Building A Better IoT Part 2: Can We Create A Safe Home Automation System?

Soon: It was a mistake to teach a light bulb to DDoS a hospital.

YOU never told, what spaghetti length you used.

This sounds like "parental controls" for iot. I like it. I trust teens on the internet, about as much as I trust a lightbulb.

In a previous life I did Crestron programing and the amount of wiring in the walls brings back memories. Their web interface used to be an IE plugin (1) which was...a choice.
The development environment was interesting. It was a windows executable that launched Cygwin(2) to do the cross compile in GCC(3) so you could send the code to a CNMSX(4) over a serial cable. Good times.
1) Their touch panels ran WinCE. Hours of battery life. Hours I say.
2) Or similar
3) Which was an ancient version
4) The brains of the system

I work in government IT and I mostly deal with Windows PCs on the General VLAN. It's always amusing to see "garage openers" appear on the monthly Nessus scans. The "garage openers" are the security gates that can block vehicle traffic from entering or leaving the garage buildings. You would think security would have all their devices on a separate physical network.

I love this series. Such a necessity, for now and especially for the future. Hopefully you keep going, and others too.

You can totally use daisy chained Dallas one-wire protocol to control about 300 x DS2408 8-channel switch boards using 1 data+power wire and ground.

Philips Hue is great, the system seems to work exactly at intended for my parents. Only 4 of the 60+ bulbs have ever become disconnected from the hub, and that only happened after a power cut (and they've had several other power cuts and it has never happened again.
The hub also doesn't need any internet access, so if you want to just block it you can. And it all works by ZigBee so it's not the insecure mess that are WiFi bulbs.
Oh and it has really good support with Home Assistant and other similar projects.

I have been screaming out about IoT device security for years... however... TH-camrs push VPN's offering a level of security for their computers and devices... the big problem is educating why these problems exist and why people use them incorrectly... adding another layer is great for us that know how it works... but ultimately these IoT designers need to go back to geek school!! - We are already too deep into this... likely the reason I stay old skewl - damn, I don't even have RGB in my computers! :) ...keep up the great content m8!

A great big thumbs up! I 've been asking myself these same questions for a while now and I've yet to find a good answer. These gadgets are so easy to set up but a hell to secure without affecting their functions - they simply were not made to be secure.

WENDELL THE WHITE BOARD SCENE IS SO SMART!! such a great way to visualize what we know so obviously in our head.

I used to install Smart Homes.
Lutron is top tier for lighting. They do sell a product for homeowners/enthusiasts.
I just use a Hue setup.

I like having my "smart" devices dumb. I don't need any cloud-connected devices, I want everything on a separate wired network, inaccessible without plugging a cable into a port or modifying a vlan on a port / in a trunk on a switch or changing a firewall rule (one out of the 3). I used an arduino uno at my workplace to detect movement when inside the premise and open the door (because people are too lazy to push a button and they were getting head-on inside the door). Having that sensor there helps people be lazy and not lose momentum when walking. Best part of it? Doesn't even require a network connection, not to mention internet connection. It's just an arduino with an ultrasonic sensor and a 3v (mechanical) relay (solid state ones are better, but more expensive). And no, you can't open the door from outside, tested it thoroughly with my colleagues. The bad part is that you need to connect a USB if you ever want to change the code or add features (which is basically never at that location).
I am thinking of using some old *Pis and wiring some lights in the house and have some cron jobs to turn the lights on in the morning when my clock rings (maybe even make the lights flash, so they are more annoying - for flashing lights, I highly recommend solid state relays). Cameras don't need any introduction, you can do IP cameras and have a samba / nfs server for storage, or buy a DVR with coaxial cameras if you want a more professional setup. Make a VPN and connect to your home network to monitor them, don't use the manufacturers cloud platforms.
Lock systems are a little scary, especially if you want to unlock without a key, so I highly recommend old locks. But considering people have garage doors that open with a pretty insecure key, well, you could make a locking system using Pis and relays (again) with electromagnetic locks and either use a VPN to remote home and unlock a specific door, or have a hidden wifi network that you connect to in close proximity to unlock the door. Again, I recommend neither, because the risk of getting cracked into is quite high (and it's pretty easy to scan for hidden wifi networks).
Bonus points if you use Mycroft or similar software for voice commands, but your setup gets more complex and you need microphones and speakers. Funny stuff, while a part of me is somewhat excited about making a secure home automation intranet (again, with no access from outside or even from my normal LAN), another part of me is really autistic when it comes to security and I think I shouldn't trust computers and try to do as primitive a setup as possible (up to and including having a rooster wake me up in the morning, instead of an alarm clock - and I can't snooze the rooster).

