Go in any big box store and you’ll find dozens of smart home appliances. Light bulbs, security cameras, smart outlets, smart switches, LED strip lights, etc. There is no end to it.
So you buy something. Then you have to download the app and create an account, and then you wow your friends by demonstrating how smart your home is becoming. Then you buy another device, which means you need another app and another login account. Then you do it again and again and again.
Pretty soon your phone is full of apps and you can’t remember the passwords to all the new accounts you have.
Is it really convenient? There are ways to get all those devices under one roof, so to speak, with home automation software, but this blog isn’t about that. It’s about your security.
All those devices are connected to the INTERNET, aka “The Cloud”. You don’t know who wrote the app. You don’t know if the app has gaping security holes or intentional malware. On top of that, you grant network access to the device, and when you fill in the app you hand your network credentials to the app as well. Do you use your wifi password with any other account anywhere? Does the app writer transmit your credentials back to their server?
In 2016 there was an attack on Internet of Things (IoT) cameras and routers called the Mirai botnet. The attacker focused a Distributed Denial of Service (DDoS) attack using HUNDREDS OF THOUSANDS OF DEVICES. That kind of implies that in 2016 there sure were a lot of infected Internet of Things devices. Wonder what that statistic looks like in late 2021. Better? Worse? My educated guess = WORSE.
How can you make it better and more secure?
Get Off The Cloud.
In most cases this requires some tech smarts, though you can also buy pre-flashed devices that are controlled with Open Source firmware. The advantage of Open Source firmware is that the code is posted and MAINTAINED. You can look at the code and see if it is doing anything malicious. If it is, or if security exploits are found, they are quickly patched by the community that maintains it.
But one thing is for sure. You want local control of these devices. NO CLOUD. NO INTERNET. If they aren’t talking to the outside world, they are inherently more secure. Locally controlled devices typically publish a web server on your network that you can access and that has the controls.
This is a ceiling fan controller configured with Tasmota.
The device is a Sonoff iFan04 which comes out of the box with an app called Ewelink WHICH I DO NOT TRUST.
It might be fine. But I don’t trust it and of course, it is CLOUD CONTROLLED.
That same fan, flashed with Tasmota, can be controlled from your browser, and if you set it up it can be controlled by Alexa or Google hubs (which I also don’t trust) or by home automation software. Alexa is hooked to the cloud, but you can use it locally with Home Assistant.
Here’s what the same fan looks like under automation.
Sonoff iFan under Home Assistant
So now our smart fan has flipped from Cloud based control to complete local control. Not only that, it runs Open Source code which, while it may not be 10000000% secure, I’ll guarantee is a lot more secure than the apps that get dumped on your phone for Chinese hardware.
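As a check a practitioner would want at this point, here is an added example (my code, not the post’s, Tasmota’s or Home Assistant’s) that reads a Tasmota `Status 0` JSON reply, the kind you can fetch from the device’s local web server, and flags any DNS or MQTT upstream that points outside the LAN. The sample reply is constructed, and the JSON key names are my understanding of Tasmota’s status format; verify them against your own device.

```python
import ipaddress
import json

# Constructed sample of a Tasmota "Status 0" reply, trimmed to the keys this
# check reads (real replies carry many more sections). Key names are an
# assumption about Tasmota's status format; confirm against your device.
SAMPLE_STATUS = json.dumps({
    "StatusNET": {
        "Hostname": "ifan04-living",
        "IPAddress": "192.168.1.57",
        "Gateway": "192.168.1.1",
        "DNSServer1": "8.8.8.8",
    },
    "StatusMQT": {"MqttHost": "192.168.1.10", "MqttPort": 1883},
})


def is_local_host(host: str) -> bool:
    """True if host is a private/link-local IP, empty, or a LAN-style name."""
    if not host:
        return True  # nothing configured, so nothing to talk to
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_link_local or ip.is_loopback
    except ValueError:
        # A bare name (no dots) or a .local/.lan suffix stays inside the LAN;
        # anything else looks like a public hostname.
        return "." not in host or host.endswith((".local", ".lan"))


def cloud_exposure(status_json: str) -> list[str]:
    """Return one finding per configured upstream that is not on the LAN."""
    status = json.loads(status_json)
    findings = []
    net = status.get("StatusNET", {})
    # Older firmware used a single "DNSServer" key; newer builds number them.
    for key in ("DNSServer", "DNSServer1", "DNSServer2"):
        if key in net and not is_local_host(net[key]):
            findings.append(f"{key} points off-LAN: {net[key]}")
    host = status.get("StatusMQT", {}).get("MqttHost", "")
    if not is_local_host(host):
        findings.append(f"MqttHost points off-LAN: {host}")
    return findings


if __name__ == "__main__":
    for line in cloud_exposure(SAMPLE_STATUS) or ["device talks only to the LAN"]:
        print(line)
```

In the constructed sample the MQTT broker is a LAN address but DNS is pointed at a public resolver, so the check reports that one item; pointing DNS at your own router or Home Assistant host clears it.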
Or you can buy devices pre-flashed with Open Source firmware. Maybe the worst offenders for security are light bulbs. Who doesn’t want a light bulb with a million colors and intensities? The Kauf A21 is one such bulb, pre-flashed with ESPHome, which is easily flashed to other Open Source firmwares. So you buy one of these bulbs and you can ensure that it won’t connect to the cloud.
This is the Kauf A21 and I kind of feel like it is revolutionary. Oh you could hack smart light bulbs before but it usually involves getting inside the glued enclosure without messing anything up.
Even then you might have to remove the board and solder on programming cables to flash the firmware.
Guys like me love that shit, but you might not have the tools or the tech foo needed to pull this off.
This lamp has your best interests in mind, and it is much more home automation friendly.
I could go on and on with devices that can be flashed to Tasmota or other firmwares, but the point is this: the crap you buy at the big box stores is likely not conducive to your network security or personal privacy. Yeah, it’s fun, yeah the app is cool, but right after that you have no idea what is going on. Also, if your light bulb company goes out of business, how are you going to use that expensive device once their cloud service goes down?
Answer: You’re not going to use it.
Trust me on this one. Don’t bring unsafe Cloud IoT devices into your home.