NOTICE: I think this article is only recommended for people who have systemic knowledge. As you know I have a certain idiosyncrasy about IoT, because of the habit that these devices have of "calling home". For example, I'm already annoyed enough that Google Assistant's shit starts calling their cloud all the time from their cell phones. But for this there is a sort of porting of iptables for android, which you can also download from the official market, and it is quite effective to understand what the destination of the traffic is, and block it on your home router.
The app is located here: https://play.google.com/store/apps/details?id=app.greyshirts.firewall&hl=en
Having said that, I have to say that if home automation does only what it says it will do, it wouldn't be bad at all. The problem is, you have to prevent this from messing up what's going on at home.
So, the first thing I did was to buy a wireless router for use only for IoT purposes. Obviously the router is NOT connected to the internet, unless I decide to physically attach the ethernet cable.
Sometimes it is necessary because often there is a time when the device has to register and download the firmware, or some initial settings.
At this point, however, the problem arises: almost no vendor tells you that his device needs the internet. Sure, they tell you it's "compatible with Alexa or Google or Apple", but they don't tell you they NEED IT. This you normally find out later.
Santa Amazon is an excellent remedy for this. In fact, Amazon allows you to send the package back within one to two weeks (depending on the vendor) without giving justifications. Which is perfect for accomplishing what I need to accomplish.
The algorithm I use, therefore, is the following.
- Create an ad hoc Wifi with the "client isolation" setting, so that one device cannot communicate with another device within the same WiFi. Usually the setting is available on every good router, even if disabled by default.
- Order the desired IoT on Amazon (light bulb, switch, power strip, whatever)
- Temporarily connect the “IoT” router to the network, to allow the first installation and possibly the download of an updated firmware.
- Install the devices and program it to do what is required.
- Disconnect the "iOT" douter from the internet, physically disconnecting the ethernet cable.
- Check that the device continues to work.
- If it works without the Internet, then let's keep it and have fun.
- If it does NOT work without the internet, we pack it up and send it back to the sender. (Thanks Amazon!).
So far you have done what almost anyone could do. Buy a router, set up a WiFi, and know how to connect or disconnect the ethernet cable. And use Amazon. But I'm a smanettons, so let's move on.
A nice thing are the Home Automation Hubs, which are normally identified as Amazon Dot, Google, Apple, Samsung, Philips, etc. What little is known is that there are also open source software that do the same thing, if installed on a Raspberry.
Personally, I am very comfortable with this: https://github.com/domoticz/domoticz
I like it because it already supports many of the protocols I need, and because it is easy to extend it using LUA or Python. So, to the famous IoT router that does NOT connect to the internet we will also have to attach a Raspi that is capable of supporting Domoticz. If you use ArmBian, Ubuntu for Raspi or the native Raspbian, the compilation is not very complicated, after installing the usual build-essentials, etc.
The only thing you will have to do is simply configure the raspi as the default router, so that every time something tries to reach the internet it sends the packet to the raspi. As it happens, on the stalk there will be a nice little rule of iptables that ends the traffic of some doors on the stalk itself.
This serves you for two reasons. The first is that if you do a tcpdump on the stalks you see what the pathetic spy trinkets try to do, when they try to spy. The second victory is that these devices don't have a real list of CAs to check with when they call home. To have it they should update it periodically and this adds cost and complexity. They generally don't even have a client certificate or just the CA of their server, since the certificate would end up expiring, and these devices are not complex enough to update it.
You easily notice this by setting an NTP server on your stalk, and sending all the NTP protocol there via iptables. All you have to do is force the data to the server, say, in 5/10 years, and see how the device that thinks it is in 2025/30/40 reacts. Obviously, the certificates will appear expired and will try to update them. If it does, then it's smart. If he doesn't try to do it, it's because he doesn't have the intelligence to update them. If so, you can assume that it does not keep a list of CAs, nor a client certificate. In this case, it is reasonable to think that it will also accept a selfisigned, as long as the CN coincides with the DNS name and you can put on everything you need to screw it, without risking wasting time.
If they are primitive, what they do is believe in any certificate, even self-signed, in case the hostname matches. So, all you have to do is install any proxy dns (unbound, pdnsd, coredns) that uses a hosts file as the source. At that point you can spoof the dns and use your selfsigned certificates to trick these devices.
I'm not talking about relatively sophisticated and expensive devices, which also manage certificates well. I speak of the very simple ones, which you can then control using Domoticz, or simply deceive.
