect the data before it is encrypted? Like isn't it gathered in some way, encrypted, then sent? And on the receiving end it has to decrypt, so we look at that (naively what files change). Unless this is all stored as encrypted I don't see why you can't do this. I mean this should prevent mitm attacks but also let those controlling devices inspect packets. Right? Or am I missing something (if so I'm legitimately interested. Lots of this stuff just seems like black box to me, and I'm sure others)

Sure - just get a root shell prompt on your thermostat and I'd be happy to walk you through the rest.

It is encrypted on the device. How are you going to get access to it?

My confusion is that I think there has to be a command that is encryptThisDataToBeSent(data). Can't you just look at data? Before it is encrypted? Or is data encrypted at all times? But if that's true, then the difference of sending encrypted data is kinda moot.

If you can root the device and replace the firmware, sure. Or do extremely difficult hardmodding to tap the data buses, perhaps.

But both of those approaches are very difficult and resource-intensive. The first requires many, many hours of reverse engineering to find a security hole which allows you to write unsigned firmware to the device (or find a way to sign your own firmware and then upload it), then hack the firmware to do your snooping (good luck if the firmware updates are encrypted!).

The second is so fiddly and awkward, I've never heard of anyone actually doing it.

Okay I guess that makes sense. If I'm understanding you could get that information but you don't have access to the memory addresses unless you crack the firmware? Though in the case of Mozilla, wouldn't that be open so this wouldn't be that big of an issue?

> you could get that information but you don't have access to the memory addresses unless you crack the firmware.

Correct, from the moment the IoT device puts a packet on the line, it is encrypted end to end. This is a fundamental aspect of TLS to prevent snooping. To view unencrypted data, you have to access it prior to being sent out on the network which requires you to gain root privileges on the IoT device.

That makes sense. Thanks for the explanation!

The threat comes from closed-source devices.

If these closed-source devices send un-encrypted data, you can MiTM these devices when they're on your network. But if they're encrypted, you're SOL.

NULL ciphersuites exist for TLS, but knowing what data is sent is meaningless.

You find out after you purchase the device, are you going to send it back? What if data collection policies change?

Besides, SSH begins with encryption, how do you audit an SSH connection?

> You can't snoop any of this... Obviously hardcore reverse engineering is possible, but it's extremely expensive

The path to the platform you want looks like the iOS App Store.

What's HN's thoughts on IoT? To me it looks like yet another buzzword from the "wouldn't it be neat?" crowd (the same people who previously gave us a lot of hype about Semantic Web and P2P social networks) but as before none of the applications are actually worth the hassle, this prevents critical mass from ever being reached, and in reality it's mostly just a way for appliance companies who are already overcharging me for non-repairable planned-obsolescence-ridden products, to overcharge me a bit more. I'm glad someone without a profit motive is taking a stab at it, but I still fail to see the actual uses of it being worth the hassle.

It's a great idea, but companies are building products that no one wants. Here's a few ideas of products / services / suites of items I would actually buy for my home:

- Machine to completely do my dishes. End to end. It puts them from the sink to the dishwasher. Runs the dishwasher. Takes them out of the dishwasher and puts them in the cabinet. I do not care if this takes 5 hours - it can run overnight. I just don't want to think about it.

- Lets the dog out. If I can do this manually, say when I'm on vacation or something, cool. I saw a post about some dude who used facial recognition software on his cat's door flap to see if the cat was bringing in a dead rodent: it barred the cat from entering unless he dropped the rodent. That's a good start. But I don't want to hire a dog sitter. Just have Siri or Alexa or whatever home assistant you have do it.

- I want automated recycling. Basically I don't want to think about organizing my garbage. Apparently there's a long list of items that can't be recycled. I honestly can't remember them all, so forcing me to do this manually is always going to result in error.

Kind of an aside, but I hope such a virtual dog sitter never comes to fruition for the sake of your dog. Dogs shouldn’t be alone for that long!

Agree. Dogs need daily, consistent companionship. If you can't give that to them, you shouldn't have a dog.

The dog's not alone. It has the robot. The robot could let you peer in remotely and say hi. The robot could comfort your dog for you while you’re away. The robot is there for your dog while you can’t be. The robot could 3D print dog friendly toys for it and feed it too.

So it's the robot's dog then?

The robot owns the dog, the human owns the robot, and the human's job owns the human. Just like nature intended.

You clearly know dogs well.

I don’t see what is “IoT” about any of these examples, except the remote-dog-letter-outer perhaps; can you elaborate?

I'd assume the recycle one needs to continually update and check a database somewhere. A centralized database of recyclable goods would be pretty nice. In case you can't read the type of plastic you could have backups like barcodes, and further back a camera reading the item. (That at least gives some incremental approaches to solving the issue and making it more robust)

(1) would be great, but that's "just" a regular appliance, no need for interconnectivity.

As a workaround until (1) gets going you could just get 2x dishwashers, or one of those fancy German jobbies that has 2 separate units for washing. You can then eliminate sink and cabinet and simply transfer your dishes between the two units as you wash them. Consider mounting at waist height so accessing your dishwasher is as easy as accessing your cupboard!

Re 1: I’ve always felt like the easiest approach to this is to replace all the dishes with a standard size largish ceramic cup, then have a machine full of spinning brushes (like what’s used to clean water bottles sans the handle) that scrub all the surfaces (maybe one on the inside and three or so outside) while running soapy water over it. Then you can immediately just put it away.

Just have a robot that sanitizes the floor and eat directly off the floor.

What I mean is, people typically aren't going to make such a radical adjustment to their use of dishes just to avoid washing them.

Have you considered paying an organic automaton to do those things for you?

> I saw a post about some dude who used facial recognition software on his cat's door flap to see if the cat was bringing in a dead rodent: it barred the cat from entering unless he dropped the rodent.

Do you happen to have a link to this? It sounds hilarious and informative. Also a great way to train cats.

I think this is it: https://www.raspberrypi.org/forums/viewtopic.php?t=172114

I read it awhile back. Really interesting.


- Cook a meal from scratch. End to end. Takes the ingredients from the fridge and puts a meal on the table at a specified time. Orders new ingredients when it doesn't have them. Also washes the dishes (see above).

Dudes, this is not IoT. These are appliances, robots.

No but as IoT you could leverage the power of "The Cloud"

Everything synergizes with "The Cloud". When you die, everything about you lives on in the great heavenly cloud.


ITT: Things that aren't IoT

I hate doing dishes too, and have to do them by hand since I'm an apartment dweller without a dishwasher. I've been waiting for this countertop, instant-heating dishwasher to be released: https://myheatworks.com/pages/tetra-specs

IoT is a great success - in industry. At home, from what I can tell, it mostly divides into:

- People who apparently live in warzones and need military-level surveillance of their home

- People who want to feel like they're living in the Star Trek universe

- People with very specific needs, who might take advantage of a commercial IoT device or two in their overall setup

I'd love to have blackout blinds that close every night and open 30 minutes before my alarm goes off. I haven't been able to find a quality (quiet!) product that does this.

I saw IKEA launched some 'smart blinds' a couple of days ago, and this [0] review mentions timers

[0] https://www.trustedreviews.com/news/3865106-3865106

Not available in the US until October, unfortunately. I'll have to wait and see how loud they are.

I have Hunter Douglas Pirouette blinds in my room, controlled by Control4. They are very quiet when going from open to close or vice versa, but loud going up to down. Look at a video to understand the difference. Recommended, but not cheap.

Yeah, you know it's going to be expensive when you have to call and ask for a quote. It's funny that even the expensive options haven't figured out how to make a quiet electric motor. If you don't mind me asking, how much did yours end up costing per window?

Someone else mentioned the ikea shades coming out in October, so I might wait and see how those are. Potentially much cheaper, but no slatted blind effect, so the only option would be to fully raise/lower them (and deal with whatever noise that generates).

Just a thought about a potential mechanism, off the top of my head (which I'm sure has many issues).

Opening blinds is generally a morning thing, and ideally would want to be the quiet option if you could only have one option which was quiet (theoretically speaking). What if the electric motor drove the blinds down by pulling a counter weight. That way in the morning to open the blinds it would only need to release the weight, which wouldn't require any substantial movement and therefore limit noise...?

Yeah I'm bored at work.

A similar effect could be achieved by replacing gravity/counterweights with a simple spring or hydraulic cylinder. My standing desk operates similarly to assist in raising it.

We may be on to something here...

Yes, very much I would love this. I don't care if it opens slowly, just make it as quiet as possible.

I'd also like exterior blinds that can be lowered to reflect away or otherwise counter the effects of direct sun in summer.

Smart glass is an alternative (also silent).

You would have to build your own with a small, insulated motor, and a high gear ratio.

You might be able to hire someone at a local makerspace to build something along those lines.

> IoT is a great success - in industry

We're just rebranding gateways that have existed for 20 years.

Everyone was fine with IoT until people started calling it IoT.

Back in the day it was just one feature of a product - "can be controlled via RS-232, USB, or LAN".

> - People who want to feel like they're living in the Star Trek universe

I mean, do you not want to feel like that?

The implementations are disappointing so far. Devices that rely on some vendor internet service are unacceptable. At the very least I'd want a direct connection to the device with a documented API and documented behavior of the firmware. Ideally the firmware itself would be (partially) moddable. Some safety critical parts may be left inaccessible.

For example, I'd want cookware with temperature sensors and a pressure sensor in case of a pressure cooker, a controllable stove and oven with power monitoring, a kitchen hood with gas sensors, etc.

What we get instead are gadgets with mobile apps, that are completely undocumented beyond the UI. Kitchen devices for the commercial sector have been somewhat smart for a while, but are a pain to program and again lack documentation.

IoT these days is paying a premium for vendor lock-in.

I don't think so. My guess is that the industry of consumer electronics is moving toward the right direction. I have two pieces of IoT in my household:

1) Robot vacuum cleaner, and I have absolutely fallen in love with it. My floor now is always clean during weekdays, when I am busy working, no more visible dust, crumbs, etc. I just have to clean the filter and container once a week, otherwise it is fully autonomous. The only thing I want to add is a self-cleaning and automatic floor mopping, but I've seen such a project on Kickstarter, so it is close.

2) Cheap WiFi RGB light-bulb. I have connected it to Homebridge and it is nice to say 'Hey Siri, turn off the floor lamp' or 'Hey Siri, set the floor lamp to 10%', but it is not one of essentials.

There are a lot of questions of course: there should be an option to work completely without proprietary servers and continuous internet connection; 'smart' kettles, hair dryers and so on are useless stuff; security; universal and open protocols; etc.

I also have both a robovac and some smart bulbs, but my experiences differ a bit:

1) I push the clean button on my vacuum when I'm leaving the house. Wireless connectivity wouldn't add anything for me.

2) Siri actually works really nicely for bulbs because it functions locally. As a non-iPhone/HomePod user, I'm stuck with Alexa, where every bulb voice command has an obnoxious delay for communication to the Amazon mothership.

iRobot has made the Braava for a pretty long time to do floor mopping. Or are you talking about a robot that does both?

Both will be cool, but anyway, to use Braava for mopping you should manually install and fill the mopping module. You cannot leave it for a week of fully autonomous work. I have a Roborock S50 and it has a similar mopping cartridge, so actually it can do both, but mopping is semi-manual.

Ikea has definitely helped make it more "mainstream" and their selection is just getting bigger and bigger and they are relatively open and easy to access from other software and most importantly cheap.

To me, the IoT is better than AI, in that it enables broad control mediated by humans (with necessary tooling and programming educations). Whereas AI, on the contrary, deprives humans from the ability to control things.

My uninformed observations on the issue of IoT tech development:

* IoT, in order to be useful, needs to form a common infrastructure first. It's obviously useful for TVs to be able to talk to a nearby smartphone directly, to offer rich control. However, if the protocols vary between TV, Micro Oven, Fridge, Washer & Dryer, etc., and each brand of these devices also varies, apparently no one is going to appreciate the results.

Worse yet, if they are interfaced through smartphones, the sparse physical form factor offered through phones is going to confuse users all the time, even if they manage to build a common infrastructure and enable a uniform experience. At the beginning, the experience would definitely be worse than the dedicated and well optimized interfaces offered by the individual devices nowadays (not saying they are satisfactory either).

* On the other hand, the manufacturers, in general, are not tech savvy. Nor are they ready to relinquish their hold on their own market segment.

And that worry is justified. Once the common infrastructure is built, they'll be at the mercy of the ones who own the tech. As obviously, they are not going to be able to gain that capability themselves.

IMHO, this is also why IoT is often with 5G. As the 5G community is historically closer to the manufacturers, than the Internet community. And 5G is itself a fairly mature tech, and has even broader application than IoT, so presumably, they can ride the wave and make sure they are not commoditized in the process.

ESP8266 is essentially an Arduino with WiFi for 2 dollars on AliExpress. With Hass.io and Esphome it becomes trivial to configure these in your home with some sensor or relays. I think once the ecosystem is more ready, you will see more applications. In my view, especially the automations between sensors and actuators are currently bothersome to configure.

IoT is already in the consumer electronics space. It is firmly in the present, and it is worth the hassle for a lot of people.

And it's been commonplace in industrial electronics for about 20 years. The reaction to it there was "It has an rs-232 over Ethernet adapter built in? That's convenient."

My take on what makes the modern IoT different from just attaching networking to devices, is the mandatory cloud backend replacing in-house IT infrastructure. That's what's letting networked devices enter the mainstream consumer market.

I look at it as something that's not really a necessity, but has the potential to improve my quality of life. Unfortunately, most current implementations of the idea are pretty bad. Having to take out my phone or speaking to a voice assistant to turn my lights off or on isn't all that useful.

Where IoT really comes into its own is either doing stuff automatically or doing stuff without requiring my presence (remotely). By far my favorite application of this so far has been the ability to turn my air conditioning on or off remotely, that way I can turn it on about an hour or two before coming home to a comfortably cool room. This increases my quality of life without increasing my electricity bill too much. Other things like opening the blinds in the morning a bit before my alarm and either disabling or lowering the volume of my doorbell are pretty good too. Other useful for me applications (that I'm in the process of implementing) would include monitoring water levels, flow, temperature and pressure to control pumps, heaters (I don't use hot water during the day so turning off the heater would make sense until I'm ready to go to bed, for example), detecting leaks and maybe automatically shutting the water/gas supply. Things like automatically watering the garden if needed, smart reminders (remind me to do something only if I forgot about it, keep silent if I already did it), home security (doors, cameras, alarms), etc. are also things that would benefit from IoT integration.

The problem I have right now with most things IoT is that a lot of them are doing their own thing, connecting to their own servers, using their own apps, have different behaviors in the event of power outage and who knows if they'll continue working after the company moves on to newer products, goes bankrupt or gets sold. A lot of modern things you can buy are also pretty trivial in their functionality and don't offer much over their regular, manual counterparts. This results in a lot of expensive hardware that's tedious to interact with for little benefit. Someone who actually wants to get a lot out of their smart things (like me), in the current world, can't really go buy off the shelf solutions or even pay someone else to design a solution for them, they have to be technically competent so they can hack existing stuff together, make their own smart things, fix stuff that breaks or stops working, etc. Smart homes are still pretty much the realm of the DIY hobbyist, there's little on the market today that can compete with what a halfway competent hobbyist with some time and money on their hands can cobble together for themselves, particularly with the prevalence of cheap and easy to use hardware platforms (NodeMCU, Arduino, RPi), open source projects in the sphere, cheap and widely available sensors and actuators, good community support, etc.

If IoT wants to move away from the current status as expensive, unreliable gimmicks, companies need to stop focusing on the idea of separate smart things and start thinking in terms of smart homes (like the kind we used to see in old sci-fi talking about the futuristic year 2000). There has always been a push in that direction, but it's never been too successful. What needs to happen is that people need to drop the idea of smart things as hardware and start thinking of them as peripherals. Just like your house now has a breaker panel, a hypothetical smart home should have a house computer, running a "House OS" to which all kinds of sensors, actuators and devices can connect through a universal house bus, pretty much the same way you connect a mouse or a camera to your computer today. This would let device makers focus on their devices and the "House OS" maker focus on other issues like remote access, scriptability, security, etc. When I buy a mouse I'm not worried about it working with my computer, I'm not worried that it'll stop working if Logitech goes out of business, I don't need to worry about it catching malware and DDoSing some website or phoning home with all my mousing data. Why should it be any different if I buy a smart light bulb or a smart air conditioner?

There are numerous projects working in that direction like this one from Mozilla, HomeKit and whatever else, and DIY solutions almost always have a centralized home server for all that stuff too, so I think we will eventually get there, but for now the modern smart home feels very similar to the way the earliest micro computers were in the late 70s and early 80s.

I use NFC tags as a trigger. I simply hover my phone over a tag and an action happens in the background. It feels much better than dealing with separate apps and always-on microphones.

> If IoT wants to move away from the current status as expensive, unreliable gimmicks, companies need to stop focusing on the idea of separate smart things and start thinking in terms of smart homes

Why would they do that? They do want to offer you a smart home, but a home that's entirely under their control, using either their own gadgets or compatible ones (so that they could charge other companies for the compatibility stickers).

There are plenty of protocols, and plenty of apps that support a protocol or two, but not every. Home Assistant and this project from Mozilla attempt to bridge that gap. I don't understand what Mozilla sees in an attempt to fight an established open source project like Home Assistant, but they probably have a reason or two. Such reasons are not yet obvious to me, so I'm going to continue using Home Assistant for my purposes. Every device I've purchased works locally, so I have one device that hosts the server, one interface that controls it (Progressive Web App, to be more precise), and NFC tags plastered over my apartment that trigger stuff without the need to even look at that one interface.

That's the sweet spot for me and it really feels like the future is already here. My choice of gadgets is rather limited (since I refuse to purchase any IoT device that can't be made to work locally), but so far I've yet to face a problem that I'm unable to find a solution for.

> I use NFC tags as a trigger. I simply hover my phone over a tag and an action happens in the background.

That reads like what you really want is a regular physical button or switch.

I think a lot of devices suffer because they try to fit the IoT label instead of just being a smart device without internet or even phone connectivity.

You'd think so, but NFCs are far easier to program and re-program.

One of the NFC tags on my work desk triggers "focus mode". Lights change to bright white, a (non-local) radio station starts playing in the background, and the volume gets auto-adjusted to something bearable. That saves me like 20 clicks or so on two remotes.

It's all about those small victories that save me a few minutes each day, all without a need to route cables throughout the apartment. When I want to re-purpose an NFC tag, it takes me maybe 30 seconds to do so (instead of having to re-route the cables throughout my home). Physical buttons can do one task and one task only. NFC tags can trigger as many tasks on as many devices as I want them to.

If my Internet goes down, things still work. If I don't want to use my phone, I don't have to (I can achieve the same things from my laptop). I don't have to worry about turning shit off when I leave my home, Home Assistant does that for me (if an nmap scan doesn't detect any trusted device on my network). If a company whose gadget I'm using goes bankrupt, things are still perfectly usable.

There's nothing inherent about a button that prevents it from being programmable, and Philips even has a battery-less remote that could as well be wall mounted.

You mean like this one? https://www2.meethue.com/en-us/support/dimmer-switch

I know about it. I have it. I've used it as a trigger before. I've replaced it with NFCs because they are less of a hassle to repurpose. The dimmer still serves its original purpose, while NFC tags are used for everything else.

I mean, that's what Insteon buttons with an ISY994 are all about, right? The button push just tells the controller "I was pushed" and whatever you tell the controller to do with that information is what gets done. The cool thing is you can have a bank of six buttons in a standard 1-gang box format. Seems easier and less complex than NFC and a phone, unless you're using the phone as a form of authentication (something possessed), whereas a physical button is like anonymous/no authentication.

The Alexa platform is going a long way towards giving people an expectation of interoperability. So long as you've got some fairly basic code on your backend Alexa is able to respond to devices updating it on their current state, and you can set up automations to respond to that and change the state of other devices.

Why not use a simple timer for the AC? Do you come home at different times each day?

Yes I do, even when I know when I'll get home, plans can change.

A timer also can't tell me if my AC is actually on, may fail in the case of a power outage or I may forget to set it, as such using a timer doesn't provide a meaningful improvement over just turning on the AC when I get home and tolerating the heat for half an hour or so.

In the end, a timer has no feedback, so a closed loop system will always be better. I've been burned numerous times by open-loop systems in home automation, so I don't do that anymore. That's the second reason why I spend a lot more effort and money on sensors rather than actuators (the first reason being that graphs are fun).

You do realise that power draw likely averages less than 350 watts. Your A/C running for an additional hour or two a few days a month would cost you a dollar or two, max.

Given that the load is likely removing peak daytime heat, then sustaining a less-challenging night-time temperature, the net impact is probably even less.

The average central A/C will use 4000 to 5000 watts. I own the cheapest smallest window unit at the store and I just checked it's about 600W (4.8 amps @ 120V).

It's not horrible, but that's like half a space heater and most people spring for something bigger.

Peak draw. Duty cycle is about 1/3 that typically.

First hour use may approach peak, but again, most of that is incurred regardless.

5 kWh is $0.50 - $1.00, which is the cost of running an hour long for a day, the worst-case scenario. You'd spend a lot more on IoT kit (the Turris Omnia alone is $300) for minimising that cost.

Timers are cheap.

> who are already overcharging me for non-repairable planned-obsolescence-ridden products, to overcharge me a bit more...

NAS devices and networked home speakers are incredibly competitive categories in the IoT space, and as anyone who has actually owned e.g. a Sonos knows, you listen to a lot more music and they've supported the same 12 year old hardware throughout its lifespan.

Why are Sonos speakers instead of simply receivers that your speakers plug in to?

They aren't. Both types of devices exist. (But apparently many people like all-in-one speakers instead of buying multiple separate bits and connecting them)

>it's mostly just a way for appliance companies who are already overcharging me for non-repairable planned-obsolescence-ridden products, to overcharge me a bit more.

I agree, but I think the goal is to overcharge you “a lot” more. It seems like no matter what the product is, once it’s “smart”, the price floor is $50.

If you count Google Home, Amazon Alexa, ... as IoT, you sure a critical mass hasn't been reached yet?

There's lots of interesting niches, the overall term "IoT" and what people use it for is incredibly broad (IMHO to the point of uselessness)

> none of the applications are actually worth the hassle

That's my take as well. Complexity for the complexity fetishists among us.

Given the state of IoT seems to be crap-by-default, maybe making homebrew easier would be the solution; they'd be insecure-ish maybe, but no less than commercial offerings.

With the advent of cheap wifi mcs and 3d printer, maybe this will help: https://www.frolicstudio.com/portfolio/smartians

It gets the sweet government grants, at least in Europe.

My wish is to have the equivalent of Google home hub running locally.

Really my only use cases are:

* glancing at the screen to see the weather

* Asking it to turn on or off or change colour of Hue lights

* Timers for cooking

I've since unplugged my google box because I felt the sacrifice of privacy with an always listening box wasn't worth it.

At the end of the day the functionality I use isn't that complex and even basic voice recognition I'm sure doesn't require the internet.

So I hope that there will be or there is a platform I'm not aware of that runs it locally.

Certainly Webthings is answering a good chunk of the question.

It is indeed. Mozilla's WebThings Gateway does everything locally, by default. You and your home are the center of its universe. The add-on system not only enables lots of smart home device interop, but also lets you bring in other web content from the Internet that you might want to tie into your smart home. I pull from USGS for earthquakes >5.0 and within 400km of my lat/lon. I also use my lat/lon for time/date rules, local tide charts, and local weather. A rule tells my (always on mute) Google Home speaker to announce "An earthquake >5.0..." when such an event comes in. I also love the (local) voice add-on. It uses Snips wakeword and speech-to-text and a customized-by-Mozilla intent parser and interface to the web thing API so that when you create a new thing or change a name, the local language model is updated immediately. Works on RPi3 very well. No Internet required. The Snips part of the install is currently a hack though, and broke in 0.9. If you installed using 0.7 or 0.8 it will still work. But otherwise you'll have to wait for the 0.9 installer fix.

For tech people, this is easy to use. Still some UX/UI updates needed for mainstream consumer readiness. Remaining big problem is that smart home devices don't tell you whether or not they are web of things ready (direct or via an addon). Need to check the wiki or ask online.

The Web of Things gateway contains an addon for offline voice control. Search for it in the addons page. You just need to plug a USB microphone into it.

This sounds interesting but I’m curious if it needs to be marketed differently or use some better analogies, since it wasn’t super obvious what it did from the homepage.

I presume it’s hard to explain how it fits into the stack when it does a lot of generic IoT sounding stuff.


HomeAssistant can do all that (using Snips for offline voice recognition).

Any articles/tutorials on this?

If you want to use HASS - there's a couple ways to go about it assuming you have an RPi. Either install Home Assistant and add snips.ai [1] or install snips and add HASS [2]. Looks like the Gateway can also do this [3].

[1]: https://www.home-assistant.io/components/snips/

[2]: https://docs.snips.ai/articles/raspberrypi/home-assistant

[3]: https://news.ycombinator.com/item?id=20536484

Mycroft [1] looks promising for that use-case.

[1]: https://mycroft.ai/

There are a fair few people trying to create this. The one I've come across that looks the most promising is https://github.com/kalliope-project/kalliope/ .

I've not tested it but have had it in my starred projects for a while now.

It seems to handle a use case I was looking for.

I have a cheap Xiaomi Aqara hub that is HomeKit compatible, and I want to export its data. Sadly, usually the use case is to connect a non-HomeKit IoT to a HomeKit server from an Apple device with homebridge. Here their HomeKit adapter uses a lib called hap-controller-node that seems to be a HomeKit server. I will have to try this.



What do you mean by export its data?

Get the temperature, humidity, pressure, open/close state of the sensors, live.

It's kind of sketchy to upload your floor plan...or is it just me??


You are uploading it to a device that runs locally on your network. The domain the docs mention are just for tunnelling - nothing is hosted in the cloud.

Oh I missed that part, thanks!

If you use certain vacuum robots that might already have happened: https://www.usatoday.com/story/tech/nation-now/2017/07/25/ro... (Does anyone have a security/privacy overview of IoT things?)

> (Does anyone have a security/privacy overview of IoT things?)

The S in IoT stands for security.


It's uploaded to your device (router / raspberry pi / etc.), it doesn't go to mozilla or other 3rd parties.

Thanks! Totally did not pay enough attention.

At present. Maybe all the routers get auto-enrolled in a 'voluntary' program in the future??

Mozilla have shown they're not trustworthy in such situations; I think it will take a couple more years to see if they've learnt from their indiscretions.

HTTP for IOT is super heavy. On one side it may be simpler for developers to hop in, but performance-wise this shouldn't be used for anything large scale or where power/bandwidth constraints are an issue.

Something like ble/lora/zigbee for device-gateway communication and mqtt or similar for gateway-collector is the best for me.

The great thing about HTTP outside of just being well known and available everywhere for developers is that you can use it to negotiate switches to other completely different protocols, or change content types, as necessary. This doesn't do much to help truly resource constrained environments but honestly as power and performance get cheaper, I think most consumer usecases can spare the cycles.

The machine the gateway is running on can also be extended to use your solution of choice, for example ZWave with an ESP8266[0][1].

You can also bring your ble/lora/zigbee device-gateway solution with you and have that thing talk to the WebThings Gateway as well, acting as a proxy if necessary.

IMO it doesn't get much better than this -- the ship to have one true communication standard (tm) has already sailed if it was ever even possible, so we're going to have to paper over them if we want devices to interoperate -- whatever does the papering is probably going to be more powerful than the devices themselves, and HTTP has proven to be a pretty easy to grasp and flexible enough interface over them.

All that said, in the lighter-than-http pile of technologies there's also CoAP[2] which I learned about recently that is pretty cool.

[0]: https://github.com/mozilla-iot/zwave-adapter

[1]: https://www.instructables.com/id/Mozilla-IoT-Gateway-With-ES...

[2]: http://coap.technology

And we all know some clown will hook up a nuclear launch system to it so the good General can connect via his home WiFi. And the doctor a hospital life support system to "stay informed" at his cabin...

For sure I applaud this and will play with it. And hope my cynicism is misplaced.

I am much more concerned about "Web contagion" and the dysfunction of the "web ecosystem" prematurely turning people off IOT before it can take off.

I don't want webdevs coming and breaking the embedded ecosystem. I don't want my fridge crashing because of somebody's webpack setup going haywire.

There are plenty of IoT devices that are mains powered, and also many modern microcontrollers include an HTTP stack (e.g. the ESP32). But yeah I agree it does seem pretty stupid to say "It's easy! Just use http, SSL, websockets and JSON!" when your device might be sending a single bit and running off a coin cell.

The problem with ble/lora/zigbee is they all require extra hardware (radio).

But with lora you can achieve a 5 km range while running on a coin-size battery. Same with zwave and ble, but those have lower ranges (new ble supports meshing). With Wi-Fi based devices you also need extra hardware (access points), and you need a power supply for every device (or in other words you can't have "wireless" devices).

I suggest you take a look at PJON: https://github.com/gioblu/PJON

I'm trying to kit my own apartment out with IoT stuff, my biggest concern isn't voice functionality, or compatibility with social media.

It's security. A NodeMCU device can connect to WiFi via a built-in password, but I'd prefer per-device certificate credentials in order to control what a device can do. This would mean enterprise WiFi and RADIUS, maybe VLANs. Making this easier is the main thing for me.

I would recommend setting up a separate Wifi for IoT devices. This has an additional advantage: you can put it on a different spectrum, meaning your normal Wifi will be more free to handle other traffic, and it keeps the spectrum cleaner.

What does this offer over stock Turris or OpenWRT builds?

Absolutely nothing. It's worse, with fewer features. Mozilla itself says as much. This is for playing around with stuff, not general usage.

I'm a happy HomeKit user with Apple's native solutions. WebThings Gateway claims HomeKit support. What does that mean? Does it replace my native Homekit gateway? Or can it do other stuff? I read the site and couldn't tell.

Seems like it does replace your native gateway; you have to unpair the devices from iOS and pair them directly to the WebThings.



I need to know this as well. Can I use HomeKit automation with it and Siri commands from iPhone?

Been looking into IOT/home auto lately so this is of interest to me.

I hope they hurry up though. Consumer router gear is god damn awful. e.g. the 2.4ghz on my Asus router is dead (common) so I'm using a raspberry to create a hotspot.

Any reason Mozilla is not picking up and supporting one of the DD-WRT/OpenWRT projects ?

They are hugely popular, have a huge userbase and are well supported by a lot of hardware (most TP-Link, Linksys, etc).

The WebThings Gateway does support OpenWrt if the router is beefy enough (decent app processor, RAM, and flash). Most cheap routers wouldn't work. If you are a savvy OpenWrt user see: https://github.com/openwrt/packages/tree/master/lang/node-mo...

The Turris OS that runs on Omnia is a customized OpenWrt build that lets a user plug a USB memory stick (with the Mozilla WebThings Gateway image, and only that image on it) into the Omnia, hold down the reset button until the 4th front panel LED lights, let go, and wait until it installs and the "WebThings Gateway XXYY" SSID appears. Then connect to it and proceed with the setup process. Suggest other hardware to potentially support on Mozilla's Discourse "iot" channel. Or the mozilla-iot/gateway repo on github.

Probably the flexibility of that router having 3 MiniPCIe slots for the wireless card(s), from the standpoint of ease in firmware development. The cheaper routers with embedded radio chipsets range from very good to crappy support for open source firmware. But, few people are going to be interested in a 350$US product, when equivalent is available for a fraction of that.

This was my question as well. Why fork? Why reinvent those parts of the wheel? Good luck reaching device compatibility parity...

TurrisOS is based on OpenWRT with some additional stuff like auto-updates.

Is that compatible with smart home platforms like hass.io?

From what I understood, it is either Home Assistant or this WebThings Gateway; it is not possible to use both at the same time.

It's definitely possible to use both at the same time. But, there's no reason to.

The article seems to lack a TLDR so here's one. It is a "software distribution for smart home gateways which allows users to directly monitor and control their smart home over the web, without a middleman."

Devices supported:

  - Raspberry Pi
  - Turris Omnia

Protocols supported:

  - HomeKit
  - ZigBee
  - Thread
  - MQTT
  - Weave
  - AMQP

Framework languages supported:

  - JS (Node.js)
  - Python
  - Rust
  - Java
  - C++ (for Arduino)

Home page:

Supporting Thread in particular is an interesting choice, because as far as I'm aware Thread is one of the most open-source IoT stacks[0]. Thread isn't really used in consumer hardware, which is probably the reason it's so obscure within the hacker community, but there's a lot of buzz around it within industry groups. Companies like Google, ARM, Amazon, LG, NXP, Samsung and many others are supporting the development of Thread.

What's interesting about Thread is that it takes advantage of IPv6 to allow any device on a network to talk to the World Wide Web. Usually, you can only talk to your IoT gateway over the web, and then tell it to control its children. Thread simplifies all of that and lets you directly talk to any child via its IPv6 address[1].

Compared to some other IoT protocols, Thread also takes a strong stance on security: unlike other protocols such as Bluetooth Low Energy, you cannot create an unsecure Thread network[2], you must have the correct credentials to talk to any Thread network, and all communications are encrypted.

I believe that Thread is going to be a very important part of the future of IoT, and I'm excited to see what comes next.

[0] https://openthread.io/

[1] https://www.threadgroup.org/What-is-Thread

[2] https://www.threadgroup.org/Portals/0/documents/support/Thre...

> Usually, you can only talk to your IoT gateway over the web, and then tell it to control its children. Thread simplifies all of that and lets you directly talk to any child via its IPv6 address[1].

But I don’t want every one of my potentially buggy IoT devices to be directly addressable on the Internet.

Ideally they’d each be isolated, with the minimum connectivity needed to the hub.

Yes, you can isolate individual devices the same way you'd isolate any IPv6 device on your home network - using a firewall. Normally you would firewall away your entire home network and only open up connectivity to the devices you want.

Additionally, you can configure the firewall on the Border Router as well, which is the device that actually interfaces between Thread and other networks.

That's a shot in the dark, but I may ask it here: Do you have simple documentation that would tell someone who knows how to route an IPv4 network and avoid the pitfalls, what is the correct way to do it in IPv6? I struggle to find a good summary of the things one needs to know.

IPv6 is weird for someone coming from IPv4. Basically every IPv6 address is a public IP address. Your firewall is responsible for blocking inbound traffic from actually getting to the devices at these addresses. This replaces NAT. So, what I do is have a default rule that blocks all IPv6 traffic inbound. Then, instead of a NAT rule, port forwarding, etc., I just allow inbound traffic on certain ports to certain addresses.

Thread uses something called a Border Router to handle the Thread Network / Home Network communication. The end devices can only communicate with the router, which then could make a potential http request or whatever. Giving an end device direct web access would have to be a deliberate move.

Another great open source competitor is Home Assistant [0] which has been around much longer and is relatively mature.

[0] https://www.home-assistant.io/

Yes, that's what I'm running at home for almost a year now. There is so much stuff already in this system, it is amazing.

I always found the scripting a bit annoying (programmer by day, so I could, if I would want to, but...).

That's why my HA install is accompanied by a NodeRED instance. I really like just clicking my flows together. And if there is something missing, you can be sure that someone already built a matching node.

Also z-wave

> without a middleman

Are you saying that I should be able to connect to my home directly over the Internet? How does it bypass NAT.

You configure your router to not use NAT for IPv6, and get your ISP to provide you more than a /128, is how. This is why industry is adopting it and consumer devices aren’t.

(IPv6 space is big enough that there’s no reason that residential ISPs shouldn’t be assigning everyone larger prefix ranges by default, but that doesn’t mean they will. They probably think they can up-sell it. Thread is a great, simple protocol for the hypothetical world where the residential ISPs give up on this practice. It’s not so great for the world we’re in, unless you’re already using some separate VPN overlay network.)

The problem for me in the UK is that most ISPs are dynamically allocating prefixes using DHCP-PD. So I've not got static address I can put in my firewall for the equivalent of ipv4 port forwarding.
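The default-deny inbound policy described in the IPv6 firewall comment further up, combined with one answer to the changing DHCP-PD prefix raised just above, as an added example that is not part of the thread: a small Python model of a stateful edge firewall whose allow rules match only the low 64 bits of the destination. The class and function names are hypothetical, all addresses are constructed from the 2001:db8::/32 documentation range, and it assumes the device keeps a fixed interface identifier (EUI-64 or a manually set token) rather than temporary privacy addresses.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def iid(addr):
    """Interface identifier (host part) of an IPv6 address, as an integer."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


class Ipv6EdgeFirewall:
    """Toy model of a stateful IPv6 edge firewall with default-deny inbound."""

    def __init__(self, delegated_prefix):
        self.prefix = ipaddress.IPv6Network(delegated_prefix)
        self.allow = set()  # (interface identifier, proto, port) opened on purpose
        self.flows = set()  # connections initiated from the inside

    def renumber(self, new_prefix):
        """The ISP delegated a different prefix: old connection state is void."""
        self.prefix = ipaddress.IPv6Network(new_prefix)
        self.flows.clear()

    def allow_inbound(self, host_addr, proto, port):
        """IPv6 counterpart of a port forward, keyed on the host part only."""
        self.allow.add((iid(host_addr), proto, port))

    def outbound(self, proto, src, sport, dst, dport):
        """Record a connection opened by an inside device so replies can return."""
        self.flows.add((proto, ipaddress.IPv6Address(src), sport,
                        ipaddress.IPv6Address(dst), dport))

    def inbound(self, proto, src, sport, dst, dport):
        """Return 'accept' or 'drop' for a packet arriving from the internet."""
        src_ip, dst_ip = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if dst_ip not in self.prefix:
            return "drop"    # not one of our current addresses
        if (proto, dst_ip, dport, src_ip, sport) in self.flows:
            return "accept"  # reply to a flow an inside device started
        if (iid(dst), proto, dport) in self.allow:
            return "accept"  # service opened explicitly
        return "drop"        # default: publicly addressed, still unreachable


# Constructed sample data (documentation address space).
OLD_PREFIX, NEW_PREFIX = "2001:db8:1:100::/56", "2001:db8:2:a00::/56"
GATEWAY_OLD = "2001:db8:1:100:211:22ff:fe33:4455"
GATEWAY_NEW = "2001:db8:2:a00:211:22ff:fe33:4455"
THERMOSTAT_OLD = "2001:db8:1:100:5054:ff:fe12:3456"
CLIENT, VENDOR = "2001:db8:ffff::10", "2001:db8:beef::1"


def demo():
    fw = Ipv6EdgeFirewall(OLD_PREFIX)
    fw.allow_inbound(GATEWAY_OLD, "tcp", 443)
    before = fw.inbound("tcp", CLIENT, 50000, GATEWAY_OLD, 443)
    unsolicited = fw.inbound("tcp", CLIENT, 50000, THERMOSTAT_OLD, 443)
    fw.renumber(NEW_PREFIX)
    after = fw.inbound("tcp", CLIENT, 50000, GATEWAY_NEW, 443)
    return {"gateway_before": before, "thermostat": unsolicited,
            "gateway_after_renumber": after}


if __name__ == "__main__":
    print(demo())
```
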

"without a middleman" means it won't rely on some 3rd party to work. As a contrast, for example, a SmartThings hub requires an internet connection to work because (almost) everything is sent to Samsung first.

Whether you want to connect to your home directly over the internet is up to you, in this case.

The goal of this is to be hosted on a router. I'm assuming it wouldn't go around NAT as much as replace NAT by replacing router's firmware.

You've guessed correctly that this is one of the most painful parts of the setup. I use a different open source product for the same purpose (Home Assistant), and it allows me to go around NAT manually (use dynamic DNS service, open up the port on a router, route it to a local device, issue a Let's Encrypt certificate) or pay them a few bucks per month to ease the pain.

Mozilla hosts an https tunnel for subdomains that match YOUR-subdomain.mozilla-iot.org where users choose a unique subdomain and a cert for it is auto-installed (using LetsEncrypt) onto the RPi or Turris Omnia during first time setup. In the future once the WebThings Gateway has control over edge firewall rules, then the tunnel can go away in favor of a "hole" for 443 or a port forward rule for https access directly to the gw. Privacy risks are far reduced if we all run our own local smart home gateway in our homes.

They’re constantly coming up with new ways to make money with aggregated data mining. Mostly it’s about creating services by copying established OSS functionality but still - good job!

Okay, so what part of this open source and locally hosted application will do the datamining?

This is a fully self-hosted OSS project. You can run this on a Raspberry Pi.

I wonder why this project exists when Home Assistant is already near perfect, let's put the effort in there!

We at Droplit are building something similar for any of you interested in this area.

https://docs.droplit.io/ https://www.npmjs.com/package/@droplit/sdk