Find ESP based devices that can be reflashed with Tasmota - connect to a local MQTT on Home Assistant, and the IoT things never talk to the cloud ever again. Also works when the internet is down.

Can’t wait for more episodes of this IoT series! Love it !

I’ve been looking forward to this part 2
Thanks for everything you are doing, L1T!

For me since I'm not going to open my walls and run separate wires to every device I want to control I have chosen the wifi route. I do have a separate ssid that is on its own vlan that does not have direct access to the outside world. I dual home a Home assistant instance so it can have local control for the devices. So I'm kind of using HA as my WAF, but I also tend to stay away from proprietary devices and protocols. So I flash tasmota and esphome for most of my ESP devices.

Yay! Part 2 is here!
I'll see what I can contribute as I too would like to get this going somehow, especially with the Open Source crowd.
I believe wireless is the best way to go. You can secure it and deploy devices almost anywhere. Low cost used wireless devices can be had for really cheap on sites like Kijiji. I'm definitely in on this project.

I’d love to see someone make a voice assistant that is offline. Really I only use my echo dots to turn lights on/off and occasionally ask for the weather.

Yesss finally part 2!

I've built a home auto system back a few years as a project to learn IoT, it wasn't great and probably is insecure. But man it was fun, have the door bell turn on a light, the RFID turn off the TV, any switch can be redirected to any light/lights, or any thing controlled by any IR remote that you setup.
Just designed and printed new outlet boxes that house a 120v ac to 5vdc board, a raspberry pi 0 w, outlet covers that hold arcade buttons, docker and a bash script that if the pi can't get internet become a hotspot (gotta love nmcli) and host a setup page to give it the Wifi, central host, and the host's public key.

Really enjoying this kinda content, I would love to see more on layer 7 analysis and your ways on how you would go about implementing it into securing a network. OpenAppID on pfsense maybe?

If you're doing something in the middle you could consider using srt (secure reliable tranaport) on the outbound side of the video instead of rtmp. Resilient to packet loss and encrypted

Have a look at KNX. It's an open-source protocol used for building and home automation that is around for 30 years. I installed it in my home and it works great. Since it's only a protocol it can be implemented either wired, wireless and over IP (again wired or wireless) and there are mutliple companies around the world that produce devices that operate on the protocol and deliver everything from turning on loads (lights, outlets etc.), thermostats, switches, various sensors to interfaces to other protocols (Zigbee, RS485, propietary HVAC device etc.). There are two downsides to it, in my opinnion:
1. rather slow (9600 baud), which is not bad, considering you do not have a lot of traffic flowing (how often do you turn on/off the lighting or how much does your temperature fluctuate, etc.) This short comming can be resolved by optimizing the topology, but it is still slow, in 2020.
2. The software used for commissioning the system (ETS) is only available in Windows and the license is rather expensive (it's meant to be used by certified technicians, even though its not rocket science) and there are no open-source alternatives available, yet.
I got certified in KNX after programming the devices in my home as I really think it is a great backbone for a modern home. I use Home Assistant on top of KNX and I can use it to bridge other systems. For example make my robovac to come and clean the kitched by pressing a light switch.
If your interested in this I would gladly help you out with getting started.

Going all-out on filtering system for out-of-the-box gear might be very useful. I've been playing around a bit with replacing firmware on devices but it is a lot of work finding the right gear and you end up having to dig into enclosures to attach to programming ports, etc.

I watched the whole video because it is very exciting. I also could listen to Wendell talking about tech for hours so thank you ! However, I will never go for IoT in my own home. Won’t need it, I can check things and put the blinds up by myself just fine thanks!

"Look at this guy, he measures all his spaghetti." Hahaha, I lost it.

Easiest way is pfsense for VLANs and a managed switch. Run security VLAN for cams not connecting and add iot VLAN for WAN only. 5 mins and done.

