Hacker News new | past | comments | ask | show | jobs | submit login
Amazon, Apple, Google, and the Zigbee Alliance to develop connectivity standard (apple.com)
740 points by _quhg on Dec 18, 2019 | hide | past | favorite | 355 comments



For someone who thinks Zigbee already is an open standard, well, it is NOT really open though. A standard being publicity available does not always make it open-source friendly.

Linux considers it a proprietary protocol [1] so Zigbee driver cannot be part of Linux kernel. Although Zigbee spec allows non-commercial individuals to freely use it, a commercial organization must be a member of the Zigbee Alliance in order to use Zigbee, which violates the GPL standard. [2]

At least the article speaks out "an open-source approach", let's see if things will get better.

[1]: https://www.kernel.org/doc/html/latest/networking/ieee802154...

[2]: https://archive.freaklabs.org/index.php/blog/zigbee/zigbee-l...


There's also the bit where Zigbee devices have to share a secret key to talk to each other, mostly to prevent competition from low cost devices manufactured in China.


Yeah! They want you to use the high cost devices manufactured in China.


Or mostly the same cheap devices manufactured in China but sold through your friendly middlemen.


No, American Marketing Companies (Apple, Amazon, Google, Etc) want to use the Cheap China Manufacturers, they just dont want consumers to be able to buy them direct


When they kept the already known secret key for pairing bulbs in the new supposedly secret version of Zigbee it was obvious they didn't care about security at all


After all the "S" in IoT stands for Security.


I literally have an SSID on my Ubiquiti WAP with that as the name.


> mostly to prevent competition from low cost devices manufactured in China.

mostly to prevent competition from patent-infringing clones manufactured in China.

FIFY


I actually worked at Ember for a bit before leaving when they get bought by Silicon Labs. The reason, internally, really was the fear that there would be a flood of low quality products that would make ZigBee look bad.


For that, you need certification, not gatekeeping.

Publish a set of tests a device must pass, broadly, to be certified compliant.

Allow manufacturers test their devices, for a fee, and win a certificate, or know where they failed. Much like you can take a language exam (say, TOEFL).


> fear that there would be a flood of low quality products

That's mental gymnastics. The fear is having to compete against cheaper products (possibly low quality, but possibly not). Even broken DRM is an excellent anti-competitive tool because no one can legally sell a competing product.


as opposed to ZigBee making ZigBee look bad as it stands now. Only big names looking for a lockin pick ZigBee.


Key exchange for IoT devices is a tricky problem.

IoT devices don't support public key infrastructure, e.g. something like GnuPG or the SSL certificates used by web browsers.

It's a very practical solution to have a shared secret between the device and a central server, and, at registration time, have the central server make a key for both the hub and the device.

Without some kind of key exchange, people could set off your alarm, turn on your lights, open your door...


The solution is to have a pairing mode that allows the device to be paired with a control device (e.g. your phone) via wireless while you're in the same room as it. That would only have to be done once when it's installed and require pressing a physical button on the device while being in wireless range so that nobody can hack it remotely.


I will no longer install apps on my phone to pair devices. The reason is that then everyone wants to link my phone number to the device and create an account. There is nothing that intrinsically says they have to, but companies cannot resist asking for a unique identifier that happens to be linked to everything else in your life. No thank you.


So who says you should need their app? It should be a published protocol, and then you use whatever app you want that speaks the protocol instead of some heinous dreck from the manufacturer.


The part where they can't resist?

So no, there will not be a published protocol.


Isn't the topic of the article that they are trying to create a standard?


Isn't the topic about amazon, apple and google?

Probably most toxic companies on earth? Yeah, I'm sure it will be a wonder of openness.


Like ZWave has done for the last several years.

I know it has other issues, but particularly since ZWave2, the security model on ZWave far surpasses bluetooth or zigbee


Out-of-band pairing is a better idea, e.g. some key on the bulb has to be entered or scanned or read on the device.


The trouble with that is that you can't change it in case e.g. some temporary visitor to your house snaps a picture of the key.


If you as an individual has visitors who come to your house and snap pictures of codes in your devices... I wouldn't be more expectant of Zigbee or any other standards, rather I would be more keen on the visitors I allow into my house.


That shouldn't do them any good. The device should require it to be in pairing mode for the key to do anything.


But then what do you need the key for? In theory somebody else could try to pair with it while you have it in pairing mode, but they would have to be on your property for that and could potentially see the key anyway. So you go slap them with a trout or call the police or something, and then go back to setting up your future garbage.


So that that initial pairing is more secure.

Zigbee etc. tries to get around the whole thing by requiring that the pairing process is done from a 5cm or something distance.

Imho that is good enough but I don't know how far you could extend it with directional antennas etc.

That anyone can reclaim a device they hold in their hand is a feature.


I'm not a fan. If I get a new hub, the last thing I want to do is unscrew every light switch to find the picture on it to scan and if I buy a house with pre-existing hardware I don't want to rely on the last owner having taken pictures associated with every switch and left it for me.


OOB pairing could have rolling keys, but that's more expensive. In general the problem is difficult, every solution has a nasty caveat, be it taking over during installation or what your described.


If you look at the Zigbee member list, there are many China based companies. They don't need to 'steal' anything as members.


The comment mentioned nothing about stealing.


True. I was looking at TheKarateKid comment about infringing companies. The country where most stuff is manufactured, white labelled and sold at a premium by brand names :)


I'm sort of reminded of the book "Schiit Happened" from the Schiit guys (they make cool headphone amps). They documented how they started their business.

One thing they mentioned is that apart from RCA jacks, all the surround sound standards are tied up and closed.


Anyone else knowing any industries where "standards are tied up and closed"?


To understand some of the reasoning of what is open and isn't you can look at the different versions of their IPR, testing and use policies. There used to be 'profiles' but they were merged into one version: 3.0 IPR version 4 allowed anyone to use the specs and develop product 'based' on Zigbee and didn't protect anyone from IP enforcement from the many patent holders. This caused a lot of issues around 'interoperability' and end user adoption. "It says Zigbee but it doesn't work with other 'Zigbee' devices." IPR version 5 moved to improve interoperability and enable members to increase development by increasing protections. It granted RANDZ between all members. It improved interoperability by only allowing the use of the name and logo if the device was certified by an approved test house. This did increase deployments and reduced interop issues. Now there is IPR version 6, which allows for the growth of other protocols, providing the IP protection developers, manufacturers and retails want and could enable further industry consolidation - which is good for the end consumer. The average Joe and Jane just want stuff that works without having to be a technical expert. Any open source move is probably about getting more developers exposed and involved to help grow the base both creators - and consumers.


Well, it also talks about using Thread, which I just learned has the same "must be a member of blahblahblah" restrictions (https://en.wikipedia.org/wiki/Thread_(network_protocol)).


It reminds me of the old "FireWire vs USB."

Firewire was an originally open standard, but there came Apple and demanded to exact a symbolic 1$ per device payment.

Despite FireWire being an indisputably better standard from technical standpoint, that 1$ completely ruined the mood with OEMs, and they lost the market.

USB on the other hand, was not really open, but Intel's central leadership in it guaranteed that there were no disarray with association peers throwing random capricious demands.

Most USB implementers were random Taiwanese OEMs who never formally joined the USB-IF, but nevertheless Intel was smart enough to close eyes on that.


>Firewire was an originally open standard, but there came Apple and demanded to exact a symbolic 1$ per device payment.

What? Firewire was a project initiated by Apple in mid-1980s, which then was further developed by the IEEE P1394 Working Group. Patents and pooling was part of it from the very beginning, with the primary drivers being Apple, Panasonic, Philips, and Sony (there were also a half-dozen odd smaller contributors). I don't remember there being any sort of "originally open standard" part to it whatsoever. Yeah, Apple owned the trademarked name "Firewire" for IEEE 1394, while Sony and TI used "i.LINK" and "Lynx" respectively, and Apple initially tried charging extra for that which was really stupid (but late 90s Apple was pretty dysfunctional). But even without that wasn't there still the standard $0.25/unit manufacturer royalty?

If you've got some other sources I'd be happy for the trip down memory lane because it's been a really, really long time since that particular battle. I'm not disagreeing that Apple's charge definitely harmed momentum, just that it's not like they came out of nowhere. Though it's worth noting that Firewire was inherently more costly anyway since it required dedicated silicon rather than handing everything off to the CPU. At the time that also gave it vastly more reliable real performance and latency vs USB, and Firewire 400 would typically obliterate USB 2 despite the latter having a sticker speed of 480 Mbps. But it was more inherently costly IIRC.


1394TA was open as far as I remember


HEVC, VVC, H.264 are also Open Standards, does not mean it is patents free or Royalty free.

While VP8, VP9 arguably isn't as much of of Open Standards, it is not patents free ( Neither is AV1 ) but Royalty Free.


Margins on most consumer electronics are extremely small. $1 per device may seem symbolic, but it starts looking like real money at scale.


I own many USB gadgets that I bought for less than $10. Paying 10% of the retail price for the privilege of using a specific port/protocol seems out of the question. Even for low-end computers (~$300) $1 for a license is a lot of money.


FireWire also had a few port types which required different cables and connectors, while USB at the time only had one (this was before Mini and Micro USB). Apple even included dongle converters with their iPods.

USB also had the advantage of Intel pushing it, resulting in almost every PC with an Intel CPU (large majority) having USB ports.


> USB also had the advantage of Intel pushing it, resulting in almost every PC with an Intel CPU (large majority) having USB ports.

In the mid to late 1990s, USB was scarce. It didn't take off until after Apple replaced its ADB (Apple Desktop Bus) port with USB in the first iMacs. Once that happened, manufacturers flooded the market with consumer products (e.g. CDRW drives) and PC makers followed suit. Up to that point PC makers had standardized on the serial port.

I don't have contemporaneous links at the moment but the second paragraph of a relatively recent (2015) article summarizes:

> But Apple shocked the computing world when it swept its old connectors away with the original 1998 iMac. The bulbous computer adopted a then-struggling standard developed by Intel called USB (Universal Serial Bus). In a hint of what was to become the company’s ability to make or break certain technologies, USB would go on to live up to its “universal” descriptor and become the most prevalent connectivity standard in the world. The solid-and-hollow stacked rectangles of its “A” connector now appear in everything from alarm clocks to airplanes. [0]

[0] https://www.fastcompany.com/3044088/apple-and-usb-a-history-...


That neglects to mention that Microsoft Windows 95 OSR2 launched a few months before (97) and that entire release was centered around better USB support for a broader range of components. (e.g. CDRW Drives)

I don't think its fair to say PC "Followed suit" in using USB.


If I remember at the time peripheral manufacturers had USB devices ready to go for the Win95 launch and Microsoft fucked up and couldn't get USB support ready in time. So Win95 shipped without it and peripheral manufacturers were utterly livid.

The next couple of releases of Windows included totally redesigned USB support.


Once Windows 98 hit though, USB was well supported on the platform. During a brief stint in late 98 through 99 I worked at a consumer electronics chip manufacturer (56K modems and DSL) and we had good support for USB on Windows 98 and Windows NT at that time.


> I don't think its fair to say PC "Followed suit" in using USB.

I didn't say that. I said, specifically, "PC makers followed suit".

Microsoft may have supported USB in their OS, but PC manufacturers lagged.


I doubt Apple had anything to do with pushing USB's widespread adoption. Apple was at one of its lowest points during this time period, and it was pre OSX.

The poor support in Windows, as well as peripheral OEMs still using other ports slowed its adoption.


