For someone who thinks Zigbee already is an open standard, well, it is NOT really open though. A standard being publicity available does not always make it open-source friendly.
Linux considers it a proprietary protocol [1] so Zigbee driver cannot be part of Linux kernel. Although Zigbee spec allows non-commercial individuals to freely use it, a commercial organization must be a member of the Zigbee Alliance in order to use Zigbee, which violates the GPL standard. [2]
At least the article speaks out "an open-source approach", let's see if things will get better.
There's also the bit where Zigbee devices have to share a secret key to talk to each other, mostly to prevent competition from low cost devices manufactured in China.
No, American Marketing Companies (Apple, Amazon, Google, Etc) want to use the Cheap China Manufacturers, they just dont want consumers to be able to buy them direct
When they kept the already known secret key for pairing bulbs in the new supposedly secret version of Zigbee it was obvious they didn't care about security at all
I actually worked at Ember for a bit before leaving when they get bought by Silicon Labs. The reason, internally, really was the fear that there would be a flood of low quality products that would make ZigBee look bad.
For that, you need certification, not gatekeeping.
Publish a set of tests a device must pass, broadly, to be certified compliant.
Allow manufacturers test their devices, for a fee, and win a certificate, or know where they failed. Much like you can take a language exam (say, TOEFL).
> fear that there would be a flood of low quality products
That's mental gymnastics. The fear is having to compete against cheaper products (possibly low quality, but possibly not). Even broken DRM is an excellent anti-competitive tool because no one can legally sell a competing product.
IoT devices don't support public key infrastructure, e.g. something like GnuPG or the SSL certificates used by web browsers.
It's a very practical solution to have a shared secret between the device and a central server, and, at registration time, have the central server make a key for both the hub and the device.
Without some kind of key exchange, people could set off your alarm, turn on your lights, open your door...
The solution is to have a pairing mode that allows the device to be paired with a control device (e.g. your phone) via wireless while you're in the same room as it. That would only have to be done once when it's installed and require pressing a physical button on the device while being in wireless range so that nobody can hack it remotely.
I will no longer install apps on my phone to pair devices. The reason is that then everyone wants to link my phone number to the device and create an account. There is nothing that intrinsically says they have to, but companies cannot resist asking for a unique identifier that happens to be linked to everything else in your life. No thank you.
So who says you should need their app? It should be a published protocol, and then you use whatever app you want that speaks the protocol instead of some heinous dreck from the manufacturer.
If you as an individual has visitors who come to your house and snap pictures of codes in your devices... I wouldn't be more expectant of Zigbee or any other standards, rather I would be more keen on the visitors I allow into my house.
But then what do you need the key for? In theory somebody else could try to pair with it while you have it in pairing mode, but they would have to be on your property for that and could potentially see the key anyway. So you go slap them with a trout or call the police or something, and then go back to setting up your future garbage.
I'm not a fan. If I get a new hub, the last thing I want to do is unscrew every light switch to find the picture on it to scan and if I buy a house with pre-existing hardware I don't want to rely on the last owner having taken pictures associated with every switch and left it for me.
OOB pairing could have rolling keys, but that's more expensive. In general the problem is difficult, every solution has a nasty caveat, be it taking over during installation or what your described.
True. I was looking at TheKarateKid comment about infringing companies. The country where most stuff is manufactured, white labelled and sold at a premium by brand names :)
I'm sort of reminded of the book "Schiit Happened" from the Schiit guys (they make cool headphone amps). They documented how they started their business.
One thing they mentioned is that apart from RCA jacks, all the surround sound standards are tied up and closed.
To understand some of the reasoning of what is open and isn't you can look at the different versions of their IPR, testing and use policies. There used to be 'profiles' but they were merged into one version: 3.0 IPR version 4 allowed anyone to use the specs and develop product 'based' on Zigbee and didn't protect anyone from IP enforcement from the many patent holders. This caused a lot of issues around 'interoperability' and end user adoption. "It says Zigbee but it doesn't work with other 'Zigbee' devices." IPR version 5 moved to improve interoperability and enable members to increase development by increasing protections. It granted RANDZ between all members. It improved interoperability by only allowing the use of the name and logo if the device was certified by an approved test house. This did increase deployments and reduced interop issues. Now there is IPR version 6, which allows for the growth of other protocols, providing the IP protection developers, manufacturers and retails want and could enable further industry consolidation - which is good for the end consumer. The average Joe and Jane just want stuff that works without having to be a technical expert. Any open source move is probably about getting more developers exposed and involved to help grow the base both creators - and consumers.
Firewire was an originally open standard, but there came Apple and demanded to exact a symbolic 1$ per device payment.
Despite FireWire being an indisputably better standard from technical standpoint, that 1$ completely ruined the mood with OEMs, and they lost the market.
USB on the other hand, was not really open, but Intel's central leadership in it guaranteed that there were no disarray with association peers throwing random capricious demands.
Most USB implementers were random Taiwanese OEMs who never formally joined the USB-IF, but nevertheless Intel was smart enough to close eyes on that.
>Firewire was an originally open standard, but there came Apple and demanded to exact a symbolic 1$ per device payment.
What? Firewire was a project initiated by Apple in mid-1980s, which then was further developed by the IEEE P1394 Working Group. Patents and pooling was part of it from the very beginning, with the primary drivers being Apple, Panasonic, Philips, and Sony (there were also a half-dozen odd smaller contributors). I don't remember there being any sort of "originally open standard" part to it whatsoever. Yeah, Apple owned the trademarked name "Firewire" for IEEE 1394, while Sony and TI used "i.LINK" and "Lynx" respectively, and Apple initially tried charging extra for that which was really stupid (but late 90s Apple was pretty dysfunctional). But even without that wasn't there still the standard $0.25/unit manufacturer royalty?
If you've got some other sources I'd be happy for the trip down memory lane because it's been a really, really long time since that particular battle. I'm not disagreeing that Apple's charge definitely harmed momentum, just that it's not like they came out of nowhere. Though it's worth noting that Firewire was inherently more costly anyway since it required dedicated silicon rather than handing everything off to the CPU. At the time that also gave it vastly more reliable real performance and latency vs USB, and Firewire 400 would typically obliterate USB 2 despite the latter having a sticker speed of 480 Mbps. But it was more inherently costly IIRC.
I own many USB gadgets that I bought for less than $10. Paying 10% of the retail price for the privilege of using a specific port/protocol seems out of the question. Even for low-end computers (~$300) $1 for a license is a lot of money.
FireWire also had a few port types which required different cables and connectors, while USB at the time only had one (this was before Mini and Micro USB). Apple even included dongle converters with their iPods.
USB also had the advantage of Intel pushing it, resulting in almost every PC with an Intel CPU (large majority) having USB ports.
> USB also had the advantage of Intel pushing it, resulting in almost every PC with an Intel CPU (large majority) having USB ports.
In the mid to late 1990s, USB was scarce. It didn't take off until after Apple replaced its ADB (Apple Desktop Bus) port with USB in the first iMacs. Once that happened, manufacturers flooded the market with consumer products (e.g. CDRW drives) and PC makers followed suit. Up to that point PC makers had standardized on the serial port.
I don't have contemporaneous links at the moment but the second paragraph of a relatively recent (2015) article summarizes:
> But Apple shocked the computing world when it swept its old connectors away with the original 1998 iMac. The bulbous computer adopted a then-struggling standard developed by Intel called USB (Universal Serial Bus). In a hint of what was to become the company’s ability to make or break certain technologies, USB would go on to live up to its “universal” descriptor and become the most prevalent connectivity standard in the world. The solid-and-hollow stacked rectangles of its “A” connector now appear in everything from alarm clocks to airplanes. [0]
That neglects to mention that Microsoft Windows 95 OSR2 launched a few months before (97) and that entire release was centered around better USB support for a broader range of components. (e.g. CDRW Drives)
I don't think its fair to say PC "Followed suit" in using USB.
If I remember at the time peripheral manufacturers had USB devices ready to go for the Win95 launch and Microsoft fucked up and couldn't get USB support ready in time. So Win95 shipped without it and peripheral manufacturers were utterly livid.
The next couple of releases of Windows included totally redesigned USB support.
Once Windows 98 hit though, USB was well supported on the platform. During a brief stint in late 98 through 99 I worked at a consumer electronics chip manufacturer (56K modems and DSL) and we had good support for USB on Windows 98 and Windows NT at that time.
I doubt Apple had anything to do with pushing USB's widespread adoption. Apple was at one of its lowest points during this time period, and it was pre OSX.
The poor support in Windows, as well as peripheral OEMs still using other ports slowed its adoption.
There is just one open standard. User having root access to the IOT device and scripting there whatever it wants. Any 3rd party dependence is a way of collecting and selling data (google and fitbit acquisition) and should be prohibited. Vote with your wallet, dont buy devices that prohibit you root access and make 3rd party servers access mandatory. Simple as that.
Apple’s smart home protocol famously does not support multiple users. Amazon is choosy on what features you can implement (turn on alarms but not turning them off, locking doors but not unlocking them). Google loves using radio hardware no one else supports. Zigbee has delightful legacy security vulnerabilities and consortium drama.
I look forward to these groups putting aside their differences, coming together, and creating a new standard that combines the best of all these anti-patterns.
That was very well put. I eager await the new standard, released in 2033, that allows me (but not my wife) to lock our door using handcrafted 1.38GHz radios that require FCC licensing on the per-unit level.
I, on the other hand, am on the 17th floor. Anyone who can holler at a smart device in my apartment has already compromised something important, and could probably get in anyway.
Also, just require a passphrase? To go full star trek, "[Alexa/Google/Siri], unlock the front door, authorisation singingboyo Alpha Pi Pi Zulu" sounds workable.
IIRC Amazon does allow for this. I use Smartthing + Homebridge for operating my lock (Prompts me on my phone to unlock the door when I get near the house and locks the door when I close it) but I do have Alexa as well and I at least looked into using it to lock/unlock. For the unlock I have to read off a pin, it will lock without needing a pin.
I’m not sure if you are joking/mocking but for me at least it’s super convenient to tap a notification on my watch as I pull into my driveway and way directly into my house (detached garage I don’t park in so I enter through the front door). It’s also nice to know anytime I close the door it will lock behind me. I quite enjoy living in the future.
Or you could use voice authentication... or require that known phones are within range, or best yet don't link your smart speaker to your door lock (when do the pros outweigh the cons here?)
Yes. So they are both susceptible to being compromised. So it'd be up to user preference as to what method they want to lock / unlock their door with then?
What about throwing a small speaker through the window that blasts out “Alexa, unlock front door ... Siri, unlock front door” ? (I’m no criminal mastermind, but just a random thought)
> Apples smart home protocol famously does not support multiple users.
Can you clarify this? I set up my "home" and was able to share it with my wife, who sees all of the same controls in the Home app that I do. We don't have any family sharing, etc set up.
When it comes to smart home tech cost-cutting it's all about simplifying the small-but-many pieces. That's where RF 433 Mhz comes in.
Why should I pay $40+ for a zigbee/z-wave/smart-things/wifi-enabled door sensor when I can get a $35 RF Sonoff bridge and get each sensor for around $4-$8 from china.
So you can save a lot of money by using that tactic with door sensors/window sensors/PIR Sensors/Alarm systems/Sirens/Switches etc. because those will add up massively. You can't use that for TV/Speakers/Cameras ofc but you can bring everything together onto home assistant.
As far as I'm concerned, only the community can decide which protocol will win and these big techs should just put their weight behind a protocol built with the community instead of closed-door-consensus.
> The goal of the Connected Home over IP project is to simplify development for manufacturers...
> The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol and increase compatibility for consumers.
Curious if I as a hobbyist will benefit from this? Or if this will become a: it works perfectly, but only if all your devices connect to our certification servers kind of thing, like Chromecast is becoming.
My guess: first of all, "for security reasons" your DIY device will need to be certified, any existing SBCs will need to be replaced/extended to support new type of network and due to bloated protocol specs with a myriad of abstraction levels will render it almost impossible to implement it on your own and the open source library that can do that will implement the standard as specified whereas all proprietary solutions will have some quirks and little differences from official standard making it very hard to connect to anything from your open source lib. Also the sophistication of the new standard will exceed the capabilities of any arduino forcing you to replace any boards you have with new ones that have AVR uc with Connected Home hardware support.
Believe me, they will it will never find adoption. How to say, they are free to make whatever standards, but they will not matter much if nobody will use them.
Their entire ecosystem together have less devices shipped than even some OEM nonames, not to say of Xiaomi or Huawei or Tuya who tower over them.
All kinds of "smart assistants" like Alexa end up in drawers very quickly after initial novelty passes, and it creeping up you in the middle of a conversation gets annoying. From data I have, sales of those smart speakers is already starting to taper off.
In Russia, there is an idiom "to divide the cake before it's baked." And those guys are doing exactly that: people don't even know what those "connected home" devices are and which ones sell well, yet they are already eager make up standards for them.
Don't know much about russian idioms, but "splitting the <rewards x> before <accomplishing risky thing y>" sounds a lot like that stock thing the dutch east india company created
My experience is the opposite, basically every home I go to has an Alexa or a google home. It’s not doing too much typically managing lights/smart switches, and playing music.
Can confirm. My alexa went in the drawer after she was offering to call the crisis line for me during a spirited session of gaming.
I genuinely think the Amazon team (at least in that particular regard) want to do some good. But until they can teach their machines how to understand context, I just don't want my unfiltered conversations going around potentially to medical institutions or law enforcement.
I am surprised this is how we have ended up. We have already had a pretty good looking model for this sort of voice activated computer interaction thanks to Star Trek: TNG.
It would be far more palatable for the devices to wait for a command cue ("Computer--") to respond with an activation bleep. After the bleep, the commands begin to be interpereted.
Instead we have a listener always awaiting commands. What could be a helpful and invisible servant is instead some kind of jerk who interjects with the most literal interpretations of normal conversations.
If I wake up in the morning feeling grumpy (every day) and say some crazy crap (totally possible) on my way to the can, will an apple contractor employee be able to figure out what the hell I really wanted by reviewing the seconds of audio?
I have made death threats to wall hanging photographs in those 30 minutes before my medication kicks in. There is no checkbox for this in the privacy settings. I know with some of these smart things you can change the prompt, but this feels like not the best we can come up with.
> Can confirm. My alexa went in the drawer after she was offering to call the crisis line for me during a spirited session of gaming.
Wait, what? Please explain more.
It feels like you're saying Alexa heard you being ... passionate, and got concerned. But my understanding was that Alexa listens only after the trigger word. I'm really confused by what you've said and wish to know more context.
If you've ever owned a device like Alexa or Google Home what he said isn't confusing at all. They trigger accidentally all the time. His Alexa simply triggered when it wasn't supposed to and then reacted to what he was saying. Given he was gaming it was likely something about killing himself or someone else.
Huh, interesting. I have an amazon echo. My problem with it is not that it activates when I don't say trigger word, it's that I have to try very many times to get it triggered (usually by speaking louder).
It's impossible for me to say with certainty if it didn't just interpret something I said as it's trigger. Nevertheless, I was playing Halo online and yelling about a match going badly, saying something to the effect of "we might as well kill ourselves, this match is just not going our way" while laughing, and Alexa interpreted it as me contemplating suicide, and offered to connect me to a crisis line.
Has anyone found Alexa way too easy to trigger? As someone who frequently talks about people with a similar name, I'm amazed at how often Alexa chimes in. I think 'OK Google' is at a sweet spot (although my parents for ages were convinced 'hi google' would work if they tried enough :)
Don't have an Alexa so can't comment on how easy it is to trigger, although I don't know any Alexes so it'd unlikely be a problem for me.
What I can say about the google equivelent is that I find saying 'Hey Google' everytime I want it to do something is a bit of a mouthful especially if you want to do several things is shortish succession.
And my other problem is that I apprently say 'OK Cool' too often when I'm on the desk phone at work as my google account is full of recordings of bits of my work phone convo's where I've triggered it unwittingly.
Sometimes mine starts responding to... nothing. As in, in the midst of silence in the middle of the night, like a dog barking at ghosts, it'll answer a question literally nothing asked.
Id say yes. I just switched from google and feel like google was too buggy and slightly too hard to trigger. Alexa is too easy to trigger and has too many notifications.
For clarity, Alexa responded to my comments without being triggered. It's always listening (which makes sense, by virtue of listening for the trigger) but in this case, it reacted without the "Alexa" key word.
> any existing SBCs will need to be replaced/extended to support new type of network and due to bloated protocol specs with a myriad of abstraction levels will render it almost impossible to implement it on your own and the open source library that can do that will implement the standard as specified whereas all proprietary solutions will have some quirks and little differences from official standard making it very hard to connect to anything from your open source lib.
Whoa, is it really necessary to call BlueTooth out like that?
For anyone not following the the link, cptskippy has given a user perspective that summarises things nicely in my view:
“It's easier to tell when you're not using BLE. :)
The Tesla Model 3 uses traditional Bluetooth for phone calls and streaming but the Phone as a Key functionality is BLE. When you walk up to the car and try to open it and the car says FU then BLE isn't working.
When your Xiaomi Mi Band smartwatch hasn't buzzed all day but you pull your smartphone out of your pocket and have 8 missed calls, 100 messages, and 500 emails then BLE isn't working.
When you're at a Tech Conference and the Conference App uses BLE Beacons to help navigate you indoors and it can't determine your location then BLE isn't working.”
Apple's existing standard (HomeKit) is relatively 'open' - the specification is published, and several open source implementations exist. I've used the Python one to implement automation on the smart-home devices I've built myself. However, you do need to be certified to distribute a product otherwise you get a warning in the app when you add the device.
Seems fair indeed. I did a quick search and HomeKit seems to work without an internet connection (on lan at least, not remote), what's your experience with that?
Yeah, it works completely locally on the lan - there's a MDNS discovery and then pairing process between devices and the phone.
You can access stuff remotely if you have an Apple device which is paired to the homekit stuff and connected to the internet (e.g. an Apple TV, we use an iPad which is always at home).
I've deliberately designed my system to work offline as while our connection's pretty reliable I don't see why I should need an internet connection to turn on a light! :)
> I don't see why I should need an internet connection to turn on a light!
I hope manufacturers see it the same way.
