Soon: It was a mistake to teach a light bulb to DDoS a hospital.

In a previous life I did Crestron programing and the amount of wiring in the walls brings back memories. Their web interface used to be an IE plugin (1) which was...a choice. The development environment was interesting. It was a windows executable that launched Cygwin(2) to do the cross compile in GCC(3) so you could send the code to a CNMSX(4) over a serial cable. Good times. 1) Their touch panels ran WinCE. Hours of battery life. Hours I say. 2) Or similar 3) Which was an ancient version 4) The brains of the system

I work in government IT and I mostly deal with Windows PCs on the General VLAN. It's always amusing to see "garage openers" appear on the monthly Nessus scans. The "garage openers" are the security gates that can block vehicle traffic from entering or leaving the garage buildings. You would think security would have all their devices on a separate physical network.

This sounds like "parental controls" for iot. I like it. I trust teens on the internet, about as much as I trust a lightbulb.

I love this series. Such a necessity, for now and especially for the future. Hopefully you keep going, and others too.

YOU never told, what spaghetti length you used.

Philips Hue is great, the system seems to work exactly at intended for my parents. Only 4 of the 60+ bulbs have ever become disconnected from the hub, and that only happened after a power cut (and they've had several other power cuts and it has never happened again. The hub also doesn't need any internet access, so if you want to just block it you can. And it all works by ZigBee so it's not the insecure mess that are WiFi bulbs. Oh and it has really good support with Home Assistant and other similar projects.

Next Episode: How to make your own secure processor from scratch for security cameras

Find ESP based devices that can be reflashed with Tasmota - connect to a local MQTT on Home Assistant, and the IoT things never talk to the cloud ever again. Also works when the internet is down.

I have been screaming out about IoT device security for years... however... KZfaqrs push VPN's offering a level of security for their computers and devices... the big problem is educating why these problems exist and why people use them incorrectly... adding another layer is great for us that know how it works... but ultimately these IoT designers need to go back to geek school!! - We are already too deep into this... likely the reason I stay old skewl - damn, I don't even have RGB in my computers! :) ...keep up the great content m8!

You can totally use daisy chained Dallas one-wire protocol to control about 300 x DS2408 8-channel switch boards using 1 data+power wire and ground.

WENDELL THE WHITE BOARD SCENE IS SO SMART!! such a great way to visualize what we know so obviously in our head.

Can’t wait for more episodes of this IoT series! Love it !

I’ve been looking forward to this part 2 Thanks for everything you are doing, L1T!

A great big thumbs up! I 've been asking myself these same questions for a while now and I've yet to find a good answer. These gadgets are so easy to set up but a hell to secure without affecting their functions - they simply were not made to be secure.

Yesss finally part 2!

I like having my "smart" devices dumb. I don't need any cloud-connected devices, I want everything on a separate wired network, inaccessible without plugging a cable into a port or modifying a vlan on a port / in a trunk on a switch or changing a firewall rule (one out of the 3). I used an arduino uno at my workplace to detect movement when inside the premise and open the door (because people are too lazy to push a button and they were getting head-on inside the door). Having that sensor there helps people be lazy and not lose momentum when walking. Best part of it? Doesn't even require a network connection, not to mention internet connection. It's just an arduino with an ultrasonic sensor and a 3v (mechanical) relay (solid state ones are better, but more expensive). And no, you can't open the door from outside, tested it thoroughly with my colleagues. The bad part is that you need to connect a USB if you ever want to change the code or add features (which is basically never at that location). I am thinking of using some old *Pis and wiring some lights in the house and have some cron jobs to turn the lights on in the morning when my clock rings (maybe even make the lights flash, so they are more annoying - for flashing lights, I highly recommend solid state relays). Cameras don't need any introduction, you can do IP cameras and have a samba / nfs server for storage, or buy a DVR with coaxial cameras if you want a more professional setup. Make a VPN and connect to your home network to monitor them, don't use the manufacturers cloud platforms. Lock systems are a little scary, especially if you want to unlock without a key, so I highly recommend old locks. But considering people have garage doors that open with a pretty insecure key, well, you could make a locking system using Pis and relays (again) with electromagnetic locks and either use a VPN to remote home and unlock a specific door, or have a hidden wifi network that you connect to in close proximity to unlock the door. Again, I recommend neither, because the risk of getting cracked into is quite high (and it's pretty easy to scan for hidden wifi networks). Bonus points if you use Mycroft or similar software for voice commands, but your setup gets more complex and you need microphones and speakers. Funny stuff, while a part of me is somewhat excited about making a secure home automation intranet (again, with no access from outside or even from my normal LAN), another part of me is really autistic when it comes to security and I think I shouldn't trust computers and try to do as primitive a setup as possible (up to and including having a rooster wake me up in the morning, instead of an alarm clock - and I can't snooze the rooster).

