gumby 11 days ago

That cartoon about Siemens and wires etc... it's actually more horrifying than you think. All that industrial control stuff with MODBUS and SCADA and other brain damage: it has even less security than the IoT junk, i.e. none!

I worked on a safety critical system in which we designed security and fail safe right from the beginning. Hardwired state machine controllers for things that could explode. The hardware engineers think that way (thankfully) so we should too. After I left they junked it all and replaced it with Siemens "HMIs" (very expensive Windows XP systems), fancy process control stuff, and then spent even more on fancy consultants every time they wanted to make a change. But at least it was familiar. (I could still access the systems long after I'd left.) At least it explains why the real hardware guys (as in actual iron) don't trust the silicon jockeys or software guys: what they have access to is crap.

Bad as home automation is, it is, incredibly, better than your run of the mill industrial automation!

  • MisterTea 11 days ago

    > All that industrial control stuff with MODBUS and SCADA and other brain damage: it has even less security than the IoT junk, i.e. none!

    Right... because industrial automation networks should never be connected to publicly accessible networks without security in between. PLCs and sensors don't need internet or intranet access so why would you connect them?

    The problem is industrial engineers aren't IT or security experts and that's why we have security issues. Plus they're under constant pressure to get production running and meeting deadlines. Next you'll say "but what about Stuxnet! That proved that even air gapping isn't secure enough!" Yup. It also proves that using insecure general purpose operating systems (hint, Windows) is stupid as well. But it's cheap and familiar so here we are. The problem isn't with the protocols or hardware, it's ignorance with a side of laziness topped with corner cutting.

    Also many industrial protocols don't run over TCP but instead use raw Ethernet packets and have dedicated protocol processors running to keep latencies down to microsecond levels for flipping IO bits. An example is Beckhoff's EtherCAT. So security does not apply to those networks and would be difficult to implement.

    > Bad as home automation is, it is, incredibly, better than your run of the mill industrial automation!

    Apples to oranges.

    We recently bought a machine which has an internal automation network between a Siemens 840d, a Siemens safety PLC and a DSP controller from Adwin. Real time communications is over Profibus and CANopen. Between that machine and the rest of the world sits a humble PC Engines box running a custom FreeBSD image that gives them secure remote access to the machine. I'd trust that more than any home automation built on webshit.

    • sansnomme 10 days ago

      > Right... because industrial automation networks should never be connected to publicly accessible networks without security in between. PLCs and sensors don't need internet or intranet access so why would you connect them?

      Clearly Stuxnet is a myth and bedtime story to frighten children with.

    • walterbell 11 days ago

      > between that machine and the rest of the world sits a humble PC Engines box running a custom FreeBSD image that gives them secure remote access to the machine

      What hardware + hardened OS would you recommend for jump boxes? OpenBSD, Linux, pfSense?

      • MisterTea 10 days ago

        At work I build, upgrade and maintain existing machines for in house processes so I don't use jump boxes. I have pfSense running on a PC Engines APU2 for the company LAN, isolated visitor wifi, and isolated 3rd party machine network. We're a small company so I do some IT and contract the rest to an IT pro friend of mine. I do unixy stuff and automation, he does Windows stuff. So I would recommend the BSDs as they have been pretty well battle tested in that arena, OpenBSD being my top pick if rolling your own or pfSense if you want easy. PC Engines hardware all around and I order direct.

        As for our 3rd party machines with jump boxes: I view jump boxes as a security risk if directly connected to the corporate LAN as they can bypass firewalls. So I kept it simple and created an isolated jump box network from the pfSense that gives them 24/7 remote internet access with zero ability to see anything on the company LAN.

        Our internal machines are on an isolated network, all hardwired and have static IP addresses, zero internet access. The engineers frequently have to write new CNC programs so I make it easy to share files while isolating the networks; I bridged them using a Debian server running a Samba server with two network interfaces. One is connected to the company LAN, the other to the dedicated machine LAN. The file server has a single share for the engineers with RW access and each machine gets RW access only to its directory in that share. Operators go to the P (program) drive and retrieve the programs. There is no network bridging or routing between the two networks. As far as they know, it's just a file server. That network also terminates in our office and we can connect to it for programming and troubleshooting.

        One idea I've been toying with is developing an internal jump box that allows our machines to connect to the corporate LAN giving engineers file access while maintaining network isolation. That way I can ditch the second network and go DHCP with reservations all around.

        • walterbell 10 days ago

          > There is no network bridging or routing between the two networks.

          If a fileserver vulnerability helps an attacker to take control of the host, they may be able to move traffic between the network cards.

          Might be better to have two file servers. The less-exposed server could periodically connect to the more-exposed server to sync files. Would not need open ports on the less-exposed server.

          • MisterTea 8 days ago

            This is very true but I look at it like this: if they make it that far, they're in our network so we're thoroughly p0wnd. It's a compromise as air gapping was generating too many complaints from engineers and operators until the boss had enough and said fix it. So we compromised and fixed it.
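The two-server arrangement walterbell proposes above (the less-exposed side periodically pulls from the more-exposed side, so it needs no open ports of its own) can be sketched as a small pull-sync job. This is an added example, not code from any commenter; the two "servers" are simulated as two local directories so it runs offline, and the names `EXPOSED_ROOT`/`ISOLATED_ROOT`, the allowed file types and the size limit are assumptions, not anything from the thread.

```python
"""One-way "pull" sync from a more-exposed share into a less-exposed one.

Added example (not from the thread). The isolated side initiates the copy on
its own schedule (cron, systemd timer), so it listens on nothing; the exposed
side never reaches in. Only files that look like program drops are copied,
symlinks are never followed, and unchanged files are left alone.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumed policy: what a CNC program drop should look like; anything else is not copied.
ALLOWED_SUFFIXES = {".nc", ".tap", ".txt"}
MAX_FILE_BYTES = 8 * 1024 * 1024


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pull_sync(exposed_root: Path, isolated_root: Path) -> dict:
    """Copy eligible files from exposed_root into isolated_root.

    Returns a report of relative paths copied and (path, reason) pairs skipped.
    The per-machine subdirectory layout from the thread is preserved as-is.
    """
    report = {"copied": [], "skipped": []}
    iso_real = str(isolated_root.resolve()) + os.sep
    for src in sorted(exposed_root.rglob("*")):
        rel = src.relative_to(exposed_root)
        # Check for symlinks before anything else: a link could point outside the share.
        if src.is_symlink():
            report["skipped"].append((str(rel), "symlink"))
            continue
        if src.is_dir():
            continue
        if src.suffix.lower() not in ALLOWED_SUFFIXES:
            report["skipped"].append((str(rel), "disallowed type"))
            continue
        if src.stat().st_size > MAX_FILE_BYTES:
            report["skipped"].append((str(rel), "too large"))
            continue
        dst = isolated_root / rel
        # Defensive: the destination must stay under isolated_root.
        if not str(dst.resolve()).startswith(iso_real):
            report["skipped"].append((str(rel), "path escape"))
            continue
        if dst.exists() and _sha256(dst) == _sha256(src):
            continue  # unchanged since the last pull
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)  # copyfile, not copy2: no mode or xattr propagation
        report["copied"].append(str(rel))
    return report


def demo() -> tuple:
    """Build a constructed sample tree, run two pulls, return both reports."""
    base = Path(tempfile.mkdtemp())
    exposed, isolated = base / "exposed", base / "isolated"
    (exposed / "mill1").mkdir(parents=True)
    (exposed / "mill1" / "part42.nc").write_text("G21 G90\nG0 X0 Y0\n")   # constructed program
    (exposed / "mill1" / "notes.txt").write_text("fixture B\n")
    (exposed / "mill1" / "helper.exe").write_bytes(b"MZ")                # not a program drop
    os.symlink("/nonexistent/target", exposed / "mill1" / "link.nc")    # link out of the share
    isolated.mkdir()
    first = pull_sync(exposed, isolated)
    second = pull_sync(exposed, isolated)  # nothing changed: nothing copied
    shutil.rmtree(base)
    return first, second


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The important property is the direction: the isolated host runs this as a client, so a compromise of the exposed file server yields at most bad files to inspect, not a session into the machine network. The `.exe` and the symlink in the constructed tree show the two kinds of thing the allow-list and the symlink check keep out.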

  • chroem- 11 days ago

    It really amazes me the kind of stuff that will slide in this industry. I have seen the web front ends for the datacenter cooling systems of certain large tech companies where the password is simply password. Nobody cares much about these things, so it goes unnoticed.

    • 908087 11 days ago

      Move fast and leave the front door open for others to break things

  • mlaretallack 10 days ago

    I have a background in traffic control and have just started the SANS ICS410 course. It's scary how much the security depends on the network. No defence in depth.

UtahDave 11 days ago

My favorite quote from the article:

"Remember, S in IoT stands for Security."

  • dsr_ 11 days ago

    The R is for Reliability, and the F is for Fun.

  • Varcht 11 days ago

    what is the "h" for?

    • pmlnr 11 days ago

      Hope. Or hell. Depends on the protocol.

orev 11 days ago

The only way to win is not to play. It is completely daft to me that all these devices require an Internet connection to function. I will never allow something like that into my house (along with home assistants like Alexa).

I have achieved a decent level of automation using simple timer switches (they have ones that adjust on/off times based on your latitude), completely disconnected motion sensing lights, and by simply reading the manual on how to program my thermostats.

I have considered using ZWave to enable me to use some cron jobs or openHAB, but I will not use WiFi.

  • ak217 11 days ago

    Not all, no.

    HomeKit and ZWave don't require an Internet connection. I use a bunch of ZWave devices connected via Ethernet through a Raspberry Pi with hassio and a ZWave USB adapter - controlled from my phone when it connects to my wifi network.

    To protect your wifi network, make sure you have a decent gateway in place. OpenWRT does a great job, but there are many others as well.

    • jpindar 10 days ago

      Philips Hue lights also don't require an internet connection, I've tested mine.

  • ocdtrekkie 11 days ago

    Yeah, I write off any home automation device that uses Wi-Fi. Currently I use a lot of Insteon devices, which aren't mentioned in the article, but are fundamentally very similar to Z-Wave. They have no software update mechanism and can't talk in an IP protocol, so the amount of impact someone can have on them is pretty bloody limited.

  • muhbags 11 days ago

    I feel the exact same way. Never will anything in my home needlessly connect to some cloud service and give away my data. And even less would I be willing to pay for that...

  • amarshall 11 days ago

    Plenty of them don’t require an internet connection. My Philips Hue and Harmony hubs are both on a VLAN which blocks all outbound traffic (save for MDNS reflection across LAN subnets so they can still be discovered from other subnets).

  • thearn4 11 days ago

    I tinkered with home automation in the past, and had the same worries. I felt comfortable enough with Z-Wave, but drew the line at anything networked.

m463 11 days ago

I love this. Someone who recognizes the cesspool of modern tech and actually gives reasonable advice on how to sort of fulfill the promised future.

It's too bad people forgot how to make and sell a thing, and instead are selling a (surprise!) business model.

T3OU-736 11 days ago

The version in Russian is significantly more entertaining, though it requires native-speaker level at the language to appreciate it fully.

  • pxtail 11 days ago

    Now I'm sad. If the translation even slightly resembles the original version then I'm sad that I'm unable to read it in Russian due to not knowing the language. I like this style of writing; another blog I know where the author has a slightly similar style is dedoimedo.com

    • tomca32 11 days ago

      Nice recommendation, thanks. Also a great blog name. "Dedo i Medo" literally means "Grandpa and the Bear" in a bunch of Slavic languages.

    • thanatropism 11 days ago

      Duolingo, my friend. Takes 15 mins a day. Not a paid endorsement.

  • mikestew 11 days ago

    I found it quite entertaining, after figuring out that the author is Russian, when hearing it in my head with a Russian accent. I thought it well written regardless, with plenty of laughs to start my morning.

  • jimbobimbo 11 days ago

    I didn't know the author was Russian, but then I read "the stop light for a rabbit"... That totally gave it away. :-)

  • mojuba 11 days ago

    True, and the English one is not a literal translation. I wish though the English version had a greater quality.

    • justusthane 11 days ago

      As a native English speaker, I found this really well-written and entertaining. I even signed up for his email newsletter just because I liked the writing style so much.

  • blts 11 days ago

    +1

retSava 11 days ago

Wired vs wireless... With anything security-related, it should really be wired. At least cameras. It's very, very easy to just run a simple $2 sniffer (e.g. an esp8266) that sends de-auth packets and thus kicks devices off the wifi.

In our neighborhood, we've had quite a few thefts of ski boxes (the ones that go on top of the car) recently, and several say the security cameras seemed to be unconnected at the time, hinting at some use of a de-auther/jammer.
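From the defender's side, the symptom retSava describes (cameras dropping off the network during a theft) is exactly what a wireless IDS can flag: a burst of de-authentication or disassociation management frames, usually aimed at the broadcast address, arriving far faster than any access point would legitimately send them. The following is an added example, not code from the thread: it parses raw 802.11 management headers and counts deauth/disassoc frames per sender in a sliding window. The sample capture is constructed by hand (no radiotap header, fake MAC addresses), and the window and threshold are assumed values a deployment would tune.

```python
"""Detecting 802.11 de-auth floods from monitor-mode frames (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPE, DISASSOC_SUBTYPE, BEACON_SUBTYPE = 0x0C, 0x0A, 0x08
WINDOW_SECONDS = 2.0   # assumed tuning values
THRESHOLD = 5          # deauth/disassoc frames from one sender within the window


@dataclass
class Frame:
    ts: float
    subtype: int
    dst: str            # addr1
    src: str            # addr2
    bssid: str          # addr3
    reason: Optional[int]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(ts: float, raw: bytes) -> Optional[Frame]:
    """Parse the 24-byte 802.11 header; return None for anything but management frames."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3       # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0:
        return None
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(raw) >= 26:
        reason = int.from_bytes(raw[24:26], "little")  # reason code follows the header
    return Frame(ts, subtype, _mac(raw[4:10]), _mac(raw[10:16]), _mac(raw[16:22]), reason)


class DeauthDetector:
    """Sliding-window count of deauth/disassoc frames per source address."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = THRESHOLD):
        self.window, self.threshold = window, threshold
        self.recent: Dict[str, deque] = {}
        self.alerts: List[str] = []

    def feed(self, frame: Frame) -> bool:
        """Return True when this frame completes a burst worth alerting on."""
        if frame.subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            return False
        q = self.recent.setdefault(frame.src, deque())
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window:
            q.popleft()          # drop frames that fell out of the window
        if len(q) >= self.threshold:
            kind = "broadcast" if frame.dst == BROADCAST else "targeted"
            self.alerts.append(
                f"{frame.ts:.1f}s {kind} deauth flood from {frame.src} "
                f"({len(q)} frames in {self.window}s)")
            q.clear()            # one burst, one alert
            return True
        return False


def build_frame(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Construct a minimal raw management frame for the sample capture (fixture only)."""
    fc = bytes([(subtype << 4) & 0xF0, 0x00])          # type = management (0)
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return fc + b"\x00\x00" + macs + b"\x00\x00" + body  # duration, addrs, seq ctl, body


def run_sample_capture() -> List[str]:
    """Feed a constructed capture through the detector and return its alerts."""
    ap, client = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"   # constructed addresses
    leaving = (3).to_bytes(2, "little")                     # reason 3: station leaving
    capture = [(0.0, build_frame(BEACON_SUBTYPE, BROADCAST, ap, ap)),
               (0.1, build_frame(DEAUTH_SUBTYPE, client, ap, ap, leaving))]  # one legit deauth
    # A burst of broadcast deauths spoofing the AP, 100 ms apart: the jammer pattern.
    for i in range(6):
        capture.append((5.0 + i * 0.1, build_frame(DEAUTH_SUBTYPE, BROADCAST, ap, ap,
                                                   (7).to_bytes(2, "little"))))
    capture.append((10.0, bytes([0x08, 0x00]) + bytes(22)))  # a data frame: ignored
    det = DeauthDetector()
    for ts, raw in capture:
        frame = parse_mgmt_frame(ts, raw)
        if frame is not None:
            det.feed(frame)
    return det.alerts


if __name__ == "__main__":
    for line in run_sample_capture():
        print(line)
```

The single legitimate deauth at 0.1 s never trips the counter, the six frames at 5.0 to 5.5 s produce exactly one alert, and the broadcast destination is called out because it is the cheapest way to knock every client off at once. In practice this logic sits behind a monitor-mode capture on a dedicated radio; a wired camera, as the comment says, sidesteps the problem entirely.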

  • joekrill 11 days ago

    That's just not practical for most people. Wiring a house is difficult and/or expensive. It's also not necessarily an applicable argument for z-wave/zigbee (there may be similar attacks, though, I'm not sure).

    There's also "hybrid" options for use cases like the "unconnected camera": a wireless camera that has local storage, for example.

    • AnIdiotOnTheNet 11 days ago

      > That's just not practical for most people. Wiring a house is difficult and/or expensive.

      That's because we do it stupidly. Why are we running wires in walls where we can't ever get at them? Trim and quarter round could double as conduit.

ratling 11 days ago

This is the most accurate description of IoT I have ever read.

dirktheman 11 days ago

I run Domoticz. While development on, say, Home Assistant is a lot more active, Domoticz is far from dead! I chose it because it plays nice with the latest Xiaomi Aqara hub and sensors, as opposed to HA.

egypturnash 11 days ago

This article has a cynicism that feels born of a ton of experience. I’ve only gone as far as a couple different colored lights (Hue and LIFX). And I think I might be replacing most of them with dumb bulbs when I move to a new place in a couple months. They’re just not worth the hassle.

  • eldenbishop 11 days ago

    Yeah, I went all-in on smart bulbs (Philips) and they are just impractical. I do however recommend dimmable dumb bulbs along with smart switches like Lutron. They are easy to install, "just-work" and give you 90% of what you need.

    • T_ReV 10 days ago

      Why are the Philips smart bulbs impractical? I was thinking of buying a bunch of them for use with google home.

      • jpindar 10 days ago

        Good question. I've never had any problems with mine. The official Philips app has some limitations, such as insisting on using their cloud when you're not on your own LAN. But there are many alternative apps and it's easy enough to write your own. I like one called Hue Pro, which does let you connect from outside without using the cloud.

charlie0 11 days ago

What an entertaining read. I tried it and then gave up on home automation a long time ago. The reason why home automation can't be made 'smart' is because it lacks the ability to create precise situational awareness. I.e., so much of the 'automation' relies on human input. I started on a side project that would use cameras and facial recognition to provide 'eyes' to the home automation system. I planned to use Home Assistant, that way I can keep everything running without an internet connection, but the software was simply not ready. Lots of missing documentation and constant change deterred me. I'm hoping Home Assistant has gotten better over the years.

supergeek133 11 days ago

Oh my god, as someone who works in the consumer IoT space this is hilarious AND informative for people who don't know how MESSED UP this space is. OP expect a donation when I get home tonight.

jugg1es 11 days ago

Entertaining and informative article. Great State-Of-IoT in 2019.

Redoubts 11 days ago

I don't know why this article keeps saying HomeKit doesn't do bluetooth.

https://developer.apple.com/support/homekit-accessory-protoc...

> [HomeKit Accessory Protocol] supports two transports, IP and Bluetooth LE.

  • SwaraLink 11 days ago

    And this article doesn't even mention Bluetooth Mesh. Yes, it's still very new and yet to be deployed to the extent of Z-Wave and ZigBee, but with the ability to directly connect to smartphones Bluetooth Mesh could overtake those protocols in a few years.

m0zg 11 days ago

This is an amazing post. Every couple of years, I look at the massive clusterfuck that is the IoT ecosystem, and decide it's not worth the bother. This post nicely encapsulates why.

rayrrr 11 days ago

"fancy case to hide that you have no live" hahaha

nydel 11 days ago

i moved house recently. people keep buying me IoT housewarming gifts.

i'd rather receive a potato with a telnet chip jammed into it because at least i can turn it into gnocchi.

  • mbrameld 11 days ago

    What is a "telnet chip"? Quick google came up empty.

    • nydel 10 days ago

      not a technical term, had hoped that was clear.

      • mbrameld 6 days ago

        Words have meaning, though, don't they?

        • nydel 5 days ago

          yep. will try to write better jokes in the future.

oulipo 11 days ago

Really good, and if you want to add a 100% on-device and private-by-design Voice AI to your Smart Home, you can take a look at what we are building at https://snips.ai (disclaimer: I'm a co-founder)

It works for English, French, German, Japanese, Spanish, Italian, and there are more languages coming!

  • scoot 11 days ago

    @oulipo, that's literally all you ever post to HN. It's spam. Please stop. (And that's a disclosure BTW.)