Encrypting everything means that IoT devices represent an unknown threat - your "smart" TV connects to Sourceforge and downloads... something every week. What for? Your "smart" thermostat calls the IP of the vendor, maybe to get firmware updates, but it also calls the Disney corporation - what for? You can't snoop any of this because it's using encryption with pinned keys, so MITM doesn't work. Obviously hardcore reverse engineering is possible, but it's extremely expensive. So in practice it won't get done.
But, if we can popularize a safe option, we can just flag all the unsafe approaches that are popular today. We can teach vendors that this is a bad idea and they shouldn't do it, and (cross fingers) it might go away, like X-ray shoe sizing.
/me grumpily clicks link
I am not a lawyer, but I think under European privacy laws those approaches are probably illegal, too.
If some manufacturer (probably Chinese) wants to grab data from people in Europe, they must comply with EU laws even if they don't have an office in the EU.
Not being able to sell to a huge market is probably a better tactic, but not the only one to use.
We don't have to make everything bad impossible. We can make it a bit harder to do the wrong thing, and then the regulator says "Hey, do the easy thing these nerds recommend or else if we find you did the wrong thing you're in bad trouble".
But a Federal Prosecutor can tell a judge these are the only Smart TVs that do that, and he thinks it's because they're violating the Tialaramex No Snooping Act of 2025, so he wants a warrant to see what HBO receives.
The warrant doesn't magically decrypt the packets - but refusing to obey the warrant is contempt of court, for which you can go to jail. An HBO employee shows the Prosecutor their database labelled "snooping" full of data from Foo Corp TVs that sure enough violates the No Snooping Act.
In today's IoT world where basically everybody does all this potentially shady stuff sending encrypted data to who knows where, and with no legislation on the books saying they mustn't, you would not get anywhere trying to obtain a warrant.
But if things like WebThings Gateway were to make that unusual, so that as I said there aren't other Smart TVs sending mysterious stuff directly to HBO - that changes the balance of probabilities, and it also changes the incentive to regulate / legislate behaviours that are now less common and still undesirable so that what they're doing isn't just immoral it's illegal too.
Circumstances change. In 1975 the idea that you shouldn't smoke cigarettes inside a train, deep under the ground, in a crowded city, was a bit weird. By 1983 it was illegal in London. In 1985 somebody who'd cut a few corners and was lighting a cigarette on the escalator out of the Underground caused a fire in which a lot of people died (a lot of other things went wrong, but none of them would have mattered if not for the cigarette). Today when we're trying to explain that fire to children it doesn't make a lot of sense to them. They don't remember it ever being legal to smoke cigarettes inside a building - it smells bad and looks obviously dangerous - why would somebody be doing it not just inside a building but so deep underground?
But both of those approaches are very difficult and resource-intensive. The first requires many, many hours of reverse engineering to find a security hole which allows you to write unsigned firmware to the device (or find a way to sign your own firmware and then upload it), then hack the firmware to do your snooping (good luck if the firmware updates are encrypted!).
The second is so fiddly and awkward, I've never heard of anyone actually doing it.
Correct, from the moment the IoT device puts a packet on the line, it is encrypted end to end. This is a fundamental aspect of TLS to prevent snooping. To view unencrypted data, you have to access it prior to being sent out on the network which requires you to gain root privileges on the IoT device.
If these closed-source devices send un-encrypted data, you can MiTM these devices when they're on your network. But if they're encrypted, you're SOL.
You find out after you purchase the device, are you going to send it back? What if data collection policies change?
Besides, SSH begins with encryption, how do you audit an SSH connection?
The path to the platform you want looks like the iOS App Store.
- Machine to completely do my dishes. End to end. It puts them from the sink to the dishwasher. Runs the dishwasher. Takes them out of the dishwasher and puts them in the cabinet. I do not care if this takes 5 hours - it can run overnight. I just don't want to think about it.
- Lets the dog out. If I can do this manually, say when I'm on vacation or something, cool. I saw a post about some dude who used facial recognition software on his cat's door flap to see if the cat was bringing in a dead rodent: it barred the cat from entering unless he dropped the rodent. That's a good start. But I don't want to hire a dog sitter. Just have Siri or Alexa or whatever home assistant you have do it.