One thing I think we need is cheaper and smaller switches with fast uplinks. Running tons of wires to one spot where you need a lot of ethernet devices is pretty gross and it'd be nice if we can have switches that just act as traffic aggregators to push all that traffic over a single higher speed link.

What about seperate VLAN for all devices like IoT ? Isn't it the best way (most efficient) to protect your home network ?

KNX and DALI do exist though :D which are open standards so you arent stranded with a single company though its more common here in europe :D and for those networks you can basically have any topology without switches :D

As a guy who has done network runs in my earlier IT years, I do feel the need to have spaghetti that is the same length before I put it into the pot. I never thought about it until now :(

Next Episode: How to make your own secure processor from scratch for security cameras

You should check out KNX it’s a fully hardwired system with a bus line to connect devices like Motion sensors and keypads. It links directly to Home assistant. I’m building a house and I was looking for a hard wired system like control4 without the price and I happen to find.
it’s mostly used in Europe but you can get it here too

What I got from this video. We really really really need a reserved IoT internet layer protocol

ok you did address most of my concerns in this vid lol, I love how you design your scripts wendell it's really well thought out and super honorable. we need better arguments that speak to the "common man" in terms of explaining the security exploitability of commodity IOT. IOT should be an electricians niche NOT an amazon business model. if we give the power of home wiring to multnational tax evading corporations then we may as well be giving up our houses to the government as they're the ones who control it.

Home Assistant and shelly devices riding on unifi infrastructure. I did start with cheap poe ip cameras on an vlan but may switch to unifi cameras.

sweet, I was looking for pretty much exactly this!!

CAN and RS485 can be a good option, SPI although technically feasible is not foreseen for out of system communications, CAN and RS485 are a better match. Also running parallel CAT 6 cables all around ur house seems unnecessary. A Serial/ Star based architecture is a better solution for IOTs.

Why not setup all your IoT cameras on a different subnet within your home and isolate them with a sort of "reverse" DMZ? You could use one of the machines in your home as a terminal server so there's no outbound traffic hitting the internet but you could still access footage through the web GUI? This wouldn't solve your problem with devices like Nest and Ring, but it could be a jumping off point for something more substantial down the road.

I think the idea of an application firewall is a excellent solution for things like smart tvs were being on the internet is key to their functionality. That said, I'm not sure it makes much sense for things like carera's and smart devices. I agree I don't want those things on the internet so I run a VLan for my cameras and a separate VLan for my IOT devices like dimmers and motion sensors and the like. I then run local servers (Home Assistant and ZoneMinder) that are on the private VLans and but also have internet access if needed. What do you see as the use case for letting Cameras and IOT devices have even limited access to the public internet?

Hikvision, partially state owned....
Umm...

I wish more than anything that I had the time to dedicate to this type of stuff.

The giant bundle of wire can still be hacked to give you direct access to device protocols, it's just harder. Devices themselves should have either a jumper/tag you remove to put them into post-configure mode, or a way to remotely attest configuration data and OS integrity.

Crazy idea here, since rewiring is an issue is there a way around that? The right approach for IoT is not only open source, but also cheap. So with that in mind, how about implementing a custom data over the power line protocol? It should be quite effective for low bandwidth devices, and as for cameras ethernet there is fine.
EDIT: There are pretty cheap IC's that do just that Power Line Communications Modem is one key word to start agooglin'

that dual cam got me lol

I need a mips madness video definitely.

Personally I'm using VLANs to try and keep the IoT stuff separate but it's not really a good solution. I can recommend Maltrail as a potentially useful tool for picking up bad traffic. It's designed for detecting malware attempting to reach out but could be helpful for figuring out if your IoT devices are being used for nefarious purposes.

Thanks for the content, I would definitely be interested in contributing some code if you get something going. I don't have the time/money to head up anything but there is a big need for some open source solution. It scares me to think that we may have 100s of these devices in our homes in the future, all waiting for just the right time to launch a denial of service attack.

Great video Wendell, keep this series coming

It's be great to have an open source proxy that can do this, with plugins for new hardware as it becomes available.
A nice web GUI to inspect traffic and whitelist things, Runnable in a rocket on a switch or pfsense router or something.
Perhaps to make it even simpler, a device like a switch running this software that will automatically recognise and segregate new devices on a vlan to pump through the proxy.