I think the problem was that USB can charge only @ 5 v vs firewire @ 12 v


There is just one open standard. User having root access to the IOT device and scripting there whatever it wants. Any 3rd party dependence is a way of collecting and selling data (google and fitbit acquisition) and should be prohibited. Vote with your wallet, dont buy devices that prohibit you root access and make 3rd party servers access mandatory. Simple as that.


10 years in the trenches here.

Apple’s smart home protocol famously does not support multiple users. Amazon is choosy on what features you can implement (turn on alarms but not turning them off, locking doors but not unlocking them). Google loves using radio hardware no one else supports. Zigbee has delightful legacy security vulnerabilities and consortium drama.

I look forward to these groups putting aside their differences, coming together, and creating a new standard that combines the best of all these anti-patterns.


That was very well put. I eager await the new standard, released in 2033, that allows me (but not my wife) to lock our door using handcrafted 1.38GHz radios that require FCC licensing on the per-unit level.


> Amazon is choosy on what features you can implement

Allowing someone to holler into an open (or recently broken) window to open my front door sounds terrifying.


I, on the other hand, am on the 17th floor. Anyone who can holler at a smart device in my apartment has already compromised something important, and could probably get in anyway.

Also, just require a passphrase? To go full star trek, "[Alexa/Google/Siri], unlock the front door, authorisation singingboyo Alpha Pi Pi Zulu" sounds workable.


IIRC Amazon does allow for this. I use Smartthing + Homebridge for operating my lock (Prompts me on my phone to unlock the door when I get near the house and locks the door when I close it) but I do have Alexa as well and I at least looked into using it to lock/unlock. For the unlock I have to read off a pin, it will lock without needing a pin.


We truly live in the future.


I’m not sure if you are joking/mocking but for me at least it’s super convenient to tap a notification on my watch as I pull into my driveway and way directly into my house (detached garage I don’t park in so I enter through the front door). It’s also nice to know anytime I close the door it will lock behind me. I quite enjoy living in the future.


Or you could use voice authentication... or require that known phones are within range, or best yet don't link your smart speaker to your door lock (when do the pros outweigh the cons here?)


I use a password to deactivate my Ring via our Echo.


I bet you sleep fine knowing anyone can simply pick your locks to get in using knowledge easily obtained on YouTube and using tools readily available.


That statement is equally true for fancy "smart" systems.

https://www.aliexpress.com/item/32815036036.html

sleep tight.


Yes. So they are both susceptible to being compromised. So it'd be up to user preference as to what method they want to lock / unlock their door with then?


To sleep fine you can use the type of a lock that only opens from inside with turn of a knob (deadbolt?).


I keep thinking back how in the dark ages my parents never locked the door. Much less windows. No one had time for that.


If they broke your window they’d probably crawl through it.


What about throwing a small speaker through the window that blasts out “Alexa, unlock front door ... Siri, unlock front door” ? (I’m no criminal mastermind, but just a random thought)


> Apples smart home protocol famously does not support multiple users.

Can you clarify this? I set up my "home" and was able to share it with my wife, who sees all of the same controls in the Home app that I do. We don't have any family sharing, etc set up.


I think that they mean there is no way for your wife (or more practically, a kid) to see a different set of controls, it's all or nothing.


> Apple’s smart home protocol famously does not support multiple users.

It does? I'm added to my dad's account and can access everything just fine along with my own stuff.


>everything


Is there an alternative today, like a de facto standard based on open specs/protocols?


When it comes to smart home tech cost-cutting it's all about simplifying the small-but-many pieces. That's where RF 433 Mhz comes in.

Why should I pay $40+ for a zigbee/z-wave/smart-things/wifi-enabled door sensor when I can get a $35 RF Sonoff bridge and get each sensor for around $4-$8 from china.

So you can save a lot of money by using that tactic with door sensors/window sensors/PIR Sensors/Alarm systems/Sirens/Switches etc. because those will add up massively. You can't use that for TV/Speakers/Cameras ofc but you can bring everything together onto home assistant.

As far as I'm concerned, only the community can decide which protocol will win and these big techs should just put their weight behind a protocol built with the community instead of closed-door-consensus.

https://www.youtube.com/watch?v=OfSbIFIJPuc

https://www.home-assistant.io/components/


How about Bluetooth 5.0 (with mesh)?


Z-Wave?


Z-wave is about as far as you can get from open. Until 2018 when SiLabs acquired it from Sigma, all silicon had to be purchased directly from Sigma.


The hardware is far from open, but the issue of the interface being 'licensed' was cleared by SiLabs, which was very nice.


> The goal of the Connected Home over IP project is to simplify development for manufacturers...

> The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol and increase compatibility for consumers.

Curious if I as a hobbyist will benefit from this? Or if this will become a: it works perfectly, but only if all your devices connect to our certification servers kind of thing, like Chromecast is becoming.


My guess: first of all, "for security reasons" your DIY device will need to be certified, any existing SBCs will need to be replaced/extended to support new type of network and due to bloated protocol specs with a myriad of abstraction levels will render it almost impossible to implement it on your own and the open source library that can do that will implement the standard as specified whereas all proprietary solutions will have some quirks and little differences from official standard making it very hard to connect to anything from your open source lib. Also the sophistication of the new standard will exceed the capabilities of any arduino forcing you to replace any boards you have with new ones that have AVR uc with Connected Home hardware support.


Believe me, they will it will never find adoption. How to say, they are free to make whatever standards, but they will not matter much if nobody will use them.

Their entire ecosystem together have less devices shipped than even some OEM nonames, not to say of Xiaomi or Huawei or Tuya who tower over them.

All kinds of "smart assistants" like Alexa end up in drawers very quickly after initial novelty passes, and it creeping up you in the middle of a conversation gets annoying. From data I have, sales of those smart speakers is already starting to taper off.

In Russia, there is an idiom "to divide the cake before it's baked." And those guys are doing exactly that: people don't even know what those "connected home" devices are and which ones sell well, yet they are already eager make up standards for them.


Apparently at least Apple is turning over a new leaf; they just open sourced HomeKit: https://news.ycombinator.com/item?id=21831259


Andreas Gal? What a surprise.

That's the guy who flopped with Silk Labs labs.


I thought the russian idiom was something about splitting the hide before youve shot the bear.


Don't know much about russian idioms, but "splitting the <rewards x> before <accomplishing risky thing y>" sounds a lot like that stock thing the dutch east india company created


My experience is the opposite, basically every home I go to has an Alexa or a google home. It’s not doing too much typically managing lights/smart switches, and playing music.


Can confirm. My alexa went in the drawer after she was offering to call the crisis line for me during a spirited session of gaming.

I genuinely think the Amazon team (at least in that particular regard) want to do some good. But until they can teach their machines how to understand context, I just don't want my unfiltered conversations going around potentially to medical institutions or law enforcement.


I am surprised this is how we have ended up. We have already had a pretty good looking model for this sort of voice activated computer interaction thanks to Star Trek: TNG.

It would be far more palatable for the devices to wait for a command cue ("Computer--") to respond with an activation bleep. After the bleep, the commands begin to be interpereted.

Instead we have a listener always awaiting commands. What could be a helpful and invisible servant is instead some kind of jerk who interjects with the most literal interpretations of normal conversations.

If I wake up in the morning feeling grumpy (every day) and say some crazy crap (totally possible) on my way to the can, will an apple contractor employee be able to figure out what the hell I really wanted by reviewing the seconds of audio?

I have made death threats to wall hanging photographs in those 30 minutes before my medication kicks in. There is no checkbox for this in the privacy settings. I know with some of these smart things you can change the prompt, but this feels like not the best we can come up with.


> command cue ("Computer--") to respond with an activation bleep

This can be turned on in the Home app → Accessibility → "Play start sound" (as well as "Play end sound").


> Can confirm. My alexa went in the drawer after she was offering to call the crisis line for me during a spirited session of gaming.

Wait, what? Please explain more.

It feels like you're saying Alexa heard you being ... passionate, and got concerned. But my understanding was that Alexa listens only after the trigger word. I'm really confused by what you've said and wish to know more context.


If you've ever owned a device like Alexa or Google Home what he said isn't confusing at all. They trigger accidentally all the time. His Alexa simply triggered when it wasn't supposed to and then reacted to what he was saying. Given he was gaming it was likely something about killing himself or someone else.


Huh, interesting. I have an amazon echo. My problem with it is not that it activates when I don't say trigger word, it's that I have to try very many times to get it triggered (usually by speaking louder).


It's impossible for me to say with certainty if it didn't just interpret something I said as it's trigger. Nevertheless, I was playing Halo online and yelling about a match going badly, saying something to the effect of "we might as well kill ourselves, this match is just not going our way" while laughing, and Alexa interpreted it as me contemplating suicide, and offered to connect me to a crisis line.


Great, now we need another device recording all sounds so we can play then back to reverse engineer smart speaker behavior :(


Has anyone found Alexa way too easy to trigger? As someone who frequently talks about people with a similar name, I'm amazed at how often Alexa chimes in. I think 'OK Google' is at a sweet spot (although my parents for ages were convinced 'hi google' would work if they tried enough :)


Don't have an Alexa so can't comment on how easy it is to trigger, although I don't know any Alexes so it'd unlikely be a problem for me.

What I can say about the google equivelent is that I find saying 'Hey Google' everytime I want it to do something is a bit of a mouthful especially if you want to do several things is shortish succession.

And my other problem is that I apprently say 'OK Cool' too often when I'm on the desk phone at work as my google account is full of recordings of bits of my work phone convo's where I've triggered it unwittingly.


Sometimes mine starts responding to... nothing. As in, in the midst of silence in the middle of the night, like a dog barking at ghosts, it'll answer a question literally nothing asked.




Id say yes. I just switched from google and feel like google was too buggy and slightly too hard to trigger. Alexa is too easy to trigger and has too many notifications.


"Hey Google" is a valid trigger for some versions of the assistant, so they weren't that far off and may have seen that in action before.


Pretty sure you can change the name she responds to.


It's a limited set of options though, like 'Computer', which is hardly an uncommon word.


For clarity, Alexa responded to my comments without being triggered. It's always listening (which makes sense, by virtue of listening for the trigger) but in this case, it reacted without the "Alexa" key word.


> any existing SBCs will need to be replaced/extended to support new type of network and due to bloated protocol specs with a myriad of abstraction levels will render it almost impossible to implement it on your own and the open source library that can do that will implement the standard as specified whereas all proprietary solutions will have some quirks and little differences from official standard making it very hard to connect to anything from your open source lib.

Whoa, is it really necessary to call BlueTooth out like that?


BT v1 to v3 maybe, but BTLE/v4 solved a lot of the problems afaik.


You're probably right. It's been a while since I had the misfortune of working with BT.



For anyone not following the the link, cptskippy has given a user perspective that summarises things nicely in my view:

“It's easier to tell when you're not using BLE. :) The Tesla Model 3 uses traditional Bluetooth for phone calls and streaming but the Phone as a Key functionality is BLE. When you walk up to the car and try to open it and the car says FU then BLE isn't working. When your Xiaomi Mi Band smartwatch hasn't buzzed all day but you pull your smartphone out of your pocket and have 8 missed calls, 100 messages, and 500 emails then BLE isn't working. When you're at a Tech Conference and the Conference App uses BLE Beacons to help navigate you indoors and it can't determine your location then BLE isn't working.”


Apple's existing standard (HomeKit) is relatively 'open' - the specification is published, and several open source implementations exist. I've used the Python one to implement automation on the smart-home devices I've built myself. However, you do need to be certified to distribute a product otherwise you get a warning in the app when you add the device.

This seems like a fair compromise to me.


