Hacker News new | past | comments | ask | show | jobs | submit login
Amazon, Apple, Google, and the Zigbee Alliance to develop connectivity standard (apple.com)
740 points by _quhg on Dec 18, 2019 | hide | past | favorite | 355 comments

For someone who thinks Zigbee already is an open standard, well, it is NOT really open though. A standard being publicity available does not always make it open-source friendly.

Linux considers it a proprietary protocol [1] so Zigbee driver cannot be part of Linux kernel. Although Zigbee spec allows non-commercial individuals to freely use it, a commercial organization must be a member of the Zigbee Alliance in order to use Zigbee, which violates the GPL standard. [2]

At least the article speaks out "an open-source approach", let's see if things will get better.

[1]: https://www.kernel.org/doc/html/latest/networking/ieee802154...

[2]: https://archive.freaklabs.org/index.php/blog/zigbee/zigbee-l...

There's also the bit where Zigbee devices have to share a secret key to talk to each other, mostly to prevent competition from low cost devices manufactured in China.

Yeah! They want you to use the high cost devices manufactured in China.

Or mostly the same cheap devices manufactured in China but sold through your friendly middlemen.

No, American Marketing Companies (Apple, Amazon, Google, Etc) want to use the Cheap China Manufacturers, they just dont want consumers to be able to buy them direct

When they kept the already known secret key for pairing bulbs in the new supposedly secret version of Zigbee it was obvious they didn't care about security at all

After all the "S" in IoT stands for Security.

I literally have an SSID on my Ubiquiti WAP with that as the name.

> mostly to prevent competition from low cost devices manufactured in China.

mostly to prevent competition from patent-infringing clones manufactured in China.


I actually worked at Ember for a bit before leaving when they get bought by Silicon Labs. The reason, internally, really was the fear that there would be a flood of low quality products that would make ZigBee look bad.

For that, you need certification, not gatekeeping.

Publish a set of tests a device must pass, broadly, to be certified compliant.

Allow manufacturers test their devices, for a fee, and win a certificate, or know where they failed. Much like you can take a language exam (say, TOEFL).

> fear that there would be a flood of low quality products

That's mental gymnastics. The fear is having to compete against cheaper products (possibly low quality, but possibly not). Even broken DRM is an excellent anti-competitive tool because no one can legally sell a competing product.

as opposed to ZigBee making ZigBee look bad as it stands now. Only big names looking for a lockin pick ZigBee.

Key exchange for IoT devices is a tricky problem.

IoT devices don't support public key infrastructure, e.g. something like GnuPG or the SSL certificates used by web browsers.

It's a very practical solution to have a shared secret between the device and a central server, and, at registration time, have the central server make a key for both the hub and the device.

Without some kind of key exchange, people could set off your alarm, turn on your lights, open your door...

The solution is to have a pairing mode that allows the device to be paired with a control device (e.g. your phone) via wireless while you're in the same room as it. That would only have to be done once when it's installed and require pressing a physical button on the device while being in wireless range so that nobody can hack it remotely.

I will no longer install apps on my phone to pair devices. The reason is that then everyone wants to link my phone number to the device and create an account. There is nothing that intrinsically says they have to, but companies cannot resist asking for a unique identifier that happens to be linked to everything else in your life. No thank you.

So who says you should need their app? It should be a published protocol, and then you use whatever app you want that speaks the protocol instead of some heinous dreck from the manufacturer.

The part where they can't resist?

So no, there will not be a published protocol.

Isn't the topic of the article that they are trying to create a standard?

Isn't the topic about amazon, apple and google?

Probably most toxic companies on earth? Yeah, I'm sure it will be a wonder of openness.

Like ZWave has done for the last several years.

I know it has other issues, but particularly since ZWave2, the security model on ZWave far surpasses bluetooth or zigbee

Out-of-band pairing is a better idea, e.g. some key on the bulb has to be entered or scanned or read on the device.

The trouble with that is that you can't change it in case e.g. some temporary visitor to your house snaps a picture of the key.

If you as an individual has visitors who come to your house and snap pictures of codes in your devices... I wouldn't be more expectant of Zigbee or any other standards, rather I would be more keen on the visitors I allow into my house.

That shouldn't do them any good. The device should require it to be in pairing mode for the key to do anything.

But then what do you need the key for? In theory somebody else could try to pair with it while you have it in pairing mode, but they would have to be on your property for that and could potentially see the key anyway. So you go slap them with a trout or call the police or something, and then go back to setting up your future garbage.

So that that initial pairing is more secure.

Zigbee etc. tries to get around the whole thing by requiring that the pairing process is done from a 5cm or something distance.

Imho that is good enough but I don't know how far you could extend it with directional antennas etc.

That anyone can reclaim a device they hold in their hand is a feature.

I'm not a fan. If I get a new hub, the last thing I want to do is unscrew every light switch to find the picture on it to scan and if I buy a house with pre-existing hardware I don't want to rely on the last owner having taken pictures associated with every switch and left it for me.

OOB pairing could have rolling keys, but that's more expensive. In general the problem is difficult, every solution has a nasty caveat, be it taking over during installation or what your described.

If you look at the Zigbee member list, there are many China based companies. They don't need to 'steal' anything as members.

The comment mentioned nothing about stealing.

True. I was looking at TheKarateKid comment about infringing companies. The country where most stuff is manufactured, white labelled and sold at a premium by brand names :)

I'm sort of reminded of the book "Schiit Happened" from the Schiit guys (they make cool headphone amps). They documented how they started their business.

One thing they mentioned is that apart from RCA jacks, all the surround sound standards are tied up and closed.

Anyone else knowing any industries where "standards are tied up and closed"?

To understand some of the reasoning of what is open and isn't you can look at the different versions of their IPR, testing and use policies. There used to be 'profiles' but they were merged into one version: 3.0 IPR version 4 allowed anyone to use the specs and develop product 'based' on Zigbee and didn't protect anyone from IP enforcement from the many patent holders. This caused a lot of issues around 'interoperability' and end user adoption. "It says Zigbee but it doesn't work with other 'Zigbee' devices." IPR version 5 moved to improve interoperability and enable members to increase development by increasing protections. It granted RANDZ between all members. It improved interoperability by only allowing the use of the name and logo if the device was certified by an approved test house. This did increase deployments and reduced interop issues. Now there is IPR version 6, which allows for the growth of other protocols, providing the IP protection developers, manufacturers and retails want and could enable further industry consolidation - which is good for the end consumer. The average Joe and Jane just want stuff that works without having to be a technical expert. Any open source move is probably about getting more developers exposed and involved to help grow the base both creators - and consumers.

Well, it also talks about using Thread, which I just learned has the same "must be a member of blahblahblah" restrictions (https://en.wikipedia.org/wiki/Thread_(network_protocol)).

It reminds me of the old "FireWire vs USB."

Firewire was an originally open standard, but there came Apple and demanded to exact a symbolic 1$ per device payment.

Despite FireWire being an indisputably better standard from technical standpoint, that 1$ completely ruined the mood with OEMs, and they lost the market.

USB on the other hand, was not really open, but Intel's central leadership in it guaranteed that there were no disarray with association peers throwing random capricious demands.

Most USB implementers were random Taiwanese OEMs who never formally joined the USB-IF, but nevertheless Intel was smart enough to close eyes on that.

>Firewire was an originally open standard, but there came Apple and demanded to exact a symbolic 1$ per device payment.

What? Firewire was a project initiated by Apple in mid-1980s, which then was further developed by the IEEE P1394 Working Group. Patents and pooling was part of it from the very beginning, with the primary drivers being Apple, Panasonic, Philips, and Sony (there were also a half-dozen odd smaller contributors). I don't remember there being any sort of "originally open standard" part to it whatsoever. Yeah, Apple owned the trademarked name "Firewire" for IEEE 1394, while Sony and TI used "i.LINK" and "Lynx" respectively, and Apple initially tried charging extra for that which was really stupid (but late 90s Apple was pretty dysfunctional). But even without that wasn't there still the standard $0.25/unit manufacturer royalty?

If you've got some other sources I'd be happy for the trip down memory lane because it's been a really, really long time since that particular battle. I'm not disagreeing that Apple's charge definitely harmed momentum, just that it's not like they came out of nowhere. Though it's worth noting that Firewire was inherently more costly anyway since it required dedicated silicon rather than handing everything off to the CPU. At the time that also gave it vastly more reliable real performance and latency vs USB, and Firewire 400 would typically obliterate USB 2 despite the latter having a sticker speed of 480 Mbps. But it was more inherently costly IIRC.

