Ryan
Veteran Member
 
Join Date: May 2004
Location: Promise Land of Trustafarians
 
2020-08-28, 18:17

Quote:
Originally Posted by Kickaha
As someone with his fingers in the IoT world (I wrote the SENSR specification), HomeKit is a layer of security over the ABSOLUTE SHITSHOW that is IoT.

Alexa and Google devices don't give a shit about security. Data is sent in the clear, and you bet they scrape every damned bit they have access to.

HomeKit creates end-to-end encrypted channels between devices in your system, and works hard to keep your ID private externally... which is why, in the era of monetized private data, companies didn't want to go to it. Alexa and Google let them sell that data at whim; HomeKit doesn't.

HomeKit is the *only* IoT protocol I'll allow in my house. The rest are simply nightmares.

Glad to know my instinct was correct. I've only gotten HomeKit so far.

Two apartments ago, the complex installed an internet-connected IoT lock from Yale. We had no choice. Later on, I learned my complex was their pilot location for a nationwide rollout of those devices to 40,000+ units. It connected to the internet via a hub they placed in my unit with a USB 3G dongle. Fortunately I realized it still functioned if I just unplugged the hub and left it disconnected from the internet.

I connected with some security researchers via Twitter after seeing a tweet from one I follow about the topic and realizing she lived in an apartment complex owned by the same company. Hoo boy we found some shit.

1) This major apartment management company had contracted with a 20 person startup to roll out smart locks and thermostats to all their units. That startup had exactly one (1) security professional on staff.

2) This researcher I connected with ordered some of these locks for herself. She and the local Defcon group went to town on them and built a proof-of-concept in which they could wirelessly unlock these locks. No internet access required, just broadcast the right message on the right radio frequency and they'd pop open. Zero authentication.

3) The manufacturer specifically advised *against* using this model in single-entry dwellings because the failure rate is so high.

There was more, naturally, but I don't recall all the details anymore.

The management company continued rolling out the locks anyway. I moved out when my lease was up.