A self-plug for my own HAP C library: https://github.com/andoma/libhap

I've been using it on a Raspberry Pi to control various things and recently decided to shape it up and release it to the public.


Seems fair indeed. I did a quick search and HomeKit seems to work without an internet connection (on lan at least, not remote), what's your experience with that?


Yeah, it works completely locally on the lan - there's a MDNS discovery and then pairing process between devices and the phone.

You can access stuff remotely if you have an Apple device which is paired to the homekit stuff and connected to the internet (e.g. an Apple TV, we use an iPad which is always at home).

I've deliberately designed my system to work offline as while our connection's pretty reliable I don't see why I should need an internet connection to turn on a light! :)


> I don't see why I should need an internet connection to turn on a light!

I hope manufacturers see it the same way.

I don't mind devices having to be certified, I mostly want to buy hardware of the shelve anyways for safety and convenience reasons and build the controlling/automation part myself. So my biggest worries are not having a local API, data exposure and having to invest in a ecosystem and having the manufacturer brick it remotely, wasting my money.


At least for HomeKit, manufacturers have no choice but to support local network access to get certified. This has cause issues, especially with Cameras since HomeKit requires that camera streams not go through the cloud first.



> The HomeKit Open Source ADK is an open-source version of the HomeKit Accessory Development Kit. It can be used by any developer to prototype non-commercial smart home accessories. For commercial accessories, accessory developers must continue to use the commercial version of the HomeKit ADK available through the MFi Program.

So only the "device" part, sadly not the "controller" part. So you'll still need a iOS device to setup stuff in your house, I tried it yesterday with only my iMac to no avail.

But still it's a step in the right direction.


FYI: Homekit requires you to by a DRM chip from Apple to basically do a hanshake with Iphone and nothing else.

Not a good idea with OEMs, and that's why I believe they gave up the white flag now: no adoption.

They are either jump on the smart home bandwagon now, or never.


It was a hardware auth chip, not DRM and it hasn’t been required for 2 years now. Software auth went live in iOS 11.3. Apple doesn’t encourage the chip anymore and AFAIK no one uses it (except legacy devices obviously). Software auth rules the day.


Well too late now, the boat has sailed.

Most OEMs chose APP + own protocol approach


I think most major HA hardware providers support Homekit at this point, with the exception of ones that don't because of competitive reasons (Nest, maybe Ring, etc) or because of strict certification requirements (like camera streams being local, $$$).


Perhaps. The Phillips Hue lights use an open standard, I bought a usb device that could talk it (ZigBee Light Link) but then it turned out that production devices used a master key.

Here's a discussion of the master key being leaked:

https://news.ycombinator.com/item?id=9249753

But I looked it it before that and never tried to look it up again.

So likely so, and with today's encryption it probably won't get hacked for hobbyists to use/learn/play but of course I guess the argument is that the Hue Bridge and other devices will have an API.


I can recall something along the lines: used to be like that with Light Link but as of Zigbee 3 it’s really interoperable all round (Hue hub registering third party devices and Hue lamps working with generic hubs.)

I’m still looking for other devices to mesh into a ZB3 network: I’d love to see an Opentherm capable controller able to use any connected thermometer and heating element valves to modulate heat flux production and distribution around my flat. Might be overthinking though... it’s so well thermally insulated.


> This Tweet from @MayaZigBee has been withheld in response to a report from the copyright holder.

oooooo.

Also, using mobile.twitter.com (as linked) I see a single reply, if I delete `mobile.` I see no replies. Interesting.


I really hope they recognize the need that people want to keep their data on their lan. Actually that would be required by the GDPR if they won't let me sign anything. My derived data is my own people, it does not belong to who ever collects it.

I.e. I just want a thermostat the is a big rotating button and speaks mqtt. It does not exist. If you want it to look good you end up with a Nest thermostat. Home Assistant needs to talk to the Nest online API, not to the device itself. Really annoying and unnecessary. I wish I could just pay 50$ more and get a Nest that does let me talk to it locally. Or whatever are they going to earn with my data? I'd probably pay it straight up.


https://iot.mozilla.org -- can easily install the WebThings Gateway on a Raspberry Pi, or in a Docker container, or CLI install to a Linux box. It runs locally in your home. No cloud account, no cloud data center dependency, command and control accessible from the web UI served up by the home gateway. Local voice commands are possible too. My "home smart home" stays in my home. :)


Hubitat seems to be trying to be a SmartThings without the data in the cloud [1]. They seem to have a pretty active community.

[1] https://hubitat.com/


If your device supports opentherm (which is not as open as you might think, btw) you might want to look into OTGW [0]. It probably works with Nest to if the Nest allows to run without internet at all.

[0] http://otgw.tclcode.com/


My central heater is a simple on/off model. Nest will work offline with it but afaik you can't write target temperatures to it then.


To bad, my old heater had opentherm, with the OTGW I could intercept the packets between the heater and thermostat, change values (eg: date/time), issue commands (set room temperature) and add missing functionality (outside temperature for heating curve), it was ideal in every way. But I moved and my current heater has a proprietary protocol over rs485 so its a no-go for the OTGW.


In the EU there are no systems without opentherm by law luckily.

That does mean some systems are not available at all, so "luckily".


I use Venstar thermostats with Home Assistant. They're totally fine, but wifi only I believe. Local API, so no cloud nonsense. I've been running them for about a year with no major problems.


They don't seem to be available in Europe, the thermostat market is surprisingly local, i.e. we also don't have Ecobee here. The Venstars do looks nice indeed.


Hmmm maybe eBay (i got one of mine there)?


I had several Google Home devices, and you could not even boot them up unless you had a phone with an account that was opted into location history, web history, search history, and youtube watch history. Google has completely lost any concept of privacy.


At least for the ecobee, hass can add it as a local homekit device


Yeah I hope ecobee gets to Europe before I get a nest :)


>I really hope they recognize the need that people want to keep their data on their lan. Actually that would be required by the GDPR if they won't let me sign anything. My derived data is my own people, it does not belong to who ever collects it.

GDPR is a joke and easily bypassed because users are overwhemingly dumb and agree to anything without reading. By making it online service dependent they don't have to care, the experience will be horribly degraded without signing in.


Something tells me it won't work with privacy oriented systems like hass.io (https://www.home-assistant.io/hassio), but I'd be happy to be wrong.


> The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use. By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

Yet I don't see any mention of making those being able to work completely offline/standalone.

We rely too much on cloud services that ultimately get turned off after an undetermined about of time.

There is no way I am buying home automation equipment I cannot control myself, especially in a situation where the giants like Google could simply decide to terminate my account because I said or did something they didn't like and take down related systems with it.


"Since your recent comment does not meet our Community Standards(tm) your account has been suspended for a period of 28 days*. Additionally you will not be able to turn on the lights during that period and your microwave usage will be limited to 90 seconds daily."


I am personally really against my IoT devices being able to "speak" TCP/IP, I want them to use dumb radios (Z-wave or if I must, Zigbee) that cannot talk to the internet. I get the draw of Wifi/IP devices but I avoid them at all costs. I don't want 10's or 100's of devices on my network that all are talking to servers in China.

I bought a few cheap POE Chinese cameras that I use with Zoneminder but they are all blocked from any internet access except talking to Zoneminder (local).


I would agree but there is quite a benefit to having these smart devices connect to technology already in the home. With the absence of a proprietary radio, it's easier for me to control them as well. I currently have firewall rules on my network that blocks all communication between my smart devices and the internet. They can only communicate on the LAN and cannot send/receive information outside of the network. I feel like if more proprietary communication protocols were implemented it would be hard to determine which devices were communicating, and which are accessing the internet(for example if a device has an embedded LTE chip to make up for lack of WiFi connectivity).


>I don't want 10's or 100's of devices on my network that all are talking to servers in China.

I definitely agree, although I'd expand that to "talking to any servers at all anywhere for anything I don't explicitly grant permission for". However for that very reason I prefer WiFi/IP devices, because it makes it very easy and straight forward to apply all the powerful network management tools we have for everything else. All devices can go on their own VLANs for example, with careful management and logging of how they communicate. The real shame is that there aren't better, more consumer friendly tools for managing that more visually/automatically.

Custom radios aren't any inherent defense there, already there have been demonstrations of getting right into Z-wave/Zigbee networks using customized SDRs. They have a purpose from an ultra low energy and meshing point of view, but you should be suspicious of what security practices for such things will actually be. WiFi/IP at least has the benefit of tons of open attention and development for security critical situations already.


You've made some very good points and better explained what I really want. I also will admit that using existing tools to create VLANs to "quarantine" the devices is an option. That said (and you touched on this) the average consumer is not prepared to deal with any of that, maybe that will change but as of today it's not easy or even possible with most consumer-grade hardware.

As for Z-wave/Zigbee, I could be missing a potential security hole but personally I am less concerned with my Z*-devices being hacked and more concerned with IP-devices being hacked and being able to talk to other IP-based devices on my network.

For example, it would suck to have someone be able to hack my door or lights but it wouldn't be the end of the world AND it requires physical access/proximity. This is quite different from someone on the other side of the globe being able to hack a device, hack other devices on my network (non-IoT), and then do something malicious (ransomware, identity theft, etc).


>That said (and you touched on this) the average consumer is not prepared to deal with any of that, maybe that will change but as of today it's not easy or even possible with most consumer-grade hardware.

Right, at one point it looked like something like UniFi could show the way there, but Ubiquiti unfortunately has turned into a development dumpster fire and really lost its way, and I don't know of anyone else attempting something similar. The principle remains though that it's another path forward, there are already powerful tools for network control and management, and there are accessible open standards there. Putting a better UX on that is worth considering alongside other solutions is all.

>As for Z-wave/Zigbee, I could be missing a potential security hole but personally I am less concerned with my Z-devices being hacked and more concerned with IP-devices being hacked and being able to talk to other IP-based devices on my network. For example, it would suck to have someone be able to hack my door or lights but it wouldn't be the end of the world AND it requires physical access/proximity.

A lot depends on where you live. A few years ago for example there were a bunch of articles and demonstrations coming from research into and discovery of vulnerabilities in the ZigBee protocol itself. Because the whole point of it is meshing, if you're in an urban or even suburban environment with sufficient density, then a neighbor being hacked could then hack their neighbors etc in a chain reaction. And of course people had fun immediately putting SDRs on drones and doing a fresh new take on good 'ol war dialing, flying around owning anything they came across. Random example article:

https://www.theverge.com/2016/11/3/13507126/iot-drone-hack

Picked verge vs NYT since I don't think they're paywalled? Lots more though a quick DDG away covering the same thing at the time.

With meshing though, you do have to be somewhat careful about the concept of "proximity" and so on if there are protocol layer problems, which is less of a concern on WiFi for better and for worse. Your home might be locked down, but are you sure your neighbor or neighbor's neighbor and so on and so forth down the chain all have no entry point? I 100% grant it's more of a long term scalability consideration right now for many people, but hey, we're talking about a future protocol here!

Gonna be another exciting decade I guess :)


I haven't followed the AmpliFi line closely to know if it has easy VLAN support but yeah... I really like the UniFi offerings but a fulling working UniFi system (excluding the UDM) costs ~$800 from my last estimate. I'm saving for it but that's cause I'm a weirdo who enjoys those kinds of things.

If you don't mind me asking what networking stack are you using?

Also thank you for the very well thought out and reasoned reply! I wasn't fully aware of some of those attack vectors.

Lastly I think I've been so anti-wifi IoT because of the inherent security issues with literally everything currently on the market. I see the wifi IoT as a bubble about to pop unless routers gain security features for IoT or some other major changes are made to how they work today.


Depends on what you mean by "Fully Working"

I have a UniFi AP for WiFi, and a EdgeRouterX for route/switch. Of course the EdgeRouterX does not have the Fancy UniFi Management Portal but...

That was alot less than $800, I think I maybe have $125 in the hardware


Yes I mean:

* Cloud key

* 4-port POE switch

* Security gateway

* WiFi AP

I wanted to go all-in if I did it.


Sorry for the slow reply, and I see you've got (and made) one other response. As far as what stack I'm using, on my test lab it's a big mix of course, but my main personal stack right now is UniFi dating back from quite a few years ago. However, I really want to reemphasize my "dumpster fire" aside: I strong DON'T recommend getting into UniFi right now if you're starting fresh, or at least, if you do be really careful about it. It hasn't been that obvious from the outside if you didn't know what to look for, but from an community and heavy use perspective it's clear Ubiquiti has been having major internal developer issues for a few years now at least. The CEO is apparently pretty toxic, but whatever the reasons are the result has been a major stagnation of the line, both for hardware and software, rapidly increasing technical debt, and a lot of extremely confused moves that seem to amount to easy bikeshedding because real engineers weren't available. I started to get into some of the gory details but am just deleting that paragraph, it's not really relevant here. But to take a specific example, that security gateway you were looking at, which is necessary if you want to use UniFi for L3 features, basics like DNS (which incidentally is also half-assed) etc, is a good 5 years old now. They introduced the "UniFi Security Gateways" and then refreshed them... never. The software for those is stagnant, and core software (like Strongswan for VPN) are often horribly out of date. It chokes doing much of anything interesting, would be obliterated in perf by a current RPi. The switches aren't in quite so dire straights, but for the money they too now have the smell of obsolescence. Ubiquiti has no decent L3 story for 2019/2020, no move to competitive faster networking, and a lot of cruft built up because they like to introduce new things but not just update and replace old ones.

Having said all that, their PtP/PtMP links are still nice. Their APs are solid overall, and do have nice industrial design (though no word on WiFi 6, which for a new install I'd consider fairly important). The interface has degraded significantly over the last few versions, but it's still better and more unified than any other I know of. I mean, I'm still running it myself after all. But if you go that route know what you're getting into and look hard for open box and used stuff that'll be cheap. And I'd honestly suggest not bothering with the cloud key and just running the controller yourself, on an RPi or similar if you want something dedicated but cheap or else spin up a VM or container, or even just run native I guess if you've got a server you run otherwise. The CK is also ancient.

In summary: I adored UniFi, and the potential was(is?) fantastic, and their old vision was fantastic, and at one point they were a really solid venture all around. And I know of nothing else with the same vision either. Yet even so I'm expecting to have to dump it overall in the next few years, which sucks. But long bitter experience has taught me that glorious turnarounds are much more the exception than the rule :(.


Holy shit this an amazing reply and I couldn’t be happier you took the time. I had read some about of the issues you you talked about but you highlighted even more.

I might go down the secondhand/used route if I do decide to do it. Right now I’ve got a single all-in-one router running LEDE and I like it but I’m not able to reach more than 60% of my fiber internet so I’ve been looking to upgrade. I decided that if I was going to throw a couple hundred at it I figured I might as well go all in.

It’s always sad to see a company throw away such a promising future. I saw their new AmpliFi “Alien” router and I’m half tempted to buy that and wait a few more years for a better option to present itself. Or even the UDM but it seems like a very odd offering to me... I guess I’ll keep looking, thank you again for the advice.


Any suggestions on where to go instead of unifi? Was looking at starting fresh and they were still looking like the best option...

Was hoping to start with an extra AP or two for wifi coverage and then build out the rest in time.


Oh wow I just wrote a very similar comment before reading the previous replies. All good points!


Seems like there might be a market for something like pihole that detects connections to shady IoT servers.


I'm not sure what you are expecting here. CHoIP would define messaging that certified products must implement, meaning that an Amazon device and an Apple device would send the same message to a Phillips light to turn it on, and that message would be carried over IP.

The messaging would be agnostic of where the source is. It could be a device in the local network, or it could be a cloud-based service (assuming you open up your network).

HomeKit, for example, works locally, either over BLE or WiFi.


I still have to have an iCloud account to use HomeKit. So does it really matter if it works locally or not?


Reading though it seems like a common universal standard that fully removes the need for third party services as all devices will adhere to a common standard. (I"m sure all of these will offer third party apps and all that still) but if you look at something like Homekit smart plugs, you can configure many of them without ever using anything but the Home App, just scan and go. Done right, this standard could make these devices never need third party services, just local networking. Seems like the goal, obviously I agree with you that it should be a stated priority.


FYI: This is the project's official homepage: https://www.connectedhomeip.com


Trivia: I had never seen this Apple logo used before, looks like the name of the company using a San Francisco font.

I wonder if it's official or just a workaround due to the fact that all the other logos have names and not just an icon like the standard Apple logo.


Apple doesn’t tend to hand out their logo for industry groups and open source projects. That’s fine, it’s their support that matters. And it’s not like their name lacks brand recognition!

Here’s another example; same idea, different font:

https://aomedia.org/membership/members/


They have been a principal organizer and sponsor of the LLVM Developers Meeting for years and even then they did not use their own logo.



I feel like this violates Apple's brand guidelines..


On the contrary, by not using the brand at all it ensures that third parties are not in a position to violate Apple’s brand guidelines.


That's totally Myriad Pro.


It actually makes me feel better about the project seeing Legrand on the list of companies than it does any of the 3 tech companies in the title.


Per the official homepage:

> The goal of the first specification release will be Wi-Fi, up to and including 802.11ax (aka Wi-Fi 6), that is 802.11a/b/g/n/ac/ax; Thread over 802.15.4-2006 at 2.4 GHz; and IP implementations for Bluetooth Low Energy, versions 4.1, 4.2, and 5.0 for the network and physical wireless protocols.

> The Project intends to leverage development work and protocols from existing systems such as: Amazon’s Alexa Smart Home, Apple’s HomeKit, Google’s Weave, Zigbee Alliance’s Dotdot data models

Dotdot is basically ZCL over IP (in a way), but comes with a lot of legacy from ZCL.

Thread was my hope for a unified smart home network layer, but it didn't really get the adoption I'd hoped, and from a manufacturer's perspective, it did not include any application-layer messaging.

It looks like the goal is to standardize the application layer messaging (of which Dotdot was an attempt). Maybe call it Dotdot v2, but with better backing.


I bought a home and the previous owner used Z-Wave for everything. The whole thing worked irregardless of internet working or not. Whatever they invent if it is useless without internet access its a step back from something that has already worked.

All my home automation / smart home integrations will have to be Z Wave compatible or I will not use it. If my internet goes out will all my things be useless without it?


First, personally my philosophy is to have any smart home type stuff have a dumb backup. You never know what might happen to your smart hub or whatever so having physical switched lights/ appliances is important.

Second, hopefully this doesn't come across as patronizing but based on your post it sounds like you aren't sure about this. IP is not "The Internet". You can have your own little private IP network which runs without the internet. If this is an open standard there should at least be the option to create a local only hub which only requires your local network is online.

That's not guaranteed considering who is backing this project, but it should be possible.


Z-wave takes less time to get working and once it does it stays working. I've bought Wifi switches that worked for as little as 2-3 months before dying. I've never had a Z-wave device die. Zigbee maybe be open but if it can't penetrate walls then it's just not worth the hassle.


Just a nit - it's regardless not irregardless.


Sadly, the lunatics at Amazon, Apple and Google live in their tech company campuses where internet is vast and plentiful. 99% of the country however has shit internet. Among many many other reasons.


Zigbee works fine without internet. And Z-wave is proprietary - only one company makes the controllers.


I didn't realize Z-Wave was proprietary. It is useful though, I can control things around my house with a USB adapter and a Rasbperry Pi.


LOL ... there has been a standard for years for smart home devices, it is called KNX (https://en.wikipedia.org/wiki/KNX_(standard)) ... what is wrong with KNX? Hundreds of companies already support it, so why not join them instead of re-inventing the wheel?

I think I know what im talking about, because my (smart) home automation is based on KNX, I use Alexa voice commands or a KNX app on my mobile devices to controll all my KNX compatible devices, a server gets the commands and allows me to control the lights (on/off/dimming), to inquire an set the temperature in each room, to control the inner blinds as well as the outer shutters (open/close), to get data of water consumption, electricity consumption from many devices like the cooking plate, the owen, the lights, the AC, ... to get values from my weather station like wind speed, wind direction, sun intensity and much more ... I also have fire detection sensors, movement sensors, air pollution and water leak sensors which can trigger alarms... I can inquire on my phone if I forgot to turn off the owen in the kitchen, if the main door is being or has been left opened. Through Alexa I have also connected my Roomba as well as my TV and all the media devices connected to it (using the Logitech Harmony hub) but those two things are not KNX, everything else is.

Being able to control all this through Alexa is super fun. When I go to bed I just need say "Alexa good night" and Alexa tells my KNX shutters to move down to 100%, all my lights in any room to 0%. When I leave the house I say "Alexa, good bye" and Alexa checks if my appliences are turned off, turns the lights off and lowers the heating in all the rooms a bit. Also as im super lazy, if I finish cooking and throw myself on the couch but forgot to turn of the kitchen lights I just need to say "Alexa turn of the kitchen lights and turn on netflix".

What is also nice is that I can program (control and combine) everything myself. I currently use NodeRed (https://nodered.org/). So I can program routines, like "if the time is > this and the front door gets opened send me an email or SMS", if the wind speed is above a certain threshold open the shutters to avoid damage, ...


I enjoyed the description of your home automation setup! I learned about the wide range of sensors and devices that can be incorporated, and that technically it's possible for the owner to programmatically control everything. I can see you're riding the edge of the coming wave.

Looking at the differences between the KNX standard and the "Connected Home over IP" project.. From the latter's home page [0]:

> By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

This seems like a higher level of abstraction than KNX (unless "smart home devices" in the above description includes the kind of individual sensors you mentioned) - and exclusively focused on using the Internet Protocol.

Reading the Wikipedia article on KNX, it does sound like it has all the elements needed for home automation, including what this new standard aims to achieve.

[0] https://www.connectedhomeip.com/

---

EDIT: Now reading about the ZigBee specs, I find there's a big overlap in protocols/functionality. As a complete newcomer, it's hard to disentangle the pros/cons of these standards.

https://en.wikipedia.org/wiki/ZigBee


Yes I'm riding the automation wave, but only because after working for 20 years as a developer I was finally able to afford buying an apartment and wanted to try to push automation to it's limits. I haven't done it all and could go even further, which is why I like KNX, it's not closed or bound to a single company so I can buy add even more stuff from a lot of providers (see some example of companies in my other comment).

The alexa bridge is not perfect, sometimes it has hald a second of delay. Twice a year the servers are down and it doesn't respond for few hours, but besides that I'm very happy with it. B.t.w. I used this server from PRO KNX to connect my Alexa(s) to the KNX server: https://proknx.com/en/news/2017/realknx-2-0-voice-control-al... (it is also compatible with Google Home as well as Apple Homekit).

Thx for the clarifications about the differences. I don't know much about the KNX standard. I fiddle around a lot with NodeRed (nodejs / javascript) and use some Alexa routines but I never tried to implement the standard myself. As far as I understand it, KNX is also using IP Networks, because all my devices have IP addresses and my servers are open on different ports.

I hope the Google, Apple, ... alliance decided to do create a new standard for good reasons, but I have doubts as I can't find someone that explains me what is so bad about the existing standard. Why Apple, Google and the others don't just join the KNX foundation and why this already open and royalty free KNX standard can be built upon!?