1394TA was open as far as I remember

HEVC, VVC, H.264 are also Open Standards, does not mean it is patents free or Royalty free.

While VP8, VP9 arguably isn't as much of of Open Standards, it is not patents free ( Neither is AV1 ) but Royalty Free.

Margins on most consumer electronics are extremely small. $1 per device may seem symbolic, but it starts looking like real money at scale.

I own many USB gadgets that I bought for less than $10. Paying 10% of the retail price for the privilege of using a specific port/protocol seems out of the question. Even for low-end computers (~$300) $1 for a license is a lot of money.

FireWire also had a few port types which required different cables and connectors, while USB at the time only had one (this was before Mini and Micro USB). Apple even included dongle converters with their iPods.

USB also had the advantage of Intel pushing it, resulting in almost every PC with an Intel CPU (large majority) having USB ports.

> USB also had the advantage of Intel pushing it, resulting in almost every PC with an Intel CPU (large majority) having USB ports.

In the mid to late 1990s, USB was scarce. It didn't take off until after Apple replaced its ADB (Apple Desktop Bus) port with USB in the first iMacs. Once that happened, manufacturers flooded the market with consumer products (e.g. CDRW drives) and PC makers followed suit. Up to that point PC makers had standardized on the serial port.

I don't have contemporaneous links at the moment but the second paragraph of a relatively recent (2015) article summarizes:

> But Apple shocked the computing world when it swept its old connectors away with the original 1998 iMac. The bulbous computer adopted a then-struggling standard developed by Intel called USB (Universal Serial Bus). In a hint of what was to become the company’s ability to make or break certain technologies, USB would go on to live up to its “universal” descriptor and become the most prevalent connectivity standard in the world. The solid-and-hollow stacked rectangles of its “A” connector now appear in everything from alarm clocks to airplanes. [0]

[0] https://www.fastcompany.com/3044088/apple-and-usb-a-history-...

That neglects to mention that Microsoft Windows 95 OSR2 launched a few months before (97) and that entire release was centered around better USB support for a broader range of components. (e.g. CDRW Drives)

I don't think its fair to say PC "Followed suit" in using USB.

If I remember at the time peripheral manufacturers had USB devices ready to go for the Win95 launch and Microsoft fucked up and couldn't get USB support ready in time. So Win95 shipped without it and peripheral manufacturers were utterly livid.

The next couple of releases of Windows included totally redesigned USB support.

Once Windows 98 hit though, USB was well supported on the platform. During a brief stint in late 98 through 99 I worked at a consumer electronics chip manufacturer (56K modems and DSL) and we had good support for USB on Windows 98 and Windows NT at that time.

> I don't think its fair to say PC "Followed suit" in using USB.

I didn't say that. I said, specifically, "PC makers followed suit".

Microsoft may have supported USB in their OS, but PC manufacturers lagged.

I doubt Apple had anything to do with pushing USB's widespread adoption. Apple was at one of its lowest points during this time period, and it was pre OSX.

The poor support in Windows, as well as peripheral OEMs still using other ports slowed its adoption.

I think the problem was that USB can charge only @ 5 v vs firewire @ 12 v

There is just one open standard. User having root access to the IOT device and scripting there whatever it wants. Any 3rd party dependence is a way of collecting and selling data (google and fitbit acquisition) and should be prohibited. Vote with your wallet, dont buy devices that prohibit you root access and make 3rd party servers access mandatory. Simple as that.

10 years in the trenches here.

Apple’s smart home protocol famously does not support multiple users. Amazon is choosy on what features you can implement (turn on alarms but not turning them off, locking doors but not unlocking them). Google loves using radio hardware no one else supports. Zigbee has delightful legacy security vulnerabilities and consortium drama.

I look forward to these groups putting aside their differences, coming together, and creating a new standard that combines the best of all these anti-patterns.

That was very well put. I eager await the new standard, released in 2033, that allows me (but not my wife) to lock our door using handcrafted 1.38GHz radios that require FCC licensing on the per-unit level.

> Amazon is choosy on what features you can implement

Allowing someone to holler into an open (or recently broken) window to open my front door sounds terrifying.

I, on the other hand, am on the 17th floor. Anyone who can holler at a smart device in my apartment has already compromised something important, and could probably get in anyway.

Also, just require a passphrase? To go full star trek, "[Alexa/Google/Siri], unlock the front door, authorisation singingboyo Alpha Pi Pi Zulu" sounds workable.

IIRC Amazon does allow for this. I use Smartthing + Homebridge for operating my lock (Prompts me on my phone to unlock the door when I get near the house and locks the door when I close it) but I do have Alexa as well and I at least looked into using it to lock/unlock. For the unlock I have to read off a pin, it will lock without needing a pin.

We truly live in the future.

I’m not sure if you are joking/mocking but for me at least it’s super convenient to tap a notification on my watch as I pull into my driveway and way directly into my house (detached garage I don’t park in so I enter through the front door). It’s also nice to know anytime I close the door it will lock behind me. I quite enjoy living in the future.

Or you could use voice authentication... or require that known phones are within range, or best yet don't link your smart speaker to your door lock (when do the pros outweigh the cons here?)

I use a password to deactivate my Ring via our Echo.

I bet you sleep fine knowing anyone can simply pick your locks to get in using knowledge easily obtained on YouTube and using tools readily available.

That statement is equally true for fancy "smart" systems.


sleep tight.

Yes. So they are both susceptible to being compromised. So it'd be up to user preference as to what method they want to lock / unlock their door with then?

To sleep fine you can use the type of a lock that only opens from inside with turn of a knob (deadbolt?).

I keep thinking back how in the dark ages my parents never locked the door. Much less windows. No one had time for that.

If they broke your window they’d probably crawl through it.

What about throwing a small speaker through the window that blasts out “Alexa, unlock front door ... Siri, unlock front door” ? (I’m no criminal mastermind, but just a random thought)

> Apples smart home protocol famously does not support multiple users.

Can you clarify this? I set up my "home" and was able to share it with my wife, who sees all of the same controls in the Home app that I do. We don't have any family sharing, etc set up.

I think that they mean there is no way for your wife (or more practically, a kid) to see a different set of controls, it's all or nothing.

> Apple’s smart home protocol famously does not support multiple users.

It does? I'm added to my dad's account and can access everything just fine along with my own stuff.


Is there an alternative today, like a de facto standard based on open specs/protocols?

When it comes to smart home tech cost-cutting it's all about simplifying the small-but-many pieces. That's where RF 433 Mhz comes in.

Why should I pay $40+ for a zigbee/z-wave/smart-things/wifi-enabled door sensor when I can get a $35 RF Sonoff bridge and get each sensor for around $4-$8 from china.

So you can save a lot of money by using that tactic with door sensors/window sensors/PIR Sensors/Alarm systems/Sirens/Switches etc. because those will add up massively. You can't use that for TV/Speakers/Cameras ofc but you can bring everything together onto home assistant.

As far as I'm concerned, only the community can decide which protocol will win and these big techs should just put their weight behind a protocol built with the community instead of closed-door-consensus.



How about Bluetooth 5.0 (with mesh)?


Z-wave is about as far as you can get from open. Until 2018 when SiLabs acquired it from Sigma, all silicon had to be purchased directly from Sigma.

The hardware is far from open, but the issue of the interface being 'licensed' was cleared by SiLabs, which was very nice.

> The goal of the Connected Home over IP project is to simplify development for manufacturers...

> The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol and increase compatibility for consumers.

Curious if I as a hobbyist will benefit from this? Or if this will become a: it works perfectly, but only if all your devices connect to our certification servers kind of thing, like Chromecast is becoming.

My guess: first of all, "for security reasons" your DIY device will need to be certified, any existing SBCs will need to be replaced/extended to support new type of network and due to bloated protocol specs with a myriad of abstraction levels will render it almost impossible to implement it on your own and the open source library that can do that will implement the standard as specified whereas all proprietary solutions will have some quirks and little differences from official standard making it very hard to connect to anything from your open source lib. Also the sophistication of the new standard will exceed the capabilities of any arduino forcing you to replace any boards you have with new ones that have AVR uc with Connected Home hardware support.

Believe me, they will it will never find adoption. How to say, they are free to make whatever standards, but they will not matter much if nobody will use them.

Their entire ecosystem together have less devices shipped than even some OEM nonames, not to say of Xiaomi or Huawei or Tuya who tower over them.

All kinds of "smart assistants" like Alexa end up in drawers very quickly after initial novelty passes, and it creeping up you in the middle of a conversation gets annoying. From data I have, sales of those smart speakers is already starting to taper off.