Have a look at KNX. It's an open-source protocol used for building and home automation that is around for 30 years. I installed it in my home and it works great. Since it's only a protocol it can be implemented either wired, wireless and over IP (again wired or wireless) and there are mutliple companies around the world that produce devices that operate on the protocol and deliver everything from turning on loads (lights, outlets etc.), thermostats, switches, various sensors to interfaces to other protocols (Zigbee, RS485, propietary HVAC device etc.). There are two downsides to it, in my opinnion: 1. rather slow (9600 baud), which is not bad, considering you do not have a lot of traffic flowing (how often do you turn on/off the lighting or how much does your temperature fluctuate, etc.) This short comming can be resolved by optimizing the topology, but it is still slow, in 2020. 2. The software used for commissioning the system (ETS) is only available in Windows and the license is rather expensive (it's meant to be used by certified technicians, even though its not rocket science) and there are no open-source alternatives available, yet. I got certified in KNX after programming the devices in my home as I really think it is a great backbone for a modern home. I use Home Assistant on top of KNX and I can use it to bridge other systems. For example make my robovac to come and clean the kitched by pressing a light switch. If your interested in this I would gladly help you out with getting started.

Great video Wendell, keep this series coming

If you're doing something in the middle you could consider using srt (secure reliable tranaport) on the outbound side of the video instead of rtmp. Resilient to packet loss and encrypted

One thing I think we need is cheaper and smaller switches with fast uplinks. Running tons of wires to one spot where you need a lot of ethernet devices is pretty gross and it'd be nice if we can have switches that just act as traffic aggregators to push all that traffic over a single higher speed link.

Yay! Part 2 is here! I'll see what I can contribute as I too would like to get this going somehow, especially with the Open Source crowd. I believe wireless is the best way to go. You can secure it and deploy devices almost anywhere. Low cost used wireless devices can be had for really cheap on sites like Kijiji. I'm definitely in on this project.

"Look at this guy, he measures all his spaghetti." Hahaha, I lost it.

sweet, I was looking for pretty much exactly this!!

Really enjoying this kinda content, I would love to see more on layer 7 analysis and your ways on how you would go about implementing it into securing a network. OpenAppID on pfsense maybe?

Easiest way is pfsense for VLANs and a managed switch. Run security VLAN for cams not connecting and add iot VLAN for WAN only. 5 mins and done.

Going all-out on filtering system for out-of-the-box gear might be very useful. I've been playing around a bit with replacing firmware on devices but it is a lot of work finding the right gear and you end up having to dig into enclosures to attach to programming ports, etc.

I'll be following this for sure.

For me since I'm not going to open my walls and run separate wires to every device I want to control I have chosen the wifi route. I do have a separate ssid that is on its own vlan that does not have direct access to the outside world. I dual home a Home assistant instance so it can have local control for the devices. So I'm kind of using HA as my WAF, but I also tend to stay away from proprietary devices and protocols. So I flash tasmota and esphome for most of my ESP devices.

I've built a home auto system back a few years as a project to learn IoT, it wasn't great and probably is insecure. But man it was fun, have the door bell turn on a light, the RFID turn off the TV, any switch can be redirected to any light/lights, or any thing controlled by any IR remote that you setup. Just designed and printed new outlet boxes that house a 120v ac to 5vdc board, a raspberry pi 0 w, outlet covers that hold arcade buttons, docker and a bash script that if the pi can't get internet become a hotspot (gotta love nmcli) and host a setup page to give it the Wifi, central host, and the host's public key.

Love this kind of stuff.

This is fantastic.

I used to install Smart Homes. Lutron is top tier for lighting. They do sell a product for homeowners/enthusiasts. I just use a Hue setup.

You should check out KNX it’s a fully hardwired system with a bus line to connect devices like Motion sensors and keypads. It links directly to Home assistant. I’m building a house and I was looking for a hard wired system like control4 without the price and I happen to find. it’s mostly used in Europe but you can get it here too

As a guy who has done network runs in my earlier IT years, I do feel the need to have spaghetti that is the same length before I put it into the pot. I never thought about it until now :(

I watched the whole video because it is very exciting. I also could listen to Wendell talking about tech for hours so thank you ! However, I will never go for IoT in my own home. Won’t need it, I can check things and put the blinds up by myself just fine thanks!

CAN and RS485 can be a good option, SPI although technically feasible is not foreseen for out of system communications, CAN and RS485 are a better match. Also running parallel CAT 6 cables all around ur house seems unnecessary. A Serial/ Star based architecture is a better solution for IOTs.

The giant bundle of wire can still be hacked to give you direct access to device protocols, it's just harder. Devices themselves should have either a jumper/tag you remove to put them into post-configure mode, or a way to remotely attest configuration data and OS integrity.

I’d love to see someone make a voice assistant that is offline. Really I only use my echo dots to turn lights on/off and occasionally ask for the weather.

My system is build on a rock64 sbc. It runs fhem for automation. some of sensors and devices I build with the mysensor library for arduinos

that dual cam got me lol

Home Assistant and shelly devices riding on unifi infrastructure. I did start with cheap poe ip cameras on an vlan but may switch to unifi cameras.

My ip cameras have their own managed poe switch that only connects to the Blueiris server. No outside access to the cameras but can still view the feeds through blueiris.

I think the idea of an application firewall is a excellent solution for things like smart tvs were being on the internet is key to their functionality. That said, I'm not sure it makes much sense for things like carera's and smart devices. I agree I don't want those things on the internet so I run a VLan for my cameras and a separate VLan for my IOT devices like dimmers and motion sensors and the like. I then run local servers (Home Assistant and ZoneMinder) that are on the private VLans and but also have internet access if needed. What do you see as the use case for letting Cameras and IOT devices have even limited access to the public internet?

I need a mips madness video definitely.

Why not setup all your IoT cameras on a different subnet within your home and isolate them with a sort of "reverse" DMZ? You could use one of the machines in your home as a terminal server so there's no outbound traffic hitting the internet but you could still access footage through the web GUI? This wouldn't solve your problem with devices like Nest and Ring, but it could be a jumping off point for something more substantial down the road.

What I got from this video. We really really really need a reserved IoT internet layer protocol

What about seperate VLAN for all devices like IoT ? Isn't it the best way (most efficient) to protect your home network ?

great video

KNX and DALI do exist though :D which are open standards so you arent stranded with a single company though its more common here in europe :D and for those networks you can basically have any topology without switches :D

I have recently spent some time converting some of my iot stuff to work with HomeKit. I want something more like you want, but I don’t really have the time to do it correctly.

very interesting video but you mentioned Arista switch and docker which Arista switch ? and go also very interesting i wish you had a video in more depth ? in your research setup capturing this data thanks so much for your broadcasts

I wish more than anything that I had the time to dedicate to this type of stuff.

It's be great to have an open source proxy that can do this, with plugins for new hardware as it becomes available. A nice web GUI to inspect traffic and whitelist things, Runnable in a rocket on a switch or pfsense router or something. Perhaps to make it even simpler, a device like a switch running this software that will automatically recognise and segregate new devices on a vlan to pump through the proxy.

Crazy idea here, since rewiring is an issue is there a way around that? The right approach for IoT is not only open source, but also cheap. So with that in mind, how about implementing a custom data over the power line protocol? It should be quite effective for low bandwidth devices, and as for cameras ethernet there is fine. EDIT: There are pretty cheap IC's that do just that Power Line Communications Modem is one key word to start agooglin'

Don't forget about your Enmodus SSD's guys, deal is today (even for those who didn't pledge)

Steel reinforced slots, well that's just more bling, you know it's plastic where it counts.

For your CAN like network, what about MQTT? Pub-Sub protocol that allows all devices to communicate with each other.

Personally I'm using VLANs to try and keep the IoT stuff separate but it's not really a good solution. I can recommend Maltrail as a potentially useful tool for picking up bad traffic. It's designed for detecting malware attempting to reach out but could be helpful for figuring out if your IoT devices are being used for nefarious purposes.

some wifi lights and switches can work with without internet,put in a vlan,block internet,use home assistant

Will DMX based of rs485 will work for this kind of mesh network?

BACnet MSTP is a master slave Tolkien passing protocol that uses Rs485. Its a protocol that’s been used in industry for many years.... rs485 is very touchy on how it is wired and the converters to ip based communication is expensive

If the IoT connect to the internet but have security loopholes, is it better to keep it on a guest network so it is separated from your home network?

Thanks for the content, I would definitely be interested in contributing some code if you get something going. I don't have the time/money to head up anything but there is a big need for some open source solution. It scares me to think that we may have 100s of these devices in our homes in the future, all waiting for just the right time to launch a denial of service attack.

can you elaborate on why golang is well suited for a wrapper?

2+ years later and guess what, I'm _making_ time for it.

