Low Cost IoT Devices

What's wrong with the many low cost IoT devices now available?

The short answer: do you want personal information about you, your home, your network, and how you use your home (your IoT devices) to be known outside of your home? Do you want your home automation to work when the internet is down? Home automation should be just that: in-home control of your home. Your home should never be operated by unknown services through the internet.

These devices are typically "cloud only". This means that when you plug them in and set them up, they immediately connect to the manufacturer's web servers (aka cloud servers), reporting your GPS location (needed for timers & sunrise/sunset automation), your email address, your private WiFi SSID and password, your external IP address, the device state and your usage patterns.

If the firmware of those devices can be updated, it's easy to replace or extend the base function and turn an IoT device into a network bridge from the internet into your private home network. Just because their app asks permission to update the device firmware does not mean they cannot do it without your permission.

Do you trust the manufacturer? Their site designers? All of their cloud service administrators? How skilled are they at preventing hacking even if you trust them? Is the company running the service owned in a country that has strong privacy protection? Do they comply with those laws? Can the state compel the company to provide access? Are they skilled at network security? If they're hacked themselves the hackers will have access to ALL of your personal information.

Imagine there's a trade war. Could your data be harvested for use by that country? What if such a war should escalate? Would they have malicious control of your IoT device (hint: yes)? Could state sponsored hackers leverage access through your IoT device into your home network (hint: yes)? Could you stop them while still using your cloud based IoT device (hint: no)?

Running a cloud service is an expense with no revenue return unless it includes advertising. Which brings up a few more questions. What happens to your device if the cloud servers break down? Or the owners go out of business or lose interest? Do you want to use an app to manage your home that includes advertising and monitoring? If you're not charged for a product, you are the product. Do you want to be a source of their data? Are you sure it's collected and sold anonymously?

What if they have a bug, or there's an internet outage and their services are offline? How will you control your home? What happens with your home automation? How long will the lights remain out?

What can I do?

  1. Only use devices that have a local LAN API allowing them to be completely blocked from reaching the internet (use your router firewall). Disabling remote access in any of the apps provided by the manufacturer ONLY disables it for YOU! The device will still reach out to the cloud servers, and the manufacturer can still reach back into the device.
  2. Use devices that can be reflashed with safe firmware and used with a safe application. See: ESP8266 for options.
  3. Throw them away.
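
A way to check item 1 once the firewall block is in place, as an added example that is not part of the original page: it reads router firewall log lines and reports, per IoT device, which off-LAN connection attempts were dropped and which were let through. The LAN range, device addresses, log prefixes and log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions for illustration: LAN range, device addresses, and the log
# prefixes (whatever --log-prefix was set to on the router's firewall rules).
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_DEVICES = {"192.168.1.50", "192.168.1.51"}
DROP_PREFIX = "IOT-DROP"

# Constructed, simplified iptables LOG-style lines (not real traffic).
SAMPLE_LOG = """\
Jan 10 08:00:01 router kernel: IOT-DROP IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443
Jan 10 08:00:02 router kernel: FWD-ACCEPT IN=br-lan OUT=br-lan SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=49153 DPT=1883
Jan 10 08:00:05 router kernel: FWD-ACCEPT IN=br-lan OUT=eth0 SRC=192.168.1.51 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=8886
Jan 10 08:00:09 router kernel: FWD-ACCEPT IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=443
Jan 10 08:00:12 router kernel: IOT-DROP IN=br-lan OUT=eth0 SRC=192.168.1.51 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=123
"""

LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def audit(log_text, iot_devices=IOT_DEVICES, lan=LAN, drop_prefix=DROP_PREFIX):
    """Per IoT device: count blocked off-LAN attempts, list those let through."""
    report = {ip: {"blocked": 0, "leaked": []} for ip in iot_devices}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] not in report:
            continue  # unparsable line, or not one of the IoT devices
        if ipaddress.ip_address(m["dst"]) in lan:
            continue  # local LAN API traffic is expected
        if m["prefix"] == drop_prefix:
            report[m["src"]]["blocked"] += 1
        else:
            report[m["src"]]["leaked"].append((m["dst"], int(m["dpt"])))
    return report


def leaking_devices(report):
    """Devices for which at least one off-LAN connection was not dropped."""
    return sorted(ip for ip, r in report.items() if r["leaked"])


if __name__ == "__main__":
    rep = audit(SAMPLE_LOG)
    for ip in sorted(rep):
        print(ip, "blocked:", rep[ip]["blocked"], "leaked:", rep[ip]["leaked"])
    print("firewall rule missing for:", leaking_devices(rep))
```

A device that shows up under `leaked` still has a path to the internet, whatever the remote access setting in the manufacturer's app says.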

MPP products run entirely within your home network. You can deny AutomationManager (AM) and all of your devices access to the internet using your router firewall and they will still function. If you do need voice or remote access, you enable connectivity directly to your Google account. No one other than you (and Google) has any access to your devices or account; everything is handled from your Android device to Google directly. There's no third party account involved, no separate skills or access to enable. Similarly, if you enable Amazon/Alexa, no other services need be enabled/authorized. Further, the data is specific to AM; neither Google nor Amazon is aware of the format of the data used by AM.

Tuya provides services to IoT manufacturers, including customer apps to control the IoT devices and connections between those devices and the Tuya cloud, which can then connect to or be driven by the various voice and cloud services, for example Google Home, Alexa, and IFTTT.

Go to the Tuya web site and check the "About us" page. Note that while there are sales offices in the US, all of the development is being done in mainland China. While the servers may be running in North America or Europe, they're running in Amazon's AWS and are controlled from China. Why are these services free? Where is your personal data being harvested and stored? Is this what you want for your home?

They do have a security compliance page, yet there is no visible enforcement or external auditing of their compliance.

A recent example: the supported devices rely on firmware developed for the ESP8266. That firmware would not prevent Over the Air (OTA) updates over the local network, meaning that if a hacker penetrated your network they could load your devices with malicious firmware and compromise your entire network, turning your IoT devices into internet bots, using them as network bridges into your home network, etc. Adoption of this new firmware level by the IoT manufacturers themselves is, as you can imagine, very slow. Many, many pre-existing devices remain vulnerable. (Note that MPP device firmware can often be flashed over these low end devices and used with AutomationManager; MPP firmware updates can be password protected. See ESP8266.)