In Russia, there is an idiom "to divide the cake before it's baked." And those guys are doing exactly that: people don't even know what those "connected home" devices are and which ones sell well, yet they are already eager make up standards for them.

Apparently at least Apple is turning over a new leaf; they just open sourced HomeKit: https://news.ycombinator.com/item?id=21831259

Andreas Gal? What a surprise.

That's the guy who flopped with Silk Labs labs.

I thought the russian idiom was something about splitting the hide before youve shot the bear.

Don't know much about russian idioms, but "splitting the <rewards x> before <accomplishing risky thing y>" sounds a lot like that stock thing the dutch east india company created

My experience is the opposite, basically every home I go to has an Alexa or a google home. It’s not doing too much typically managing lights/smart switches, and playing music.

Can confirm. My alexa went in the drawer after she was offering to call the crisis line for me during a spirited session of gaming.

I genuinely think the Amazon team (at least in that particular regard) want to do some good. But until they can teach their machines how to understand context, I just don't want my unfiltered conversations going around potentially to medical institutions or law enforcement.

I am surprised this is how we have ended up. We have already had a pretty good looking model for this sort of voice activated computer interaction thanks to Star Trek: TNG.

It would be far more palatable for the devices to wait for a command cue ("Computer--") to respond with an activation bleep. After the bleep, the commands begin to be interpereted.

Instead we have a listener always awaiting commands. What could be a helpful and invisible servant is instead some kind of jerk who interjects with the most literal interpretations of normal conversations.

If I wake up in the morning feeling grumpy (every day) and say some crazy crap (totally possible) on my way to the can, will an apple contractor employee be able to figure out what the hell I really wanted by reviewing the seconds of audio?

I have made death threats to wall hanging photographs in those 30 minutes before my medication kicks in. There is no checkbox for this in the privacy settings. I know with some of these smart things you can change the prompt, but this feels like not the best we can come up with.

> command cue ("Computer--") to respond with an activation bleep

This can be turned on in the Home app → Accessibility → "Play start sound" (as well as "Play end sound").

> Can confirm. My alexa went in the drawer after she was offering to call the crisis line for me during a spirited session of gaming.

Wait, what? Please explain more.

It feels like you're saying Alexa heard you being ... passionate, and got concerned. But my understanding was that Alexa listens only after the trigger word. I'm really confused by what you've said and wish to know more context.

If you've ever owned a device like Alexa or Google Home what he said isn't confusing at all. They trigger accidentally all the time. His Alexa simply triggered when it wasn't supposed to and then reacted to what he was saying. Given he was gaming it was likely something about killing himself or someone else.

Huh, interesting. I have an amazon echo. My problem with it is not that it activates when I don't say trigger word, it's that I have to try very many times to get it triggered (usually by speaking louder).

It's impossible for me to say with certainty if it didn't just interpret something I said as it's trigger. Nevertheless, I was playing Halo online and yelling about a match going badly, saying something to the effect of "we might as well kill ourselves, this match is just not going our way" while laughing, and Alexa interpreted it as me contemplating suicide, and offered to connect me to a crisis line.

Great, now we need another device recording all sounds so we can play then back to reverse engineer smart speaker behavior :(

Has anyone found Alexa way too easy to trigger? As someone who frequently talks about people with a similar name, I'm amazed at how often Alexa chimes in. I think 'OK Google' is at a sweet spot (although my parents for ages were convinced 'hi google' would work if they tried enough :)

Don't have an Alexa so can't comment on how easy it is to trigger, although I don't know any Alexes so it'd unlikely be a problem for me.

What I can say about the google equivelent is that I find saying 'Hey Google' everytime I want it to do something is a bit of a mouthful especially if you want to do several things is shortish succession.

And my other problem is that I apprently say 'OK Cool' too often when I'm on the desk phone at work as my google account is full of recordings of bits of my work phone convo's where I've triggered it unwittingly.

Sometimes mine starts responding to... nothing. As in, in the midst of silence in the middle of the night, like a dog barking at ghosts, it'll answer a question literally nothing asked.

Id say yes. I just switched from google and feel like google was too buggy and slightly too hard to trigger. Alexa is too easy to trigger and has too many notifications.

"Hey Google" is a valid trigger for some versions of the assistant, so they weren't that far off and may have seen that in action before.

Pretty sure you can change the name she responds to.

It's a limited set of options though, like 'Computer', which is hardly an uncommon word.

For clarity, Alexa responded to my comments without being triggered. It's always listening (which makes sense, by virtue of listening for the trigger) but in this case, it reacted without the "Alexa" key word.

> any existing SBCs will need to be replaced/extended to support new type of network and due to bloated protocol specs with a myriad of abstraction levels will render it almost impossible to implement it on your own and the open source library that can do that will implement the standard as specified whereas all proprietary solutions will have some quirks and little differences from official standard making it very hard to connect to anything from your open source lib.

Whoa, is it really necessary to call BlueTooth out like that?

BT v1 to v3 maybe, but BTLE/v4 solved a lot of the problems afaik.

You're probably right. It's been a while since I had the misfortune of working with BT.

For anyone not following the the link, cptskippy has given a user perspective that summarises things nicely in my view:

“It's easier to tell when you're not using BLE. :) The Tesla Model 3 uses traditional Bluetooth for phone calls and streaming but the Phone as a Key functionality is BLE. When you walk up to the car and try to open it and the car says FU then BLE isn't working. When your Xiaomi Mi Band smartwatch hasn't buzzed all day but you pull your smartphone out of your pocket and have 8 missed calls, 100 messages, and 500 emails then BLE isn't working. When you're at a Tech Conference and the Conference App uses BLE Beacons to help navigate you indoors and it can't determine your location then BLE isn't working.”

Apple's existing standard (HomeKit) is relatively 'open' - the specification is published, and several open source implementations exist. I've used the Python one to implement automation on the smart-home devices I've built myself. However, you do need to be certified to distribute a product otherwise you get a warning in the app when you add the device.

This seems like a fair compromise to me.

A self-plug for my own HAP C library: https://github.com/andoma/libhap

I've been using it on a Raspberry Pi to control various things and recently decided to shape it up and release it to the public.

Seems fair indeed. I did a quick search and HomeKit seems to work without an internet connection (on lan at least, not remote), what's your experience with that?

Yeah, it works completely locally on the lan - there's a MDNS discovery and then pairing process between devices and the phone.

You can access stuff remotely if you have an Apple device which is paired to the homekit stuff and connected to the internet (e.g. an Apple TV, we use an iPad which is always at home).

I've deliberately designed my system to work offline as while our connection's pretty reliable I don't see why I should need an internet connection to turn on a light! :)

> I don't see why I should need an internet connection to turn on a light!

I hope manufacturers see it the same way.

I don't mind devices having to be certified, I mostly want to buy hardware of the shelve anyways for safety and convenience reasons and build the controlling/automation part myself. So my biggest worries are not having a local API, data exposure and having to invest in a ecosystem and having the manufacturer brick it remotely, wasting my money.

At least for HomeKit, manufacturers have no choice but to support local network access to get certified. This has cause issues, especially with Cameras since HomeKit requires that camera streams not go through the cloud first.

HomeKit is now open source: https://news.ycombinator.com/item?id=21831259

> The HomeKit Open Source ADK is an open-source version of the HomeKit Accessory Development Kit. It can be used by any developer to prototype non-commercial smart home accessories. For commercial accessories, accessory developers must continue to use the commercial version of the HomeKit ADK available through the MFi Program.

So only the "device" part, sadly not the "controller" part. So you'll still need a iOS device to setup stuff in your house, I tried it yesterday with only my iMac to no avail.

But still it's a step in the right direction.

FYI: Homekit requires you to by a DRM chip from Apple to basically do a hanshake with Iphone and nothing else.

Not a good idea with OEMs, and that's why I believe they gave up the white flag now: no adoption.

They are either jump on the smart home bandwagon now, or never.

It was a hardware auth chip, not DRM and it hasn’t been required for 2 years now. Software auth went live in iOS 11.3. Apple doesn’t encourage the chip anymore and AFAIK no one uses it (except legacy devices obviously). Software auth rules the day.

Well too late now, the boat has sailed.

Most OEMs chose APP + own protocol approach

I think most major HA hardware providers support Homekit at this point, with the exception of ones that don't because of competitive reasons (Nest, maybe Ring, etc) or because of strict certification requirements (like camera streams being local, $$$).

Perhaps. The Phillips Hue lights use an open standard, I bought a usb device that could talk it (ZigBee Light Link) but then it turned out that production devices used a master key.

Here's a discussion of the master key being leaked:


But I looked it it before that and never tried to look it up again.

So likely so, and with today's encryption it probably won't get hacked for hobbyists to use/learn/play but of course I guess the argument is that the Hue Bridge and other devices will have an API.

I can recall something along the lines: used to be like that with Light Link but as of Zigbee 3 it’s really interoperable all round (Hue hub registering third party devices and Hue lamps working with generic hubs.)

I’m still looking for other devices to mesh into a ZB3 network: I’d love to see an Opentherm capable controller able to use any connected thermometer and heating element valves to modulate heat flux production and distribution around my flat. Might be overthinking though... it’s so well thermally insulated.

> This Tweet from @MayaZigBee has been withheld in response to a report from the copyright holder.


Also, using mobile.twitter.com (as linked) I see a single reply, if I delete `mobile.` I see no replies. Interesting.

I really hope they recognize the need that people want to keep their data on their lan. Actually that would be required by the GDPR if they won't let me sign anything. My derived data is my own people, it does not belong to who ever collects it.

I.e. I just want a thermostat the is a big rotating button and speaks mqtt. It does not exist. If you want it to look good you end up with a Nest thermostat. Home Assistant needs to talk to the Nest online API, not to the device itself. Really annoying and unnecessary. I wish I could just pay 50$ more and get a Nest that does let me talk to it locally. Or whatever are they going to earn with my data? I'd probably pay it straight up.

https://iot.mozilla.org -- can easily install the WebThings Gateway on a Raspberry Pi, or in a Docker container, or CLI install to a Linux box. It runs locally in your home. No cloud account, no cloud data center dependency, command and control accessible from the web UI served up by the home gateway. Local voice commands are possible too. My "home smart home" stays in my home. :)

Hubitat seems to be trying to be a SmartThings without the data in the cloud [1]. They seem to have a pretty active community.

[1] https://hubitat.com/

If your device supports opentherm (which is not as open as you might think, btw) you might want to look into OTGW [0]. It probably works with Nest to if the Nest allows to run without internet at all.

[0] http://otgw.tclcode.com/

My central heater is a simple on/off model. Nest will work offline with it but afaik you can't write target temperatures to it then.

To bad, my old heater had opentherm, with the OTGW I could intercept the packets between the heater and thermostat, change values (eg: date/time), issue commands (set room temperature) and add missing functionality (outside temperature for heating curve), it was ideal in every way. But I moved and my current heater has a proprietary protocol over rs485 so its a no-go for the OTGW.

In the EU there are no systems without opentherm by law luckily.

That does mean some systems are not available at all, so "luckily".

I use Venstar thermostats with Home Assistant. They're totally fine, but wifi only I believe. Local API, so no cloud nonsense. I've been running them for about a year with no major problems.

They don't seem to be available in Europe, the thermostat market is surprisingly local, i.e. we also don't have Ecobee here. The Venstars do looks nice indeed.

Hmmm maybe eBay (i got one of mine there)?

I had several Google Home devices, and you could not even boot them up unless you had a phone with an account that was opted into location history, web history, search history, and youtube watch history. Google has completely lost any concept of privacy.

At least for the ecobee, hass can add it as a local homekit device

Yeah I hope ecobee gets to Europe before I get a nest :)

>I really hope they recognize the need that people want to keep their data on their lan. Actually that would be required by the GDPR if they won't let me sign anything. My derived data is my own people, it does not belong to who ever collects it.

GDPR is a joke and easily bypassed because users are overwhemingly dumb and agree to anything without reading. By making it online service dependent they don't have to care, the experience will be horribly degraded without signing in.

Something tells me it won't work with privacy oriented systems like hass.io (https://www.home-assistant.io/hassio), but I'd be happy to be wrong.

> The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use. By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

Yet I don't see any mention of making those being able to work completely offline/standalone.

We rely too much on cloud services that ultimately get turned off after an undetermined about of time.

There is no way I am buying home automation equipment I cannot control myself, especially in a situation where the giants like Google could simply decide to terminate my account because I said or did something they didn't like and take down related systems with it.

"Since your recent comment does not meet our Community Standards(tm) your account has been suspended for a period of 28 days*. Additionally you will not be able to turn on the lights during that period and your microwave usage will be limited to 90 seconds daily."

I am personally really against my IoT devices being able to "speak" TCP/IP, I want them to use dumb radios (Z-wave or if I must, Zigbee) that cannot talk to the internet. I get the draw of Wifi/IP devices but I avoid them at all costs. I don't want 10's or 100's of devices on my network that all are talking to servers in China.

I bought a few cheap POE Chinese cameras that I use with Zoneminder but they are all blocked from any internet access except talking to Zoneminder (local).

I would agree but there is quite a benefit to having these smart devices connect to technology already in the home. With the absence of a proprietary radio, it's easier for me to control them as well. I currently have firewall rules on my network that blocks all communication between my smart devices and the internet. They can only communicate on the LAN and cannot send/receive information outside of the network. I feel like if more proprietary communication protocols were implemented it would be hard to determine which devices were communicating, and which are accessing the internet(for example if a device has an embedded LTE chip to make up for lack of WiFi connectivity).

>I don't want 10's or 100's of devices on my network that all are talking to servers in China.

I definitely agree, although I'd expand that to "talking to any servers at all anywhere for anything I don't explicitly grant permission for". However for that very reason I prefer WiFi/IP devices, because it makes it very easy and straight forward to apply all the powerful network management tools we have for everything else. All devices can go on their own VLANs for example, with careful management and logging of how they communicate. The real shame is that there aren't better, more consumer friendly tools for managing that more visually/automatically.

Custom radios aren't any inherent defense there, already there have been demonstrations of getting right into Z-wave/Zigbee networks using customized SDRs. They have a purpose from an ultra low energy and meshing point of view, but you should be suspicious of what security practices for such things will actually be. WiFi/IP at least has the benefit of tons of open attention and development for security critical situations already.

You've made some very good points and better explained what I really want. I also will admit that using existing tools to create VLANs to "quarantine" the devices is an option. That said (and you touched on this) the average consumer is not prepared to deal with any of that, maybe that will change but as of today it's not easy or even possible with most consumer-grade hardware.

As for Z-wave/Zigbee, I could be missing a potential security hole but personally I am less concerned with my Z*-devices being hacked and more concerned with IP-devices being hacked and being able to talk to other IP-based devices on my network.

For example, it would suck to have someone be able to hack my door or lights but it wouldn't be the end of the world AND it requires physical access/proximity. This is quite different from someone on the other side of the globe being able to hack a device, hack other devices on my network (non-IoT), and then do something malicious (ransomware, identity theft, etc).

>That said (and you touched on this) the average consumer is not prepared to deal with any of that, maybe that will change but as of today it's not easy or even possible with most consumer-grade hardware.

Right, at one point it looked like something like UniFi could show the way there, but Ubiquiti unfortunately has turned into a development dumpster fire and really lost its way, and I don't know of anyone else attempting something similar. The principle remains though that it's another path forward, there are already powerful tools for network control and management, and there are accessible open standards there. Putting a better UX on that is worth considering alongside other solutions is all.

>As for Z-wave/Zigbee, I could be missing a potential security hole but personally I am less concerned with my Z-devices being hacked and more concerned with IP-devices being hacked and being able to talk to other IP-based devices on my network. For example, it would suck to have someone be able to hack my door or lights but it wouldn't be the end of the world AND it requires physical access/proximity.

A lot depends on where you live. A few years ago for example there were a bunch of articles and demonstrations coming from research into and discovery of vulnerabilities in the ZigBee protocol itself. Because the whole point of it is meshing, if you're in an urban or even suburban environment with sufficient density, then a neighbor being hacked could then hack their neighbors etc in a chain reaction. And of course people had fun immediately putting SDRs on drones and doing a fresh new take on good 'ol war dialing, flying around owning anything they came across. Random example article:


Picked verge vs NYT since I don't think they're paywalled? Lots more though a quick DDG away covering the same thing at the time.

With meshing though, you do have to be somewhat careful about the concept of "proximity" and so on if there are protocol layer problems, which is less of a concern on WiFi for better and for worse. Your home might be locked down, but are you sure your neighbor or neighbor's neighbor and so on and so forth down the chain all have no entry point? I 100% grant it's more of a long term scalability consideration right now for many people, but hey, we're talking about a future protocol here!

Gonna be another exciting decade I guess :)

I haven't followed the AmpliFi line closely to know if it has easy VLAN support but yeah... I really like the UniFi offerings but a fulling working UniFi system (excluding the UDM) costs ~$800 from my last estimate. I'm saving for it but that's cause I'm a weirdo who enjoys those kinds of things.

If you don't mind me asking what networking stack are you using?

Also thank you for the very well thought out and reasoned reply! I wasn't fully aware of some of those attack vectors.

Lastly I think I've been so anti-wifi IoT because of the inherent security issues with literally everything currently on the market. I see the wifi IoT as a bubble about to pop unless routers gain security features for IoT or some other major changes are made to how they work today.

Depends on what you mean by "Fully Working"

I have a UniFi AP for WiFi, and a EdgeRouterX for route/switch. Of course the EdgeRouterX does not have the Fancy UniFi Management Portal but...

That was alot less than $800, I think I maybe have $125 in the hardware

Yes I mean:

* Cloud key

* 4-port POE switch

* Security gateway

* WiFi AP

I wanted to go all-in if I did it.

Sorry for the slow reply, and I see you've got (and made) one other response. As far as what stack I'm using, on my test lab it's a big mix of course, but my main personal stack right now is UniFi dating back from quite a few years ago. However, I really want to reemphasize my "dumpster fire" aside: I strong DON'T recommend getting into UniFi right now if you're starting fresh, or at least, if you do be really careful about it. It hasn't been that obvious from the outside if you didn't know what to look for, but from an community and heavy use perspective it's clear Ubiquiti has been having major internal developer issues for a few years now at least. The CEO is apparently pretty toxic, but whatever the reasons are the result has been a major stagnation of the line, both for hardware and software, rapidly increasing technical debt, and a lot of extremely confused moves that seem to amount to easy bikeshedding because real engineers weren't available. I started to get into some of the gory details but am just deleting that paragraph, it's not really relevant here. But to take a specific example, that security gateway you were looking at, which is necessary if you want to use UniFi for L3 features, basics like DNS (which incidentally is also half-assed) etc, is a good 5 years old now. They introduced the "UniFi Security Gateways" and then refreshed them... never. The software for those is stagnant, and core software (like Strongswan for VPN) are often horribly out of date. It chokes doing much of anything interesting, would be obliterated in perf by a current RPi. The switches aren't in quite so dire straights, but for the money they too now have the smell of obsolescence. Ubiquiti has no decent L3 story for 2019/2020, no move to competitive faster networking, and a lot of cruft built up because they like to introduce new things but not just update and replace old ones.

Having said all that, their PtP/PtMP links are still nice. Their APs are solid overall, and do have nice industrial design (though no word on WiFi 6, which for a new install I'd consider fairly important). The interface has degraded significantly over the last few versions, but it's still better and more unified than any other I know of. I mean, I'm still running it myself after all. But if you go that route know what you're getting into and look hard for open box and used stuff that'll be cheap. And I'd honestly suggest not bothering with the cloud key and just running the controller yourself, on an RPi or similar if you want something dedicated but cheap or else spin up a VM or container, or even just run native I guess if you've got a server you run otherwise. The CK is also ancient.

In summary: I adored UniFi, and the potential was(is?) fantastic, and their old vision was fantastic, and at one point they were a really solid venture all around. And I know of nothing else with the same vision either. Yet even so I'm expecting to have to dump it overall in the next few years, which sucks. But long bitter experience has taught me that glorious turnarounds are much more the exception than the rule :(.

Holy shit this an amazing reply and I couldn’t be happier you took the time. I had read some about of the issues you you talked about but you highlighted even more.

I might go down the secondhand/used route if I do decide to do it. Right now I’ve got a single all-in-one router running LEDE and I like it but I’m not able to reach more than 60% of my fiber internet so I’ve been looking to upgrade. I decided that if I was going to throw a couple hundred at it I figured I might as well go all in.

It’s always sad to see a company throw away such a promising future. I saw their new AmpliFi “Alien” router and I’m half tempted to buy that and wait a few more years for a better option to present itself. Or even the UDM but it seems like a very odd offering to me... I guess I’ll keep looking, thank you again for the advice.

Any suggestions on where to go instead of unifi? Was looking at starting fresh and they were still looking like the best option...

Was hoping to start with an extra AP or two for wifi coverage and then build out the rest in time.

Oh wow I just wrote a very similar comment before reading the previous replies. All good points!

Seems like there might be a market for something like pihole that detects connections to shady IoT servers.

I'm not sure what you are expecting here. CHoIP would define messaging that certified products must implement, meaning that an Amazon device and an Apple device would send the same message to a Phillips light to turn it on, and that message would be carried over IP.

The messaging would be agnostic of where the source is. It could be a device in the local network, or it could be a cloud-based service (assuming you open up your network).

HomeKit, for example, works locally, either over BLE or WiFi.

I still have to have an iCloud account to use HomeKit. So does it really matter if it works locally or not?

Reading though it seems like a common universal standard that fully removes the need for third party services as all devices will adhere to a common standard. (I"m sure all of these will offer third party apps and all that still) but if you look at something like Homekit smart plugs, you can configure many of them without ever using anything but the Home App, just scan and go. Done right, this standard could make these devices never need third party services, just local networking. Seems like the goal, obviously I agree with you that it should be a stated priority.

FYI: This is the project's official homepage: https://www.connectedhomeip.com

Trivia: I had never seen this Apple logo used before, looks like the name of the company using a San Francisco font.

I wonder if it's official or just a workaround due to the fact that all the other logos have names and not just an icon like the standard Apple logo.

Apple doesn’t tend to hand out their logo for industry groups and open source projects. That’s fine, it’s their support that matters. And it’s not like their name lacks brand recognition!

Here’s another example; same idea, different font:


They have been a principal organizer and sponsor of the LLVM Developers Meeting for years and even then they did not use their own logo.

I feel like this violates Apple's brand guidelines..

On the contrary, by not using the brand at all it ensures that third parties are not in a position to violate Apple’s brand guidelines.

That's totally Myriad Pro.

It actually makes me feel better about the project seeing Legrand on the list of companies than it does any of the 3 tech companies in the title.

Per the official homepage:

> The goal of the first specification release will be Wi-Fi, up to and including 802.11ax (aka Wi-Fi 6), that is 802.11a/b/g/n/ac/ax; Thread over 802.15.4-2006 at 2.4 GHz; and IP implementations for Bluetooth Low Energy, versions 4.1, 4.2, and 5.0 for the network and physical wireless protocols.

> The Project intends to leverage development work and protocols from existing systems such as: Amazon’s Alexa Smart Home, Apple’s HomeKit, Google’s Weave, Zigbee Alliance’s Dotdot data models

Dotdot is basically ZCL over IP (in a way), but comes with a lot of legacy from ZCL.

Thread was my hope for a unified smart home network layer, but it didn't really get the adoption I'd hoped, and from a manufacturer's perspective, it did not include any application-layer messaging.

It looks like the goal is to standardize the application layer messaging (of which Dotdot was an attempt). Maybe call it Dotdot v2, but with better backing.

I bought a home and the previous owner used Z-Wave for everything. The whole thing worked irregardless of internet working or not. Whatever they invent if it is useless without internet access its a step back from something that has already worked.

All my home automation / smart home integrations will have to be Z Wave compatible or I will not use it. If my internet goes out will all my things be useless without it?

First, personally my philosophy is to have any smart home type stuff have a dumb backup. You never know what might happen to your smart hub or whatever so having physical switched lights/ appliances is important.

Second, hopefully this doesn't come across as patronizing but based on your post it sounds like you aren't sure about this. IP is not "The Internet". You can have your own little private IP network which runs without the internet. If this is an open standard there should at least be the option to create a local only hub which only requires your local network is online.

That's not guaranteed considering who is backing this project, but it should be possible.

Z-wave takes less time to get working and once it does it stays working. I've bought Wifi switches that worked for as little as 2-3 months before dying. I've never had a Z-wave device die. Zigbee maybe be open but if it can't penetrate walls then it's just not worth the hassle.

Just a nit - it's regardless not irregardless.

Sadly, the lunatics at Amazon, Apple and Google live in their tech company campuses where internet is vast and plentiful. 99% of the country however has shit internet. Among many many other reasons.

Zigbee works fine without internet. And Z-wave is proprietary - only one company makes the controllers.

I didn't realize Z-Wave was proprietary. It is useful though, I can control things around my house with a USB adapter and a Rasbperry Pi.

LOL ... there has been a standard for years for smart home devices, it is called KNX (https://en.wikipedia.org/wiki/KNX_(standard)) ... what is wrong with KNX? Hundreds of companies already support it, so why not join them instead of re-inventing the wheel?