I don't mind devices having to be certified, I mostly want to buy hardware of the shelve anyways for safety and convenience reasons and build the controlling/automation part myself. So my biggest worries are not having a local API, data exposure and having to invest in a ecosystem and having the manufacturer brick it remotely, wasting my money.
At least for HomeKit, manufacturers have no choice but to support local network access to get certified. This has cause issues, especially with Cameras since HomeKit requires that camera streams not go through the cloud first.
> The HomeKit Open Source ADK is an open-source version of the HomeKit Accessory Development Kit. It can be used by any developer to prototype non-commercial smart home accessories. For commercial accessories, accessory developers must continue to use the commercial version of the HomeKit ADK available through the MFi Program.
So only the "device" part, sadly not the "controller" part. So you'll still need a iOS device to setup stuff in your house, I tried it yesterday with only my iMac to no avail.
It was a hardware auth chip, not DRM and it hasn’t been required for 2 years now. Software auth went live in iOS 11.3. Apple doesn’t encourage the chip anymore and AFAIK no one uses it (except legacy devices obviously). Software auth rules the day.
I think most major HA hardware providers support Homekit at this point, with the exception of ones that don't because of competitive reasons (Nest, maybe Ring, etc) or because of strict certification requirements (like camera streams being local, $$$).
Perhaps. The Phillips Hue lights use an open standard, I bought a usb device that could talk it (ZigBee Light Link) but then it turned out that production devices used a master key.
Here's a discussion of the master key being leaked:
But I looked it it before that and never tried to look it up again.
So likely so, and with today's encryption it probably won't get hacked for hobbyists to use/learn/play but of course I guess the argument is that the Hue Bridge and other devices will have an API.
I can recall something along the lines: used to be like that with Light Link but as of Zigbee 3 it’s really interoperable all round (Hue hub registering third party devices and Hue lamps working with generic hubs.)
I’m still looking for other devices to mesh into a ZB3 network: I’d love to see an Opentherm capable controller able to use any connected thermometer and heating element valves to modulate heat flux production and distribution around my flat. Might be overthinking though... it’s so well thermally insulated.
I really hope they recognize the need that people want to keep their data on their lan. Actually that would be required by the GDPR if they won't let me sign anything. My derived data is my own people, it does not belong to who ever collects it.
I.e. I just want a thermostat the is a big rotating button and speaks mqtt. It does not exist. If you want it to look good you end up with a Nest thermostat. Home Assistant needs to talk to the Nest online API, not to the device itself. Really annoying and unnecessary. I wish I could just pay 50$ more and get a Nest that does let me talk to it locally. Or whatever are they going to earn with my data? I'd probably pay it straight up.
https://iot.mozilla.org -- can easily install the WebThings Gateway on a Raspberry Pi, or in a Docker container, or CLI install to a Linux box. It runs locally in your home. No cloud account, no cloud data center dependency, command and control accessible from the web UI served up by the home gateway. Local voice commands are possible too. My "home smart home" stays in my home. :)
If your device supports opentherm (which is not as open as you might think, btw) you might want to look into OTGW [0]. It probably works with Nest to if the Nest allows to run without internet at all.
To bad, my old heater had opentherm, with the OTGW I could intercept the packets between the heater and thermostat, change values (eg: date/time), issue commands (set room temperature) and add missing functionality (outside temperature for heating curve), it was ideal in every way.
But I moved and my current heater has a proprietary protocol over rs485 so its a no-go for the OTGW.
I use Venstar thermostats with Home Assistant. They're totally fine, but wifi only I believe. Local API, so no cloud nonsense. I've been running them for about a year with no major problems.
They don't seem to be available in Europe, the thermostat market is surprisingly local, i.e. we also don't have Ecobee here. The Venstars do looks nice indeed.
I had several Google Home devices, and you could not even boot them up unless you had a phone with an account that was opted into location history, web history, search history, and youtube watch history. Google has completely lost any concept of privacy.
>I really hope they recognize the need that people want to keep their data on their lan. Actually that would be required by the GDPR if they won't let me sign anything. My derived data is my own people, it does not belong to who ever collects it.
GDPR is a joke and easily bypassed because users are overwhemingly dumb and agree to anything without reading.
By making it online service dependent they don't have to care, the experience will be horribly degraded without signing in.
> The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use. By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.
Yet I don't see any mention of making those being able to work completely offline/standalone.
We rely too much on cloud services that ultimately get turned off after an undetermined about of time.
There is no way I am buying home automation equipment I cannot control myself, especially in a situation where the giants like Google could simply decide to terminate my account because I said or did something they didn't like and take down related systems with it.
"Since your recent comment does not meet our Community Standards(tm) your account has been suspended for a period of 28 days*. Additionally you will not be able to turn on the lights during that period and your microwave usage will be limited to 90 seconds daily."
I am personally really against my IoT devices being able to "speak" TCP/IP, I want them to use dumb radios (Z-wave or if I must, Zigbee) that cannot talk to the internet. I get the draw of Wifi/IP devices but I avoid them at all costs. I don't want 10's or 100's of devices on my network that all are talking to servers in China.
I bought a few cheap POE Chinese cameras that I use with Zoneminder but they are all blocked from any internet access except talking to Zoneminder (local).
I would agree but there is quite a benefit to having these smart devices connect to technology already in the home. With the absence of a proprietary radio, it's easier for me to control them as well.
I currently have firewall rules on my network that blocks all communication between my smart devices and the internet. They can only communicate on the LAN and cannot send/receive information outside of the network.
I feel like if more proprietary communication protocols were implemented it would be hard to determine which devices were communicating, and which are accessing the internet(for example if a device has an embedded LTE chip to make up for lack of WiFi connectivity).
>I don't want 10's or 100's of devices on my network that all are talking to servers in China.
I definitely agree, although I'd expand that to "talking to any servers at all anywhere for anything I don't explicitly grant permission for". However for that very reason I prefer WiFi/IP devices, because it makes it very easy and straight forward to apply all the powerful network management tools we have for everything else. All devices can go on their own VLANs for example, with careful management and logging of how they communicate. The real shame is that there aren't better, more consumer friendly tools for managing that more visually/automatically.
Custom radios aren't any inherent defense there, already there have been demonstrations of getting right into Z-wave/Zigbee networks using customized SDRs. They have a purpose from an ultra low energy and meshing point of view, but you should be suspicious of what security practices for such things will actually be. WiFi/IP at least has the benefit of tons of open attention and development for security critical situations already.
You've made some very good points and better explained what I really want. I also will admit that using existing tools to create VLANs to "quarantine" the devices is an option. That said (and you touched on this) the average consumer is not prepared to deal with any of that, maybe that will change but as of today it's not easy or even possible with most consumer-grade hardware.
As for Z-wave/Zigbee, I could be missing a potential security hole but personally I am less concerned with my Z*-devices being hacked and more concerned with IP-devices being hacked and being able to talk to other IP-based devices on my network.
For example, it would suck to have someone be able to hack my door or lights but it wouldn't be the end of the world AND it requires physical access/proximity. This is quite different from someone on the other side of the globe being able to hack a device, hack other devices on my network (non-IoT), and then do something malicious (ransomware, identity theft, etc).
>That said (and you touched on this) the average consumer is not prepared to deal with any of that, maybe that will change but as of today it's not easy or even possible with most consumer-grade hardware.
Right, at one point it looked like something like UniFi could show the way there, but Ubiquiti unfortunately has turned into a development dumpster fire and really lost its way, and I don't know of anyone else attempting something similar. The principle remains though that it's another path forward, there are already powerful tools for network control and management, and there are accessible open standards there. Putting a better UX on that is worth considering alongside other solutions is all.
>As for Z-wave/Zigbee, I could be missing a potential security hole but personally I am less concerned with my Z-devices being hacked and more concerned with IP-devices being hacked and being able to talk to other IP-based devices on my network.
For example, it would suck to have someone be able to hack my door or lights but it wouldn't be the end of the world AND it requires physical access/proximity.
A lot depends on where you live. A few years ago for example there were a bunch of articles and demonstrations coming from research into and discovery of vulnerabilities in the ZigBee protocol itself. Because the whole point of it is meshing, if you're in an urban or even suburban environment with sufficient density, then a neighbor being hacked could then hack their neighbors etc in a chain reaction. And of course people had fun immediately putting SDRs on drones and doing a fresh new take on good 'ol war dialing, flying around owning anything they came across. Random example article:
Picked verge vs NYT since I don't think they're paywalled? Lots more though a quick DDG away covering the same thing at the time.
With meshing though, you do have to be somewhat careful about the concept of "proximity" and so on if there are protocol layer problems, which is less of a concern on WiFi for better and for worse. Your home might be locked down, but are you sure your neighbor or neighbor's neighbor and so on and so forth down the chain all have no entry point? I 100% grant it's more of a long term scalability consideration right now for many people, but hey, we're talking about a future protocol here!
I haven't followed the AmpliFi line closely to know if it has easy VLAN support but yeah... I really like the UniFi offerings but a fulling working UniFi system (excluding the UDM) costs ~$800 from my last estimate. I'm saving for it but that's cause I'm a weirdo who enjoys those kinds of things.
If you don't mind me asking what networking stack are you using?
Also thank you for the very well thought out and reasoned reply! I wasn't fully aware of some of those attack vectors.
Lastly I think I've been so anti-wifi IoT because of the inherent security issues with literally everything currently on the market. I see the wifi IoT as a bubble about to pop unless routers gain security features for IoT or some other major changes are made to how they work today.
Sorry for the slow reply, and I see you've got (and made) one other response. As far as what stack I'm using, on my test lab it's a big mix of course, but my main personal stack right now is UniFi dating back from quite a few years ago. However, I really want to reemphasize my "dumpster fire" aside: I strong DON'T recommend getting into UniFi right now if you're starting fresh, or at least, if you do be really careful about it. It hasn't been that obvious from the outside if you didn't know what to look for, but from an community and heavy use perspective it's clear Ubiquiti has been having major internal developer issues for a few years now at least. The CEO is apparently pretty toxic, but whatever the reasons are the result has been a major stagnation of the line, both for hardware and software, rapidly increasing technical debt, and a lot of extremely confused moves that seem to amount to easy bikeshedding because real engineers weren't available. I started to get into some of the gory details but am just deleting that paragraph, it's not really relevant here. But to take a specific example, that security gateway you were looking at, which is necessary if you want to use UniFi for L3 features, basics like DNS (which incidentally is also half-assed) etc, is a good 5 years old now. They introduced the "UniFi Security Gateways" and then refreshed them... never. The software for those is stagnant, and core software (like Strongswan for VPN) are often horribly out of date. It chokes doing much of anything interesting, would be obliterated in perf by a current RPi. The switches aren't in quite so dire straights, but for the money they too now have the smell of obsolescence. Ubiquiti has no decent L3 story for 2019/2020, no move to competitive faster networking, and a lot of cruft built up because they like to introduce new things but not just update and replace old ones.
Having said all that, their PtP/PtMP links are still nice. Their APs are solid overall, and do have nice industrial design (though no word on WiFi 6, which for a new install I'd consider fairly important). The interface has degraded significantly over the last few versions, but it's still better and more unified than any other I know of. I mean, I'm still running it myself after all. But if you go that route know what you're getting into and look hard for open box and used stuff that'll be cheap. And I'd honestly suggest not bothering with the cloud key and just running the controller yourself, on an RPi or similar if you want something dedicated but cheap or else spin up a VM or container, or even just run native I guess if you've got a server you run otherwise. The CK is also ancient.
In summary: I adored UniFi, and the potential was(is?) fantastic, and their old vision was fantastic, and at one point they were a really solid venture all around. And I know of nothing else with the same vision either. Yet even so I'm expecting to have to dump it overall in the next few years, which sucks. But long bitter experience has taught me that glorious turnarounds are much more the exception than the rule :(.
Holy shit this an amazing reply and I couldn’t be happier you took the time. I had read some about of the issues you you talked about but you highlighted even more.
I might go down the secondhand/used route if I do decide to do it. Right now I’ve got a single all-in-one router running LEDE and I like it but I’m not able to reach more than 60% of my fiber internet so I’ve been looking to upgrade. I decided that if I was going to throw a couple hundred at it I figured I might as well go all in.
It’s always sad to see a company throw away such a promising future. I saw their new AmpliFi “Alien” router and I’m half tempted to buy that and wait a few more years for a better option to present itself. Or even the UDM but it seems like a very odd offering to me... I guess I’ll keep looking, thank you again for the advice.
I'm not sure what you are expecting here. CHoIP would define messaging that certified products must implement, meaning that an Amazon device and an Apple device would send the same message to a Phillips light to turn it on, and that message would be carried over IP.
The messaging would be agnostic of where the source is. It could be a device in the local network, or it could be a cloud-based service (assuming you open up your network).
HomeKit, for example, works locally, either over BLE or WiFi.
Reading though it seems like a common universal standard that fully removes the need for third party services as all devices will adhere to a common standard. (I"m sure all of these will offer third party apps and all that still) but if you look at something like Homekit smart plugs, you can configure many of them without ever using anything but the Home App, just scan and go. Done right, this standard could make these devices never need third party services, just local networking. Seems like the goal, obviously I agree with you that it should be a stated priority.
Apple doesn’t tend to hand out their logo for industry groups and open source projects. That’s fine, it’s their support that matters. And it’s not like their name lacks brand recognition!
Here’s another example; same idea, different font:
> The goal of the first specification release will be Wi-Fi, up to and including 802.11ax (aka Wi-Fi 6), that is 802.11a/b/g/n/ac/ax; Thread over 802.15.4-2006 at 2.4 GHz; and IP implementations for Bluetooth Low Energy, versions 4.1, 4.2, and 5.0 for the network and physical wireless protocols.
> The Project intends to leverage development work and protocols from existing systems such as: Amazon’s Alexa Smart Home, Apple’s HomeKit, Google’s Weave, Zigbee Alliance’s Dotdot data models
Dotdot is basically ZCL over IP (in a way), but comes with a lot of legacy from ZCL.
Thread was my hope for a unified smart home network layer, but it didn't really get the adoption I'd hoped, and from a manufacturer's perspective, it did not include any application-layer messaging.
It looks like the goal is to standardize the application layer messaging (of which Dotdot was an attempt). Maybe call it Dotdot v2, but with better backing.
I bought a home and the previous owner used Z-Wave for everything. The whole thing worked irregardless of internet working or not. Whatever they invent if it is useless without internet access its a step back from something that has already worked.
All my home automation / smart home integrations will have to be Z Wave compatible or I will not use it. If my internet goes out will all my things be useless without it?
First, personally my philosophy is to have any smart home type stuff have a dumb backup. You never know what might happen to your smart hub or whatever so having physical switched lights/ appliances is important.
Second, hopefully this doesn't come across as patronizing but based on your post it sounds like you aren't sure about this. IP is not "The Internet". You can have your own little private IP network which runs without the internet. If this is an open standard there should at least be the option to create a local only hub which only requires your local network is online.
That's not guaranteed considering who is backing this project, but it should be possible.
Z-wave takes less time to get working and once it does it stays working. I've bought Wifi switches that worked for as little as 2-3 months before dying. I've never had a Z-wave device die. Zigbee maybe be open but if it can't penetrate walls then it's just not worth the hassle.
Sadly, the lunatics at Amazon, Apple and Google live in their tech company campuses where internet is vast and plentiful. 99% of the country however has shit internet. Among many many other reasons.
LOL ... there has been a standard for years for smart home devices, it is called KNX (https://en.wikipedia.org/wiki/KNX_(standard)) ... what is wrong with KNX? Hundreds of companies already support it, so why not join them instead of re-inventing the wheel?
I think I know what im talking about, because my (smart) home automation is based on KNX, I use Alexa voice commands or a KNX app on my mobile devices to controll all my KNX compatible devices, a server gets the commands and allows me to control the lights (on/off/dimming), to inquire an set the temperature in each room, to control the inner blinds as well as the outer shutters (open/close), to get data of water consumption, electricity consumption from many devices like the cooking plate, the owen, the lights, the AC, ... to get values from my weather station like wind speed, wind direction, sun intensity and much more ... I also have fire detection sensors, movement sensors, air pollution and water leak sensors which can trigger alarms... I can inquire on my phone if I forgot to turn off the owen in the kitchen, if the main door is being or has been left opened. Through Alexa I have also connected my Roomba as well as my TV and all the media devices connected to it (using the Logitech Harmony hub) but those two things are not KNX, everything else is.
Being able to control all this through Alexa is super fun. When I go to bed I just need say "Alexa good night" and Alexa tells my KNX shutters to move down to 100%, all my lights in any room to 0%. When I leave the house I say "Alexa, good bye" and Alexa checks if my appliences are turned off, turns the lights off and lowers the heating in all the rooms a bit. Also as im super lazy, if I finish cooking and throw myself on the couch but forgot to turn of the kitchen lights I just need to say "Alexa turn of the kitchen lights and turn on netflix".
What is also nice is that I can program (control and combine) everything myself. I currently use NodeRed (https://nodered.org/). So I can program routines, like "if the time is > this and the front door gets opened send me an email or SMS", if the wind speed is above a certain threshold open the shutters to avoid damage, ...
I enjoyed the description of your home automation setup! I learned about the wide range of sensors and devices that can be incorporated, and that technically it's possible for the owner to programmatically control everything. I can see you're riding the edge of the coming wave.
Looking at the differences between the KNX standard and the "Connected Home over IP" project.. From the latter's home page [0]:
> By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.
This seems like a higher level of abstraction than KNX (unless "smart home devices" in the above description includes the kind of individual sensors you mentioned) - and exclusively focused on using the Internet Protocol.
Reading the Wikipedia article on KNX, it does sound like it has all the elements needed for home automation, including what this new standard aims to achieve.
EDIT: Now reading about the ZigBee specs, I find there's a big overlap in protocols/functionality. As a complete newcomer, it's hard to disentangle the pros/cons of these standards.
Yes I'm riding the automation wave, but only because after working for 20 years as a developer I was finally able to afford buying an apartment and wanted to try to push automation to it's limits. I haven't done it all and could go even further, which is why I like KNX, it's not closed or bound to a single company so I can buy add even more stuff from a lot of providers (see some example of companies in my other comment).
The alexa bridge is not perfect, sometimes it has hald a second of delay. Twice a year the servers are down and it doesn't respond for few hours, but besides that I'm very happy with it. B.t.w. I used this server from PRO KNX to connect my Alexa(s) to the KNX server: https://proknx.com/en/news/2017/realknx-2-0-voice-control-al... (it is also compatible with Google Home as well as Apple Homekit).
Thx for the clarifications about the differences. I don't know much about the KNX standard. I fiddle around a lot with NodeRed (nodejs / javascript) and use some Alexa routines but I never tried to implement the standard myself. As far as I understand it, KNX is also using IP Networks, because all my devices have IP addresses and my servers are open on different ports.
I hope the Google, Apple, ... alliance decided to do create a new standard for good reasons, but I have doubts as I can't find someone that explains me what is so bad about the existing standard. Why Apple, Google and the others don't just join the KNX foundation and why this already open and royalty free KNX standard can be built upon!?
Is KNX affordable? I did some searching to see how to control Philips Hue lights via KNX, and found something called an "ise Smart Connect KNX HUE" for this. I found a few sites online selling this, all in Europe.
Most would not show me a price without me first creating an account and logging in, but I did find one German site that would show me a price, which after converting Euros to USD, came out to a little over $300. I also found a UK site that would show a price. That, after Pounds to USD conversion, was over $500.
I did a little searching to try to find out how lights are handled in KNX without bridging out to some completely different system like Hue. All I was able to find was lighting fixtures with KNX control built in. I didn't see bulbs with it built in.
Does this mean that if someone without any home automation decides that they want a couple of smart lights, to do it purely with KNX that have to replace some light fixtures?
That's not how most people in the US add some smart lights. Most here do it by buying bulbs that screw into fixtures meant for regular bulbs, and implement the smart stuff in the bulb itself. There is no need to replace fixtures (which you may not be allowed to do if you are renting).
Zigbee is already an open standard, but some Zigbee devices don't work with others. Yet, with Z-Wave they all tend to work and there isn't that much of a price difference (between Zigbee and Z-Wave devices). The biggest problem with Zigbee is that is uses 2.4 GHZ which doesn't travel long distances or through walls very well. Z-Wave uses a lower frequency that does. (edited for clarity)
I have about 20 Z-Wave switches in my home, spread across 4 models and 2 brands. There were noticeable differences in response time, both from the physical button and over Z-Wave, when comparing brands. And even the most reliable brand for me (Aeotec) has had issues with the network being a little laggy. That's still a success in my books, though; I have bought Z-Wave devices that do not play nicely at all.
On the other hand, my Philips Hue lights have all been absolutely flawless. They fire on time, every time.
I think implementation of the standards matters a lot more than the standard itself, in practice.
I agree that the lag time is a bit higher on Z-Wave, partially because of the slower transmission speed. Plus does help that a bit. The number of hops can affect it as well, though they are limited in Z-Wave vs Zigbee which allows for more.
In a real situation this usually doesn't cause issues. Most of the zigbee devices that you're gonna have (such as light bulbs) are also acting like a zigbee router and it creates a mesh network.
You can even visualise the network if you're using zigbee2mqtt with zigbee2mqtt/bridge/networkmap
That is true provided that you have devices that correctly act as routers. Sometimes it requires extra repeaters to make the network function correctly as well. Then there is the interference issue from WIFI and Bluetooth devices.
Even bigger problem with 2.4 GHz is that the frequency is oversaturated and most Zigbee channels at least partially overlap with WiFi channels. I had pretty bad interference in my home before I moved my Zigbee and 2.4G wifi channels as far apart as possible.
The UK, national smart meter effort. Sub gig, supported by three silicon providers did Zigbee sub-gig for the last mile, tough to penetrate homes and buildings. Running 3.0 on which means it will port very easily but sub-gig is much more regulated country by country than 2.4.
You can search. This article covers the initiative but doesn't call out the sub-gig detail:
https://telecoms.com/opinion/467631zigbee-and-the-smart-mete...
Hmmm. Now what am I going to do with my laboriously (and lovingly) put together zigbee2mqtt/HomeKit setup? :)
Seriously now, I see this as a good thing, if only because we're likely to get an interoperability stamp of approval of some kind.
Right now, and were it not for my using an Open Source solution for my Zigbee gateway, it would be impossible for me to hook up Hue, Xiaomi, IKEA and other devices to Homekit without a bunch of different gateways (because some Zigbee endpoints simply refuse to talk to anything other than their own peers).
I also hope that they manage to do this without going the Google way of having everything open up ports on your router (some of the newer Nest-branded stuff already knows how to talk to peers on a LAN, but the security model for Google/Alexa integrations is fundamentally broken for me - WeMo support excluded).
So far HomeKit can run _completely_ on-premises, with all devices interacting on the LAN, which is great (except for remote connections through the Home app to your Apple TV home hub, and Siri voice recognition to trigger scenes), and that is why I decided to stick with it.
> were it not for my using an Open Source solution [...], it would be impossible for me to hook up [...] and other devices to Homekit without a bunch of different gateways (because some Zigbee endpoints simply refuse to talk to anything other than their own peers).
And worse, in my "casual" case, because some sort of Philips/Apple agreement outright prevents it :/
E.g. add a "Hue compatible", but non-Philips bulb to your Hue hub. It will work in the Hue app and via Amazon Echo, but Homekit will refuse to see it.
A way to "trick" homekit to be able to use the bulb with it, is to create a Hue scene, and sync it to homekit, but that is terrible for per-bulb control. This stuff is apparently all Zigbee, but the usability situation is an absolute mess.
HomeKit must really be struggling for Apple to publicly join this consortium. I don’t say this just as a snarky dig at Apple’s preference for walled gardens, but because this announcement more or less Osbornes all the HomeKit devices in the market right now.
Despite its walled-garden nature, I’m sad to see HomeKit go. It was the only home automation standard I’d trust in my home, though hopefully Apple’s participation in this new initiative means it will share HomeKit’s emphasis on security, cloud independence, and privacy.
I want a super secure hub that everything connects to. The hub is the only thing that speaks to my router. The hub is super secure & doesn't let devices send data back to their manufacturer. If I buy cheap devices off a flea market like Amazon, I want to sleep safe & know that the hub is preventing that device from messing with any other devices or accessing the internet. The hub can send me notifications and I can send it requests. It would be cool if I could choose to have the main hub database & software based in the cloud or on my local network.
Not sure if this is already possible. If it is, I would love to hear more.
This is how ZigBee and Zwave work. The devices form their own network for inter-device communication (it can be setup so a switch talks directly to a bulb, so even if the network is unreachable it still works) and then you use a hub to orchestrate that and provide functionality such as phone control via an app. That can be something simple like a Philips Hue hub, or something more complex like SmartThings, or you can roll your own using Home Assistant and a dongle.
The problem with these protocols is although they are more or less open, device manufacturers need to pay to be certified.
Even if the hub was actually secure this still does not prevent from someone near to your house to talk to the devices directly (this applies especially to wireless devices). The hub you described would prevent from the remote attacks only
not only that. One insecure system in the area could be infected and then controlled to attack other networks in the area. With a high density of IoT devices you could have malware spreading wirelessly device-to-device.
Also with a wide IoT adoption with such devices being used by public/utilities companies (smart street lamps, leakage monitoring in pipes, smart electric grid etc) you don't even need a densely populated area to have that problem.
>I am more concerned about the bigger threat, global attacks.
I once read something among the lines that IT security needs its own Pearl Harbor event. I can neither quote it exactly or attribute it to any source
Wifi is a poor choice for this because it uses a lot of power. Lots of things that connect to a smart hub are tiny sensors that use expensive batteries.
what do people mean when they say security for smart home devices? if the "launch ICBM" port is open on a device on your LAN doesn't an attacker still have to traverse your router to get to it? Otherwise, an attacker would have to get access to your LAN. Is something like that what you mean?
1. Their lightbulbs to not be co-opted into DDoS attacks
2. That their cameras are only used by them
3. That others can't control their devices
4. That their devices receive security updates
5. That their devices don't contain back-doors
6. That their devices can be used when isolated from the Internet
Apple, Amazon, and Google are fundamentally opposed to a model that sells devices that don’t phone home - their whole purpose is to capture value by creating lock-in for surveillable hosted services
Yep. And it's Apple that's pushing for a HomeKit router [1].
Reading between the lines of how Apple's been handling the "smart home" business, they've been focusing on privacy and security relative to competitors, but it's been holding them back.
I think the market has kind of shown that privacy (e.g. devices that aren't streaming to / dependent on the cloud) and security have not been primary concerns of the people who buy smart home devices, but solving those problems better may be key to enlarging the "smart home" market to include normal people.
Seconded. Apple, Amazon and Google have very different goals for your data. This is just a transport layer. Your privacy from the mother company isn’t impacted by the transport layer, but rather where they put the “brains” of your smart home.
While all using the same transport layer they can continue to utilize different “brain” strategies.
Apple’s “brain” has always been in your home where your data belongs and should stay. Google started with the cloud but is moving towards the same model.
On the other hand Amazon seems to have no qualms slurping everything out of your home to their servers and no plans to change.
Not sure I understand. I am pretty sure you have been to remotely control Homekit since the beginning, originally by utilizing an Apple TV 3rd generation, and subsequently with iPads, Apple TV 4th gen/Apple TV 4K, and now HomePods.
If they actually pull it off, it'd be huge. The single greatest thing holding back home automation is a lack of compatible standards (coupled with the fact that when an automation company dies, its proprietary standards die with it).
I used Z-wave for my home, but I'm not doing it "on the up and up;" my hub is homebrewed and using an unlicensed radio. It's a pain in the ass to maintain, but since I can't trust any hub company to survive past five years, it seemed the right call.
I've used SmartThings more or less since their original Kickstarter in 2013. I gave my v1 hub to a friend who can still use it (I have a v2 and they have a v3 out now).
I try to only buy Z-wave devices and fallback to zigbee if I have to. It's been a very pleasant experience for me overall. I have 5 z-wave light switches, a handful of zigbee bulbs, zigbee door/temp sensors, and 2 z-wave locks. I plan on replacing all my light switches eventually (I've got like 5 left but all in low-traffic areas of my house).
If I suspect that there is any chance my family's private information is going to get leaked, then I will not touch it. Appliances should never have internet access. Software updates, if required, should be delivered one-way through open trusted auditable software (something like ofw).
Big tech have already tricked me into supporting them with their "open platform" bait-and-switch before (android), that trick wont work on me twice.
They talk about this being secure by default, but the standard will only ensure the communications is secure. This won't fix the bigger issues with IoT devices which is that many are built on crappy/ insecure software stacks. If your wifi video camera gets hacked, it doesn't matter if it's using https to communicate securely with your phone or cloud storage provider.
As someone who is perfectly happy with Home Assistant and Z-Wave, I worry that a bunch of mega corps getting together to create a standard will crowd out the market, and prevent non-local, privacy-honoring options from continuing to be manufactured.
If average consumers are told to simply "look for the CHIP logo", and the CHIP standard includes facilities for must-phone-home messages akin to streaming DRM, I'm afraid we'll just get pulled further into the corporate surveillance dystopia.
I think people who expect Home Assistant to be useful to the general consumer are delusional. Home Assistant is an amateur piece of software with severe UX shortcomings and broken auto-update functionality (it phones home continuously and often bricks itself after auto-updates).
I appreciate the enthusiasm in the home automation community, and I agree there's a need for an offline solution, but Home Assistant is not it, and we'd be better off scrapping that codebase and starting something better.
Don't you think delusional is a bit strong... There is a real company, nabu casa, hiring real developers to work on making a 1.0 release that's easy for others to use. Yeah right now it's complicated, but check out some of the projects they're working on like stanford's almond integration. https://www.home-assistant.io/blog/2019/11/20/privacy-focuse...
You're focusing too much on the home assistant part, and not enough on the local control part. There are solutions with hubs such as some parts of the Wink hub that do work locally without internet. I'm sure there are professional-grade installers who install various pieces of software that use Z-Wave and/or Zigbee to setup a locally controlled home automation solution.
Needing connected to the internet (and all the latency associated with it) is an anti-feature that most consumers aren't even aware of or think of, hence why I hope solutions that have the feature aren't crowded out before the market for home automation truly takes off
Sorry if I wasn't clear. I agree with you that local-only solutions are needed. Home Assistant is sucking up too much of the air in the room. I don't think it will ever be accessible or usable to the general population. If not for Home Assistant, I think the community would have developed better local-only solutions by now.
They are actively working to make Home Assistant much more user-friendly. I suggest watching the "state of the union" presentation: https://www.youtube.com/watch?v=tc17q1Zn0Xs
this is a good step. i worked in automation/controls (commercial, residential and industrial) for almost a decade (2000-2009) and personally dealt with the nightmare of interop. the number of times i had to glue disparate control systems together with relay closures and switch inputs was insane. and yeah, we had these issues with wireless. it was compounded by the company i worked for supporting enocean, zwave and zigbee.
I am curious if they will include cameras (security / door), because the characteristics of the payload are quite orthogonal to the characteristics of the payload of other smart home devices.
There are two aspects to most security cameras. The one everyone thinks of is video streaming - there’s plenty of standards for that, most notably RTSP and recently WebRTC. That’s probably out of scope for smart home protocols.
Totally in scope is provisioning, configuration, and notification of things it can detect such as motion. I’d anticipate those being managed as part of this new protocol, with streaming simply being to provide an endpoint address and maybe an authentication token to connect.
I doubt some of they PHYs have the bandwidth to support streaming video, but there have been some good efforts in the IETF to maximize streaming protocols over low-bandwidth connections.
But the whole point of CHoIP is that PHY doesn't matter, so you can configure your camera using IP messages over BLE, and then the camera connects to services over WiFi to stream.
A camera requires orders of magnitude more bandwidth and power than other devices that might be connected over a low-power, low-cost radio network. It needs to transmit that payload 24/7.
Currently, home automation typically uses a variety of custom protocols built on IEEE 802.15.4 (not 802.11*). It's a simple protocol that can be implemented by a cheap 8-bit microcontroller from 2 decades ago. Devices from one manufacturer may or may not communicate with those from another, and the network architecture is typically a hub with spokes - there's limited or no support for multi-router, multi-access point, or mesh networked setups.
This style of network honestly works pretty well for motion sensors, lights, outlets, temperature sensors, thermostats, etc. The master node might query a device every few seconds for a couple bytes of status, or might only send a short command when a user interacts with the device. Most smart home devices send a few bytes of data four times a day when you push "light on" and "light off" on the hub. This is great for operating for months or years on just a couple AA batteries. A camera sends a few bytes per pixel times (simplifying) 720 pixels down times 1280 pixels across times 30 frames per second times 86400 seconds per day, and can only run for an hour or two on a larger battery. That's almost 8 terabytes vs. 8 bytes.
But to use 802.15.4 networks, you need a hub, which is a barrier to entry - instead of one $20 light, you need a $15 light and a $50 hub. You likely already have an 802.11 router that could be the hub if the devices were smart enough to talk to it. And (tinfoil hat on) I think these companies would rather have their servers be the hub, rather than a device in your home they can't monitor and profit off of.
This is a very Hacker News answer, in that you wrote three dense paragraphs that are all technically correct, yet also completely divorced from our practical reality that has smart home cameras in it.
What is the obvious implementation out there? They just have both. They have the cheap 8-bit microcontroller from 2 decades ago transmitting on the low-bandwidth home automation network, and when it is decided that the camera should stream, it wakes up the beefy Ambarella or Socionext SoC to send its video feed over classic WiFi to the vendor cloud, and whoever wants to receive it just gets a stream URL back.
I think you’re right. Typical smart home coms being short little on/off or temperature up/down type commands vs. streaming/recording video and audio with some having two-way audio up to and including machine learning/AI for object detection which most likely is done remotely.
Lights and switches are generally basic async polling and commands versus live streaming video and constant video uploading to a cloud storage service.
Seems like the sorta thing which has tons of buy in from teams that don't matter and the teams that actually need to be using this won't and it'll get abandoned in a few years.
Google (specifically, Nest) and Apple are both looking to displace other solutions in the market.
"Teams that don't matter" today. This market is absolutely rife with opportunity for someone to steal the whole thing with better UX and an interop promise.
The licensing is a bit poor. While openthread is open source, and the spec is public:
> "Membership in Thread Group is necessary to implement, practice, and ship Thread technology and Thread Group specifications."[1]. This seems to be a similar limitation to what prevents Zigbee from being in the Linux kernel, as commented elsewhere[2] in this thread.
In contrast, the Bluetooth SIG only requires a fee to be paid when you actually ship, as a once off not a yearly fee. The cost is roughly similar.
Openthread is purely a networking solution. It does not address application-layer messaging. This effort is to unify the application layer. (ie, "light = on" messages).
It looks like Connected Home over IP will be compatible with Thread - they are developing the stack on top of WiFi, Bluetooth and Thread: https://www.connectedhomeip.com/
right, but Zigbee just uses a generic 2.4GHz radio. There is nothing about the radio that "involves Zigbee". Some silicon vendors sell 2.4GHz radios that can run a BLE, Zigbee, or Thread networking stack.
Can anyone recommend a method* without Wifi? Isn't there a method for "smart outlets", main scheduler, etc over electrical lines rather than bluetooth, wifi, etc? Method* == standard, or product line. [yes i used pointer and equality symbols oddly]
Edit: basically looking for a way to avoid more wireless transmitters in the house. Or are all outlets "receive only"?
The previous generation of smart home devices was called X10, and it used signals over power lines.
I gather it was:
- slow
- might have required you to make a connection in your circuit breaker
- and was designed in the 1970s, when home electrical systems weren't very noisy (apparently all the switching power adapters we have today make a ton of noise and make it hard for the signal).
I don't see why something newer like this couldn't be done -- we have powerline modems, right? Probably not as fast as wifi, but it does go where it is needed and requires physical access to hack.
Some devices are using Zigbee (a different wireless system), but I understand it was developed without security and isn't hard for third-parties to hack into.
> - might have required you to make a connection in your circuit breaker
That's one way to do it. Another way just requires a bypass and filter at your circuit breaker what is much simpler and doesn't have to connect anywhere else.
> - and was designed in the 1970s, when home electrical systems weren't very noisy
This is where things got worse, and then they got better. Yes, electrical lines are very noisy, but the 200Hz - 100kHz band is only getting cleaner. Electric motors will interfere with it, so you may need a filter on your blender (but even it is much better now), but this is the prime band for electrical wiring.
Also, on chasd00 comment that it requires capacitors bypasses on transformers, that's only true on the higher bands, and only on devices you want connected to the network. So only the smart devices need to adapt.
To expand on the circuit breaker item above: Because most of the outlets in your home are split between two phases of AC, it meant that the X10 transmitter would only be able to talk to half your power outlets (and you didn't know which half ahead of time), unless a phase coupler was wired into your breaker box that would repeat the signal on the outlets connected to the other phase.
I remember X10! The whole "over powerline" thing was a real possibility back in the day but it required all transformers to have a small modification done to them and that killed it IIRC. You could certainly do it in your home though.
Insteon is the closest thing to a successor to X10, and it still supports a lot of the old protocol. You can certainly setup an insteon system for basic stuff (Scenes, etc) without an Internet-connected hub at all.
Strategically this works out best for Apple whose HomeKit seems to have the fewest compatible products. Everything seems to integrate with Alexa, even a microwave that can order popcorn. I wonder what Amazon and Google gain from this, though.
It would be nice if such standard supported Publisher-Subscriber style of messaging. For example alarm could subscribe to events from motion sensors and security cams (a camera in addition to providing a stream could push events like motion detection) or heating controller could subscribe to temperature change events. To make security of that realistic this would need some form of ACL, probably centrally[0] controlled.
[0] central as in "home router" not as "somewhere in the cloud"
Thanks, it looks really interesting and seems to do what I just described. The thing it lacks though is - in my opinion - RPC-style messages. For example an alarm controller could subscribe to motion events, but when such an event occur it should be able to turn on sound-device immediately or shut some locks. The one-to-one communication as described here:
https://github.com/mqtt/mqtt.github.io/wiki/one_to_one
seems more like a hack than a proper solution.
The current trend of using async logic via message passing to maintain state is extremely error-prone and I personally consider it nondeterministic if it uses timeouts (which is pretty much the entire internet currently).
A much better system works more like Firebase, where clients can subscribe to change events but also have access to a single tree that holds the latest agreed-upon state. I'd recommend something like a distributed hash table (DHT) so that the entire state doesn't have to be downloaded by each client. The state itself should probably be binary JSON to start with, but the standard should be loose and allow for XML or anything else. This would take us to something more UNIX-like, where devices can be thought of as processes interacting via a single shared memory, and abstract away the tedious/brittle/insecure interconnect layer. It should also support unreliable message passing like UDP for realtime support, which is required for simulations and gaming (there is a higher than 50% risk of the protocol omitting this or getting it wrong).
After writing this out, I just realized that what I really want is an Actor model for IoT, where each device is completely isolated but communicates over channels like Elixir/Erlang or Go. I've come to reject both async and concurrent shared mutable memory because they each have major drawbacks. But I think that synchronous functional programming with primarily immutable variables and no shared mutable memory, building up a last known-good state inspectable by anyone with privileges is the future. The state could/should have something like an access control lists (ACL) and/or a permissions system. Ideally this should be hierarchical just like Firebase, and probably use a similar rule-based logic, to facilitate assigning roles to each client.
It's trivial to demonstrate that once you have this, you can build any other seemingly complex abstraction above it like a database or game server. We have been missing this abstraction for several decades so we keep witnessing company after company reinvent the wheel. As far as I know, the only attempt to do this is RethinkDB:
As usual, I would gladly work on a project like this, but there is currently no funding mechanism to support foundational open source projects like this with market-rate pay.
How would you solve access permissions in DHT? What if a node in DHT holds data that it is not granted to read? This would imply encryption of the data to prevent unauthorized reads - this does not really seem as a complicated problem - the data could be encrypted with only the nodes granted the read access having the decryption key(s). What seems harder to me is write permissions - if the data is encrypted/signed, only those nodes that have been granted permissions (and thus have copies of keys) would be able to overwrite/change that data. So the node that holds the data would not be able to overwrite it if it does not have r/w access to that piece of data. Nothing prevents from removing this data though. (I'm assuming the possibility of some nodes being malicious)
I'm not sure for DHT. But in Firebase the permissions are handled as user access rules written in Javascript, returning boolean true or false if the user has the ability to read/write the node and if the data being written passes a validation check:
So Firebase permissions really have more to do with the identity layer than keeping the data secret.
I think that probably everything should be encrypted anyway. This was a largely solved problem even in the 90s, and embedded devices are about as powerful as the 386 and 68030 computers popular then.
We really need a distributed SSL identity layer though. Something like letsencrypt.org except the client's identity would come from the social proof of its peers instead of a central organization. Maybe this is already a solved problem in OpenSSL? I only understand symmetric key encryption, but not the man in the middle protections that SSL certificates provide. To me, p2p identity and encryption should have been a foundational pillar of the internet, not some controversial afterthought like we think of it today.
The usual solution for this is that the data must be signed by a specific private key; possession of that key grants write permission. A generation count or timestamp is embedded in the signed data to ensure that newer data cannot be replaced with obsolete data. Malicious nodes can still block updates from being distributed, though, so you need more than one path to seed the data into the network.
The reason I can say my smarthome is relatively secure is explicitly because it doesn't use IP. It's good they're trying to standardize, but you're gonna have a problem when you try to use a firewall to inspect what these devices are up to and find that they're all making encrypted tunnels back to their home bases and won't work without them.
I share your need to name all my devices in the controller view. Hopefully zwave has better security support than typical IoT devices. I'd really prefer to use certificates rather than WPA passwords because password rotation requires a) I give vendors my passwords which they may not really secure in any way, b) often requires I use a vendor tool to rotate said password.
It would be much preferable to have a standard way to store a certificate to the device. Today when the inevitable happens and someone leaves customer WPA passwords on an open S3 bucket, or they're exposed via cyber security break I have to update every device. It would be so much nicer to just go update my compromised device's certificate rather than the password for everything. Frankly I'd prefer certificates to passwords anyway because sooner or later I'm sure WEP2 itself will be broken.
Comcast and Verizon will dual stack you, sure. As the largest two ISPs, they're out of addresses. But a lot of other ISPs won't, my ISP doesn't support IPv6 at all.
I’m more talking about what people are actually aware of. Yes, most systems have IPv6 enabled and use it when possible, but it’s mostly invisible. When you login to a device to setup the IP address, it’s still almost always IPv4. That’s just for the internal networks, which is what most home users are thinking about on this topic.
I'm on IPV4. It's not about how many IP addresses I have available, it's that all those smart devices can pollute the list of devices connected my wifi network.
I like to know what's on my wifi network, and because my memory isn't what it's used to be, I find myself having to assign names to all the smart wifi devices in my Unifi controller.
Sure, but I would still want to check that network's clients as well, so I would still want to identify the devices on that network to ensure that only my devices are on it.
Either way, it's still an additional step compared to Z-wave. Other than the hub, I don't need to set up an IP network for my Z-wave devices to connect to at all.
I mean, I’m using Z-wave too, but you’re describing the same level of complexity. Either you set up a dedicated WiFi network and check that to see the status of IoT devices, or set up a dedicated Z-wave network and check that for the status of devices.
For a z-wave device to pair to my hub, I need to put the hub itself in pairing mode.
Unlike wifi devices, a zwave device can't just join my hub by knowing an SSID and password.
Yes, I could do something similar with a wifi network and whitelisting mac addresses etc, but that's not nearly as simple as the way z-wave works.
[addendum] When I talk about checking my network, I'm also not talking about status. With wifi, I'm checking to look for unexpected clients. I occasionally have a temporary freakout when I see an unknown device on my wifi that ended up being something that I bought, added and forgot about (like a media player), etc. That's not a concern I ever have with a z-wave network.
Most wireless "smart" devices are IPv4 only but the RFC1918 space is sufficiently huge for a gone network. The annoying part comes in when you have to change the DHCP pool (lots of home hardware doesn't support multiple pools) and possibly re-ip your network. Why much with your network, just to reduce security? I'm a fan of zwave.
This is false sense of security. Industrial SCADA and CAN networks have been found full of vulnerabilities because people assumed they were magically secure by simply not using IP.
You can easily isolate an IP network and inspect its traffic.
The high level of sophistication of IP networking and the fact that one small mistake could mean your devices access the Internet is why a network that doesn't talk IP is almost inherently safer than one that does.
It may seem trivial for those of us on HN to block IP devices from the internet, but the average user will not know how to do that effectively. They are also the ones who’s devices probably remain on a botnet undetected by their owners.
That said, most hubs (required for these types of devices) connect to the internet by default anyway. It does reduce risk a bit as vulnerability in a node isn’t exploitable remotely.
Most people are not going to buy a dedicated WiFi AP just for their home automation.
The benefit of Zigbee, even when using a hub, is that you don’t have all the actual devices on your network, calling home, and possibly opening up NAT traversal streams. You just need to worry about the hub. With WiFi devices, you need to worry about all of that for all of them.
HomeKit isn't that closed. You can basically add anything to HomeKit yourself as a hobbyist. The only restriction is on commercial sales of products. There's dozens of HomeBridge plugins that act as a glue for non HomeKit devices.
I hope whatever standard they come up with does not require a home WiFi network to operate. Mobile internet is already faster than your average home internet line and there is an increasing trend where people rely entirely on their mobile phones for network connectivity.
I can't see how going hub less would work. You'd have to configure all the devices to connect to a hotspot on your phone and get your phone to reliably create a wifi network every time you get home. Dealing with multiple users would be a massive headache.
You could have a home wifi network which doesn't connect to the internet. Wifi routers are dirt cheap and don't need to be connected to the internet.
That said, the logistics of this would be super weird because smartphones are mostly designed to treat connected wifi as their internet source. Also, if your devices don't have at least an indirect internet connection you can't do anything remotely which is a pretty big functionality hole.
I think it is the other way around. If you want to have your connected devices in a reasonable safe setup, create a wifi network for them and you decide if and how they connect to the internet. This could be a mobile uplink, if you desire to, but I really wouldn't like each device on its own have an internet connection I cannot control.
I buy zwave smart switches instead of WiFi ones because I know those devices won't be able to snoop my LAN. Home automation over IP is a step backwards IMO.
All subcontractors know the rules - no "smart" devices or "wifi enabled" appliances or mechanicals. All lightswitches are plain-old hi-voltage only switches. Thermostats are dumb, unprogrammable, with no memory or scheduling or timing. The locks on the doors use physical keys.
The smartest thing we have are the sonos speakers and we pug those in with ethernet.
Everyone will be pleasantly surprised when they interact with our house. This is what luxury will come to look like as time goes on ...
Not having programmed schedules on thermostats seems ludicrous to me.
I don't have "smart" thermostats, they can only be programmed with the buttons on the front of them and they cannot talk to one another, but how do you turn down the heat when you leave for the day? or even set different temperatures for daytime and nighttime? manually?
We're cheating a bit here because we live in California ... so we don't need AC mechanicals (which is a big win for simplicity) and when we leave the house we simply turn off the heat.
If we lived in Duluth we could probably do the same thing for day-long absences, provided the house was very properly insulated, but you are correct - we would need a timer/schedule on the thermostats for any longer absences.
Do you not have any mobile devices, or do you rely on 4G? Or do you use the device Edward Snowden recommended to connect your phone to the internet via ethernet cables?
Well, we do have a wifi access point for our single wireless network ... and the only clients that connect to it are actual humans with devices they are using. Nothing to do with mechanicals or appliances or "smart home".
Also, totally unrelated and not really relevant, but we don't have mobile phone service out here ... zero bars of ATT and maybe one bar of VZW, depending on where you stand ...
Especially since Mozilla has been working on WebThings which is home automation protocol over HTTP.
There is a place for both WebThings and this new protocol. WebThings is too heavy for low-power devices and mesh networks like Bluetooth and Thread. But would be nice to have standard API for web services and gateways. The ideal world would be this new protocol on the local network and WebThings across the internet.
They have their own IOT platform they are working on called WebThings. I took it for a spin and it is pretty cool, although it still had some rough edges last I looked.
The gateway runs on an RPI and they give you a URL so you can access it from anywhere.
i wish the harder i pressed the trackpad the more votes you would get. I remember smart home standards being talked about and published around 1999. Like another poster mentioned, X10 was a big thing around then even though it came out in the 70s.
I have 40+ ZWave+ devices and they work great with Home Assistant. From lights to fans to all kinds of sensors, the mesh network seems to have good range and latency (as long as your controller isn't really close to interference).
Definitely don't use older ZWave devices, only ZWave Plus certified ones. This ensures the network is fully encrypted and allows for greater range and throughput.
My next fun project is automating the watering of pots and the garden. Going to combine a ZWave-controlled solenoid with drip irrigation and some Home Assistant smart logic (daily rain, sun hours, humidity, temperature) to handle it.
Considering Apple, Amazon, and Google are already members of the Zigbee alliance, it makes you wonder why it had to be a new working group and not a new group within Zigbee.
Its like saying Cowboys, 49ers, Patriots, and the NFL join together to create a new football league.
> My understanding is that Zigbee works at the lower layers.
Zigbee is not IP. It's a completely different network, which is why many Zigbee based solutions often require a hub/gateway (which speaks both IP and Zigbee) to enable control via smart-phone apps or stuff like that.
To be honest, I'm pretty happy about that. The less my smart-devices has to do with my local wifi/LAN, the happier I am.
Not really sure I like the direction this is heading.
From what I’ve read, Zigbee is for the rest of the world what Z-Wave is for the US, in terms of market share. Not sure how accurate that is, but from what I’ve seen, there are a lot more Zigbee devices here in Germany than Z-Wave, while most US sites talk about Z-Wave.
What Zigbee devices can you buy apart from Hue lamps? ZWave has been dominant for many years because there are hardly any Zigbee devices, be it in the US or in the EU. FWIW I'm in the Netherlands and have all ZWave, and when you look at e.g. the symcon.de forums, there are plenty of ZWave users in the EU (and Germany specifically).
Not sure what the general state is now, but as a brand name it was one of the top most popular for at least a good year or two, back when I first got interested in home automation.
(The other two at the time were Z-Wave and X10, with X10 recommended against as obsolete/dying; I ended up settling on Z-Wave, so I stopped paying attention to Zigbee and other competitors)
First we need an acronym for this alliance. I think GAZA will be appropriate. Secondly, regarding your future standard: Cool, thanks guys. I'll hack that.
I will never use these devices. I think those that do are opening themselves up to hackers, law enforcement and criminal abuse. This is clearly something that should be Open Source/ Open Bonnet or closed to my home.
I'd never use it myself excepting maybe video only for a burglar alarm, but because Marshall worked on home automation protocols, he loves this stuff. I always had nightmares the damn "smart light bulbs" in the 2nd street office were listening in on our conversations.
I think Zigbee is in the uptick. Philips Hue works with it. Ikea is aggressively pushing products. There is (was? website recently went down, perhaps it has something to do with this announcement) DotDot (https://en.wikipedia.org/wiki/ZigBee#Cluster_Library) based on Thread. Which is used by Nest/Google.
Just yesterday Aqara (Xiaomi) launched their Amazon storefront. All their devices are Zigbee and had mostly only been available from places like Aliexpress. Zigbee is far from a dead standard.
Ha. Them? Forget it. The "Open Standard" will require phoning home to the manufacturer or it's "not certifiable". Trust these guys like your drug addict former friend.
What we really need is a legislation for those devices, that force all manufacturer to:
- have a hardware switch for everything
- have 2 microphones. One is always on, and only listens to the keyword, and is not linked to the rest of the device. If it detects the keyword, it triggers a hardware switch that activate the second microphone.
- text recognition is done from a local unit, not a remote server. This local unit analyse the voice then send proper commands to the rest of the device, but never share the words, and cannot receive data from the rest of the hardware except during signed updates.
- all devices share a stanadrd color code for a mandatory indicator light giving the state of it and a standard activation/confirmation sound
- all devices must be able to be controlled from a provided remote with a button instead of a keyword, which can be deactivated
- all devices must have a BT kill switch, if a phone send a signal saying "I don't want to be listened to", the device will no activate.
- any data sent to server must be encrypted from the client with a key the server doesn't have
And once it's done, do something similar for phones, e-health devices, etc.
We can't expect big companies to act decently, and technology is not going to save us.
You’re right that technology isn’t going to save us though. You can just, you know, not use Alexa. Normal light switches continue to work. Windows still exist for checking the local weather and are probably more reliable than Alexa is.
I don't have any kind of smart speakers or camera at home.
The problem is that many other people I visit do.
It's the same issue with Google products in general: I don't have a gmail address. My phone don't even have an email tied to it and I don't use the official store. But because my contacts mostly do those things, google still has a log of all my conversations, my face in pictures, my positions, etc.
But even then it's not just about me: people take bad decisions all the time, companies as well. We don't let people own a radioactive materials, we have laws for that. We don't allow companies to sell radioactive materials to the public, we have laws for that.
Yeah but <insert jingoistic hopeful statement about the future that completely ignores how dystopian the technology these companies build is increasingly becoming>!!!!1111eleventyomgz
"Just don't buy it hahahaha checkmate" completely ignores the fact that even though I now choose not to do business with Google, I am still many times a day forced to use their Captcha or visit sites that host their ads (which I block, btw).
Saying "we don't need that you just need not to buy it" is exactly the same situation. All we are asking for is a reasonable way to opt out - and actually opt out. These technologies are made viral by design to collect maximally valuable data from their users, and the very idea that someone might want to opt out is totally ignored.
I personally don't own any of these devices and will never allow one in my home. I feel sorry for my kids that they will grow up with all their friends talking about them and not be able to share in it - and I will explain to them why.
Linux considers it a proprietary protocol [1] so Zigbee driver cannot be part of Linux kernel. Although Zigbee spec allows non-commercial individuals to freely use it, a commercial organization must be a member of the Zigbee Alliance in order to use Zigbee, which violates the GPL standard. [2]
At least the article speaks out "an open-source approach", let's see if things will get better.
[1]: https://www.kernel.org/doc/html/latest/networking/ieee802154...
[2]: https://archive.freaklabs.org/index.php/blog/zigbee/zigbee-l...