Esp32 has built in ethernet, perhaps a way to go for your sensors? Flash it with esphome or espeasy and you are good to go. Otherwise some kind of industrial bus, modbus, rs485 or knx would be an alternative.

This is fantastic.

BACnet MSTP is a master slave Tolkien passing protocol that uses Rs485. Its a protocol that’s been used in industry for many years.... rs485 is very touchy on how it is wired and the converters to ip based communication is expensive

I'll be following this for sure.

Don't forget about your Enmodus SSD's guys, deal is today (even for those who didn't pledge)

Surely you just throw control signals down the internal power wires. Most of the signals are going to be off and on, or colour and dimmer signals. The only thing you need high bandwidth for is media and security data.

I have recently spent some time converting some of my iot stuff to work with HomeKit. I want something more like you want, but I don’t really have the time to do it correctly.

some wifi lights and switches can work with without internet,put in a vlan,block internet,use home assistant

My system is build on a rock64 sbc. It runs fhem for automation. some of sensors and devices I build with the mysensor library for arduinos

Steel reinforced slots, well that's just more bling, you know it's plastic where it counts.

For your CAN like network, what about MQTT? Pub-Sub protocol that allows all devices to communicate with each other.

very interesting video but you mentioned Arista switch and docker which Arista switch ? and go also very interesting i wish you had a video in more depth ? in your research setup capturing this data thanks so much for your broadcasts

I stopped measuring my spaghetti a long time ago. Instead I built a jig with a stop on one end, and on the other end is a diamond encrusted circular blade spinning at 20k RPM's. Like a chop saw, except the blade is running on air bearings. Oh and the entire apparatus is inside a climate controlled box as humidity and temperature caused significant deviations.

2+ years later and guess what, I'm _making_ time for it.

She is diggin that nahemic audio

What about KNX as a communication protocol? It's the standard for big commercial applications and has a lot of devices with support for it

My ip cameras have their own managed poe switch that only connects to the Blueiris server. No outside access to the cameras but can still view the feeds through blueiris.

Challenging way to approach the problem. For awhile I've been looking at building a plug in for Home Assistant that uses a recently developed globally supported onion routing network offering private access that supports UDP as well as TCP.

You are correct. The vast majority of people just plug these devices in all over the place and love the novelty of it, but don't get how out of control it could be. It's like the scene in Wall-E where the ship commits mutiny. No one gets that this is a potential problem. I get told to take off my tin foil hat when I tell them their phones are always listening to them, and then when I ask them how the phone knows when you say "OK Google" or "Hey Siri" or whatever, they act like it's magic. #wiretapinmypocket

Please, for the love of everything holy, Level099Techs for idiots like me who love this, but don't have the knowledge base! Drunk Ryan can host and insult us..

Jonathan Oxer (Freetronics) has a TH-cam channel called Superhouse. If you haven't checked that out already, do so. Very interesting ;)

Love this commentary, total tech geekdom, i get it, but most wont AND most dont care.

4:02 947 PPM CO2 is NOT what I would consider to be in the "good" range. That's definitely in the "acceptable, but you might consider more ventilation" category in my book. It's not at dangerous levels by any means, but it isn't great. Personally, I start to notice cognitive effects as low as 850 PPM, and I _definitely_ feel "off my game" if it's over 1000 PPM and I certainly don't sleep well when it's that high.

Check out Home Assistant if you haven’t already!

Oh yeah we used clipsail networks for lighting at work. That was all essentially a can bus

i've never been a fan of wireless, even back when i was a radio operator for the Marines. it's to easily blocked, hijacked, cracked. . . . . . . .

My wife put a few of those google spy devices in our house but the smart lightbulbs are in the garage in a box.

My 4 cents on this:
1. You don't need most of the home automation stuff. It may be fun for a while, but basically useless in most cases.
2. Yes, security is a big problem in IoT Devices
3. I disagree on breaking up an encrypted connection on a WAF. For me encryption should be end-to-end. You can still block anything dangerous by source and destination
4. I think it is a bad idea to let an AI decide which traffic is good and which is bad. You will not be able to debug what the AI learned in its neural net.

