Smart Home

How I upgraded my water heater and discovered how bad smart home security can be

esp32, Features, GitHub, home assistant, home automation, iot, journalism, rinnai, Smart Home, tankless water heater, Tech, Zigbee / Mike M. / May 17, 2024

The bottom half of a tankless water heater, with lots of pipes connected, in a tight space — Enlarge / This is essentially the kind of water heater the author has hooked up, minus the Wi-Fi module that led him down a rabbit hole. Also, not 140-degrees F—yikes.

Getty Images

The hot water took too long to come out of the tap. That is what I was trying to solve. I did not intend to discover that, for a while there, water heaters like mine may have been open to anybody. That, with some API tinkering and an email address, a bad actor could possibly set its temperature or make it run constantly. That’s just how it happened.

Let’s take a step back. My wife and I moved into a new home last year. It had a Rinnai tankless water heater tucked into a utility closet in the garage. The builder and home inspector didn’t say much about it, just to run a yearly cleaning cycle on it.

Because it doesn’t keep a big tank of water heated and ready to be delivered to any house tap, tankless water heaters save energy—up to 34 percent, according to the Department of Energy. But they’re also, by default, slower. Opening a tap triggers the exchanger, heats up the water (with natural gas, in my case), and the device has to push it through the line to where it’s needed.

That led to me routinely holding my hand under cold water in the sink or shower, waiting longer than felt right for reasonably warm water to appear. I understood the water-for-energy trade-off I was making. But the setup wasted time, in addition to potable water, however plentiful and relatively cheap it was. It just irked me.

Little did I know the solution was just around the corner.

Hot water hotspot

Attention!

Kevin Purdy
Nothing’ll happen. Just touch it. It’s what you wanna do. It’s there for you to touch.

Kevin Purdy
The Rinnai Central app. It does this “Control failed” bit quite often.

Rinnai

I mean that literally. When I went into the utility closet to shut off the hose bibbs for winter, I noticed a plastic bag magnetically stuck to the back side of the water heater. “Attention! The Control-R Wi-Fi Module must be installed for recirculation to operate,” read the intense yellow warning label. The water heater would not “recirculate” without it, it noted.

Enlarge / The Rinnai Control-R module, out of bag.

Rinnai

Recirculation means that the heater would start pulling water and heating it on demand, rather than waiting for enough negative pressure from the pipes. To trigger this, Rinnai offered smartphone apps that could connect through its servers to the module.

I found the manual, unplugged the water heater, and opened it up. The tone of the language inside (“DO NOT TOUCH,” unless you are “a properly trained technician”) did not match that of the can-do manual (“get the most from your new module”). But, having read the manual and slotted little beige nubs before, I felt trained and technical. I installed the device, went through the typical “Connect your phone to this weirdly named hotspot” process, and—it worked.

I now had an app that could start recirculation. I could get my shower hot while still in bed, or get started on the dinner dishes from the couch. And yet pulling out my phone whenever I wanted hot water felt like trading one inconvenience for another.

How I upgraded my water heater and discovered how bad smart home security can be Read More »

UK outlaws awful default passwords on connected devices

Biz & IT, connected devices, DDoS, iot, iot passwords, passwords, Policy, Security, Smart Home, Tech / Blake Jones / April 30, 2024

Tacking an S onto IoT —

The law aims to prevent global-scale botnet attacks.

Kevin Purdy – Apr 29, 2024 7: 45 pm UTC

If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all.

A new version of the 2022 Product Security and Telecommunications Infrastructure Act (PTSI) is now in effect, covering just about everything that a consumer can buy that connects to the web. Under the guidelines, even the tiniest Wi-Fi board must either have a randomized password or else generate a password upon initialization (through a smartphone app or other means). This password can’t be incremental (“password1,” “password54”), and it can’t be “related in an obvious way to public information,” such as MAC addresses or Wi-Fi network names. A device should be sufficiently strong against brute-force access attacks, including credential stuffing, and should have a “simple mechanism” for changing the password.

There’s more, and it’s just as head-noddingly obvious. Software components, where reasonable, “should be securely updateable,” should actually check for updates, and should update either automatically or in a way “simple for the user to apply.” Perhaps most importantly, device owners can report security issues and expect to hear back about how that report is being handled.

Violations of the new device laws can result in fines up to 10 million pounds (roughly $12.5 million) or 4 percent of related worldwide revenue, whichever is higher.

Besides giving consumers better devices, these regulations are aimed squarely at malware like Mirai, which can conscript devices like routers, cable modems, and DVRs into armies capable of performing distributed denial-of-service attacks (DDoS) on various targets.

As noted by The Record, the European Union’s Cyber Resilience Act has been shaped but not yet passed and enforced, and even if it does pass, would not take effect until 2027. In the US, there is the Cyber Trust Mark, which would at least give customers the choice of buying decently secured or genially abandoned devices. But the particulars of that label are under debate and seemingly a ways from implementation. At the federal level, a 2020 bill tasked the National Institutes of Standard and Technology with applying related standards to connected devices deployed by the feds.

UK outlaws awful default passwords on connected devices Read More »

Home Assistant has a new foundation and a goal to become a consumer brand

home assistant, home automation, local voice assistant, NVIDIA, nvidia jetson, Open Source, paulus Schoutsen, Smart Home, Tech, voice assistants, z-wave, Zigbee / Mike M. / April 23, 2024

An Open Home stuffed full of code —

Can a non-profit foundation get Home Assistant to the point of Home Depot boxes?

Kevin Purdy – Apr 22, 2024 5: 34 pm UTC

Open Home Foundation

Home Assistant, until recently, has been a wide-ranging and hard-to-define project.

The open smart home platform is an open source OS you can run anywhere that aims to connect all your devices together. But it’s also bespoke Raspberry Pi hardware, in Yellow and Green. It’s entirely free, but it also receives funding through a private cloud services company, Nabu Casa. It contains tiny board project ESPHome and other inter-connected bits. It has wide-ranging voice assistant ambitions, but it doesn’t want to be Alexa or Google Assistant. Home Assistant is a lot.

After an announcement this weekend, however, Home Assistant’s shape is a bit easier to draw out. All of the project’s ambitions now fall under the Open Home Foundation, a non-profit organization that now contains Home Assistant and more than 240 related bits. Its mission statement is refreshing, and refreshingly honest about the state of modern open source projects.

The three pillars of the Open Home Foundation.

Open Home Foundation

“We’ve done this to create a bulwark against surveillance capitalism, the risk of buyout, and open-source projects becoming abandonware,” the Open Home Foundation states in a press release. “To an extent, this protection extends even against our future selves—so that smart home users can continue to benefit for years, if not decades. No matter what comes.” Along with keeping Home Assistant funded and secure from buy-outs or mission creep, the foundation intends to help fund and collaborate with external projects crucial to Home Assistant, like Z-Wave JS and Zigbee2MQTT.

My favorite video.

Home Assistant’s ambitions don’t stop with money and board seats, though. They aim to “be an active political advocate” in the smart home field, toward three primary principles:

Data privacy, which means devices with local-only options, and cloud services with explicit permissions
Choice in using devices with one another through open standards and local APIs
Sustainability by repurposing old devices and appliances beyond company-defined lifetimes

Notably, individuals cannot contribute modest-size donations to the Open Home Foundation. Instead, the foundation asks supporters to purchase a Nabu Casa subscription or contribute code or other help to its open source projects.

From a few lines of Python to a foundation

Home Assistant founder Paulus Schoutsen wanted better control of his Philips Hue smart lights just before 2014 or so and wrote a Python script to do so. Thousands of volunteer contributions later, Home Assistant was becoming a real thing. Schoutsen and other volunteers inevitably started to feel overwhelmed by the “free time” coding and urgent bug fixes. So Schoutsen, Ben Bangert, and Pascal Vizeli founded Nabu Casa, a for-profit firm intended to stabilize funding and paid work on Home Assistant.

Through that stability, Home Assistant could direct full-time work to various projects, take ownership of things like ESPHome, and officially contribute to open standards like Zigbee, Z-Wave, and Matter. But Home Assistant was “floating in a kind of undefined space between a for-profit entity and an open-source repository on GitHub,” according to the foundation. The Open Home Foundation creates the formal home for everything that needs it and makes Nabu Casa a “special, rules-bound inaugural partner” to better delineate the business and non-profit sides.

Home Assistant as a Home Depot box?

In an interview with The Verge’s Jennifer Pattison Tuohy, and in a State of the Open Home stream over the weekend, Schoutsen also suggested that the Foundation gives Home Assistant a more stable footing by which to compete against the bigger names in smart homes, like Amazon, Google, Apple, and Samsung. The Home Assistant Green starter hardware will sell on Amazon this year, along with HA-badged extension dongles. A dedicated voice control hardware device that enables a local voice assistant is coming before year’s end. Home Assistant is partnering with Nvidia and its Jetson edge AI platform to help make local assistants better, faster, and more easily integrated into a locally controlled smart home.

That also means Home Assistant is growing as a brand, not just a product. Home Assistant’s “Works With” program is picking up new partners and has broad ambitions. “We want to be a consumer brand,” Schoutsen told Tuohy. “You should be able to walk into a Home Depot and be like, ‘I care about my privacy; this is the smart home hub I need.’”

Where does this leave existing Home Assistant enthusiasts, who are probably familiar with the feeling of a tech brand pivoting away from them? It’s hard to imagine Home Assistant dropping its advanced automation tools and YAML-editing offerings entirely. But Schoutsen suggested he could imagine a split between regular and “advanced” users down the line. But Home Assistant’s open nature, and now its foundation, should ensure that people will always be able to remix, reconfigure, or re-release the version of smart home choice they prefer.

Home Assistant has a new foundation and a goal to become a consumer brand Read More »

“So violated”: Wyze cameras leak footage to strangers for 2nd time in 5 months

cameras, Smart Home, Tech, wyze / Mike M. / February 20, 2024

Wyze's Cam V3 Pro indoor/outdoor smart camera mounted outside — Enlarge / Wyze’s Cam V3 Pro indoor/outdoor smart camera.

Wyze cameras experienced a glitch on Friday that gave 13,000 customers access to images and, in some cases, video, from Wyze cameras that didn’t belong to them. The company claims 99.75 percent of accounts weren’t affected, but for some, that revelation doesn’t eradicate feelings of “disgust” and concern.

Wyze claims that an outage on Friday left customers unable to view camera footage for hours. Wyze has blamed the outage on a problem with an undisclosed Amazon Web Services (AWS) partner but hasn’t provided details.

Monday morning, Wyze sent emails to customers, including those Wyze says weren’t affected, informing them that the outage led to 13,000 people being able to access data from strangers’ cameras, as reported by The Verge.

Per Wyze’s email:

We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. …

According to Wyze, while it was trying to bring cameras back online from Friday’s outage, users reported seeing thumbnails and Event Videos that weren’t from their own cameras. Wyze’s emails added:

The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

In response to customers reporting that they were viewing images from strangers’ cameras, Wyze said it blocked customers from using the Events tab, then made an additional verification layer required to access the Wyze app’s Event Video section. Wyze co-founder and CMO David Crosby also said Wyze logged out people who had used the Wyze app on Friday in order to reset tokens.

Wyze’s emails also said the company modified its system “to bypass caching for checks on user-device relationships until [it identifies] new client libraries that are thoroughly stress tested for extreme events” like the one that occurred on Friday.

“So violated”: Wyze cameras leak footage to strangers for 2nd time in 5 months Read More »

Wyze outage leaves customers without camera coverage overnight

security cameras, Smart Home, Tech, wyze / Ryan Harris / February 17, 2024

Internet of ethereal things —

Company points to “AWS partner” for cameras disappearing from users’ apps.

Kevin Purdy – Updated Feb 16, 2024 7: 03 pm UTC

Wyze v3 camera pointed at viewer — Getty Images

Wyze cameras have been unreliable for many users for more than nine hours today, with cameras disappearing from the Wyze app or simply reporting errors when owners try to view them.

Users started reporting issues on Down Detector just before 4 am Eastern time, and the company issued a service advisory at 9: 30 am. As of 1 pm, the company stated that its “metrics show that devices are starting to recover,” and later that there was “continued improvement,” but it was still investigating history viewing issues. At 1: 15 pm, an Ars writer was able to view his Wyze v3 camera feed and update its firmware.

A Wyze employee updated the service advisory at 2: 28 p.m. Eastern to note “continued improvement for device connection recovery.” They added that the Event tab in the Wyze app, where one can see prior recordings activated by motion or other detections, is disabled, “to investigate a possible security issue,” and it will be back soon.

Wyze attributed the issue to an “AWS partner” in an earlier update. Amazon Web Services’ dashboard showed no issues or outages as of 1: 30 pm Eastern. Ars reached out to Wyze for comment and will update this post with new information.

The Wyze subreddit was stuffed at the time of this writing with confirmations that the Wyze service was down, with many waking up to find that none of their Wyze cameras were working or even showing in their app at all. One redditor noted that they could see footage from a camera that was three time zones away. Many noted their strategy, or now intention, to diversify their security devices or implement solutions with local viewing options.

This post was updated at 4: 30 p.m. Eastern to note an update to Wyze’s service advisory.

Wyze outage leaves customers without camera coverage overnight Read More »

Matter, set to fix smart home standards in 2023, stumbled in the real market

2023, aqara, matter, nanoleaf, phillips hue, Smart Home, smart home standards, smarthome, Tech, Thread, Zigbee / Mike M. / December 24, 2023

A matter for the future —

Gadget makers, unsurprisingly, are hesitant to compete purely on device quality.

Kevin Purdy – Dec 23, 2023 12: 35 pm UTC

Illustration of Matter protocol simplifying a home network — Enlarge / The Matter standard’s illustration of how the standard *should* align a home and all its smart devices.

CSA

Matter, as a smart home standard, would make everything about owning a smart home better. Devices could be set up with any phone, for either remote or local control, put onto any major platform (like Alexa, Google, or HomeKit) or combinations of them, and avoid being orphaned if their device maker goes out of business. Less fragmentation, more security, fewer junked devices: win, win, win.

Matter, as it exists in late 2023, more than a year after its 1.0 specification was published and just under a year after the first devices came online, is more like the xkcd scenario that lots of people might have expected. It’s another home automation standard at the moment, and one that isn’t particularly better than the others, at least how it works today. I wish it was not so.

Setting up a Matter device isn’t easy, nor is making it work across home systems. Lots of devices with Matter support still require you to download their maker’s specific app to get full functionality. Even if you were an early adopting, Matter-T-shirt-wearing enthusiast, you’re still buying devices that don’t work quite as well, and still generally require a major tech company’s gear to act as your bridge or router.

CSA's illustration of how smart homes worked before Matter, which is unfortunately a lot like how they still work, after. — CSA’s illustration of how smart homes worked before Matter, which is unfortunately a lot like how they still work, after.

CSA

Lights that Matter, but do less

Jennifer Pattison Tuohy at The Verge has done more Matter writing, and testing, than just about anybody out there who doesn’t work for the Connectivity Standards Alliance that oversees the spec. As she puts it:

I’ve been testing Matter devices all year, and it has been the most frustrating year of my decade-plus experience with smart home devices. Twelve months in, I do not have one Matter-based device working reliably in my home. To make matters worse (yeah, I know), the one system that’s always been rock solid, my Philips Hue smart lights, is basically unusable in any of my smart home platforms since I moved it to Matter.

When the Matter upgrade for Hue lights rolled out in September, I didn’t move to switch my bulbs over. For one thing, it wouldn’t result in a net loss of limited-purpose hardware (i.e. hubs). If you wanted to move your Hue bulbs over to Matter and control them through Google’s Home app, you’d need a Google Home Hub or Home Mini to act as a Matter bridge device. The same goes for Alexa (Echo devices), Samsung SmartThings (a Hub), or Apple Home (an Apple TV or HomePod/mini). You also lose some Hue-specific function, like gradient lighting and scenes (like holiday green/red schemes). And, as Tuohy has noted, it’s likely not a more reliable network than the proprietary Zigbee setup that Hue ran on before.

The smart home and automation market is like that pretty much everywhere. Aqara offers a Matter-compliant light strip, the T1, but it requires a hub, and using Matter means you can’t use Apple’s light-sensing adaptive brightness, because Matter doesn’t support that yet. The same goes for Nanoleaf’s Matter-friendly bulbs and strips, which are Matter and Thread capable but require Nanoleaf’s own app to provide Nanoleaf’s version of adaptive lighting.

Matter, set to fix smart home standards in 2023, stumbled in the real market Read More »

Get the Echo Buds for $70 and snag a free Echo Dot in time for Christmas

Echo Buds, Highlights, Smart Home, The best tech deals / Ryan Harris / December 17, 2022

internal/modules/cjs/loader.js: 905 throw err; ^ Error: Cannot find module ‘puppeteer’ Require stack: – /home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js at Function.Module._resolveFilename (internal/modules/cjs/loader.js: 902: 15) at Function.Module._load (internal/modules/cjs/loader.js: 746: 27) at Module.require (internal/modules/cjs/loader.js: 974: 19) at require (internal/modules/cjs/helpers.js: 101: 18) at Object. (/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js:2: 19) at Module._compile (internal/modules/cjs/loader.js: 1085: 14) at Object.Module._extensions..js (internal/modules/cjs/loader.js: 1114: 10) at Module.load (internal/modules/cjs/loader.js: 950: 32) at Function.Module._load (internal/modules/cjs/loader.js: 790: 12) at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js: 75: 12) code: ‘MODULE_NOT_FOUND’, requireStack: [ ‘/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js’ ]

Get the Echo Buds for $70 and snag a free Echo Dot in time for Christmas Read More »