I think I know what im talking about, because my (smart) home automation is based on KNX, I use Alexa voice commands or a KNX app on my mobile devices to controll all my KNX compatible devices, a server gets the commands and allows me to control the lights (on/off/dimming), to inquire an set the temperature in each room, to control the inner blinds as well as the outer shutters (open/close), to get data of water consumption, electricity consumption from many devices like the cooking plate, the owen, the lights, the AC, ... to get values from my weather station like wind speed, wind direction, sun intensity and much more ... I also have fire detection sensors, movement sensors, air pollution and water leak sensors which can trigger alarms... I can inquire on my phone if I forgot to turn off the owen in the kitchen, if the main door is being or has been left opened. Through Alexa I have also connected my Roomba as well as my TV and all the media devices connected to it (using the Logitech Harmony hub) but those two things are not KNX, everything else is.

Being able to control all this through Alexa is super fun. When I go to bed I just need say "Alexa good night" and Alexa tells my KNX shutters to move down to 100%, all my lights in any room to 0%. When I leave the house I say "Alexa, good bye" and Alexa checks if my appliences are turned off, turns the lights off and lowers the heating in all the rooms a bit. Also as im super lazy, if I finish cooking and throw myself on the couch but forgot to turn of the kitchen lights I just need to say "Alexa turn of the kitchen lights and turn on netflix".

What is also nice is that I can program (control and combine) everything myself. I currently use NodeRed (https://nodered.org/). So I can program routines, like "if the time is > this and the front door gets opened send me an email or SMS", if the wind speed is above a certain threshold open the shutters to avoid damage, ...

I enjoyed the description of your home automation setup! I learned about the wide range of sensors and devices that can be incorporated, and that technically it's possible for the owner to programmatically control everything. I can see you're riding the edge of the coming wave.

Looking at the differences between the KNX standard and the "Connected Home over IP" project.. From the latter's home page [0]:

> By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

This seems like a higher level of abstraction than KNX (unless "smart home devices" in the above description includes the kind of individual sensors you mentioned) - and exclusively focused on using the Internet Protocol.

Reading the Wikipedia article on KNX, it does sound like it has all the elements needed for home automation, including what this new standard aims to achieve.

[0] https://www.connectedhomeip.com/


EDIT: Now reading about the ZigBee specs, I find there's a big overlap in protocols/functionality. As a complete newcomer, it's hard to disentangle the pros/cons of these standards.


Yes I'm riding the automation wave, but only because after working for 20 years as a developer I was finally able to afford buying an apartment and wanted to try to push automation to it's limits. I haven't done it all and could go even further, which is why I like KNX, it's not closed or bound to a single company so I can buy add even more stuff from a lot of providers (see some example of companies in my other comment).

The alexa bridge is not perfect, sometimes it has hald a second of delay. Twice a year the servers are down and it doesn't respond for few hours, but besides that I'm very happy with it. B.t.w. I used this server from PRO KNX to connect my Alexa(s) to the KNX server: https://proknx.com/en/news/2017/realknx-2-0-voice-control-al... (it is also compatible with Google Home as well as Apple Homekit).

Thx for the clarifications about the differences. I don't know much about the KNX standard. I fiddle around a lot with NodeRed (nodejs / javascript) and use some Alexa routines but I never tried to implement the standard myself. As far as I understand it, KNX is also using IP Networks, because all my devices have IP addresses and my servers are open on different ports.

I hope the Google, Apple, ... alliance decided to do create a new standard for good reasons, but I have doubts as I can't find someone that explains me what is so bad about the existing standard. Why Apple, Google and the others don't just join the KNX foundation and why this already open and royalty free KNX standard can be built upon!?

Is KNX affordable? I did some searching to see how to control Philips Hue lights via KNX, and found something called an "ise Smart Connect KNX HUE" for this. I found a few sites online selling this, all in Europe.

Most would not show me a price without me first creating an account and logging in, but I did find one German site that would show me a price, which after converting Euros to USD, came out to a little over $300. I also found a UK site that would show a price. That, after Pounds to USD conversion, was over $500.

I did a little searching to try to find out how lights are handled in KNX without bridging out to some completely different system like Hue. All I was able to find was lighting fixtures with KNX control built in. I didn't see bulbs with it built in.

Does this mean that if someone without any home automation decides that they want a couple of smart lights, to do it purely with KNX that have to replace some light fixtures?

That's not how most people in the US add some smart lights. Most here do it by buying bulbs that screw into fixtures meant for regular bulbs, and implement the smart stuff in the bulb itself. There is no need to replace fixtures (which you may not be allowed to do if you are renting).

KNX is a standard not a brand, hence you can just say KNX costs 10 euro or 1000 euro. KNX via an adapter can control regular lights, at least on/off not sure about dimming. But KNX is best used with compatible lights, which means you need special lights and different cables. I think in my appartment there are two cables, I assume one is for control and the second is the regular power source. For example some companies that in my opinion have good products are BAP Tech (https://www.bab-tec.de/), Gira (https://www.gira.com/en/gebaeudetechnik/systeme/knx-eib_syst...), Jung (https://www.jung.de/en/820/products/technology/knx-system/) ... to find companies near you I would recommend using the official KNX website: https://www.knx.org/knx-en/for-professionals/community/manuf.... the system for the lights is called DALI (https://en.wikipedia.org/wiki/Digital_Addressable_Lighting_I...), for example OSRAM has a Dali/KNX website here with more information: https://www.osram.com/ds/highlights/knx/index.jsp ... to find prices I would recommend using a website like https://www.eibmarkt.com/ (set the country to United States and the currency to US Dollar)

“I” in KNX stands for inexpensive.

Zigbee is already an open standard, but some Zigbee devices don't work with others. Yet, with Z-Wave they all tend to work and there isn't that much of a price difference (between Zigbee and Z-Wave devices). The biggest problem with Zigbee is that is uses 2.4 GHZ which doesn't travel long distances or through walls very well. Z-Wave uses a lower frequency that does. (edited for clarity)

I have about 20 Z-Wave switches in my home, spread across 4 models and 2 brands. There were noticeable differences in response time, both from the physical button and over Z-Wave, when comparing brands. And even the most reliable brand for me (Aeotec) has had issues with the network being a little laggy. That's still a success in my books, though; I have bought Z-Wave devices that do not play nicely at all.

On the other hand, my Philips Hue lights have all been absolutely flawless. They fire on time, every time.

I think implementation of the standards matters a lot more than the standard itself, in practice.

I agree that the lag time is a bit higher on Z-Wave, partially because of the slower transmission speed. Plus does help that a bit. The number of hops can affect it as well, though they are limited in Z-Wave vs Zigbee which allows for more.

In a real situation this usually doesn't cause issues. Most of the zigbee devices that you're gonna have (such as light bulbs) are also acting like a zigbee router and it creates a mesh network.

You can even visualise the network if you're using zigbee2mqtt with zigbee2mqtt/bridge/networkmap

That is true provided that you have devices that correctly act as routers. Sometimes it requires extra repeaters to make the network function correctly as well. Then there is the interference issue from WIFI and Bluetooth devices.

Most zigbee light bulbs are terrible routers. Just because it's supposed to work doesn't mean it does.

Even bigger problem with 2.4 GHz is that the frequency is oversaturated and most Zigbee channels at least partially overlap with WiFi channels. I had pretty bad interference in my home before I moved my Zigbee and 2.4G wifi channels as far apart as possible.

Zigbee 3.0 will use the guard channels if there are collisions and allowed to auto select channels.

Zigbee can use sub-GHz as well.

Oh, I did not realize that. Are there any implementations that actually use that?

The UK, national smart meter effort. Sub gig, supported by three silicon providers did Zigbee sub-gig for the last mile, tough to penetrate homes and buildings. Running 3.0 on which means it will port very easily but sub-gig is much more regulated country by country than 2.4. You can search. This article covers the initiative but doesn't call out the sub-gig detail: https://telecoms.com/opinion/467631zigbee-and-the-smart-mete...

Hmmm. Now what am I going to do with my laboriously (and lovingly) put together zigbee2mqtt/HomeKit setup? :)

Seriously now, I see this as a good thing, if only because we're likely to get an interoperability stamp of approval of some kind.

Right now, and were it not for my using an Open Source solution for my Zigbee gateway, it would be impossible for me to hook up Hue, Xiaomi, IKEA and other devices to Homekit without a bunch of different gateways (because some Zigbee endpoints simply refuse to talk to anything other than their own peers).

I also hope that they manage to do this without going the Google way of having everything open up ports on your router (some of the newer Nest-branded stuff already knows how to talk to peers on a LAN, but the security model for Google/Alexa integrations is fundamentally broken for me - WeMo support excluded).

