If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all.
A new version of the 2022 Product Security and Telecommunications Infrastructure Act (PSTI) is now in effect, covering just about everything that a consumer can buy that connects to the web. Under the guidelines, even the tiniest Wi-Fi board must either have a randomized password or else generate a password upon initialization (through a smartphone app or other means). This password can’t be incremental (“password1,” “password54”), and it can’t be “related in an obvious way to public information,” such as MAC addresses or Wi-Fi network names. A device should be sufficiently strong against brute-force access attacks, including credential stuffing, and should have a “simple mechanism” for changing the password.
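The password rules in that paragraph, as an added illustration that is not from the article or the Act itself: a per-device password generator built on the operating system's CSPRNG, and a review check that rejects the patterns the regulations name (a common default, an incremental variant of one, or anything sharing a run of characters with the MAC address, SSID or serial number). The weak-default list, the minimum length and the run lengths are assumptions of mine; the Act sets none of them.

```python
import re
import secrets
import string

# Constructed list of weak defaults; the regulations name none themselves.
COMMON_DEFAULTS = {"password", "admin", "12345678", "letmein", "default"}
MIN_LENGTH = 12  # assumption: the rules say only "sufficiently strong"
ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Per-device password from the OS CSPRNG; no device data (MAC, serial,
    SSID) feeds in, so it is neither public-derived nor shared across units."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(text: str) -> str:
    """Lower-case and drop separators so 'DD:EE:FF' matches 'ddeeff'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _shares_run(password: str, public: str, run: int) -> bool:
    """True if any `run` consecutive characters of `public` occur in `password`."""
    return any(public[i:i + run] in password
               for i in range(len(public) - run + 1))


def check_default_password(password: str, mac: str, ssid: str,
                           serial: str = "") -> list[str]:
    """Return the objections a PSTI-style review would raise; [] means OK."""
    problems = []
    pw = _normalise(password)
    stem = re.sub(r"\d+$", "", password).lower()   # "password54" -> "password"
    if len(password) < MIN_LENGTH:
        problems.append("too short to resist brute force")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("common default")
    elif stem in COMMON_DEFAULTS:
        problems.append("incremental variant of a common default")
    # "Related in an obvious way to public information": the run lengths
    # (6 hex digits of the MAC, 4 characters of SSID or serial) are assumptions.
    if _shares_run(pw, _normalise(mac), 6):
        problems.append("derived from MAC address")
    if ssid and _shares_run(pw, _normalise(ssid), 4):
        problems.append("derived from Wi-Fi network name")
    if serial and _shares_run(pw, _normalise(serial), 4):
        problems.append("derived from serial number")
    return problems
```

A password such as "WiFi-DDEEFF-Key1" fails the MAC check for a device whose address ends in DD:EE:FF, while a generated 16-character value passes every check.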
There’s more, and it’s just as head-noddingly obvious. Software components, where reasonable, “should be securely updateable,” should actually check for updates, and should update either automatically or in a way “simple for the user to apply.” Perhaps most importantly, device owners can report security issues and expect to hear back about how that report is being handled.
Violations of the new device laws can result in fines up to 10 million pounds (roughly $12.5 million) or 4 percent of related worldwide revenue, whichever is higher.
Besides giving consumers better devices, these regulations are aimed squarely at malware like Mirai, which can conscript devices like routers, cable modems, and DVRs into armies capable of performing distributed denial-of-service attacks (DDoS) on various targets.
As noted by The Record, the European Union’s Cyber Resilience Act has been shaped but not yet passed and enforced, and even if it does pass, would not take effect until 2027. In the US, there is the Cyber Trust Mark, which would at least give customers the choice of buying decently secured or genially abandoned devices. But the particulars of that label are under debate and seemingly a ways from implementation. At the federal level, a 2020 bill tasked the National Institute of Standards and Technology with applying related standards to connected devices deployed by the feds.
Home Assistant, until recently, has been a wide-ranging and hard-to-define project.
The open smart home platform is an open source OS you can run anywhere that aims to connect all your devices together. But it’s also bespoke Raspberry Pi hardware, in Yellow and Green. It’s entirely free, but it also receives funding through a private cloud services company, Nabu Casa. It contains tiny board project ESPHome and other inter-connected bits. It has wide-ranging voice assistant ambitions, but it doesn’t want to be Alexa or Google Assistant. Home Assistant is a lot.
After an announcement this weekend, however, Home Assistant’s shape is a bit easier to draw out. All of the project’s ambitions now fall under the Open Home Foundation, a non-profit organization that now contains Home Assistant and more than 240 related bits. Its mission statement is refreshing, and refreshingly honest about the state of modern open source projects.
The three pillars of the Open Home Foundation. (Image: Open Home Foundation)
“We’ve done this to create a bulwark against surveillance capitalism, the risk of buyout, and open-source projects becoming abandonware,” the Open Home Foundation states in a press release. “To an extent, this protection extends even against our future selves—so that smart home users can continue to benefit for years, if not decades. No matter what comes.” Along with keeping Home Assistant funded and secure from buy-outs or mission creep, the foundation intends to help fund and collaborate with external projects crucial to Home Assistant, like Z-Wave JS and Zigbee2MQTT.
Home Assistant’s ambitions don’t stop with money and board seats, though. They aim to “be an active political advocate” in the smart home field, toward three primary principles:
Data privacy, which means devices with local-only options, and cloud services with explicit permissions
Choice in using devices with one another through open standards and local APIs
Sustainability by repurposing old devices and appliances beyond company-defined lifetimes
Home Assistant founder Paulus Schoutsen wanted better control of his Philips Hue smart lights just before 2014 or so and wrote a Python script to do so. Thousands of volunteer contributions later, Home Assistant was becoming a real thing. Schoutsen and other volunteers inevitably started to feel overwhelmed by the “free time” coding and urgent bug fixes. So Schoutsen, Ben Bangert, and Pascal Vizeli founded Nabu Casa, a for-profit firm intended to stabilize funding and paid work on Home Assistant.
Through that stability, Home Assistant could direct full-time work to various projects, take ownership of things like ESPHome, and officially contribute to open standards like Zigbee, Z-Wave, and Matter. But Home Assistant was “floating in a kind of undefined space between a for-profit entity and an open-source repository on GitHub,” according to the foundation. The Open Home Foundation creates the formal home for everything that needs it and makes Nabu Casa a “special, rules-bound inaugural partner” to better delineate the business and non-profit sides.
Home Assistant as a Home Depot box?
In an interview with The Verge’s Jennifer Pattison Tuohy, and in a State of the Open Home stream over the weekend, Schoutsen also suggested that the Foundation gives Home Assistant a more stable footing by which to compete against the bigger names in smart homes, like Amazon, Google, Apple, and Samsung. The Home Assistant Green starter hardware will sell on Amazon this year, along with HA-badged extension dongles. A dedicated voice control hardware device that enables a local voice assistant is coming before year’s end. Home Assistant is partnering with Nvidia and its Jetson edge AI platform to help make local assistants better, faster, and more easily integrated into a locally controlled smart home.
That also means Home Assistant is growing as a brand, not just a product. Home Assistant’s “Works With” program is picking up new partners and has broad ambitions. “We want to be a consumer brand,” Schoutsen told Tuohy. “You should be able to walk into a Home Depot and be like, ‘I care about my privacy; this is the smart home hub I need.’”
Where does this leave existing Home Assistant enthusiasts, who are probably familiar with the feeling of a tech brand pivoting away from them? It’s hard to imagine Home Assistant dropping its advanced automation tools and YAML-editing offerings entirely, though Schoutsen suggested he could imagine a split between regular and “advanced” users down the line. Still, Home Assistant’s open nature, and now its foundation, should ensure that people will always be able to remix, reconfigure, or re-release the version of smart home choice they prefer.
Wyze’s Cam V3 Pro indoor/outdoor smart camera.
Wyze cameras experienced a glitch on Friday that gave 13,000 customers access to images and, in some cases, video, from Wyze cameras that didn’t belong to them. The company claims 99.75 percent of accounts weren’t affected, but for some, that revelation doesn’t eradicate feelings of “disgust” and concern.
Wyze claims that an outage on Friday left customers unable to view camera footage for hours. Wyze has blamed the outage on a problem with an undisclosed Amazon Web Services (AWS) partner but hasn’t provided details.
Monday morning, Wyze sent emails to customers, including those Wyze says weren’t affected, informing them that the outage led to 13,000 people being able to access data from strangers’ cameras, as reported by The Verge.
Per Wyze’s email:
We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. …
According to Wyze, while it was trying to bring cameras back online from Friday’s outage, users reported seeing thumbnails and Event Videos that weren’t from their own cameras. Wyze’s emails added:
The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.
In response to customers reporting that they were viewing images from strangers’ cameras, Wyze said it blocked customers from using the Events tab, then required an additional verification layer to access the Wyze app’s Event Video section. Wyze co-founder and CMO David Crosby also said Wyze logged out people who had used the Wyze app on Friday in order to reset tokens.
Wyze’s emails also said the company modified its system “to bypass caching for checks on user-device relationships until [it identifies] new client libraries that are thoroughly stress tested for extreme events” like the one that occurred on Friday.
Wyze cameras have been unreliable for many users for more than nine hours today, with cameras disappearing from the Wyze app or simply reporting errors when owners try to view them.
Users started reporting issues on Down Detector just before 4 am Eastern time, and the company issued a service advisory at 9:30 am. As of 1 pm, the company stated that its “metrics show that devices are starting to recover,” and later that there was “continued improvement,” but it was still investigating history viewing issues. At 1:15 pm, an Ars writer was able to view his Wyze v3 camera feed and update its firmware.
A Wyze employee updated the service advisory at 2:28 pm Eastern to note “continued improvement for device connection recovery.” They added that the Event tab in the Wyze app, where one can see prior recordings activated by motion or other detections, is disabled, “to investigate a possible security issue,” and it will be back soon.
Wyze attributed the issue to an “AWS partner” in an earlier update. Amazon Web Services’ dashboard showed no issues or outages as of 1:30 pm Eastern. Ars reached out to Wyze for comment and will update this post with new information.
The Wyze subreddit was stuffed at the time of this writing with confirmations that the Wyze service was down, with many waking up to find that none of their Wyze cameras were working or even showing in their app at all. One redditor noted that they could see footage from a camera that was three time zones away. Many noted their strategy, or now intention, to diversify their security devices or implement solutions with local viewing options.
This post was updated at 4:30 pm Eastern to note an update to Wyze’s service advisory.
The Matter standard’s illustration of how the standard should align a home and all its smart devices. (Image: CSA)
Matter, as a smart home standard, would make everything about owning a smart home better. Devices could be set up with any phone, for either remote or local control, put onto any major platform (like Alexa, Google, or HomeKit) or combinations of them, and avoid being orphaned if their device maker goes out of business. Less fragmentation, more security, fewer junked devices: win, win, win.
Matter, as it exists in late 2023, more than a year after its 1.0 specification was published and just under a year after the first devices came online, is more like the xkcd scenario that lots of people might have expected. It’s another home automation standard at the moment, and one that isn’t particularly better than the others, at least how it works today. I wish it were not so.
Setting up a Matter device isn’t easy, nor is making it work across home systems. Lots of devices with Matter support still require you to download their maker’s specific app to get full functionality. Even if you were an early-adopting, Matter-T-shirt-wearing enthusiast, you’re still buying devices that don’t work quite as well, and still generally require a major tech company’s gear to act as your bridge or router.
CSA’s illustration of how smart homes worked before Matter, which is unfortunately a lot like how they still work, after. (Image: CSA)
Lights that Matter, but do less
Jennifer Pattison Tuohy at The Verge has done more Matter writing, and testing, than just about anybody out there who doesn’t work for the Connectivity Standards Alliance that oversees the spec. As she puts it:
I’ve been testing Matter devices all year, and it has been the most frustrating year of my decade-plus experience with smart home devices. Twelve months in, I do not have one Matter-based device working reliably in my home. To make matters worse (yeah, I know), the one system that’s always been rock solid, my Philips Hue smart lights, is basically unusable in any of my smart home platforms since I moved it to Matter.
When the Matter upgrade for Hue lights rolled out in September, I didn’t move to switch my bulbs over. For one thing, it wouldn’t result in a net loss of limited-purpose hardware (i.e. hubs). If you wanted to move your Hue bulbs over to Matter and control them through Google’s Home app, you’d need a Google Home Hub or Home Mini to act as a Matter bridge device. The same goes for Alexa (Echo devices), Samsung SmartThings (a Hub), or Apple Home (an Apple TV or HomePod/mini). You also lose some Hue-specific function, like gradient lighting and scenes (like holiday green/red schemes). And, as Tuohy has noted, it’s likely not a more reliable network than the proprietary Zigbee setup that Hue ran on before.
The smart home and automation market is like that pretty much everywhere. Aqara offers a Matter-compliant light strip, the T1, but it requires a hub, and using Matter means you can’t use Apple’s light-sensing adaptive brightness, because Matter doesn’t support that yet. The same goes for Nanoleaf’s Matter-friendly bulbs and strips, which are Matter and Thread capable but require Nanoleaf’s own app to provide Nanoleaf’s version of adaptive lighting.