Hikvision, partially state owned.... Umm...

ok you did address most of my concerns in this vid lol, I love how you design your scripts wendell it's really well thought out and super honorable. we need better arguments that speak to the "common man" in terms of explaining the security exploitability of commodity IOT. IOT should be an electricians niche NOT an amazon business model. if we give the power of home wiring to multnational tax evading corporations then we may as well be giving up our houses to the government as they're the ones who control it.

real interesting stuff I'd love to get into but I'm a little too busy to

Surely you just throw control signals down the internal power wires. Most of the signals are going to be off and on, or colour and dimmer signals. The only thing you need high bandwidth for is media and security data.

Esp32 has built in ethernet, perhaps a way to go for your sensors? Flash it with esphome or espeasy and you are good to go. Otherwise some kind of industrial bus, modbus, rs485 or knx would be an alternative.

What about KNX as a communication protocol? It's the standard for big commercial applications and has a lot of devices with support for it

Love this commentary, total tech geekdom, i get it, but most wont AND most dont care.

Hi could you make a tuto for noob's on encryption and certificate. ty

I have over 50 esp based light bulbs for my new house ready to install.. As well as power controls and other relays and sensors. They cost £2-10 each and all work with tuya. Needless to say I'm also scratching my head at the moment on how to safely implement there setup without endangering the world by putting them on the internet. I have carefully picked every light and most of the other devices ensure its esp based so they can be reflashed with another firmware as honestly much though I like tuya, can it really be trusted?!!

Jonathan Oxer (Freetronics) has a KZfaq channel called Superhouse. If you haven't checked that out already, do so. Very interesting ;)

I want a solution that doesn't involve me running cable to a bunch of cameras (because re-doing drywall is my least favorite thing), and stores all data locally for the video (central server on the network, not locally on the camera itself). Anyone know of such a thing?

She is diggin that nahemic audio

I stopped measuring my spaghetti a long time ago. Instead I built a jig with a stop on one end, and on the other end is a diamond encrusted circular blade spinning at 20k RPM's. Like a chop saw, except the blade is running on air bearings. Oh and the entire apparatus is inside a climate controlled box as humidity and temperature caused significant deviations.

Why not use vlans and on your smart switch with firewall rules based off the vlans.

why not slap the cameras on a separate vlan and subnet and then zero out the gateway?

What happened to X10?

Check out Home Assistant if you haven’t already!

Aren’t more and more devices encrypting their traffic? Wouldn’t you have to have something that let you use a cert from your WAF so it could even see the traffic?

Challenging way to approach the problem. For awhile I've been looking at building a plug in for Home Assistant that uses a recently developed globally supported onion routing network offering private access that supports UDP as well as TCP.

My wife put a few of those google spy devices in our house but the smart lightbulbs are in the garage in a box.

Oh yeah we used clipsail networks for lighting at work. That was all essentially a can bus

BACnet/SC?

What bugs me most isn't the ESP8266's and things like that, but the horribly insecure cameras such as baby monitors which use UPNP to punch a hole through your router's NAT. Sure... for anyone smart enough that's not an issue, but for the average consumer I find this really scary. The main problem remains that security and convenience will always fight each other, and most people prefer convenience.

pbffft "same length." successively longer prime-number-of-millimetres lengths also, nice kitchen, wendel.

Feeding the algorithm via likes/sub/bell/etc, keep it up 😁. PSA: make a hotkey to help for free👌

You are correct. The vast majority of people just plug these devices in all over the place and love the novelty of it, but don't get how out of control it could be. It's like the scene in Wall-E where the ship commits mutiny. No one gets that this is a potential problem. I get told to take off my tin foil hat when I tell them their phones are always listening to them, and then when I ask them how the phone knows when you say "OK Google" or "Hey Siri" or whatever, they act like it's magic. #wiretapinmypocket

So what's wrong with zigbee?

4:02 947 PPM CO2 is NOT what I would consider to be in the "good" range. That's definitely in the "acceptable, but you might consider more ventilation" category in my book. It's not at dangerous levels by any means, but it isn't great. Personally, I start to notice cognitive effects as low as 850 PPM, and I _definitely_ feel "off my game" if it's over 1000 PPM and I certainly don't sleep well when it's that high.

My issue with these type of devices is why do people keep placing things they have no clue about in locations they wouldn't want it causing harm. They really see "shinny new thing...let me play with it" and don't think of the issues that could arise due to that introduction to their network.

Please, for the love of everything holy, Level099Techs for idiots like me who love this, but don't have the knowledge base! Drunk Ryan can host and insult us..

I know its not the only problem, but just a thought.. Powerline lightbulbs.

could you lead me to a path to grow expertise so I would actually have stuff to add if I tried helping your team.

Ps - CANBUS is a pretty intriguing template...

A project you will probably find interesting for accessing machines you don't want on the internet at all, but still want VNC access or whatever. It will be a full product soon even: github.com/pikvm/pikvm