So far HomeKit can run _completely_ on-premises, with all devices interacting on the LAN, which is great (except for remote connections through the Home app to your Apple TV home hub, and Siri voice recognition to trigger scenes), and that is why I decided to stick with it.

> were it not for my using an Open Source solution [...], it would be impossible for me to hook up [...] and other devices to Homekit without a bunch of different gateways (because some Zigbee endpoints simply refuse to talk to anything other than their own peers).

And worse, in my "casual" case, because some sort of Philips/Apple agreement outright prevents it :/

E.g. add a "Hue compatible", but non-Philips bulb to your Hue hub. It will work in the Hue app and via Amazon Echo, but Homekit will refuse to see it.

A way to "trick" homekit to be able to use the bulb with it, is to create a Hue scene, and sync it to homekit, but that is terrible for per-bulb control. This stuff is apparently all Zigbee, but the usability situation is an absolute mess.

(Widely reported, for many years, not a bug).

HomeKit must really be struggling for Apple to publicly join this consortium. I don’t say this just as a snarky dig at Apple’s preference for walled gardens, but because this announcement more or less Osbornes all the HomeKit devices in the market right now.

Despite its walled-garden nature, I’m sad to see HomeKit go. It was the only home automation standard I’d trust in my home, though hopefully Apple’s participation in this new initiative means it will share HomeKit’s emphasis on security, cloud independence, and privacy.

I hope security is at the top of their list.

I want a super secure hub that everything connects to. The hub is the only thing that speaks to my router. The hub is super secure & doesn't let devices send data back to their manufacturer. If I buy cheap devices off a flea market like Amazon, I want to sleep safe & know that the hub is preventing that device from messing with any other devices or accessing the internet. The hub can send me notifications and I can send it requests. It would be cool if I could choose to have the main hub database & software based in the cloud or on my local network.

Not sure if this is already possible. If it is, I would love to hear more.

This is how ZigBee and Zwave work. The devices form their own network for inter-device communication (it can be setup so a switch talks directly to a bulb, so even if the network is unreachable it still works) and then you use a hub to orchestrate that and provide functionality such as phone control via an app. That can be something simple like a Philips Hue hub, or something more complex like SmartThings, or you can roll your own using Home Assistant and a dongle.

The problem with these protocols is although they are more or less open, device manufacturers need to pay to be certified.

Even if the hub was actually secure this still does not prevent from someone near to your house to talk to the devices directly (this applies especially to wireless devices). The hub you described would prevent from the remote attacks only

Security is a never ending rabbit hole. I am more concerned about the bigger threat, global attacks.

I get if you live in a densely populated area that drive-by type attacks would be very concerning.

>drive-by type attacks would be very concerning

not only that. One insecure system in the area could be infected and then controlled to attack other networks in the area. With a high density of IoT devices you could have malware spreading wirelessly device-to-device. Also with a wide IoT adoption with such devices being used by public/utilities companies (smart street lamps, leakage monitoring in pipes, smart electric grid etc) you don't even need a densely populated area to have that problem.

>I am more concerned about the bigger threat, global attacks.

I once read something among the lines that IT security needs its own Pearl Harbor event. I can neither quote it exactly or attribute it to any source

I'll tell you this. You already have a hub, it's called WiFi router.

I see zero reasons to rationalise the need to buy yet another white box for the buyer.

Wifi is a poor choice for this because it uses a lot of power. Lots of things that connect to a smart hub are tiny sensors that use expensive batteries.

The consumer have a choice, a device that works right away, or a better, more expensive one that doesn't

Think why they can't sell much of these

what do people mean when they say security for smart home devices? if the "launch ICBM" port is open on a device on your LAN doesn't an attacker still have to traverse your router to get to it? Otherwise, an attacker would have to get access to your LAN. Is something like that what you mean?

People would prefer

1. Their lightbulbs to not be co-opted into DDoS attacks 2. That their cameras are only used by them 3. That others can't control their devices 4. That their devices receive security updates 5. That their devices don't contain back-doors 6. That their devices can be used when isolated from the Internet

... I imagine.

Well said

Apple, Amazon, and Google are fundamentally opposed to a model that sells devices that don’t phone home - their whole purpose is to capture value by creating lock-in for surveillable hosted services

This is not exactly the case for HomeKit. Apple didn't even add the ability to control devices when you are off your home network until recently.

Yep. And it's Apple that's pushing for a HomeKit router [1].

Reading between the lines of how Apple's been handling the "smart home" business, they've been focusing on privacy and security relative to competitors, but it's been holding them back.

I think the market has kind of shown that privacy (e.g. devices that aren't streaming to / dependent on the cloud) and security have not been primary concerns of the people who buy smart home devices, but solving those problems better may be key to enlarging the "smart home" market to include normal people.

[1] https://www.computerworld.com/article/3446197/why-we-need-ap...

Seconded. Apple, Amazon and Google have very different goals for your data. This is just a transport layer. Your privacy from the mother company isn’t impacted by the transport layer, but rather where they put the “brains” of your smart home.

While all using the same transport layer they can continue to utilize different “brain” strategies.

Apple’s “brain” has always been in your home where your data belongs and should stay. Google started with the cloud but is moving towards the same model.

On the other hand Amazon seems to have no qualms slurping everything out of your home to their servers and no plans to change.

The more you know.

Not sure I understand. I am pretty sure you have been to remotely control Homekit since the beginning, originally by utilizing an Apple TV 3rd generation, and subsequently with iPads, Apple TV 4th gen/Apple TV 4K, and now HomePods.

Google and Amazon are like that. Apple is more into cross-selling you other Apple products and locking you into the Apple ecosystem.

If they actually pull it off, it'd be huge. The single greatest thing holding back home automation is a lack of compatible standards (coupled with the fact that when an automation company dies, its proprietary standards die with it).

I used Z-wave for my home, but I'm not doing it "on the up and up;" my hub is homebrewed and using an unlicensed radio. It's a pain in the ass to maintain, but since I can't trust any hub company to survive past five years, it seemed the right call.

I've used SmartThings more or less since their original Kickstarter in 2013. I gave my v1 hub to a friend who can still use it (I have a v2 and they have a v3 out now).

I try to only buy Z-wave devices and fallback to zigbee if I have to. It's been a very pleasant experience for me overall. I have 5 z-wave light switches, a handful of zigbee bulbs, zigbee door/temp sensors, and 2 z-wave locks. I plan on replacing all my light switches eventually (I've got like 5 left but all in low-traffic areas of my house).

In other news, "Wolves, Lions, Tigers and Leopards develop Open Standard for Sheep Housing."

It is a group incentivized to make sure the sheep are happy, healthy, and within easy reach. ;)

If I suspect that there is any chance my family's private information is going to get leaked, then I will not touch it. Appliances should never have internet access. Software updates, if required, should be delivered one-way through open trusted auditable software (something like ofw).

Big tech have already tricked me into supporting them with their "open platform" bait-and-switch before (android), that trick wont work on me twice.

They talk about this being secure by default, but the standard will only ensure the communications is secure. This won't fix the bigger issues with IoT devices which is that many are built on crappy/ insecure software stacks. If your wifi video camera gets hacked, it doesn't matter if it's using https to communicate securely with your phone or cloud storage provider.

As someone who is perfectly happy with Home Assistant and Z-Wave, I worry that a bunch of mega corps getting together to create a standard will crowd out the market, and prevent non-local, privacy-honoring options from continuing to be manufactured.

If average consumers are told to simply "look for the CHIP logo", and the CHIP standard includes facilities for must-phone-home messages akin to streaming DRM, I'm afraid we'll just get pulled further into the corporate surveillance dystopia.

I think people who expect Home Assistant to be useful to the general consumer are delusional. Home Assistant is an amateur piece of software with severe UX shortcomings and broken auto-update functionality (it phones home continuously and often bricks itself after auto-updates).

I appreciate the enthusiasm in the home automation community, and I agree there's a need for an offline solution, but Home Assistant is not it, and we'd be better off scrapping that codebase and starting something better.

Don't you think delusional is a bit strong... There is a real company, nabu casa, hiring real developers to work on making a 1.0 release that's easy for others to use. Yeah right now it's complicated, but check out some of the projects they're working on like stanford's almond integration. https://www.home-assistant.io/blog/2019/11/20/privacy-focuse...

You're focusing too much on the home assistant part, and not enough on the local control part. There are solutions with hubs such as some parts of the Wink hub that do work locally without internet. I'm sure there are professional-grade installers who install various pieces of software that use Z-Wave and/or Zigbee to setup a locally controlled home automation solution.

Needing connected to the internet (and all the latency associated with it) is an anti-feature that most consumers aren't even aware of or think of, hence why I hope solutions that have the feature aren't crowded out before the market for home automation truly takes off

Sorry if I wasn't clear. I agree with you that local-only solutions are needed. Home Assistant is sucking up too much of the air in the room. I don't think it will ever be accessible or usable to the general population. If not for Home Assistant, I think the community would have developed better local-only solutions by now.

You are perhaps taking about a particular distribution of HA and not HA itself. I run mine out of Python venvs on Ubuntu LTS.

I can't remember hearing of autobricking installs on hass.io which might be what you are referring to but I doubt it.

Citation please.

They are actively working to make Home Assistant much more user-friendly. I suggest watching the "state of the union" presentation: https://www.youtube.com/watch?v=tc17q1Zn0Xs

this is a good step. i worked in automation/controls (commercial, residential and industrial) for almost a decade (2000-2009) and personally dealt with the nightmare of interop. the number of times i had to glue disparate control systems together with relay closures and switch inputs was insane. and yeah, we had these issues with wireless. it was compounded by the company i worked for supporting enocean, zwave and zigbee.

I am curious if they will include cameras (security / door), because the characteristics of the payload are quite orthogonal to the characteristics of the payload of other smart home devices.

There are two aspects to most security cameras. The one everyone thinks of is video streaming - there’s plenty of standards for that, most notably RTSP and recently WebRTC. That’s probably out of scope for smart home protocols.

Totally in scope is provisioning, configuration, and notification of things it can detect such as motion. I’d anticipate those being managed as part of this new protocol, with streaming simply being to provide an endpoint address and maybe an authentication token to connect.

I doubt some of they PHYs have the bandwidth to support streaming video, but there have been some good efforts in the IETF to maximize streaming protocols over low-bandwidth connections.

But the whole point of CHoIP is that PHY doesn't matter, so you can configure your camera using IP messages over BLE, and then the camera connects to services over WiFi to stream.

>because the characteristics of the payload are quite orthogonal to the characteristics of the payload of other smart home devices.

how so?

A camera requires orders of magnitude more bandwidth and power than other devices that might be connected over a low-power, low-cost radio network. It needs to transmit that payload 24/7.

Currently, home automation typically uses a variety of custom protocols built on IEEE 802.15.4 (not 802.11*). It's a simple protocol that can be implemented by a cheap 8-bit microcontroller from 2 decades ago. Devices from one manufacturer may or may not communicate with those from another, and the network architecture is typically a hub with spokes - there's limited or no support for multi-router, multi-access point, or mesh networked setups.

This style of network honestly works pretty well for motion sensors, lights, outlets, temperature sensors, thermostats, etc. The master node might query a device every few seconds for a couple bytes of status, or might only send a short command when a user interacts with the device. Most smart home devices send a few bytes of data four times a day when you push "light on" and "light off" on the hub. This is great for operating for months or years on just a couple AA batteries. A camera sends a few bytes per pixel times (simplifying) 720 pixels down times 1280 pixels across times 30 frames per second times 86400 seconds per day, and can only run for an hour or two on a larger battery. That's almost 8 terabytes vs. 8 bytes.

But to use 802.15.4 networks, you need a hub, which is a barrier to entry - instead of one $20 light, you need a $15 light and a $50 hub. You likely already have an 802.11 router that could be the hub if the devices were smart enough to talk to it. And (tinfoil hat on) I think these companies would rather have their servers be the hub, rather than a device in your home they can't monitor and profit off of.

This is a very Hacker News answer, in that you wrote three dense paragraphs that are all technically correct, yet also completely divorced from our practical reality that has smart home cameras in it.

What is the obvious implementation out there? They just have both. They have the cheap 8-bit microcontroller from 2 decades ago transmitting on the low-bandwidth home automation network, and when it is decided that the camera should stream, it wakes up the beefy Ambarella or Socionext SoC to send its video feed over classic WiFi to the vendor cloud, and whoever wants to receive it just gets a stream URL back.

Yeah, there's no reason to saturate the control channel with high bandwidth data.

Higher bandwidth. Not sure if that is 'orthogonal' though, seems like the requirement is on the same dimension, just bigger...

I think you’re right. Typical smart home coms being short little on/off or temperature up/down type commands vs. streaming/recording video and audio with some having two-way audio up to and including machine learning/AI for object detection which most likely is done remotely.

Lights and switches are generally basic async polling and commands versus live streaming video and constant video uploading to a cloud storage service.

Since Apple just added support to HomeKit for cameras I am sure this new standard they are making will support them too.

Homekit has had support for cameras for a while. The recent support was for a cloud integration to store video securely.

Seems like the sorta thing which has tons of buy in from teams that don't matter and the teams that actually need to be using this won't and it'll get abandoned in a few years.

Google (specifically, Nest) and Apple are both looking to displace other solutions in the market.

"Teams that don't matter" today. This market is absolutely rife with opportunity for someone to steal the whole thing with better UX and an interop promise.

Why not openthread? It's already there, it's open source, and from my somewhat limited experience, works well.

The licensing is a bit poor. While openthread is open source, and the spec is public: > "Membership in Thread Group is necessary to implement, practice, and ship Thread technology and Thread Group specifications."[1]. This seems to be a similar limitation to what prevents Zigbee from being in the Linux kernel, as commented elsewhere[2] in this thread.

In contrast, the Bluetooth SIG only requires a fee to be paid when you actually ship, as a once off not a yearly fee. The cost is roughly similar.

[1] https://www.threadgroup.org/ThreadSpec [2] https://news.ycombinator.com/item?id=21825822

Openthread is purely a networking solution. It does not address application-layer messaging. This effort is to unify the application layer. (ie, "light = on" messages).

It looks like Connected Home over IP will be compatible with Thread - they are developing the stack on top of WiFi, Bluetooth and Thread: https://www.connectedhomeip.com/

Openthread uses the zigbee radio. Hence zigbee being involved.

On the surface this "appears" very similar.

EDIT: Yes I'm aware the software layer is different, I was inferring the radios are the same.

This is incorrect. Openthread uses nothing from Zigbee, but does use 802.15.4 radios, the same as Zigbee does.

OK, let me be more specific since that is what I was inferring.

Yes the software layer is different.

right, but Zigbee just uses a generic 2.4GHz radio. There is nothing about the radio that "involves Zigbee". Some silicon vendors sell 2.4GHz radios that can run a BLE, Zigbee, or Thread networking stack.

Can anyone recommend a method* without Wifi? Isn't there a method for "smart outlets", main scheduler, etc over electrical lines rather than bluetooth, wifi, etc? Method* == standard, or product line. [yes i used pointer and equality symbols oddly]

Edit: basically looking for a way to avoid more wireless transmitters in the house. Or are all outlets "receive only"?

The previous generation of smart home devices was called X10, and it used signals over power lines.

I gather it was:

- slow

- might have required you to make a connection in your circuit breaker

- and was designed in the 1970s, when home electrical systems weren't very noisy (apparently all the switching power adapters we have today make a ton of noise and make it hard for the signal).

I don't see why something newer like this couldn't be done -- we have powerline modems, right? Probably not as fast as wifi, but it does go where it is needed and requires physical access to hack.

Some devices are using Zigbee (a different wireless system), but I understand it was developed without security and isn't hard for third-parties to hack into.

> - slow

Yep, that's inherent.

> - might have required you to make a connection in your circuit breaker

That's one way to do it. Another way just requires a bypass and filter at your circuit breaker what is much simpler and doesn't have to connect anywhere else.

> - and was designed in the 1970s, when home electrical systems weren't very noisy

This is where things got worse, and then they got better. Yes, electrical lines are very noisy, but the 200Hz - 100kHz band is only getting cleaner. Electric motors will interfere with it, so you may need a filter on your blender (but even it is much better now), but this is the prime band for electrical wiring.

Also, on chasd00 comment that it requires capacitors bypasses on transformers, that's only true on the higher bands, and only on devices you want connected to the network. So only the smart devices need to adapt.

To expand on the circuit breaker item above: Because most of the outlets in your home are split between two phases of AC, it meant that the X10 transmitter would only be able to talk to half your power outlets (and you didn't know which half ahead of time), unless a phase coupler was wired into your breaker box that would repeat the signal on the outlets connected to the other phase.

I remember X10! The whole "over powerline" thing was a real possibility back in the day but it required all transformers to have a small modification done to them and that killed it IIRC. You could certainly do it in your home though.

Insteon is the closest thing to a successor to X10, and it still supports a lot of the old protocol. You can certainly setup an insteon system for basic stuff (Scenes, etc) without an Internet-connected hub at all.

LoRa (not LoRaWan) could be a Method. Or PJON.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact