Unless you want to live like a luddite, you can find ways to have the best of both worlds.
As a fairly seasoned IT veteran I think it boils down to the tradeoffs between security, privacy, and convenience–just like at work. I’m sure most of us have implemented things in less secure ways to accommodate a business need. When you do that at work, you just try to mitigate that risk as best you can by putting other measures or controls in place. I do that at home.
Everyone’s tradeoff decision will be different, but at some point, for me, the convenience of some IOT and smarthome devices outweighs the security and privacy concerns. Or at the very least I realized it’s a weird hill to die on as we use our Android phones, Google for searches, Gmail, Instagram, etc. I am sure some of you have completely divested yourself of all of those services and have GrapheneOS installed on your phone and use OpenStreetMaps to get yourself lost. Most of us still use a few of those.
That said, I think the nerdiest and most security privacy savvy among us in the IT field can implement it in a fairly secure way. pfSense, Ubnt, ofsense, OpenWrt routers with VLAN segregation for traffic. IDS/IPS, Pi-hole local DNS, etc. You can absolutely make it so devices only communicate in ways that you approve. With things like VPNs (Tailscale), Cloudflare tunnels, etc. you can access your stuff securely without exposing any admin things to the public web.
Digital locks are fine, just get one with a mechanical lock too. I have a digital lock on my front door that I can program with keycodes but it also has a key. I can give the cleaners a temp code if I need to. I can give my neighbors a code if they watch the house while I am away for a long time, then I can expire it when I return. The analogue alternative is arguably less secure.
That is basically my requirement for smarthome or connected devices. I need to be able to control it to a level that I feel comfortable and if it fails or isn’t connected it still needs to work. I.e., no smart light switches that don’t function if the wifi is down–they still need to be a switch. My Nest thermostat still works without wifi. My smart plugs still work without wifi. If any of those things was hacked or compromised, they are completely segregated from anything of actual value on my network–and depending on the device it wouldn’t be able to see anything else at all.
For major appliances, I don’t see the value of any ‘smart’ features built in (yet), so I won’t be buying them anytime soon but if I did they’d still have to meet the “still needs to work in ‘dumb’ mode” requirement–smart, connected features are extra not required to function.
Confirmed.
When you understand how things work, you say no.
And not in my car too. Less crap to malfunction.
No, smart everything, Google everywhere.
Yes to all of the above
You can’t just shoot a printer if it makes “unexpected noise”.
It’s a printer for crying out loud. That’s what it does.
I mean, my laser printer has pretty regular sound patterns and usually just does weird maintenance noises sometimes. But I remember the era when everyone had an inkjet, hoo boy, you tried to print a page and then there was a bunch of really incomprehensible noises and then you might get a printout, maybe.
Can indeed confirm. I’m the first (tech enthusiast), slowly becoming the second. My dad is the second. He upgraded from Windows 7 to Windows 10 a few months ago. Like he knows tech, he just cbf about it. I was the first but then realized that smart home stuff is not worth it for my use case.
I know some software engineers like that. Some of it is knowing that the companies that make iot devices don’t give a crap about security. Some of it is plain ol paranoia. Mechanical door locks can be picked; does that mean you invest in guard dogs? Crime is a thing but so is misanthropy. I think we should take reasonable precautions but believe that there are more good ppl than bad.
It’s not just poor security that’s easily hackable, it’s mainly the unreliability and frustration of having to continue to work when you get home to fix your damn light switch because it doesn’t work because it got out of sync when the microwave is turned on. No thanks.
Mechanical door locks can be picked, but it must be done at the lock in plain view rather than at a distance sitting in a car while you do the majority of the work and then casually walking up and opening the door. Locks are more of an inconvenience than a deterrent, so it should be made as inconvenient as possible. Connecting them to the internet is the exact opposite of that.
I think CGP Grey has a video about this concept. It’s not so much that a mechanical lock is better or more secure.
It’s more that it takes one person $x seconds to break into one lock. That’s very different than allowing a million people the opportunity to break your digital lock millions of times.
It’s a different threat model.
An average house lock is pretty easy to pick. An average picker of locks could get through in minutes. Someone who trained for years could get through in a few seconds if they’re lucky. Someone using a pick gun, willing to risk damaging the lock, can often get through in seconds. But, each individual lock is different, so you never know how long it will take to get through. Taking any more than 10 seconds to get through a door looks suspicious, so it’s very risky to try to pick a lock if you’re not willing to take a chance at looking suspicious, even if you’re a master lock picker.
With electronic locks, if there’s an exploit for that lock and the person going up to the lock has access to it, they could get through instantly and not look at all suspicious. If there’s no exploit, the person is out of luck. The person trying to break in also doesn’t have to have any expertise. They just need access to the exploits. Also, because people are constantly trying to find exploits, there’s almost guaranteed to be a time when your lock is vulnerable. Making it worse, with an electronic lock, someone can inspect the lock one time, and then just wait for a vulnerability for that particular lock to be available.
And my smart lock alerts me when someone unlocks it. Sure it could be hacked, but it is more likely that someone will just kick the door open.
Picking locks takes skill, kicking down a door is higher risk of alerting someone or getting caught. Those both deter a lot of would-be criminals.
Whereas a hack creates a situation where criminals are going to target those devices – it’s “low risk”. Any opportunistic asshole with 2 brain cells can download the hack and go around trying doors until it works.
But more realistically someone robbing your house is going to ring your doorbell to see if someone is home, then just walk around checking for unlocked windows.
True, but again it’s about making it as inconvenient as possible. Manually locking windows and making sure they are locked is effective. In some places they put security bars on the windows. Tall fences can also create obstacles as well.
You won’t stop everyone that wants to break in, but you can create enough trouble to keep out most people. Making it convenient for yourself by connecting everything to the internet just makes it convenient for everyone else too.
Tall fences are usually privacy fences and they can make it really easy for a thief to spend a ton of time unseen in your backyard.
Usually, but not always. I’m thinking more of the bar fence with spikes at the top.
Is the fence going to have a gate, and is that gate going to be locked? If so, you better put a fence around it to be safe.
locks keep people honest, and make thieves pick a house that’s less of a hassle.
You can’t ever stop someone who really wants to get into your home. The best you can do is make your home look too tedious to bother with.
Or make your neighbor’s home more attractive. Try keeping the neighbor’s house key, neatly labelled & with alarm code, under your own doormat. Just in case.
Yes, but you don’t do yourself any favours by leaving the front door open.
Bear theory.
My house doesn’t need to be impenetrable, it just needs to be more of a hassle to get into than yours.
Not even that. It just needs to look like more of a hassle.
They really just let anyone buy those signs that say you have security cameras or an angry dog.
Someone mentioned to me that those angry dog signs are a liability because if someone gets bit they can say you knew you had an angry dog, so it’s best just to have a sign that says dog and doesn’t mention its mood.
Might depend on your jurisdiction. But I wouldn’t be worried; they’d probably need to prove you had a duty of care to them which you acted outside of which resulted in injuries that could have been avoided by you acting with a reasonable level of care.
Also if you did have a duty of care to them and knowingly had a dangerous dog, not warning someone of known dangers (the dog) might constitute a break of your duty of care.
TL;DR: It depends. You get what you pay for; get your advice from actual local lawyers, not random people on the street or the internet (like me).
“Dog with sharp teeth”
In a meeting with a (business) customer regarding security precautions, my coworker had a great suggestion: we buy a mountain in ~~Switcherland~~ Switzerland, build a bunker there for the servers and hire a private army for protection. The customer liked the idea…
Bahnhof has a data centre in Stockholm like that - lots of ex-military bunkers around.
Is Switcherland on the Ethernet continent?
I knew it was a mistake not to check how it’s spelled.
Dats chrazy
Locks can be picked, but good locks require picking skills far beyond what the average break and entry will have. They can be drilled, but that’s loud and increases the odds of being caught.
A software vulnerability can be triggered silently and will look like you’re an expected guest.
They’ll likely just smash the window in the back yard though so it’s a moot point
actually good mechanical door locks can only be picked by a handful of people in the world with special tools most of whom are locksmiths
And those locks cost hundreds a piece. A “there is a security system here” sign would do more useful work. And a locksmith will tell you that picking is what you try AFTER you just try bypassing the lock entirely. Aka shim the door or break a window. Exactly what a burglar will do if they really wanted in. You do know that your garage door can be disabled with a coathanger threaded inside and grabbing the release hook, right? Or a jack wedged under with a crowbar, right? Or your decorative gnome in the front yard thrown through a window? Locks are a deterrent.
the word “picked” does a lot of heavy lifting here.
Most professional thieves won’t care about damaging your lock. It’s called “breaking” and entering for a reason.
And if your door is super reinforced better hope your wall is too
Yeah but how many people looking for a smash and grab are going to bring tools to cut through a wall instead of just going next door or through the window?
And a properly secured network can’t be compromised by some amateur thief sitting in their car. Point was that foolproof security is a fantasy.
Point is reducing attack surface by not having internet connected lock 🙄
A “hacker” breaking into your house is a fantasy. If someone wants in they are….breaking….into your house. I.e., breaking your door or window. Mechanical or not doesn’t make a difference. It’s all security theater. However you can know the status of internet connected locks at least.
I’m not just talking about locks. I’m talking about the concept of IoT itself.
I think the real point is that mechanical locks don’t track when you leave and enter your home like electronic ones do. Not whether they are better or worse than mechanical.
But if my printer ever laughs at my bad jokes I’m keeping my hammer ready, just in case.
I use Home Assistant, but none of my “smart-things” is cloud-based, so it all runs locally. Which also makes it much faster and reliable.
Yep, completely true for me at least. I have a colleague who has everything smart though, so it’s certainly not everyone, but I keep my house intentionally as dumb as possible. The only household thing I have that is “smart” is my robot vacuum, but we hardly ever use it anymore because doing it with a good old fashioned vacuum cleaner is so much quicker.
Edit: I do have a smart tv as well, actually, but with google assistant and the microphone disabled.
Confirming the opposite here. Network is properly separated and locked down. IoT devices do their thing while I enjoy all the benefits.
IoT devices are still tracking and reporting on you and your family.
True to some extent, but I think a lot of people give these firms too much credit.
Your microwave will not send your food heating data to NSA. At best the manufacturer uses it to see how people use their appliances.
Voice guided home assistants might send sound to servers for analysis, but even then it’s just the stuff you actively sent to be used as a query. When they’re listening for activation messages “passively”, this data does not get sent outside of the device. This conception really bothers me as it really propagates an illusion that we’ve already lost and have no control.
There’s no need to covertly spy when the biggest data is given voluntarily through the TikToks, Facebooks and Twitters of the world.
I agree with you, but I would add that they also might be doing their best to crosstrack what other products you use and how. Obviously, that’s one of the reasons why you have them quarantined in the first place. I just wanted to mention it in case a reader wants to set up a different network for each potential creepy device. I don’t.
Crosstracking is indeed a thing. Obviously it has its limits, since the other devices have to communicate back. It should be easy enough to see all devices that are on the same network though.
IoT is a popular attack vector. So proper precautions should be made. Perhaps only give them access to your guest wi-fi. Perhaps a separate network entirely.
It’s not that they’re actively spying, it’s just another way that an attacker could get in. You can have a highly secure network setup but if there’s a cheap IoT device with no security connected then suddenly that’s a backdoor in for a real attacker. Maybe that’s John Hackerman at the NSA, maybe it’s some script kiddie scanning for anyone running a device with a known exploit!
And that’s why IoT devices needing internet access don’t have access to other devices on the network and vice versa for devices with a local interface.
Well not if the network is properly separated, that way they can’t ever access the public internet, right?
Anything that needs to access the internet only has that access and to nothing else on the network. Anything that doesn’t need it only has access to the local devices it reports to.
Maybe I misunderstand but the benefit of the IOT things is to access this stuff remotely, from your phone, from anywhere.
I have some smart lighting which I control from my phone, set up timers, automation etc. It’s all local though, I have no need to access it remotely. You can set up a VPN to access your home network remotely if you want to be secure, but I’ve got no need so it’s not worth the effort. But yeah, smart/IoT doesn’t have to mean can talk to the public internet!
For me, they could be trying to report on it, but the firewall blocks them from the internet.
Why have smart home stuff if you can’t use it when you’re not home?
I can. I VPN into my home and then connect to the NAS. The cameras are only allowed to talk to the NAS and any attempt for them to talk directly outside is blocked.
Same. IOT vlan where they can’t talk to each other and can’t talk to the intranet unless the connection was established from the intranet
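The segmentation policy described in the comments above (cameras may reach only the NAS, IoT devices cannot open connections into the home network, the home network can reach them), written as an nftables forward chain. This is an added example, not something posted in the thread; the interface names, subnets, NAS address and port are constructed assumptions, and it assumes the IoT VLAN is IPv4-only.

```nftables
#!/usr/sbin/nft -f
# Added example with constructed values (not from the thread).
# Assumed layout: eth0 = WAN, vlan10 = trusted LAN (10.0.10.0/24),
# vlan30 = IoT (10.0.30.0/24), NAS at 10.0.10.5, cameras in 10.0.30.16/28.
# Covers routed traffic only; access to the router itself needs an input chain.

define WAN = "eth0"
define LAN = "vlan10"
define IOT = "vlan30"
define NAS = 10.0.10.5
define CAMERAS = 10.0.30.16/28

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed to start are permitted.
        # This is what lets the LAN talk to IoT without the reverse being true.
        ct state established,related accept
        ct state invalid drop

        # The address matches below are IPv4 only, so IPv6 from the IoT VLAN
        # is dropped here rather than slipping past them.
        iifname $IOT meta nfproto ipv6 drop

        # Trusted LAN may initiate to the internet and to IoT devices.
        iifname $LAN oifname { $WAN, $IOT } accept

        # Cameras may reach only the NAS (port 443 is an assumed upload port).
        # Anything else from a camera, including the internet, is logged and dropped.
        iifname $IOT ip saddr $CAMERAS ip daddr $NAS tcp dport 443 accept
        iifname $IOT ip saddr $CAMERAS log prefix "cam-blocked " drop

        # Remaining IoT devices that need their cloud get internet access only.
        iifname $IOT oifname $WAN accept

        # Everything else from IoT, including IoT -> LAN, is logged and dropped.
        iifname $IOT log prefix "iot-blocked " drop
    }
}

# Not enforceable here: traffic between two devices on the same VLAN is
# switched, never routed, so "IoT devices can't talk to each other" needs
# client isolation on the access point or port isolation on the switch.
```

`nft -c -f <file>` parses the ruleset without loading it; the `log prefix` strings make blocked attempts easy to find in the kernel log.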
Maybe. I’m in cyber security, people tell me I’m pretty decent at it. I have smart everything in my house, but I also use OPNsense in my hardware router, have a span port to Security Onion and laugh at the logs, repurpose old desktops as servers for media or whatever, keep most things local except for a few backups, and have battery/UPS backups for my intranet and critical systems.
My wife and I don’t use smartphones but use Alexa devices. I’m not sure at what point convenience wins over the privacy I would want. Wish I had more time to work out better solutions. Sorta funny that in general younger folk tend to accept more than older given that older folk have less to lose. I mean the closer death is the less you need to worry much about what they are going to get off you.
I’m one bad day away from going Amish.
Please don’t start a puppy mill and hitting your partner and shaming your kids. Staying away from too much tech is ok though. Not sure about having a horse, too much work and it is probably as expensive as buying ink for a printer. ;)
I can confirm. I don’t want technology in my house I don’t have full control over. All these “smart devices” that run through smartphone apps in the cloud can fuck themselves. The amount of access most people give these corporations into their lives is insane to me.
I really like the data - to see how weather and my activity influences temperature, air quality, network… I can absolutely see, just in the temperature data, when I get out of bed; air quality shows when I cook, exercise, open windows. Nobody who’s not me needs that data, so all the sensors plug into an RPi or, at most, connect through zigbee/bluetooth. I can’t even imagine what They can infer from Smart TV or wifi refrigerator, and cameras can fuck right off.
But I can see where, if you like the data but can’t figure out how to manage it yourself, cloud devices could seem pretty attractive. Techno-magic and fun to be part of, and there’s so many people saying that privacy just doesn’t exist anymore. Probably people with an IoT security camera in their bedroom.
Agree. That’s why I use ZigBee devices, they have their own offline network.
Software like Home Assistant is the only acceptable smart home solution.
Your network is only as secure as its weakest link; IoT devices are a liability unless they are on their own isolated network, and who has the time to set that shit up to open their blinds from a phone?