- I want automated recycling. Basically I don't want to think about organizing my garbage. Apparently there's a long list of items that can't be recycled. I honestly can't remember them all, so forcing me to do this manually is always going to result in error.
What I mean is, people typically aren't going to make such a radical adjustment to their use of dishes just to avoid washing them.
Do you happen to have a link to this? It sounds hilarious and informative. Also a great way to train cats.
I read it awhile back. Really interesting.
- Cook a meal from scratch. End to end. Takes the ingredients from the fridge and puts a meal on the table at a specified time. Orders new ingredients when it doesn't have them. Also washes the dishes (see above).
- People who apparently live in warzones and need military-level surveillance of their home
- People who want to feel like they're living in the Star Trek universe
- People with very specific needs, who might take advantage of a commercial IoT device or two in their overall setup
Someone else mentioned the IKEA shades coming out in October, so I might wait and see how those are. Potentially much cheaper, but no slatted blind effect, so the only option would be to fully raise/lower them (and deal with whatever noise that generates).
Opening blinds is generally a morning thing, and ideally would want to be the quiet option if you could only have one option which was quiet (theoretically speaking). What if the electric motor drove the blinds down by pulling a counter weight. That way in the morning to open the blinds it would only need to release the weight, which wouldn't require any substantial movement and therefore limit noise...?
Yeah I'm bored at work.
We may be on to something here...
I'd also like exterior blinds that can be lowered to reflect away or otherwise counter the effects of direct sun in summer.
You might be able to hire someone at a local makerspace to build something along those lines.
We're just rebranding gateways that have existed for 20 years.
Back in the day it was just one feature of a product - "can be controlled via RS-232, USB, or LAN".
I mean, do you not want to feel like that?
For example, I'd want cookware with temperature sensors and a pressure sensor in case of a pressure cooker, a controllable stove and oven with power monitoring, a kitchen hood with gas sensors, etc.
What we can get instead are gadgets with mobile apps, that are completely undocumented beyond the UI. Kitchen devices for the commercial sector have been somewhat smart for a while, but are a pain to program and again lack documentation.
IoT these days is paying a premium for vendor lock-in.
1) Robot vacuum cleaner, and I have absolutely fallen in love with it. My floor now is always clean during weekdays, when I am busy working, no more visible dust, crumbs, etc. I just have to clean the filter and container once a week, otherwise it is fully autonomous. The only thing I want to add is self-cleaning and automatic floor mopping, but I've seen such a project on Kickstarter, so it is close.
2) Cheap WiFi RGB light-bulb. I have connected it to Homebridge and it is nice to say 'Hey Siri, turn off the floor lamp' or 'Hey Siri, set the floor lamp to 10%', but it is not one of essentials.
There are a lot of questions of course: there should be an option to work completely without proprietary servers and continuous internet connection; 'smart' kettles, hair dryers and so on are useless stuff; security; universal and open protocols; etc.
1) I push the clean button on my vacuum when I'm leaving the house. Wireless connectivity wouldn't add anything for me.
2) Siri actually works really nicely for bulbs because it functions locally. As a non-iPhone/HomePod user, I'm stuck with Alexa, where every bulb voice command has an obnoxious delay for communication to the Amazon mothership.
My uninformed observations on the issue of IoT tech development:
* IoT, in order to be useful, needs to form a common infrastructure first. It's obviously useful for TVs to be able to talk to a nearby smartphone directly, to offer rich control. However, if the protocols vary between TV, Micro Oven, Fridge, Washer & Dryer, etc., and each brand of these devices also varies, apparently no one is going to appreciate the results.
Worse yet, if they are interfaced through smartphones, the sparse physical form factor offered through phones is going to confuse users all the time, even if they manage to build a common infrastructure and enable a uniform experience. At the beginning, the experience would definitely be worse than the dedicated and well optimized interfaces offered by the individual devices nowadays (not saying they are satisfactory either).
* On the other hand, the manufacturers, in general, are not tech savvy. Nor are they ready to relinquish their hold on their own market segment.
And that worry is justified. Once the common infrastructure is built, they'll be at the mercy of the ones who own the tech. As obviously, they are not going to be able to gain that capability themselves.
IMHO, this is also why IoT is often with 5G. As the 5G community is historically closer to the manufacturers, than the Internet community. And 5G is itself a fairly mature tech, and has even broader application than IoT, so presumably, they can ride the wave and make sure they are not commoditized in the process.
Where IoT really comes into its own is either doing stuff automatically or doing stuff without requiring my presence (remotely). By far my favorite application of this so far has been the ability to turn my air conditioning on or off remotely, that way I can turn it on about an hour or two before coming home to a comfortably cool room. This increases my quality of life without increasing my electricity bill too much. Other things like opening the blinds in the morning a bit before my alarm and either disabling or lowering the volume of my doorbell are pretty good too. Other useful for me applications (that I'm in the process of implementing) would include monitoring water levels, flow, temperature and pressure to control pumps, heaters (I don't use hot water during the day so turning off the heater would make sense until I'm ready to go to bed, for example), detecting leaks and maybe automatically shutting the water/gas supply. Things like automatically watering the garden if needed, smart reminders (remind me to do something only if I forgot about it, keep silent if I already did it), home security (doors, cameras, alarms), etc. are also things that would benefit from IoT integration.
The problem I have right now with most things IoT is that a lot of them are doing their own thing, connecting to their own servers, using their own apps, have different behaviors in the event of power outage and who knows if they'll continue working after the company moves on to newer products, goes bankrupt or gets sold. A lot of modern things you can buy are also pretty trivial in their functionality and don't offer much over their regular, manual counterparts. This results in a lot of expensive hardware that's tedious to interact with for little benefit. Someone who actually wants to get a lot out of their smart things (like me), in the current world, can't really go buy off the shelf solutions or even pay someone else to design a solution for them, they have to be technically competent so they can hack existing stuff together, make their own smart things, fix stuff that breaks or stops working, etc. Smart homes are still pretty much the realm of the DIY hobbyist, there's little on the market today that can compete with what a halfway competent hobbyist with some time and money on their hands can cobble together for themselves, particularly with the prevalence of cheap and easy to use hardware platforms (NodeMCU, Arduino, RPi), open source projects in the sphere, cheap and widely available sensors and actuators, good community support, etc.
If IoT wants to move away from the current status as expensive, unreliable gimmicks, companies need to stop focusing on the idea of separate smart things and start thinking in terms of smart homes (like the kind we used to see in old sci-fi talking about the futuristic year 2000). There has always been a push in that direction, but it's never been too successful. What needs to happen is that people need to drop the idea of smart things as hardware and start thinking of them as peripherals. Just like your house now has a breaker panel, a hypothetical smart home should have a house computer, running a "House OS" to which all kinds of sensors, actuators and devices can connect through a universal house bus, pretty much the same way you connect a mouse or a camera to your computer today. This would let device makers focus on their devices and the "House OS" maker focus on other issues like remote access, scriptability, security, etc. When I buy a mouse I'm not worried about it working with my computer, I'm not worried that it'll stop working if Logitech goes out of business, I don't need to worry about it catching malware and DDoSing some website or phoning home with all my mousing data. Why should it be any different if I buy a smart light bulb or a smart air conditioner?
There are numerous projects working in that direction like this one from Mozilla, HomeKit and whatever else, and DIY solutions almost always have a centralized home server for all that stuff too, so I think we will eventually get there, but for now the modern smart home feels very similar to the way the earliest micro computers were in the late 70s and early 80s.
> If IoT wants to move away from the current status as expensive, unreliable gimmicks, companies need to stop focusing on the idea of separate smart things and start thinking in terms of smart homes
Why would they do that? They do want to offer you a smart home, but a home that's entirely under their control, using either their own gadgets or compatible ones (so that they could charge other companies for the compatibility stickers).
There are plenty of protocols, and plenty of apps that support a protocol or two, but not every. Home Assistant and this project from Mozilla attempt to bridge that gap. I don't understand what Mozilla sees in an attempt to fight an established open source project like Home Assistant, but they probably have a reason or two. Such reasons are not yet obvious to me, so I'm going to continue using Home Assistant for my purposes. Every device I've purchased works locally, so I have one device that hosts the server, one interface that controls it (Progressive Web App, to be more precise), and NFC tags plastered over my apartment that trigger stuff without the need to even look at that one interface.
That's the sweet spot for me and it really feels like the future is already here. My choice of gadgets is rather limited (since I refuse to purchase any IoT device that can't be made to work locally), but so far I've yet to face a problem that I'm unable to find a solution for.
That reads like what you really want is a regular physical button or switch.
I think a lot of devices suffer because they try to fit the IoT label instead of just being a smart device without internet or even phone connectivity.
One of the NFC tags on my work desk triggers "focus mode". Lights change to bright white, a (non-local) radio station starts playing in the background, and the volume gets auto-adjusted to something bearable. That saves me like 20 clicks or so on two remotes.
It's all about those small victories that save me a few minutes each day, all without a need to route cables throughout the apartment. When I want to re-purpose an NFC tag, it takes me maybe 30 seconds to do so (instead of having to re-route the cables throughout my home). Physical buttons can do one task and one task only. NFC tags can trigger as many tasks on as many devices as I want them to.
If my Internet goes down, things still work. If I don't want to use my phone, I don't have to (I can achieve the same things from my laptop). I don't have to worry about turning shit off when I leave my home, Home Assistant does that for me (if an nmap scan doesn't detect any trusted device on my network). If a company whose gadget I'm using goes bankrupt, things are still perfectly usable.
I know about it. I have it. I've used it as a trigger before. I've replaced it with NFCs because they are less of a hassle to repurpose. The dimmer still serves its original purpose, while NFC tags are used for everything else.
A timer also can't tell me if my AC is actually on, may fail in the case of a power outage or I may forget to set it, as such using a timer doesn't provide a meaningful improvement over just turning on the AC when I get home and tolerating the heat for half an hour or so.
In the end, a timer has no feedback, so a closed loop system will always be better. I've been burned numerous times by open-loop systems in home automation, so I don't do that anymore. That's the second reason why I spend a lot more effort and money on sensors rather than actuators (the first reason being that graphs are fun).
Given that the load is likely removing peak daytime heat, then sustaining a less-challenging night-time temperature, the net impact is probably even less.
It's not horrible, but that's like half a space heater and most people spring for something bigger.
First hour use may approach peak, but again, most of that is incurred regardless.
5 kWh is $0.50 - $1.00, which is the cost of running an hour long for a day, the worst-case scenario. You'd spend a lot more on IoT kit (the Turris Omnia alone is $300) for minimising that cost.
Timers are cheap.
NAS devices and networked home speakers are incredibly competitive categories in the IoT space, and as anyone who has actually owned e.g. a Sonos knows, you listen to a lot more music and they've supported the same 12 year old hardware throughout its lifespan.
I agree, but I think the goal is to overcharge you “a lot” more. It seems like no matter what the product is, once it’s “smart”, the price floor is $50.
There's lots of interesting niches, the overall term "IoT" and what people use it for is incredibly broad (IMHO to the point of uselessness)
That's my take as well. Complexity for the complexity fetishists among us.
With the advent of cheap wifi mcs and 3d printer, maybe this will help: https://www.frolicstudio.com/portfolio/smartians
Really my only use cases are:
* glancing at the screen to see the weather
* Asking it to turn on or off or change colour of Hue lights
* Timers for cooking
I've since unplugged my google box because I felt the sacrifice of privacy with an always listening box wasn't worth it.
At the end of the day the functionality I use isn't that complex and even basic voice recognition I'm sure doesn't require the internet.
So I hope that there will be or there is a platform I'm not aware of that runs it locally.
Certainly Webthings is answering a good chunk of the question.
For tech people, this is easy to use. Still some UX/UI updates needed for mainstream consumer readiness. Remaining big problem is that smart home devices don't tell you whether or not they are web of things ready (direct or via an addon). Need to check the wiki or ask online.
I presume it’s hard to explain how it fits into the stack when it does a lot of generic IoT sounding stuff.
I've not tested it but have had it in my starred projects for a while now.
I have a cheap Xiaomi Aqara hub that is HomeKit compatible, and I want to export its data. Sadly usually the use case is to connect a non-HomeKit IoT device to a HomeKit server from an Apple device with Homebridge. Here their HomeKit adapter uses a lib called hap-controller-node that seems to be a HomeKit server. I will have to try this.
The S in IoT stands for security.
Mozilla have shown they're not trustworthy in such situations; I think it will take a couple more years to see if they've learnt from their indiscretions.
Something like ble/lora/zigbee for device-gateway communication and mqtt or similar for gateway-collector is the best for me.
The machine the gateway is running on can also be extended to use your solution of choice, for example ZWave with an ESP8266.
You can also bring your ble/lora/zigbee device-gateway solution with you and have that thing talk to the WebThings Gateway as well, acting as a proxy if necessary.
IMO it doesn't get much better than this -- the ship to have one true communication standard (tm) has already sailed if it was ever even possible, so we're going to have to paper over them if we want devices to interoperate -- whatever does the papering is probably going to be more powerful than the devices themselves, and HTTP has proven to be a pretty easy to grasp and flexible enough interface over them.
All that said, in the lighter-than-http pile of technologies there's also CoAP which I learned about recently that is pretty cool.
For sure I applaud this and will play with it. And hope my cynicism is misplaced.
I don't want webdevs coming and breaking the embedded ecosystem. I don't want my fridge crashing because of somebody's webpack setup going haywire.
It's security. A NodeMCU device can connect to WiFi via built-in password, but I'd prefer per-device certificate credentials in order to control what a device can do. This would mean enterprise WiFi and RADIUS, maybe VLANs. Making this easier is the main thing for me.
I hope they hurry up though. Consumer router gear is god damn awful. e.g. the 2.4GHz on my Asus router is dead (common) so I'm using a raspberry to create a hotspot.
They are hugely popular, have a huge userbase and are well supported by a lot of hardware (most TP-Link, Linksys, etc).
The Turris OS that runs on Omnia is a customized OpenWrt build that lets a user plug a USB memory stick (with the Mozilla WebThings Gateway image, and only that image on it) into the Omnia, hold down the reset button until the 4th front panel LED lights, let go, and wait until it installs and the "WebThings Gateway XXYY" SSID appears. Then connect to it and proceed with the setup process. Suggest other hardware to potentially support on Mozilla's Discourse "iot" channel. Or the mozilla-iot/gateway repo on GitHub.
- Raspberry Pi
- Turris Omnia
- JS (Node.js)
- C++ (for Arduino)
What's interesting about Thread is that it takes advantage of IPv6 to allow any device on a network to talk to the World Wide Web. Usually, you can only talk to your IoT gateway over the web, and then tell it to control its children. Thread simplifies all of that and lets you directly talk to any child via its IPv6 address.
Compared to some other IoT protocols, Thread also takes a strong stance on security: unlike other protocols such as Bluetooth Low Energy, you cannot create an unsecure Thread network, you must have the correct credentials to talk to any Thread network, and all communications are encrypted.
I believe that Thread is going to be a very important part of the future of IoT, and I'm excited to see what comes next.
But I don’t want every one of my potentially buggy IoT devices to be directly addressable on the Internet.
Ideally they’d each be isolated, with the minimum connectivity needed to the hub.
Additionally, you can configure the firewall on the Border Router as well, which is the device that actually interfaces between Thread and other networks.
I always found the scripting a bit annoying (programmer by day, so I could, if I would want to, but...).
That's why my HA install is accompanied by a NodeRED instance. I really like just clicking my flows together. And if there is something missing, you can be sure that someone already built a matching node.
Are you saying that I should be able to connect to my home directly over the Internet? How does it bypass NAT?
(IPv6 space is big enough that there’s no reason that residential ISPs shouldn’t be assigning everyone larger prefix ranges by default, but that doesn’t mean they will. They probably think they can up-sell it. Thread is a great, simple protocol for the hypothetical world where the residential ISPs give up on this practice. It’s not so great for the world we’re in, unless you’re already using some separate VPN overlay network.)
Whether you want to connect to your home directly over the internet is up to you, in this case.
You've guessed correctly that this is one of the most painful parts of the setup. I use a different open source product for the same purpose (Home Assistant), and it allows me to go around NAT manually (use dynamic DNS service, open up the port on a router, route it to a local device, issue a Let's Encrypt certificate) or pay them a few bucks per month to ease the pain.