Archive
How not to implement smarthome security – Connected A/C
Recently I added a few Mitsubishi minisplit A/C systems to my home and because I travel a lot (and I’m incredibly lazy) wanted to be able to control them from my phone (and the couch). I’ve had previous history with the Honeywell RedLink system (which requires yet-another-hub) and was pleased to find that mini-splits with native wifi connectivity are available.
My installer had never set up such “new” technology so this week he arrived with a number of tiny plug-in boxes, and the installer training video to connect up my units.
Halfway through following the steps on the video, the app presents us with an “Enter Installer Pin” challenge – cool I think, “some security at least to stop…”
what exactly?
I’ll get to that topic later – but needless to say, the pin wasn’t mentioned in the training video, nore the one-page install guide in the package.
Never to be defeated, I turn to my trusty advanced hacking toolkit and universal IoT password finder..
google.com
A search for “Mitsubishi installer pin” yields some helpful results – one, in particular, catches my eye, since it’s hosted on that vendor’s support URL
Here’s a picture of the result – note how helpfully they put the pin in bold text!
Installer Pin
So strike one and two for this vendor –
- never use a fixed pin, for anything!
- never print your passwords, especially not in public-facing documentation
I’ll let the 9999 pin pass, given it’s not in the top 10 of most common pin codes (it’s #11) – http://www.datagenetics.com/blog/september32012/
So, back to the question of what exactly the installer pin is protecting? Mostly, it’s protecting the homeowner from adding a new unit to their online account, and it’s protecting them from being able to re-link a unit if for some reason it loses connection. In my case, there were no “dangerous” options I could mess around with – and reading the documentation, it seems that the installer protected options are really a crutch for a system which should be able to learn for itself what options are present and configure itself automatically.
So for me, the “installer pin” protects my installer, otherwise, I’d be able to configure my A/C unit without him. He’s a nice guy, but I don’t want to be scheduling a site-visit every time I change my wifi password.
This seems to be a trend within the Air Conditioning industry – for example, Honeywell’s Redlink Gateway (which is effectively plug-and-play) also should only be installed by a “trained experienced service technician” – at least with these gateways the PIN is unique and printed on the bottom of the device.
As an aside, the Honeywell VisionPro Thermostat also has installer-only options protected by a code, which also is printed on the back of the clip-on device. But if you’re REALLY lazy and don’t even want to unclip it, there’s a menu option on the screen which will helpfully tell you the code.
Believe me – The Redlink gateway takes 30 seconds to install and configure, and you don’t need any “AC training” to understand how to link a thermostat to a mobile app.
Honeywell Redlink Gateway Pin Code
I’m not very tolerant of this kind of “protectionist” behaviour – how many people paid a few hundred dollars for someone to plug in a hub, or “add” their minisplit head unit to their online account – things which require no expertise, have no risk, and generally should be automatic?
How successful would Nest have been if it required a service call to install?
Did you pay for someone to add a trivial IoT device to your home? Comment below.
Realtors define “smart home” – but there’s a catch.
Coldwell Banker teamed up with CNET to define what a smarthome really is – but they didn’t pay any attention to what is in my opinion the most important fact to smarthome buyers.
What technology is transferred to the new owners?
Their examples include very transitory things, like smart TVs and entertainment systems which you would normally expect to leave with the original owner.
And, they don’t cover the difficult process of how exactly do you transfer control of permanent things like your HVAC system to new owners? Do you give them your user name and password? Can they even set a new user name?
For the more complex integrated systems – is it even possible to transfer control over without giving them “your account”? – after all, you don’t want to move into your new smarthome and find you have to set up all the automation again.
Of course for the original owner, if you give someone your account – are you able to set up a new one for your new home? Does the new owner get to see all the logs from your residence? Read more…
Smart Home or Dumb Home/Smart Cloud?
At the end of my street, tucked between some bushes and a tree in someone else’s garden, is a weathered beige box. I’d never noticed it before this week, but it’s become very important to me, because that dirty, unloved box is responsible for whether my smart home automation works, or not.
Yes, that beige box in someone else’s garden is where my home cable connects to the community coax network.
I’ve come to the realization that my smart home is actually pretty dumb on its own – without a connection to internet services, a lot of my clever rules and technology simply fail to work. My doorbell camera doesn’t send me video, my IFTTT rules to work the Hue Lights fail, and I can’t even open my Wink-connected door locks.
Amazon’s Echo is another victim of connectivity – it seems so clever, but when you step back and think about it – it only understands two words/four syllables – Ah-Mah-Zon and for the alternate name, Ah-Lex–Ah. All the other language processing is done in the cloud, so you can “turn off” my home voice recognition just by unplugging the coax in that anonymous roadside box. Read more…
Why I want all my lights to be smart…
This week Theo Priestley of Forbes posted an interesting article, where he posed a couple of interesting questions:
An average home in the UK can potentially run to over 15 or so light bulbs, but how many would a consumer realistically want to be smartly enabled and connected to the internet ? And again, just what is the value they’re going to receive from controlling them remotely ?
As I sit in my office I have 9 light bulbs around me – I know I’m not in the UK, but I’m British and I don’t remember the UK being particularly starved of bulbs last time I visited. Perhaps Theo meant “light switches” in which case I only have 5 – but the first question he asks is why we want them all to be smart?
My answer is the following – when I get up at 4 am for a flight I don’t want to wake my wife up. I also don’t want to trip over on my way across the room to the light switch. Read more…
Smarthome 2015 – 80’s Computing Throwback?
Image C/O Gigaom
With so many competing IOT hubs and ecosystems – how can the dream of the connected home, digital butler experience be realized?
Can you remember personal computing in the 80’s? I was a Commodore 64 kid, I thought it was the best computer ever – why would anyone use anything else?
My classmates generally disagreed though – there was the ZX Spectrum, Tandy, Acorn, Atari, Amiga, BBC Micro (A and B), Amstrad, Apple, and the one kid who’s father had a CPM 80286.
The challenge was, even though we all had much the same goal – play the best games, learn how computers work, maybe write a game of our own – everything was completely different and incompatible – even storage with tape, microdrive, 3″, 3.5″ 5″, 8″ disks – each manufacturer, assured in their own superiority forged ahead creating their own proprietary isolated world. Read more…
Understanding Internet Of Things for the Home
Last week Rory Cellan-Jones, a reporter for the BBC, tried to explain in his CES2015 news article why we, all of us, should be interested in the progress of “Internet of Things” for the home. Even our Intel President admitted it’s a hard topic to generally appreciate
I asked Intel’s President Renee James whether she thought anyone outside the show got this idea – and she admitted that they probably didn’t. “It means a lot to us,” she said “but this show is largely about the industry talking to itself.”
In my opinion Rory also misses some of the real value that’s being created in this space, so let me relate some thoughts on the good, and bad of “Home IOT” Read more…
CES2015 – A festival of insecure, unmanaged IOT devices..
The Internet of Things (IOT) and “smart devices” were THE big thing at CES this year – the show was flooded with novel gadgets from every manufacturer – from smart connected coffee makers, health tracking devices, fire alarms, home security systems, and even vehicles which some are considering the next “wearable”.
CES behemoth Samsung’s CEO Boo-Keun Yoon spent a significant portion of their keynote reminding us that IOT “is not science fiction anymore. It’s science fact” – something I can attest to with a significant number of their devices in my own home.
Everywhere you looked, there was either an IOT device, something that “IOT’s” your devices, or something that manages them – and of course in the Intel booth, we also devoted a significant portion of our time talking about how to manage and secure them. Read more…
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments