Soon: It was a mistake to teach a light bulb to DDoS a hospital.

@teachonlywhatiseasy

3 жыл бұрын

.1x

YOU never told, what spaghetti length you used.

@MrFido7up

3 жыл бұрын

the entire internet will know once he use some lame IOT security stuff in in his house.

@INVAZOR33

3 жыл бұрын

we have to wait for hackers to leak it

@notlessgrossman163

3 жыл бұрын

Nothing weird about that.random distribution of spaghetti in boiling water is crucial.. everyone knows that.

I love this series. Such a necessity, for now and especially for the future. Hopefully you keep going, and others too.

This sounds like "parental controls" for iot. I like it. I trust teens on the internet, about as much as I trust a lightbulb.

In a previous life I did Crestron programing and the amount of wiring in the walls brings back memories. Their web interface used to be an IE plugin (1) which was...a choice. The development environment was interesting. It was a windows executable that launched Cygwin(2) to do the cross compile in GCC(3) so you could send the code to a CNMSX(4) over a serial cable. Good times. 1) Their touch panels ran WinCE. Hours of battery life. Hours I say. 2) Or similar 3) Which was an ancient version 4) The brains of the system

I work in government IT and I mostly deal with Windows PCs on the General VLAN. It's always amusing to see "garage openers" appear on the monthly Nessus scans. The "garage openers" are the security gates that can block vehicle traffic from entering or leaving the garage buildings. You would think security would have all their devices on a separate physical network.

I’ve been looking forward to this part 2 Thanks for everything you are doing, L1T!

"Look at this guy, he measures all his spaghetti." Hahaha, I lost it.

@iliasvelaoras3038

3 жыл бұрын

"What? He also has a toilet seat cover collection?!"

Next Episode: How to make your own secure processor from scratch for security cameras

Philips Hue is great, the system seems to work exactly at intended for my parents. Only 4 of the 60+ bulbs have ever become disconnected from the hub, and that only happened after a power cut (and they've had several other power cuts and it has never happened again. The hub also doesn't need any internet access, so if you want to just block it you can. And it all works by ZigBee so it's not the insecure mess that are WiFi bulbs. Oh and it has really good support with Home Assistant and other similar projects.

You can totally use daisy chained Dallas one-wire protocol to control about 300 x DS2408 8-channel switch boards using 1 data+power wire and ground.

@Level1Techs

3 жыл бұрын

I have some temp sensors I installed on steam pipes that are the dallas one wire protocol and it works really well but lightning pops those little sensors every now and again. Induced current on the wire, I suppose. I would love something like that, but UL listed.

@thomasesr

3 жыл бұрын

@@Level1Techs I think you can mitigate that issue with some circuit protection close to the devices. MOVs and resistors or a transistor buffer instead of directly connecting them in line. Also, there are various well documented Application notes on Maxim's website for reliable 1-wire networking.

@thomasesr

3 жыл бұрын

@@Level1Techs also, the ammount of different sensors you can get such as IO boards, protocol translators and temperature sensors as well as Arduino 1-wire device emulators, so that you can use an arduino as a 1-wire device with several analog pins to connect PIR sensors and other i2c devices is awesome.

@thomasesr

3 жыл бұрын

@@Level1Techs maybe this can help you out with your sensors dying problem: www.maximintegrated.com/en/design/technical-documents/tutorials/5/5026.html

I have been screaming out about IoT device security for years... however... KZreadrs push VPN's offering a level of security for their computers and devices... the big problem is educating why these problems exist and why people use them incorrectly... adding another layer is great for us that know how it works... but ultimately these IoT designers need to go back to geek school!! - We are already too deep into this... likely the reason I stay old skewl - damn, I don't even have RGB in my computers! :) ...keep up the great content m8!

A great big thumbs up! I 've been asking myself these same questions for a while now and I've yet to find a good answer. These gadgets are so easy to set up but a hell to secure without affecting their functions - they simply were not made to be secure.

WENDELL THE WHITE BOARD SCENE IS SO SMART!! such a great way to visualize what we know so obviously in our head.

Can’t wait for more episodes of this IoT series! Love it !

Yesss finally part 2!

Great video Wendell, keep this series coming

Yay! Part 2 is here! I'll see what I can contribute as I too would like to get this going somehow, especially with the Open Source crowd. I believe wireless is the best way to go. You can secure it and deploy devices almost anywhere. Low cost used wireless devices can be had for really cheap on sites like Kijiji. I'm definitely in on this project.

Going all-out on filtering system for out-of-the-box gear might be very useful. I've been playing around a bit with replacing firmware on devices but it is a lot of work finding the right gear and you end up having to dig into enclosures to attach to programming ports, etc.

sweet, I was looking for pretty much exactly this!!

Find ESP based devices that can be reflashed with Tasmota - connect to a local MQTT on Home Assistant, and the IoT things never talk to the cloud ever again. Also works when the internet is down.

Really enjoying this kinda content, I would love to see more on layer 7 analysis and your ways on how you would go about implementing it into securing a network. OpenAppID on pfsense maybe?

I'll be following this for sure.

I used to install Smart Homes. Lutron is top tier for lighting. They do sell a product for homeowners/enthusiasts. I just use a Hue setup.

@r4mps

3 жыл бұрын

When the technology is here in the sense that we can fit all that in one box and not one room, people will buy :))

I like having my "smart" devices dumb. I don't need any cloud-connected devices, I want everything on a separate wired network, inaccessible without plugging a cable into a port or modifying a vlan on a port / in a trunk on a switch or changing a firewall rule (one out of the 3). I used an arduino uno at my workplace to detect movement when inside the premise and open the door (because people are too lazy to push a button and they were getting head-on inside the door). Having that sensor there helps people be lazy and not lose momentum when walking. Best part of it? Doesn't even require a network connection, not to mention internet connection. It's just an arduino with an ultrasonic sensor and a 3v (mechanical) relay (solid state ones are better, but more expensive). And no, you can't open the door from outside, tested it thoroughly with my colleagues. The bad part is that you need to connect a USB if you ever want to change the code or add features (which is basically never at that location). I am thinking of using some old *Pis and wiring some lights in the house and have some cron jobs to turn the lights on in the morning when my clock rings (maybe even make the lights flash, so they are more annoying - for flashing lights, I highly recommend solid state relays). Cameras don't need any introduction, you can do IP cameras and have a samba / nfs server for storage, or buy a DVR with coaxial cameras if you want a more professional setup. Make a VPN and connect to your home network to monitor them, don't use the manufacturers cloud platforms. Lock systems are a little scary, especially if you want to unlock without a key, so I highly recommend old locks. But considering people have garage doors that open with a pretty insecure key, well, you could make a locking system using Pis and relays (again) with electromagnetic locks and either use a VPN to remote home and unlock a specific door, or have a hidden wifi network that you connect to in close proximity to unlock the door. Again, I recommend neither, because the risk of getting cracked into is quite high (and it's pretty easy to scan for hidden wifi networks). Bonus points if you use Mycroft or similar software for voice commands, but your setup gets more complex and you need microphones and speakers. Funny stuff, while a part of me is somewhat excited about making a secure home automation intranet (again, with no access from outside or even from my normal LAN), another part of me is really autistic when it comes to security and I think I shouldn't trust computers and try to do as primitive a setup as possible (up to and including having a rooster wake me up in the morning, instead of an alarm clock - and I can't snooze the rooster).

This is fantastic.

I watched the whole video because it is very exciting. I also could listen to Wendell talking about tech for hours so thank you ! However, I will never go for IoT in my own home. Won’t need it, I can check things and put the blinds up by myself just fine thanks!

@williamhicks2763

Жыл бұрын

I was pretty much of the same opinion until recently. Now, I’d really like to build some devices and use IFTTT to alert me if certain things happen while I’m away from home. One such example is I’d like to know if my gun safes are opened so I don’t walk in on someone in the middle of a robbery. I’d also like to setup a security system that doesn’t require monthly fees. And between Docker and IFTTT there are a number of things I could do to better secure the home or be alerted to problems while away. Our last hot water heater decided to burst a leak in the middle of the night and we were only awakened after the water started pouring through the ceiling which shorted out a smoke alarm and set off all the other smoke alarms. Turns out, the water leak sensor we had no longer worked nor did the automated shutoff valve, so quite a bit of damage was done before I could shutoff the mains and drain the pipes. These are just a couple of examples but I’m definitely now thinking I’d like an alert system and camera system. At the same time, I’m looking at replacing my NAS and upgrading my network so just trying to figure out what my options are. I’ll certainly watch the entire playlist on this topic and hope perhaps an update will be done seeing how old these videos are. I also need a system that my wife can understand and maintain if I pass away and so that adds another wrinkle to how, and if, I can get this done.

Love this kind of stuff.

If you're doing something in the middle you could consider using srt (secure reliable tranaport) on the outbound side of the video instead of rtmp. Resilient to packet loss and encrypted

Have a look at KNX. It's an open-source protocol used for building and home automation that is around for 30 years. I installed it in my home and it works great. Since it's only a protocol it can be implemented either wired, wireless and over IP (again wired or wireless) and there are mutliple companies around the world that produce devices that operate on the protocol and deliver everything from turning on loads (lights, outlets etc.), thermostats, switches, various sensors to interfaces to other protocols (Zigbee, RS485, propietary HVAC device etc.). There are two downsides to it, in my opinnion: 1. rather slow (9600 baud), which is not bad, considering you do not have a lot of traffic flowing (how often do you turn on/off the lighting or how much does your temperature fluctuate, etc.) This short comming can be resolved by optimizing the topology, but it is still slow, in 2020. 2. The software used for commissioning the system (ETS) is only available in Windows and the license is rather expensive (it's meant to be used by certified technicians, even though its not rocket science) and there are no open-source alternatives available, yet. I got certified in KNX after programming the devices in my home as I really think it is a great backbone for a modern home. I use Home Assistant on top of KNX and I can use it to bridge other systems. For example make my robovac to come and clean the kitched by pressing a light switch. If your interested in this I would gladly help you out with getting started.

I need a mips madness video definitely.

For me since I'm not going to open my walls and run separate wires to every device I want to control I have chosen the wifi route. I do have a separate ssid that is on its own vlan that does not have direct access to the outside world. I dual home a Home assistant instance so it can have local control for the devices. So I'm kind of using HA as my WAF, but I also tend to stay away from proprietary devices and protocols. So I flash tasmota and esphome for most of my ESP devices.

@morosis82

3 жыл бұрын

I think this is a good compromise. Something you can run locally that segregates those things and runs them all through a proxy that can filter the stuff you don't want. If you want voice service, but not ads, block the ad requests.

@williamhicks2763

Жыл бұрын

I’ve recently learned of these ScreamBeam devices that can turn your existing cable coax cables into Ethernet. Have you guys had any experience with those? I am thinking about getting some to try out. Otherwise, I might have to start cutting into walls.

I've built a home auto system back a few years as a project to learn IoT, it wasn't great and probably is insecure. But man it was fun, have the door bell turn on a light, the RFID turn off the TV, any switch can be redirected to any light/lights, or any thing controlled by any IR remote that you setup. Just designed and printed new outlet boxes that house a 120v ac to 5vdc board, a raspberry pi 0 w, outlet covers that hold arcade buttons, docker and a bash script that if the pi can't get internet become a hotspot (gotta love nmcli) and host a setup page to give it the Wifi, central host, and the host's public key.

@nnm35

Жыл бұрын

Do you have your work on github or ?? This sound great.

You should check out KNX it’s a fully hardwired system with a bus line to connect devices like Motion sensors and keypads. It links directly to Home assistant. I’m building a house and I was looking for a hard wired system like control4 without the price and I happen to find. it’s mostly used in Europe but you can get it here too

One thing I think we need is cheaper and smaller switches with fast uplinks. Running tons of wires to one spot where you need a lot of ethernet devices is pretty gross and it'd be nice if we can have switches that just act as traffic aggregators to push all that traffic over a single higher speed link.

great video

that dual cam got me lol

As a guy who has done network runs in my earlier IT years, I do feel the need to have spaghetti that is the same length before I put it into the pot. I never thought about it until now :(

I’d love to see someone make a voice assistant that is offline. Really I only use my echo dots to turn lights on/off and occasionally ask for the weather.

@joshualoscar7609

3 жыл бұрын

Have you taken a look at mycroft.ai? it claims "leading open source voice assistant. It is private by default and completely customizable."

@Catsrules1

3 жыл бұрын

@@joshualoscar7609 Is it fully offline yet? I really looked into it maybe a year, year and a half ago and they were just outsourcing all of the voice recondition to some third party. From what I understood this was just a temporary solution but I never looked again.

@flograuper9294

3 жыл бұрын

Catsrules1 you can use a self-hosted Mozilla DeepSpeech server, but the inference is quite heavy and it doesn’t have the same quality as the default Google stt engine. mycroft-ai.gitbook.io/docs/using-mycroft-ai/customizations/stt-engine

Easiest way is pfsense for VLANs and a managed switch. Run security VLAN for cams not connecting and add iot VLAN for WAN only. 5 mins and done.

@cmh2111

Жыл бұрын

And lock out all countries access but North America.

What I got from this video. We really really really need a reserved IoT internet layer protocol

I have recently spent some time converting some of my iot stuff to work with HomeKit. I want something more like you want, but I don’t really have the time to do it correctly.

I think the idea of an application firewall is a excellent solution for things like smart tvs were being on the internet is key to their functionality. That said, I'm not sure it makes much sense for things like carera's and smart devices. I agree I don't want those things on the internet so I run a VLan for my cameras and a separate VLan for my IOT devices like dimmers and motion sensors and the like. I then run local servers (Home Assistant and ZoneMinder) that are on the private VLans and but also have internet access if needed. What do you see as the use case for letting Cameras and IOT devices have even limited access to the public internet?

Home Assistant and shelly devices riding on unifi infrastructure. I did start with cheap poe ip cameras on an vlan but may switch to unifi cameras.

very interesting video but you mentioned Arista switch and docker which Arista switch ? and go also very interesting i wish you had a video in more depth ? in your research setup capturing this data thanks so much for your broadcasts

Hikvision, partially state owned.... Umm...

My system is build on a rock64 sbc. It runs fhem for automation. some of sensors and devices I build with the mysensor library for arduinos

I wish more than anything that I had the time to dedicate to this type of stuff.

Why not setup all your IoT cameras on a different subnet within your home and isolate them with a sort of "reverse" DMZ? You could use one of the machines in your home as a terminal server so there's no outbound traffic hitting the internet but you could still access footage through the web GUI? This wouldn't solve your problem with devices like Nest and Ring, but it could be a jumping off point for something more substantial down the road.

Thanks for the content, I would definitely be interested in contributing some code if you get something going. I don't have the time/money to head up anything but there is a big need for some open source solution. It scares me to think that we may have 100s of these devices in our homes in the future, all waiting for just the right time to launch a denial of service attack.

CAN and RS485 can be a good option, SPI although technically feasible is not foreseen for out of system communications, CAN and RS485 are a better match. Also running parallel CAT 6 cables all around ur house seems unnecessary. A Serial/ Star based architecture is a better solution for IOTs.

The giant bundle of wire can still be hacked to give you direct access to device protocols, it's just harder. Devices themselves should have either a jumper/tag you remove to put them into post-configure mode, or a way to remotely attest configuration data and OS integrity.

She is diggin that nahemic audio

My ip cameras have their own managed poe switch that only connects to the Blueiris server. No outside access to the cameras but can still view the feeds through blueiris.

some wifi lights and switches can work with without internet,put in a vlan,block internet,use home assistant

real interesting stuff I'd love to get into but I'm a little too busy to

For your CAN like network, what about MQTT? Pub-Sub protocol that allows all devices to communicate with each other.

What about seperate VLAN for all devices like IoT ? Isn't it the best way (most efficient) to protect your home network ?

@adamlis8112

3 жыл бұрын

Not if you want your device to have some internet functionality like chromecast for example.

@lgolebio

3 жыл бұрын

@@adamlis8112 that's easy actually. When you create VLAN you obviously have a router. You can then create NAT/firewall rules to comunicate from LAN to VLAN bot not allow device in VLAN to establish connection. Also all devices in VLAN can have internet. This is very easy to accomplish. You can even block everything except some communication protocols so that your chromecast will only do what you allow....

@adamlis8112

3 жыл бұрын

@@lgolebio But the point is that, you allow some traffic like streaming services to go through, and block telemetry and other data collection. You can't do that with just regular VLANs and firewall ip/port rules.

@lgolebio

3 жыл бұрын

@@adamlis8112 Yes that's true. Firewall can only block specific traffic/ports/protocols and so on. It will not protect you from bugs in IoT devices. I'm only refering to "cost effective" solution. Also it protects you from someone who gained access to your light bulb not penetrating your home network. That's all.

@Mr.Leeroy

3 жыл бұрын

@@lgolebio What does it matter which VLAN hijacked IP camera sits in if it is connected to Internet and watches you sleep?

It's be great to have an open source proxy that can do this, with plugins for new hardware as it becomes available. A nice web GUI to inspect traffic and whitelist things, Runnable in a rocket on a switch or pfsense router or something. Perhaps to make it even simpler, a device like a switch running this software that will automatically recognise and segregate new devices on a vlan to pump through the proxy.

What about KNX as a communication protocol? It's the standard for big commercial applications and has a lot of devices with support for it

Crazy idea here, since rewiring is an issue is there a way around that? The right approach for IoT is not only open source, but also cheap. So with that in mind, how about implementing a custom data over the power line protocol? It should be quite effective for low bandwidth devices, and as for cameras ethernet there is fine. EDIT: There are pretty cheap IC's that do just that Power Line Communications Modem is one key word to start agooglin'

Esp32 has built in ethernet, perhaps a way to go for your sensors? Flash it with esphome or espeasy and you are good to go. Otherwise some kind of industrial bus, modbus, rs485 or knx would be an alternative.

KNX and DALI do exist though :D which are open standards so you arent stranded with a single company though its more common here in europe :D and for those networks you can basically have any topology without switches :D

@Rolinator1

3 жыл бұрын

KNX is kinda expensive though, but for people who want the reliability of wires this is a decent solution. Also, KNX is not really meant to install by yourself. Technically it's possible to diy it, but in practice you should be looking at a professional installer to get it done for you.

@niklasxl

3 жыл бұрын

@@Rolinator1 yeah other then that i dont really see a downside in KNX and for a cheaper price DALI is a close second :D

Personally I'm using VLANs to try and keep the IoT stuff separate but it's not really a good solution. I can recommend Maltrail as a potentially useful tool for picking up bad traffic. It's designed for detecting malware attempting to reach out but could be helpful for figuring out if your IoT devices are being used for nefarious purposes.

Don't forget about your Enmodus SSD's guys, deal is today (even for those who didn't pledge)

Will DMX based of rs485 will work for this kind of mesh network?

ok you did address most of my concerns in this vid lol, I love how you design your scripts wendell it's really well thought out and super honorable. we need better arguments that speak to the "common man" in terms of explaining the security exploitability of commodity IOT. IOT should be an electricians niche NOT an amazon business model. if we give the power of home wiring to multnational tax evading corporations then we may as well be giving up our houses to the government as they're the ones who control it.

Love this commentary, total tech geekdom, i get it, but most wont AND most dont care.

Steel reinforced slots, well that's just more bling, you know it's plastic where it counts.

BACnet MSTP is a master slave Tolkien passing protocol that uses Rs485. Its a protocol that’s been used in industry for many years.... rs485 is very touchy on how it is wired and the converters to ip based communication is expensive

can you elaborate on why golang is well suited for a wrapper?

If the IoT connect to the internet but have security loopholes, is it better to keep it on a guest network so it is separated from your home network?

I have over 50 esp based light bulbs for my new house ready to install.. As well as power controls and other relays and sensors. They cost £2-10 each and all work with tuya. Needless to say I'm also scratching my head at the moment on how to safely implement there setup without endangering the world by putting them on the internet. I have carefully picked every light and most of the other devices ensure its esp based so they can be reflashed with another firmware as honestly much though I like tuya, can it really be trusted?!!

Challenging way to approach the problem. For awhile I've been looking at building a plug in for Home Assistant that uses a recently developed globally supported onion routing network offering private access that supports UDP as well as TCP.

Oh yeah we used clipsail networks for lighting at work. That was all essentially a can bus

2+ years later and guess what, I'm _making_ time for it.

Surely you just throw control signals down the internal power wires. Most of the signals are going to be off and on, or colour and dimmer signals. The only thing you need high bandwidth for is media and security data.

Check out Home Assistant if you haven’t already!

I stopped measuring my spaghetti a long time ago. Instead I built a jig with a stop on one end, and on the other end is a diamond encrusted circular blade spinning at 20k RPM's. Like a chop saw, except the blade is running on air bearings. Oh and the entire apparatus is inside a climate controlled box as humidity and temperature caused significant deviations.

BACnet/SC?

My wife put a few of those google spy devices in our house but the smart lightbulbs are in the garage in a box.

Hi could you make a tuto for noob's on encryption and certificate. ty

Why not use vlans and on your smart switch with firewall rules based off the vlans.

pbffft "same length." successively longer prime-number-of-millimetres lengths also, nice kitchen, wendel.

What happened to X10?

Jonathan Oxer (Freetronics) has a KZread channel called Superhouse. If you haven't checked that out already, do so. Very interesting ;)

why not slap the cameras on a separate vlan and subnet and then zero out the gateway?

I want a solution that doesn't involve me running cable to a bunch of cameras (because re-doing drywall is my least favorite thing), and stores all data locally for the video (central server on the network, not locally on the camera itself). Anyone know of such a thing?

Feeding the algorithm via likes/sub/bell/etc, keep it up 😁. PSA: make a hotkey to help for free👌

Aren’t more and more devices encrypting their traffic? Wouldn’t you have to have something that let you use a cert from your WAF so it could even see the traffic?

@Level1Techs

3 жыл бұрын

That's a feature of hikvision dfl firmware.

I think Wendell is jealous ;)

You are correct. The vast majority of people just plug these devices in all over the place and love the novelty of it, but don't get how out of control it could be. It's like the scene in Wall-E where the ship commits mutiny. No one gets that this is a potential problem. I get told to take off my tin foil hat when I tell them their phones are always listening to them, and then when I ask them how the phone knows when you say "OK Google" or "Hey Siri" or whatever, they act like it's magic. #wiretapinmypocket

I too should measure my spaghetti!

could you lead me to a path to grow expertise so I would actually have stuff to add if I tried helping your team.

So what's wrong with zigbee?

I know its not the only problem, but just a thought.. Powerline lightbulbs.

Please, for the love of everything holy, Level099Techs for idiots like me who love this, but don't have the knowledge base! Drunk Ryan can host and insult us..

My Brain: haha ASS-Rock

Ps - CANBUS is a pretty intriguing template...

@LA-MJ

3 жыл бұрын

unauthenticated broadcast network, sure sounds fun

@omgMBP

3 жыл бұрын

@@LA-MJ hasn't it already been shown that CANbus is able to handle encryption and/or authentication by researchers? It just isn't generally done in the real world due to latency? I feel like an isolated IoT application wouldn't suffer. I didnt mean -"lets use CANbus as is." I meant that it's a starting point. I think that's what Wendel was driving at, as well.

@LA-MJ

3 жыл бұрын

@@omgMBP TIL

4:02 947 PPM CO2 is NOT what I would consider to be in the "good" range. That's definitely in the "acceptable, but you might consider more ventilation" category in my book. It's not at dangerous levels by any means, but it isn't great. Personally, I start to notice cognitive effects as low as 850 PPM, and I _definitely_ feel "off my game" if it's over 1000 PPM and I certainly don't sleep well when it's that high.