I have over 50 esp based light bulbs for my new house ready to install..
As well as power controls and other relays and sensors.
They cost £2-10 each and all work with tuya.
Needless to say I'm also scratching my head at the moment on how to safely implement there setup without endangering the world by putting them on the internet.
I have carefully picked every light and most of the other devices ensure its esp based so they can be reflashed with another firmware as honestly much though I like tuya, can it really be trusted?!!

pbffft "same length." successively longer prime-number-of-millimetres lengths
also, nice kitchen, wendel.

What bugs me most isn't the ESP8266's and things like that, but the horribly insecure cameras such as baby monitors which use UPNP to punch a hole through your router's NAT. Sure... for anyone smart enough that's not an issue, but for the average consumer I find this really scary.
The main problem remains that security and convenience will always fight each other, and most people prefer convenience.

Feeding the algorithm via likes/sub/bell/etc, keep it up 😁.
PSA: make a hotkey to help for free👌

why not slap the cameras on a separate vlan and subnet and then zero out the gateway?

BACnet/SC?

Aren’t more and more devices encrypting their traffic? Wouldn’t you have to have something that let you use a cert from your WAF so it could even see the traffic?

real interesting stuff I'd love to get into but I'm a little too busy to

My issue with these type of devices is why do people keep placing things they have no clue about in locations they wouldn't want it causing harm. They really see "shinny new thing...let me play with it" and don't think of the issues that could arise due to that introduction to their network.

can you elaborate on why golang is well suited for a wrapper?

You referenced CO2; did you mean CO (carbon monoxide)?

I think Wendell is jealous ;)

ESP8266 ESPHome Tasmota 👍

I know its not the only problem, but just a thought..
Powerline lightbulbs.

I always thought it was silly to allow IoT devices to access the internet. Some (not all) offer LAN control, and if you're running homassistant as a controller, I feel like that's adequate to do most of what you need. My roomba has no need to EVER communicate with the outside world.

Can I do this by firewalling it off on a VLAN as thats the generally the recommendation for security cameras. Does a WAF and programming all the filtering/encryption yourself really the only way to get it secure? I don't have the education to do that no programming or networking experience. I was going to get some small business ubquity gear and follow some beginner network security and VLAN / firewall / Remote-in w/ VPN / traffic monitoring tutorials especially with all the relatively recent USA government ban on these cameras as a lot of them use huwei chips. Maybe I misunderstand and me using the ubquity security software on the Dream machine pro is basically a WAF. Yet you concluded your video that theirs basically no way to make it secure without your level of extensive knowledge.

Why not use vlans and on your smart switch with firewall rules based off the vlans.

Will DMX based of rs485 will work for this kind of mesh network?

Ps - CANBUS is a pretty intriguing template...

If the IoT connect to the internet but have security loopholes, is it better to keep it on a guest network so it is separated from your home network?

I'm late to the party, but IMO, most of these smart home devices just shouldn't be connected to the internet. There is zero reason for your lights, switches, cameras (especially cameras) to be connected to the internet.
These devices should be on a private network and only communicate directly with a central controller (like homekit, smart assistant, or an NVR). Your controller becomes the only weak link.
Cameras are really off the mark IMO. Their only job should be to send footage to your NVR (and other camera specific things like IR lights, tilt, zoom, etc). The decision of what to record, when to record, motion detection, object recognition, etc should be done by your NVR.
If you want to view your camera footage, control you lights, or turn on the heat, you can do so through your trusted, security audited controller.
Most of these smart devices are simply too smart for their own good.
Even smart TV's shouldn't be connected to the internet. IMO smart TV's shouldn't steam content from the internet, there are plenty of other devices (firestick, roku, apple tv) that can do that. Again, let it connect to a controller so you can control the TV's functions (turn it on/off, change volume, change inputs, etc).
Imagine connecting your TV's, roku, playstation, blu-ray player, plex server, etc to a controller. You could pick which tv is connected to which device, or maybe steam one device to all TV's.
Obviously some devices need to be connected to the internet as a function of what they do, but those are the only devices that should be connected to the internet. Your streaming device needs to be connected to the internet, your TV does not. Your computer needs to be connected to the internet, your mouse does not. Your phone needs to connect to the internet, your headphones do not.