Is KNX affordable? I did some searching to see how to control Philips Hue lights via KNX, and found something called an "ise Smart Connect KNX HUE" for this. I found a few sites online selling this, all in Europe.

Most would not show me a price without me first creating an account and logging in, but I did find one German site that would show me a price, which after converting Euros to USD, came out to a little over $300. I also found a UK site that would show a price. That, after Pounds to USD conversion, was over $500.

I did a little searching to try to find out how lights are handled in KNX without bridging out to some completely different system like Hue. All I was able to find was lighting fixtures with KNX control built in. I didn't see bulbs with it built in.

Does this mean that if someone without any home automation decides that they want a couple of smart lights, to do it purely with KNX that have to replace some light fixtures?

That's not how most people in the US add some smart lights. Most here do it by buying bulbs that screw into fixtures meant for regular bulbs, and implement the smart stuff in the bulb itself. There is no need to replace fixtures (which you may not be allowed to do if you are renting).


KNX is a standard not a brand, hence you can just say KNX costs 10 euro or 1000 euro. KNX via an adapter can control regular lights, at least on/off not sure about dimming. But KNX is best used with compatible lights, which means you need special lights and different cables. I think in my appartment there are two cables, I assume one is for control and the second is the regular power source. For example some companies that in my opinion have good products are BAP Tech (https://www.bab-tec.de/), Gira (https://www.gira.com/en/gebaeudetechnik/systeme/knx-eib_syst...), Jung (https://www.jung.de/en/820/products/technology/knx-system/) ... to find companies near you I would recommend using the official KNX website: https://www.knx.org/knx-en/for-professionals/community/manuf.... the system for the lights is called DALI (https://en.wikipedia.org/wiki/Digital_Addressable_Lighting_I...), for example OSRAM has a Dali/KNX website here with more information: https://www.osram.com/ds/highlights/knx/index.jsp ... to find prices I would recommend using a website like https://www.eibmarkt.com/ (set the country to United States and the currency to US Dollar)


“I” in KNX stands for inexpensive.


Zigbee is already an open standard, but some Zigbee devices don't work with others. Yet, with Z-Wave they all tend to work and there isn't that much of a price difference (between Zigbee and Z-Wave devices). The biggest problem with Zigbee is that is uses 2.4 GHZ which doesn't travel long distances or through walls very well. Z-Wave uses a lower frequency that does. (edited for clarity)


I have about 20 Z-Wave switches in my home, spread across 4 models and 2 brands. There were noticeable differences in response time, both from the physical button and over Z-Wave, when comparing brands. And even the most reliable brand for me (Aeotec) has had issues with the network being a little laggy. That's still a success in my books, though; I have bought Z-Wave devices that do not play nicely at all.

On the other hand, my Philips Hue lights have all been absolutely flawless. They fire on time, every time.

I think implementation of the standards matters a lot more than the standard itself, in practice.


I agree that the lag time is a bit higher on Z-Wave, partially because of the slower transmission speed. Plus does help that a bit. The number of hops can affect it as well, though they are limited in Z-Wave vs Zigbee which allows for more.


In a real situation this usually doesn't cause issues. Most of the zigbee devices that you're gonna have (such as light bulbs) are also acting like a zigbee router and it creates a mesh network.

You can even visualise the network if you're using zigbee2mqtt with zigbee2mqtt/bridge/networkmap


That is true provided that you have devices that correctly act as routers. Sometimes it requires extra repeaters to make the network function correctly as well. Then there is the interference issue from WIFI and Bluetooth devices.


Most zigbee light bulbs are terrible routers. Just because it's supposed to work doesn't mean it does.


Even bigger problem with 2.4 GHz is that the frequency is oversaturated and most Zigbee channels at least partially overlap with WiFi channels. I had pretty bad interference in my home before I moved my Zigbee and 2.4G wifi channels as far apart as possible.


Zigbee 3.0 will use the guard channels if there are collisions and allowed to auto select channels.


Zigbee can use sub-GHz as well.


Oh, I did not realize that. Are there any implementations that actually use that?


The UK, national smart meter effort. Sub gig, supported by three silicon providers did Zigbee sub-gig for the last mile, tough to penetrate homes and buildings. Running 3.0 on which means it will port very easily but sub-gig is much more regulated country by country than 2.4. You can search. This article covers the initiative but doesn't call out the sub-gig detail: https://telecoms.com/opinion/467631zigbee-and-the-smart-mete...


Hmmm. Now what am I going to do with my laboriously (and lovingly) put together zigbee2mqtt/HomeKit setup? :)

Seriously now, I see this as a good thing, if only because we're likely to get an interoperability stamp of approval of some kind.

Right now, and were it not for my using an Open Source solution for my Zigbee gateway, it would be impossible for me to hook up Hue, Xiaomi, IKEA and other devices to Homekit without a bunch of different gateways (because some Zigbee endpoints simply refuse to talk to anything other than their own peers).

I also hope that they manage to do this without going the Google way of having everything open up ports on your router (some of the newer Nest-branded stuff already knows how to talk to peers on a LAN, but the security model for Google/Alexa integrations is fundamentally broken for me - WeMo support excluded).

So far HomeKit can run _completely_ on-premises, with all devices interacting on the LAN, which is great (except for remote connections through the Home app to your Apple TV home hub, and Siri voice recognition to trigger scenes), and that is why I decided to stick with it.


> were it not for my using an Open Source solution [...], it would be impossible for me to hook up [...] and other devices to Homekit without a bunch of different gateways (because some Zigbee endpoints simply refuse to talk to anything other than their own peers).

And worse, in my "casual" case, because some sort of Philips/Apple agreement outright prevents it :/

E.g. add a "Hue compatible", but non-Philips bulb to your Hue hub. It will work in the Hue app and via Amazon Echo, but Homekit will refuse to see it.

A way to "trick" homekit to be able to use the bulb with it, is to create a Hue scene, and sync it to homekit, but that is terrible for per-bulb control. This stuff is apparently all Zigbee, but the usability situation is an absolute mess.

(Widely reported, for many years, not a bug).


HomeKit must really be struggling for Apple to publicly join this consortium. I don’t say this just as a snarky dig at Apple’s preference for walled gardens, but because this announcement more or less Osbornes all the HomeKit devices in the market right now.

Despite its walled-garden nature, I’m sad to see HomeKit go. It was the only home automation standard I’d trust in my home, though hopefully Apple’s participation in this new initiative means it will share HomeKit’s emphasis on security, cloud independence, and privacy.


I hope security is at the top of their list.

I want a super secure hub that everything connects to. The hub is the only thing that speaks to my router. The hub is super secure & doesn't let devices send data back to their manufacturer. If I buy cheap devices off a flea market like Amazon, I want to sleep safe & know that the hub is preventing that device from messing with any other devices or accessing the internet. The hub can send me notifications and I can send it requests. It would be cool if I could choose to have the main hub database & software based in the cloud or on my local network.

Not sure if this is already possible. If it is, I would love to hear more.


This is how ZigBee and Zwave work. The devices form their own network for inter-device communication (it can be setup so a switch talks directly to a bulb, so even if the network is unreachable it still works) and then you use a hub to orchestrate that and provide functionality such as phone control via an app. That can be something simple like a Philips Hue hub, or something more complex like SmartThings, or you can roll your own using Home Assistant and a dongle.

The problem with these protocols is although they are more or less open, device manufacturers need to pay to be certified.


Even if the hub was actually secure this still does not prevent from someone near to your house to talk to the devices directly (this applies especially to wireless devices). The hub you described would prevent from the remote attacks only


Security is a never ending rabbit hole. I am more concerned about the bigger threat, global attacks.

I get if you live in a densely populated area that drive-by type attacks would be very concerning.


>drive-by type attacks would be very concerning

not only that. One insecure system in the area could be infected and then controlled to attack other networks in the area. With a high density of IoT devices you could have malware spreading wirelessly device-to-device. Also with a wide IoT adoption with such devices being used by public/utilities companies (smart street lamps, leakage monitoring in pipes, smart electric grid etc) you don't even need a densely populated area to have that problem.

>I am more concerned about the bigger threat, global attacks.

I once read something among the lines that IT security needs its own Pearl Harbor event. I can neither quote it exactly or attribute it to any source


I'll tell you this. You already have a hub, it's called WiFi router.

I see zero reasons to rationalise the need to buy yet another white box for the buyer.


Wifi is a poor choice for this because it uses a lot of power. Lots of things that connect to a smart hub are tiny sensors that use expensive batteries.


The consumer have a choice, a device that works right away, or a better, more expensive one that doesn't

Think why they can't sell much of these


what do people mean when they say security for smart home devices? if the "launch ICBM" port is open on a device on your LAN doesn't an attacker still have to traverse your router to get to it? Otherwise, an attacker would have to get access to your LAN. Is something like that what you mean?


People would prefer

1. Their lightbulbs to not be co-opted into DDoS attacks 2. That their cameras are only used by them 3. That others can't control their devices 4. That their devices receive security updates 5. That their devices don't contain back-doors 6. That their devices can be used when isolated from the Internet

... I imagine.


Well said


Apple, Amazon, and Google are fundamentally opposed to a model that sells devices that don’t phone home - their whole purpose is to capture value by creating lock-in for surveillable hosted services


This is not exactly the case for HomeKit. Apple didn't even add the ability to control devices when you are off your home network until recently.


Yep. And it's Apple that's pushing for a HomeKit router [1].

Reading between the lines of how Apple's been handling the "smart home" business, they've been focusing on privacy and security relative to competitors, but it's been holding them back.

I think the market has kind of shown that privacy (e.g. devices that aren't streaming to / dependent on the cloud) and security have not been primary concerns of the people who buy smart home devices, but solving those problems better may be key to enlarging the "smart home" market to include normal people.

[1] https://www.computerworld.com/article/3446197/why-we-need-ap...


Seconded. Apple, Amazon and Google have very different goals for your data. This is just a transport layer. Your privacy from the mother company isn’t impacted by the transport layer, but rather where they put the “brains” of your smart home.

While all using the same transport layer they can continue to utilize different “brain” strategies.

Apple’s “brain” has always been in your home where your data belongs and should stay. Google started with the cloud but is moving towards the same model.

On the other hand Amazon seems to have no qualms slurping everything out of your home to their servers and no plans to change.

The more you know.


Not sure I understand. I am pretty sure you have been to remotely control Homekit since the beginning, originally by utilizing an Apple TV 3rd generation, and subsequently with iPads, Apple TV 4th gen/Apple TV 4K, and now HomePods.


Google and Amazon are like that. Apple is more into cross-selling you other Apple products and locking you into the Apple ecosystem.


If they actually pull it off, it'd be huge. The single greatest thing holding back home automation is a lack of compatible standards (coupled with the fact that when an automation company dies, its proprietary standards die with it).

I used Z-wave for my home, but I'm not doing it "on the up and up;" my hub is homebrewed and using an unlicensed radio. It's a pain in the ass to maintain, but since I can't trust any hub company to survive past five years, it seemed the right call.


I've used SmartThings more or less since their original Kickstarter in 2013. I gave my v1 hub to a friend who can still use it (I have a v2 and they have a v3 out now).

I try to only buy Z-wave devices and fallback to zigbee if I have to. It's been a very pleasant experience for me overall. I have 5 z-wave light switches, a handful of zigbee bulbs, zigbee door/temp sensors, and 2 z-wave locks. I plan on replacing all my light switches eventually (I've got like 5 left but all in low-traffic areas of my house).


In other news, "Wolves, Lions, Tigers and Leopards develop Open Standard for Sheep Housing."


It is a group incentivized to make sure the sheep are happy, healthy, and within easy reach. ;)


If I suspect that there is any chance my family's private information is going to get leaked, then I will not touch it. Appliances should never have internet access. Software updates, if required, should be delivered one-way through open trusted auditable software (something like ofw).

Big tech have already tricked me into supporting them with their "open platform" bait-and-switch before (android), that trick wont work on me twice.


They talk about this being secure by default, but the standard will only ensure the communications is secure. This won't fix the bigger issues with IoT devices which is that many are built on crappy/ insecure software stacks. If your wifi video camera gets hacked, it doesn't matter if it's using https to communicate securely with your phone or cloud storage provider.


As someone who is perfectly happy with Home Assistant and Z-Wave, I worry that a bunch of mega corps getting together to create a standard will crowd out the market, and prevent non-local, privacy-honoring options from continuing to be manufactured.

If average consumers are told to simply "look for the CHIP logo", and the CHIP standard includes facilities for must-phone-home messages akin to streaming DRM, I'm afraid we'll just get pulled further into the corporate surveillance dystopia.


I think people who expect Home Assistant to be useful to the general consumer are delusional. Home Assistant is an amateur piece of software with severe UX shortcomings and broken auto-update functionality (it phones home continuously and often bricks itself after auto-updates).

I appreciate the enthusiasm in the home automation community, and I agree there's a need for an offline solution, but Home Assistant is not it, and we'd be better off scrapping that codebase and starting something better.


Don't you think delusional is a bit strong... There is a real company, nabu casa, hiring real developers to work on making a 1.0 release that's easy for others to use. Yeah right now it's complicated, but check out some of the projects they're working on like stanford's almond integration. https://www.home-assistant.io/blog/2019/11/20/privacy-focuse...


You're focusing too much on the home assistant part, and not enough on the local control part. There are solutions with hubs such as some parts of the Wink hub that do work locally without internet. I'm sure there are professional-grade installers who install various pieces of software that use Z-Wave and/or Zigbee to setup a locally controlled home automation solution.

Needing connected to the internet (and all the latency associated with it) is an anti-feature that most consumers aren't even aware of or think of, hence why I hope solutions that have the feature aren't crowded out before the market for home automation truly takes off


Sorry if I wasn't clear. I agree with you that local-only solutions are needed. Home Assistant is sucking up too much of the air in the room. I don't think it will ever be accessible or usable to the general population. If not for Home Assistant, I think the community would have developed better local-only solutions by now.


You are perhaps taking about a particular distribution of HA and not HA itself. I run mine out of Python venvs on Ubuntu LTS.

I can't remember hearing of autobricking installs on hass.io which might be what you are referring to but I doubt it.

Citation please.


They are actively working to make Home Assistant much more user-friendly. I suggest watching the "state of the union" presentation: https://www.youtube.com/watch?v=tc17q1Zn0Xs


this is a good step. i worked in automation/controls (commercial, residential and industrial) for almost a decade (2000-2009) and personally dealt with the nightmare of interop. the number of times i had to glue disparate control systems together with relay closures and switch inputs was insane. and yeah, we had these issues with wireless. it was compounded by the company i worked for supporting enocean, zwave and zigbee.


I am curious if they will include cameras (security / door), because the characteristics of the payload are quite orthogonal to the characteristics of the payload of other smart home devices.


There are two aspects to most security cameras. The one everyone thinks of is video streaming - there’s plenty of standards for that, most notably RTSP and recently WebRTC. That’s probably out of scope for smart home protocols.

Totally in scope is provisioning, configuration, and notification of things it can detect such as motion. I’d anticipate those being managed as part of this new protocol, with streaming simply being to provide an endpoint address and maybe an authentication token to connect.


I doubt some of they PHYs have the bandwidth to support streaming video, but there have been some good efforts in the IETF to maximize streaming protocols over low-bandwidth connections.

But the whole point of CHoIP is that PHY doesn't matter, so you can configure your camera using IP messages over BLE, and then the camera connects to services over WiFi to stream.


>because the characteristics of the payload are quite orthogonal to the characteristics of the payload of other smart home devices.

how so?


A camera requires orders of magnitude more bandwidth and power than other devices that might be connected over a low-power, low-cost radio network. It needs to transmit that payload 24/7.

Currently, home automation typically uses a variety of custom protocols built on IEEE 802.15.4 (not 802.11*). It's a simple protocol that can be implemented by a cheap 8-bit microcontroller from 2 decades ago. Devices from one manufacturer may or may not communicate with those from another, and the network architecture is typically a hub with spokes - there's limited or no support for multi-router, multi-access point, or mesh networked setups.

This style of network honestly works pretty well for motion sensors, lights, outlets, temperature sensors, thermostats, etc. The master node might query a device every few seconds for a couple bytes of status, or might only send a short command when a user interacts with the device. Most smart home devices send a few bytes of data four times a day when you push "light on" and "light off" on the hub. This is great for operating for months or years on just a couple AA batteries. A camera sends a few bytes per pixel times (simplifying) 720 pixels down times 1280 pixels across times 30 frames per second times 86400 seconds per day, and can only run for an hour or two on a larger battery. That's almost 8 terabytes vs. 8 bytes.

But to use 802.15.4 networks, you need a hub, which is a barrier to entry - instead of one $20 light, you need a $15 light and a $50 hub. You likely already have an 802.11 router that could be the hub if the devices were smart enough to talk to it. And (tinfoil hat on) I think these companies would rather have their servers be the hub, rather than a device in your home they can't monitor and profit off of.


This is a very Hacker News answer, in that you wrote three dense paragraphs that are all technically correct, yet also completely divorced from our practical reality that has smart home cameras in it.

What is the obvious implementation out there? They just have both. They have the cheap 8-bit microcontroller from 2 decades ago transmitting on the low-bandwidth home automation network, and when it is decided that the camera should stream, it wakes up the beefy Ambarella or Socionext SoC to send its video feed over classic WiFi to the vendor cloud, and whoever wants to receive it just gets a stream URL back.


Yeah, there's no reason to saturate the control channel with high bandwidth data.


Higher bandwidth. Not sure if that is 'orthogonal' though, seems like the requirement is on the same dimension, just bigger...


I think you’re right. Typical smart home coms being short little on/off or temperature up/down type commands vs. streaming/recording video and audio with some having two-way audio up to and including machine learning/AI for object detection which most likely is done remotely.


Lights and switches are generally basic async polling and commands versus live streaming video and constant video uploading to a cloud storage service.


Since Apple just added support to HomeKit for cameras I am sure this new standard they are making will support them too.


Homekit has had support for cameras for a while. The recent support was for a cloud integration to store video securely.


Seems like the sorta thing which has tons of buy in from teams that don't matter and the teams that actually need to be using this won't and it'll get abandoned in a few years.


Google (specifically, Nest) and Apple are both looking to displace other solutions in the market.

"Teams that don't matter" today. This market is absolutely rife with opportunity for someone to steal the whole thing with better UX and an interop promise.


Why not openthread? It's already there, it's open source, and from my somewhat limited experience, works well.


The licensing is a bit poor. While openthread is open source, and the spec is public: > "Membership in Thread Group is necessary to implement, practice, and ship Thread technology and Thread Group specifications."[1]. This seems to be a similar limitation to what prevents Zigbee from being in the Linux kernel, as commented elsewhere[2] in this thread.

In contrast, the Bluetooth SIG only requires a fee to be paid when you actually ship, as a once off not a yearly fee. The cost is roughly similar.

[1] https://www.threadgroup.org/ThreadSpec [2] https://news.ycombinator.com/item?id=21825822


Openthread is purely a networking solution. It does not address application-layer messaging. This effort is to unify the application layer. (ie, "light = on" messages).


It looks like Connected Home over IP will be compatible with Thread - they are developing the stack on top of WiFi, Bluetooth and Thread: https://www.connectedhomeip.com/


Openthread uses the zigbee radio. Hence zigbee being involved.

On the surface this "appears" very similar.

EDIT: Yes I'm aware the software layer is different, I was inferring the radios are the same.


This is incorrect. Openthread uses nothing from Zigbee, but does use 802.15.4 radios, the same as Zigbee does.


OK, let me be more specific since that is what I was inferring.

Yes the software layer is different.


right, but Zigbee just uses a generic 2.4GHz radio. There is nothing about the radio that "involves Zigbee". Some silicon vendors sell 2.4GHz radios that can run a BLE, Zigbee, or Thread networking stack.


Can anyone recommend a method* without Wifi? Isn't there a method for "smart outlets", main scheduler, etc over electrical lines rather than bluetooth, wifi, etc? Method* == standard, or product line. [yes i used pointer and equality symbols oddly]

Edit: basically looking for a way to avoid more wireless transmitters in the house. Or are all outlets "receive only"?


The previous generation of smart home devices was called X10, and it used signals over power lines.

I gather it was:

- slow

- might have required you to make a connection in your circuit breaker

- and was designed in the 1970s, when home electrical systems weren't very noisy (apparently all the switching power adapters we have today make a ton of noise and make it hard for the signal).

I don't see why something newer like this couldn't be done -- we have powerline modems, right? Probably not as fast as wifi, but it does go where it is needed and requires physical access to hack.

Some devices are using Zigbee (a different wireless system), but I understand it was developed without security and isn't hard for third-parties to hack into.


> - slow

Yep, that's inherent.

> - might have required you to make a connection in your circuit breaker

That's one way to do it. Another way just requires a bypass and filter at your circuit breaker what is much simpler and doesn't have to connect anywhere else.

> - and was designed in the 1970s, when home electrical systems weren't very noisy

This is where things got worse, and then they got better. Yes, electrical lines are very noisy, but the 200Hz - 100kHz band is only getting cleaner. Electric motors will interfere with it, so you may need a filter on your blender (but even it is much better now), but this is the prime band for electrical wiring.

Also, on chasd00 comment that it requires capacitors bypasses on transformers, that's only true on the higher bands, and only on devices you want connected to the network. So only the smart devices need to adapt.


To expand on the circuit breaker item above: Because most of the outlets in your home are split between two phases of AC, it meant that the X10 transmitter would only be able to talk to half your power outlets (and you didn't know which half ahead of time), unless a phase coupler was wired into your breaker box that would repeat the signal on the outlets connected to the other phase.


I remember X10! The whole "over powerline" thing was a real possibility back in the day but it required all transformers to have a small modification done to them and that killed it IIRC. You could certainly do it in your home though.


Insteon is the closest thing to a successor to X10, and it still supports a lot of the old protocol. You can certainly setup an insteon system for basic stuff (Scenes, etc) without an Internet-connected hub at all.


LoRa (not LoRaWan) could be a Method. Or PJON.


How will this relate to 6lowpan, the already existing IP standard for IoT? Or will CHoIP sit on higher level (like eg mqtt)?


6lowpan only addresses running IPv6 over 802.15.4 PHYs. It defines how to compress IPv6 headers to fit into 802.15.4 MTUs.

CHoIP will define application-layer messaging that runs over IP, regardless of PHY.

So, you can run CHoIP over 6lowpan (this is essentially what CHoIP on Thread would be).


6lowpan is also used for ipv6 over bluetooth le

https://tools.ietf.org/html/rfc7668


As long as those companies are the ones designing the spec I'm totally disengaging from smart home devices.


Strategically this works out best for Apple whose HomeKit seems to have the fewest compatible products. Everything seems to integrate with Alexa, even a microwave that can order popcorn. I wonder what Amazon and Google gain from this, though.


It would be nice if such standard supported Publisher-Subscriber style of messaging. For example alarm could subscribe to events from motion sensors and security cams (a camera in addition to providing a stream could push events like motion detection) or heating controller could subscribe to temperature change events. To make security of that realistic this would need some form of ACL, probably centrally[0] controlled.

[0] central as in "home router" not as "somewhere in the cloud"


I expect that MQTT is that standard. ( http://mqtt.org/ )

I have just been playing around with IoT devices and was just trying to set it up.


Thanks, it looks really interesting and seems to do what I just described. The thing it lacks though is - in my opinion - RPC-style messages. For example an alarm controller could subscribe to motion events, but when such an event occur it should be able to turn on sound-device immediately or shut some locks. The one-to-one communication as described here: https://github.com/mqtt/mqtt.github.io/wiki/one_to_one seems more like a hack than a proper solution.


MQTT is a nice transport layer, but to be really useful this needs standard message templates and topics.


Another thing I'd like to see is a distributed shared state standard (not just for IoT):

https://en.wikipedia.org/wiki/Distributed_shared_memory

https://en.wikipedia.org/wiki/Software_transactional_memory

https://en.wikipedia.org/wiki/Consensus_algorithm

https://en.wikipedia.org/wiki/Raft_(computer_science)

https://en.wikipedia.org/wiki/Distributed_hash_table

The current trend of using async logic via message passing to maintain state is extremely error-prone and I personally consider it nondeterministic if it uses timeouts (which is pretty much the entire internet currently).

A much better system works more like Firebase, where clients can subscribe to change events but also have access to a single tree that holds the latest agreed-upon state. I'd recommend something like a distributed hash table (DHT) so that the entire state doesn't have to be downloaded by each client. The state itself should probably be binary JSON to start with, but the standard should be loose and allow for XML or anything else. This would take us to something more UNIX-like, where devices can be thought of as processes interacting via a single shared memory, and abstract away the tedious/brittle/insecure interconnect layer. It should also support unreliable message passing like UDP for realtime support, which is required for simulations and gaming (there is a higher than 50% risk of the protocol omitting this or getting it wrong).

After writing this out, I just realized that what I really want is an Actor model for IoT, where each device is completely isolated but communicates over channels like Elixir/Erlang or Go. I've come to reject both async and concurrent shared mutable memory because they each have major drawbacks. But I think that synchronous functional programming with primarily immutable variables and no shared mutable memory, building up a last known-good state inspectable by anyone with privileges is the future. The state could/should have something like an access control lists (ACL) and/or a permissions system. Ideally this should be hierarchical just like Firebase, and probably use a similar rule-based logic, to facilitate assigning roles to each client.

It's trivial to demonstrate that once you have this, you can build any other seemingly complex abstraction above it like a database or game server. We have been missing this abstraction for several decades so we keep witnessing company after company reinvent the wheel. As far as I know, the only attempt to do this is RethinkDB:

https://en.wikipedia.org/wiki/RethinkDB

Unfortunately, I'm not sure if it's still supported:

https://rethinkdb.com/blog/rethinkdb-shutdown/

https://lwn.net/Articles/713716/

As usual, I would gladly work on a project like this, but there is currently no funding mechanism to support foundational open source projects like this with market-rate pay.


How would you solve access permissions in DHT? What if a node in DHT holds data that it is not granted to read? This would imply encryption of the data to prevent unauthorized reads - this does not really seem as a complicated problem - the data could be encrypted with only the nodes granted the read access having the decryption key(s). What seems harder to me is write permissions - if the data is encrypted/signed, only those nodes that have been granted permissions (and thus have copies of keys) would be able to overwrite/change that data. So the node that holds the data would not be able to overwrite it if it does not have r/w access to that piece of data. Nothing prevents from removing this data though. (I'm assuming the possibility of some nodes being malicious)


I'm not sure for DHT. But in Firebase the permissions are handled as user access rules written in Javascript, returning boolean true or false if the user has the ability to read/write the node and if the data being written passes a validation check:

https://firebase.google.com/docs/rules

https://firebase.google.com/docs/rules/rules-language

So Firebase permissions really have more to do with the identity layer than keeping the data secret.

I think that probably everything should be encrypted anyway. This was a largely solved problem even in the 90s, and embedded devices are about as powerful as the 386 and 68030 computers popular then.

We really need a distributed SSL identity layer though. Something like letsencrypt.org except the client's identity would come from the social proof of its peers instead of a central organization. Maybe this is already a solved problem in OpenSSL? I only understand symmetric key encryption, but not the man in the middle protections that SSL certificates provide. To me, p2p identity and encryption should have been a foundational pillar of the internet, not some controversial afterthought like we think of it today.


> What seems harder to me is write permissions

The usual solution for this is that the data must be signed by a specific private key; possession of that key grants write permission. A generation count or timestamp is embedded in the signed data to ensure that newer data cannot be replaced with obsolete data. Malicious nodes can still block updates from being distributed, though, so you need more than one path to seed the data into the network.


The reason I can say my smarthome is relatively secure is explicitly because it doesn't use IP. It's good they're trying to standardize, but you're gonna have a problem when you try to use a firewall to inspect what these devices are up to and find that they're all making encrypted tunnels back to their home bases and won't work without them.


I've been gradually retiring my wifi smart devices in favor of Z-wave because I find them far more reliable and much easier to maintain and manage.

It's also a little annoying having a pile of wifi devices whose only purpose is to manage an on-off state consume IP addresses on my network.


I share your need to name all my devices in the controller view. Hopefully zwave has better security support than typical IoT devices. I'd really prefer to use certificates rather than WPA passwords because password rotation requires a) I give vendors my passwords which they may not really secure in any way, b) often requires I use a vendor tool to rotate said password.

It would be much preferable to have a standard way to store a certificate to the device. Today when the inevitable happens and someone leaves customer WPA passwords on an open S3 bucket, or they're exposed via cyber security break I have to update every device. It would be so much nicer to just go update my compromised device's certificate rather than the password for everything. Frankly I'd prefer certificates to passwords anyway because sooner or later I'm sure WEP2 itself will be broken.


[flagged]


Pretty much everyone (especially at home) is using only IPv4. IPv6 is always perpetually on the horizon.

The better argument would have been that using a /23 or /22 subnet should probably be enough for most home automation setups.


5 years ago your comment was spot on. Now in the us it is common to see dual stack v4 v6 on residential and mobile connections.


Comcast and Verizon will dual stack you, sure. As the largest two ISPs, they're out of addresses. But a lot of other ISPs won't, my ISP doesn't support IPv6 at all.


I’m more talking about what people are actually aware of. Yes, most systems have IPv6 enabled and use it when possible, but it’s mostly invisible. When you login to a device to setup the IP address, it’s still almost always IPv4. That’s just for the internal networks, which is what most home users are thinking about on this topic.


I'm on IPV4. It's not about how many IP addresses I have available, it's that all those smart devices can pollute the list of devices connected my wifi network.

I like to know what's on my wifi network, and because my memory isn't what it's used to be, I find myself having to assign names to all the smart wifi devices in my Unifi controller.


A common solution (and one HomeKit enabled routers implement) is to relegate all IoT products to their own network


Sure, but I would still want to check that network's clients as well, so I would still want to identify the devices on that network to ensure that only my devices are on it.

Either way, it's still an additional step compared to Z-wave. Other than the hub, I don't need to set up an IP network for my Z-wave devices to connect to at all.


I mean, I’m using Z-wave too, but you’re describing the same level of complexity. Either you set up a dedicated WiFi network and check that to see the status of IoT devices, or set up a dedicated Z-wave network and check that for the status of devices.


For a z-wave device to pair to my hub, I need to put the hub itself in pairing mode.

Unlike wifi devices, a zwave device can't just join my hub by knowing an SSID and password.

Yes, I could do something similar with a wifi network and whitelisting mac addresses etc, but that's not nearly as simple as the way z-wave works.

[addendum] When I talk about checking my network, I'm also not talking about status. With wifi, I'm checking to look for unexpected clients. I occasionally have a temporary freakout when I see an unknown device on my wifi that ended up being something that I bought, added and forgot about (like a media player), etc. That's not a concern I ever have with a z-wave network.


Some internet providers restrict users to the number of devices they may have connected to their WiFi network.

Not sure if this is what they’re referring to, but possible.


How would that even be possible? Plus another router in an NAT everything behind it.


Most wireless "smart" devices are IPv4 only but the RFC1918 space is sufficiently huge for a gone network. The annoying part comes in when you have to change the DHCP pool (lots of home hardware doesn't support multiple pools) and possibly re-ip your network. Why much with your network, just to reduce security? I'm a fan of zwave.


Even if you're on ipv4 and using the 192.168/16 network you've still got >65,000 addresses to work with.


And 10/8! And 172.16/12!!


This is false sense of security. Industrial SCADA and CAN networks have been found full of vulnerabilities because people assumed they were magically secure by simply not using IP.

You can easily isolate an IP network and inspect its traffic.

You cannot easily inspect less common protocols.

Obscurity and lack of tools never helps security.


The reason I can say my smarthome is relatively secure is because I don't allow any of the devices to access the internet. IP or not seems irrelevant.


The high level of sophistication of IP networking and the fact that one small mistake could mean your devices access the Internet is why a network that doesn't talk IP is almost inherently safer than one that does.


There is a great point here you haven’t made yet.

It may seem trivial for those of us on HN to block IP devices from the internet, but the average user will not know how to do that effectively. They are also the ones who’s devices probably remain on a botnet undetected by their owners.

That said, most hubs (required for these types of devices) connect to the internet by default anyway. It does reduce risk a bit as vulnerability in a node isn’t exploitable remotely.


There's no sophistication: just plug a Wifi router to an outlet but not to the Internet cable.


I think any home automation system should not have to rely on the home owner having a CCNA cert in order to be secure.


Buying a Wifi router and not plugging it to the Internet doesn't require a CCNA cert.

Yes, it's an extra device, but so is the Zigbee hub.


Most people are not going to buy a dedicated WiFi AP just for their home automation.

The benefit of Zigbee, even when using a hub, is that you don’t have all the actual devices on your network, calling home, and possibly opening up NAT traversal streams. You just need to worry about the hub. With WiFi devices, you need to worry about all of that for all of them.


Given how closed Apple is with HomeKit, and how Google removed the Nest API, I don't have high hopes for whatever this is exactly.


HomeKit isn't that closed. You can basically add anything to HomeKit yourself as a hobbyist. The only restriction is on commercial sales of products. There's dozens of HomeBridge plugins that act as a glue for non HomeKit devices.


I hope whatever standard they come up with does not require a home WiFi network to operate. Mobile internet is already faster than your average home internet line and there is an increasing trend where people rely entirely on their mobile phones for network connectivity.


> there is an increasing trend where people rely entirely on their mobile phones for network connectivity

There is? Is it any meaningful percentage of households?


I can't see how going hub less would work. You'd have to configure all the devices to connect to a hotspot on your phone and get your phone to reliably create a wifi network every time you get home. Dealing with multiple users would be a massive headache.

You could have a home wifi network which doesn't connect to the internet. Wifi routers are dirt cheap and don't need to be connected to the internet.

That said, the logistics of this would be super weird because smartphones are mostly designed to treat connected wifi as their internet source. Also, if your devices don't have at least an indirect internet connection you can't do anything remotely which is a pretty big functionality hole.


I think it is the other way around. If you want to have your connected devices in a reasonable safe setup, create a wifi network for them and you decide if and how they connect to the internet. This could be a mobile uplink, if you desire to, but I really wouldn't like each device on its own have an internet connection I cannot control.


Wow, just when I thought the average HN reader could not get any more out of touch with the general population....

Here's some data that backs up my point. Sorry if this doesn't match your anecdotes from your bubbles.

https://www.pewresearch.org/internet/fact-sheet/mobile/

https://www.cnbc.com/2019/01/24/smartphones-72percent-of-peo...

https://www.comscore.com/ita/Public-Relations/Blog/Number-of...


That's a bold statement. Anecdotally, I know of no one that relies entirely on mobile connectivity for their home.

While mobile internet may be becoming faster, it's still severely hindered by data caps and throttling.


"Seattle and Cupertino, Mountain View and Davis, California" is a really weird dateline.


https://en.wikipedia.org/wiki/ZigBee

> Physical range 10 to 20 meters

Pretty crappy compared to other low-power protocols...


I buy zwave smart switches instead of WiFi ones because I know those devices won't be able to snoop my LAN. Home automation over IP is a step backwards IMO.


We are building a new house right now.

All subcontractors know the rules - no "smart" devices or "wifi enabled" appliances or mechanicals. All lightswitches are plain-old hi-voltage only switches. Thermostats are dumb, unprogrammable, with no memory or scheduling or timing. The locks on the doors use physical keys.

The smartest thing we have are the sonos speakers and we pug those in with ethernet.

Everyone will be pleasantly surprised when they interact with our house. This is what luxury will come to look like as time goes on ...


Not having programmed schedules on thermostats seems ludicrous to me.

I don't have "smart" thermostats, they can only be programmed with the buttons on the front of them and they cannot talk to one another, but how do you turn down the heat when you leave for the day? or even set different temperatures for daytime and nighttime? manually?


We're cheating a bit here because we live in California ... so we don't need AC mechanicals (which is a big win for simplicity) and when we leave the house we simply turn off the heat.

If we lived in Duluth we could probably do the same thing for day-long absences, provided the house was very properly insulated, but you are correct - we would need a timer/schedule on the thermostats for any longer absences.


> Everyone will be pleasantly surprised when they interact with our house.

...you're aware that the vast majority of homes are not 'smart homes' already?


Do you not have any mobile devices, or do you rely on 4G? Or do you use the device Edward Snowden recommended to connect your phone to the internet via ethernet cables?


Well, we do have a wifi access point for our single wireless network ... and the only clients that connect to it are actual humans with devices they are using. Nothing to do with mechanicals or appliances or "smart home".

Also, totally unrelated and not really relevant, but we don't have mobile phone service out here ... zero bars of ATT and maybe one bar of VZW, depending on where you stand ...


Interesting that Mozilla is not on the list. They are one of the few companies I'd genuinely trust with smart home data.


Especially since Mozilla has been working on WebThings which is home automation protocol over HTTP.

There is a place for both WebThings and this new protocol. WebThings is too heavy for low-power devices and mesh networks like Bluetooth and Thread. But would be nice to have standard API for web services and gateways. The ideal world would be this new protocol on the local network and WebThings across the internet.


They have their own IOT platform they are working on called WebThings. I took it for a spin and it is pretty cool, although it still had some rough edges last I looked.

The gateway runs on an RPI and they give you a URL so you can access it from anywhere.

I'm surprised it hasn't got more attention here.


Smart home is the poster child for "The good thing about standards is there are so many to choose from."

Randall gets it [1].

[1] https://xkcd.com/927/


i wish the harder i pressed the trackpad the more votes you would get. I remember smart home standards being talked about and published around 1999. Like another poster mentioned, X10 was a big thing around then even though it came out in the 70s.


I am planning on wiring my house with ZWave and OpenHAB. Anyone have any experience doing this? Does it work well?


I have 40+ ZWave+ devices and they work great with Home Assistant. From lights to fans to all kinds of sensors, the mesh network seems to have good range and latency (as long as your controller isn't really close to interference).

Definitely don't use older ZWave devices, only ZWave Plus certified ones. This ensures the network is fully encrypted and allows for greater range and throughput.

My next fun project is automating the watering of pots and the garden. Going to combine a ZWave-controlled solenoid with drip irrigation and some Home Assistant smart logic (daily rain, sun hours, humidity, temperature) to handle it.


ZigBee has worked much better than Zwave for me.


this is funny because we installed a ring in the office for its Google home integration. but now that it's owned by Amazon that no longer works :/


I hope they address security requirements beyond layer 2.


it's not to late?


In case no one noticed : https://xkcd.com/927/


Obligatory XKCD: https://xkcd.com/927/


Considering Apple, Amazon, and Google are already members of the Zigbee alliance, it makes you wonder why it had to be a new working group and not a new group within Zigbee.

Its like saying Cowboys, 49ers, Patriots, and the NFL join together to create a new football league.


I think the keyword is "over IP". My understanding is that Zigbee works at the lower layers.


> My understanding is that Zigbee works at the lower layers.

Zigbee is not IP. It's a completely different network, which is why many Zigbee based solutions often require a hub/gateway (which speaks both IP and Zigbee) to enable control via smart-phone apps or stuff like that.

To be honest, I'm pretty happy about that. The less my smart-devices has to do with my local wifi/LAN, the happier I am.

Not really sure I like the direction this is heading.


I’ll probably end up firewalling off a zone just for this type of traffic in the future.


But that way they can still report back to the cloud, on top of what their actual function is.

In that regard I much prefer non-IP based devices.


I'd assume the average person has no clue what Zigbee is. I know I'd never heard of it


From what I’ve read, Zigbee is for the rest of the world what Z-Wave is for the US, in terms of market share. Not sure how accurate that is, but from what I’ve seen, there are a lot more Zigbee devices here in Germany than Z-Wave, while most US sites talk about Z-Wave.


What Zigbee devices can you buy apart from Hue lamps? ZWave has been dominant for many years because there are hardly any Zigbee devices, be it in the US or in the EU. FWIW I'm in the Netherlands and have all ZWave, and when you look at e.g. the symcon.de forums, there are plenty of ZWave users in the EU (and Germany specifically).


Looking at amazon.de, I see switches, dimmers, thermostats, plugs, motion/humidity/pressure sensor and of course lights.

And Google Trends has zigbee far higher up than z-wave for google trends in Germany [0] vs USA [1}

[0] https://trends.google.com/trends/explore?geo=DE&q=zigbee,z-w...

[1] https://trends.google.com/trends/explore?geo=US&q=zigbee,z-w...


IKEA Tradfri devices are probably the biggest user of ZigBee.


Xiaomi Aqara Amazon Echo Plus etc as a Zigbee hub Tradfri/HomeSmart from Ikea

I'm not sure I see much z-wave stuff (at least here in Australia)


Not sure what the general state is now, but as a brand name it was one of the top most popular for at least a good year or two, back when I first got interested in home automation.

(The other two at the time were Z-Wave and X10, with X10 recommended against as obsolete/dying; I ended up settling on Z-Wave, so I stopped paying attention to Zigbee and other competitors)


Just because the 'standard' is open doesn't mean it will be free software. See: HTML5.


First we need an acronym for this alliance. I think GAZA will be appropriate. Secondly, regarding your future standard: Cool, thanks guys. I'll hack that.


I will never use these devices. I think those that do are opening themselves up to hackers, law enforcement and criminal abuse. This is clearly something that should be Open Source/ Open Bonnet or closed to my home.


You need to tell Marshall this. ;-)

It seems entirely possible to put voice recognition on local machines with downloaded updates, but of course they're never going to do this.


I assure you chime and amazon and google have all been caught sending back the audio


I'd never use it myself excepting maybe video only for a burglar alarm, but because Marshall worked on home automation protocols, he loves this stuff. I always had nightmares the damn "smart light bulbs" in the 2nd street office were listening in on our conversations.


Oh now i know what marshall you are talking about.Yea, that's just dumb


In the past 10 years, I haven't seen even one Zigbee device sold in retail besides IKEA remote.

Zigbee is pretty much a zombie standard now


I think Zigbee is in the uptick. Philips Hue works with it. Ikea is aggressively pushing products. There is (was? website recently went down, perhaps it has something to do with this announcement) DotDot (https://en.wikipedia.org/wiki/ZigBee#Cluster_Library) based on Thread. Which is used by Nest/Google.


Zigbee is used all the time in smart lights, plugs, doorbells, temperature sensors and the such. It's a very popular standard.


I personally have seen more Z-Wave devices than Zigbee in the wild.


Just yesterday Aqara (Xiaomi) launched their Amazon storefront. All their devices are Zigbee and had mostly only been available from places like Aliexpress. Zigbee is far from a dead standard.


The vast majority of budget devices I have found are ZigBee:

- Philips Hue

- Xiaomi

- IKEA

- Sonoff


Ha. Them? Forget it. The "Open Standard" will require phoning home to the manufacturer or it's "not certifiable". Trust these guys like your drug addict former friend.


> Apple, Microsoft, Dell, Tesla and Google's parent company, Alphabet are named in the lawsuit

The comma misuse is legendary.

https://www.amazon.com/Eats-Shoots-Leaves-Tolerance-Punctuat...

Fixed: Apple, Microsoft, Dell, Tesla, and Google's parent company, Alphabet, are named in the lawsuit


That's why I wore a shirt like this in college

https://www.teepublic.com/t-shirt/637761-i-write-code-progra...


Wrong thread, you're looking for https://news.ycombinator.com/item?id=21824178


O_O

I posted it in that thread. What the fuck?


What we really need is a legislation for those devices, that force all manufacturer to:

- have a hardware switch for everything

- have 2 microphones. One is always on, and only listens to the keyword, and is not linked to the rest of the device. If it detects the keyword, it triggers a hardware switch that activate the second microphone.

- text recognition is done from a local unit, not a remote server. This local unit analyse the voice then send proper commands to the rest of the device, but never share the words, and cannot receive data from the rest of the hardware except during signed updates.

- all devices share a stanadrd color code for a mandatory indicator light giving the state of it and a standard activation/confirmation sound

- all devices must be able to be controlled from a provided remote with a button instead of a keyword, which can be deactivated

- all devices must have a BT kill switch, if a phone send a signal saying "I don't want to be listened to", the device will no activate.

- any data sent to server must be encrypted from the client with a key the server doesn't have

And once it's done, do something similar for phones, e-health devices, etc.

We can't expect big companies to act decently, and technology is not going to save us.


We don’t need that.

You’re right that technology isn’t going to save us though. You can just, you know, not use Alexa. Normal light switches continue to work. Windows still exist for checking the local weather and are probably more reliable than Alexa is.


I don't have any kind of smart speakers or camera at home.

The problem is that many other people I visit do.

It's the same issue with Google products in general: I don't have a gmail address. My phone don't even have an email tied to it and I don't use the official store. But because my contacts mostly do those things, google still has a log of all my conversations, my face in pictures, my positions, etc.

But even then it's not just about me: people take bad decisions all the time, companies as well. We don't let people own a radioactive materials, we have laws for that. We don't allow companies to sell radioactive materials to the public, we have laws for that.


Yeah but <insert jingoistic hopeful statement about the future that completely ignores how dystopian the technology these companies build is increasingly becoming>!!!!1111eleventyomgz

"Just don't buy it hahahaha checkmate" completely ignores the fact that even though I now choose not to do business with Google, I am still many times a day forced to use their Captcha or visit sites that host their ads (which I block, btw).

Saying "we don't need that you just need not to buy it" is exactly the same situation. All we are asking for is a reasonable way to opt out - and actually opt out. These technologies are made viral by design to collect maximally valuable data from their users, and the very idea that someone might want to opt out is totally ignored.

I personally don't own any of these devices and will never allow one in my home. I feel sorry for my kids that they will grow up with all their friends talking about them and not be able to share in it - and I will explain to them why.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: