Archive for the ‘IOT’ Category

How not to implement smarthome security – Connected A/C

December 17, 2017 1 comment

Recently I added a few Mitsubishi minisplit A/C systems to my home and, because I travel a lot (and I’m incredibly lazy), I wanted to be able to control them from my phone (and the couch). I’ve had previous history with the Honeywell RedLink system (which requires yet-another-hub) and was pleased to find that mini-splits with native wifi connectivity are available.

My installer had never set up such “new” technology so this week he arrived with a number of tiny plug-in boxes, and the installer training video to connect up my units.

Halfway through following the steps on the video, the app presents us with an “Enter Installer Pin” challenge – cool I think, “some security at least to stop…”

what exactly?

I’ll get to that topic later – but needless to say, the pin wasn’t mentioned in the training video, nor in the one-page install guide in the package.

Never to be defeated, I turn to my trusty advanced hacking toolkit and universal IoT password finder…

A search for “Mitsubishi installer pin” yields some helpful results – one, in particular, catches my eye, since it’s hosted on that vendor’s support URL.

Here’s a picture of the result – note how helpfully they put the pin in bold text!

Installer Pin

So strike one and two for this vendor –

  1. never use a fixed pin, for anything!
  2. never print your passwords, especially not in public-facing documentation

I’ll let the 9999 pin pass, given it’s not in the top 10 of most common pin codes (it’s #11).

So, back to the question of what exactly the installer pin is protecting? Mostly, it’s protecting the homeowner from adding a new unit to their online account, and it’s protecting them from being able to re-link a unit if for some reason it loses connection. In my case, there were no “dangerous” options I could mess around with – and reading the documentation, it seems that the installer protected options are really a crutch for a system which should be able to learn for itself what options are present and configure itself automatically.

So for me, the “installer pin” protects my installer; otherwise, I’d be able to configure my A/C unit without him. He’s a nice guy, but I don’t want to be scheduling a site visit every time I change my wifi password.

This seems to be a trend within the Air Conditioning industry – for example, Honeywell’s Redlink Gateway (which is effectively plug-and-play) also should only be installed by a “trained experienced service technician” – at least with these gateways the PIN is unique and printed on the bottom of the device.

As an aside, the Honeywell VisionPro Thermostat also has installer-only options protected by a code, which also is printed on the back of the clip-on device. But if you’re REALLY lazy and don’t even want to unclip it, there’s a menu option on the screen which will helpfully tell you the code.

Believe me – The Redlink gateway takes 30 seconds to install and configure, and you don’t need any “AC training” to understand how to link a thermostat to a mobile app.

Honeywell Redlink Gateway Pin Code

I’m not very tolerant of this kind of “protectionist” behaviour – how many people paid a few hundred dollars for someone to plug in a hub, or “add” their minisplit head unit to their online account – things which require no expertise, have no risk, and generally should be automatic?

How successful would Nest have been if it required a service call to install?

Did you pay for someone to add a trivial IoT device to your home? Comment below.


Buying or selling a smarthome? Watch out for amnesia!

November 10, 2016 Leave a comment

Moving, 1988 - Richard Pryor

With everyone, including Realtors, talking about “smart homes” I’m not sure there’s anyone who’s involved in a home transaction who’s not aware that “smartness” is a compelling selling feature.

So much so, that the realtor company Coldwell Banker teamed up with CNET a few months ago to define exactly “what a smart home is” – some criteria their members can use to decide whether your home is worthy of the title.

Simply, they define a smart home as one with internet-connected HVAC or security, plus something else, like connected lighting, audio, watering systems or safety systems.

Yes, a home with Sonos music and a Ring doorbell would be considered smart.

The problem is – much of the current generation of consumer smart technology is likely to be taken by the previous owner when they vacate.

Categories: SmartHome

Realtors define “smart home” – but there’s a catch.

July 19, 2016 2 comments

Coldwell Banker teamed up with CNET to define what a smarthome really is – but they didn’t pay any attention to what is in my opinion the most important fact to smarthome buyers.

What technology is transferred to the new owners? 

Their examples include very transitory things, like smart TVs and entertainment systems which you would normally expect to leave with the original owner.

And, they don’t cover the difficult process of how exactly do you transfer control of permanent things like your HVAC system to new owners? Do you give them your user name and password? Can they even set a new user name?

For the more complex integrated systems – is it even possible to transfer control over without giving them “your account”? – after all, you don’t want to move into your new smarthome and find you have to set up all the automation again.

Of course for the original owner, if you give someone your account – are you able to set up a new one for your new home? Does the new owner get to see all the logs from your residence?

Categories: SmartHome

Smarthome Survey Shows Safety Is No.1 Concern

March 31, 2016 Leave a comment

Smart Home Survey
After surveying nearly 10,000 individuals crossing every continent, it’s obvious that concerns around personal data are the most pressing issue in adoption of smart home technology – more than 90% of people had concerns about cybersecurity.

People also had strong opinions on how things should be secured, with passwords being the most disliked option. It seems the future smart home will use fingerprints, voice and even eye scans instead.

Despite these concerns though, people are generally positive about “smarting up” their living spaces – 75% of participants expect to see real benefits, and were especially interested in smarter lighting, kitchen appliances and heating systems.

And, driving good design, 82% of our participants wanted “a single integrated security package” – another reason for the smarthome industry to drive towards consolidation.

You can find more information in the Atlantic Council smart home report, at

Categories: SmartHome

Elective Age Ratings, Breaking down Age-Label

February 9, 2016 Leave a comment

This week I was introduced to Age-Label, an age-appropriateness rating system for web sites, sponsored by OMK in Germany. Proposed as a standard for self-regulation of web sites, it allows owners to insert a small XML file, “age-de.xml”, in the root of their websites which defines the appropriate age ratings of the site, or of subsections of it. I dug deep into the system and did some trawling across the internet to find out how widely used it is.

You can read an English translation of the standard online.

It would seem like a good idea – instead of relying on a third party to analyse the content of your site and make a determination on what age groups it’s appropriate for, web site owners can define it for themselves. The XML file also allows you to specify different sections of your website for different age readers.

Of course, this requires some appropriate technology on the reader’s device to look for, interpret, and act on the age-de.xml file – but if you imagine a world where the majority of sites are (honestly) tagged, and browsers use the XML data, and parents set the browsers with the appropriate age information, we could indeed go a long way towards protecting minors from inappropriate content.

Smarthome 102 – Electrical

November 26, 2015 1 comment

Following on from my article on Plumbing your smarthome, here are my top tips for electrical work when you’re designing or remodeling a home. I’ve bought surprisingly featured homes designed with expansion and maintenance in mind, and also homes that, though well built, were not built to be smart, maintainable or upgraded.

Don’t forget that most countries require permits for electrical additions, even if it’s just adding a new outlet, so the more you plan ahead, the better use you can make of your electrician’s time.

1. Run Neutral wires to each switch location. 

More common now than a decade ago, but still I see new homes with no neutral in switchboxes. This may seem obscure, but most modern smart switches need live and neutral to operate – but most lighting switches work on live only. Make sure your electrician runs neutral wires to all switch locations so you can add smart switches at some point in the future.

Categories: SmartHome

SmartHome 101 – Plumbing

November 22, 2015 2 comments

Simon’s tips and tricks when you’re creating a smart home with a pencil, or hammer. Taking a moment to think about how your plumbing is going to be laid out, considering future upgrades and accessibility for repair and replacement will make things much easier for you.

For Electrical tips, see Smarthome 102

1. Don’t put a shower head or controls on an outside wall. 

This one should be obvious – if you install your shower controls on an outside wall, there’s no way to EVER get behind them. This may not be something you’re worried about now, but what about in a few years when you want to replace the diverter valve with the newest technology?

If possible make sure that there’s an interior wall behind your shower controls, and best, a closet – because you can easily cut a hole in the closet drywall to get to the valve, and that won’t mean having to re-tile your shower.

Categories: SmartHome

CIO Review IoT Special Edition, November 2015

November 10, 2015 Leave a comment


CIO Review and I have collaborated a few times around the smart home security and IoT space. They kindly asked me to write something for the November IoT Special Edition, published this week.

You can find me at p47, but the whole edition is valuable reading.

Categories: IOT, SmartHome

Smart Home or Dumb Home/Smart Cloud?

November 5, 2015 Leave a comment

At the end of my street, tucked between some bushes and a tree in someone else’s garden, is a weathered beige box. I’d never noticed it before this week, but it’s become very important to me, because that dirty, unloved box is responsible for whether my smart home automation works, or not.

Yes, that beige box in someone else’s garden is where my home cable connects to the community coax network.

I’ve come to the realization that my smart home is actually pretty dumb on its own – without a connection to internet services, a lot of my clever rules and technology simply fail to work. My doorbell camera doesn’t send me video, my IFTTT rules to work the Hue Lights fail, and I can’t even open my Wink-connected door locks.

Amazon’s Echo is another victim of connectivity – it seems so clever, but when you step back and think about it – it only understands two words/four syllables – Ah-Mah-Zon and for the alternate name, Ah-Lex-Ah. All the other language processing is done in the cloud, so you can “turn off” my home voice recognition just by unplugging the coax in that anonymous roadside box.

Categories: SmartHome

Speaking at Mobility Live 2015 on the 28th Oct.

October 26, 2015 Leave a comment

This week, on 28th October, I’ll be participating on the IOT panel at Mobility Live 2015 in Atlanta, GA. The topic is “The New World of IoT” – I’ll be joined by peers from Stanley Black & Decker, Accenture and Siteminis Inc.

Categories: IOT