I talk about things like this: https://www.amazon.de/dp/B07NV4L2W5?ref_=ast_sto_dp
Or this one here: https://www.amazon.de/dp/B07GF2MG7F?ref_=ast_sto_dp
These are interesting Chinese, but they have the bad habit of "calling home". The bad luck they have is that being very cheap electronics does not make a real certificate check, and you can fool it with any self-signed certificate as long as you have set up a DNS that deceives the device.
In this case you have to do one thing:
- Set your stalk as DNS on the WiFi router in DHCP.
- On the Raspi, start the DNS in debug mode.
- Turn on the device and wait for it to query the DNS.
Knowing which CN you will have to use, you know enough to create a fraudulent selfsigned certificate using openssl. Once done, you are spoiled for choice. Either sniff the traffic between the parent company and the device, simply by setting a proxy in the middle (but this requires you to also connect the stalk to the internet) or simply send the traffic on Domoticz using iptables, and hope that it uses a supported protocol. The chain above doesn't work with Domoticz, so I had to snort the traffic.
What I have seen is that the Chinese woman informs the house of her existence, and that she periodically downloads a json with a calendar inside, which is what you set up using the app if you want the power outlets to stick only at certain hours . The devices do not authenticate at all, a sign that they are really cheap and they have not spent any money: to tell the truth they send a kind of ID in the headers, but I tried to rewrite it and the backend accepts any string that has the length of 18 characters, including "puppaquicinciaolin". (Tested).
You understand well that a stupid webserver that serves a json file is more than enough: honestly, however, if all it does is keep me a calendar on the cloud, the maximum annoyance is that it knows my IP, which is quite workable putting TOR on the stem and connecting it to the internet. https://learn.adafruit.com/onion-pi/install-tor
Let's be honest: the fact that a guy in China knows that the lights on my patio have to go out at, I know, 11:00 in the evening doesn't worry me much. Since, however, there is psychological profiling and maybe 11:00 is typical of those who kill neighbors to eat the liver with fava beans and Chianti, then I put a stupid json on the stalks.
Steps for Chianti, but the liver with "a plate of beans", let's say it as it should be said, is a fucking recipe because the beans that accompany the liver must be reduced to puree. But Hannibal was American, what the fuck do we expect from an American cannibal in the kitchen? Needless to copy, they are capable! (cit.) It's been a long time since he put the pineapple on it. However below I put the recipe (one of) of the liver with the beans in puree . (1)
Go on. If it is a more sophisticated device, that is, a device that can contain and update certificates or CAs, this is complicated. Because these devices not only spy, but they also want to be sure to send the data to the right spy.
In that case, the most correct solution is simply to "pack and send back to Amazon".
If you are lucky, however, your device is able to connect with a known protocol, which has happened to me more frequently with devices that are declared compatible with Philips Hue. In this case, you are on horseback, because Domoticz knows how to handle them very well. In case you used your Raspi's Wifi to connect it to the Internet, you can also have events sent to you using Beehive, who speaks Hue. https://github.com/muesli/beehive
Since Beehive also supports Hue, at that point I managed to get me to send mail and messages using my XMPP server. The trouble with this solution, you say, is that it uses the internet. Of course, but let's not forget one thing: now we are the ones who control the transport. If I decide that everything goes through MY XMPP server, it is I who controls it.
Ultimately, therefore, all you need to have a secure IoT is:
- the passion for the "SMANETTATIO DVRA", macaronic evolve to say that you really like doing these things.
- A cheap WiFi router, better Tp-Link, so you can fleshare over several OS, such as OpenWRT.
- A Raspi capable of Wifi and Ethernet.
- Several hours of time &
In the end, you will wonder if it is worth doing all this to save the trouble of having bulbs and sensors and everything, but I must say the truth: the most useful thing is the automatic temperature regulation of the radiators, let's say an “intelligent” regulation, using this chain here: https://www.amazon.de/dp/B07VW9536M?ref_=ast_sto_dp
The reason I say this is that it saves a lot of money, which is never bad. But I don't want to inform the Chinese on duty that I am at home, that I am sleeping, and how many people sleep in my room (each human being emits about 2600KCal per day, depending on the basal metabolic rate, so calculate the difference in calorie consumption when there are people in the room it is not very difficult, as long as you know the outside temperature and have the history of your home).
So yes, Aiotti 'is fine, but being spied on in your own home is not. So, since these are skills that I already have, I find nothing wrong with using them.
The last question is: yes, but do they spy more on the Chinese or the Americans?
What I have seen is that Chinese products generally build very cheap datacenters, with very limited functionality, and even if they used those data to spy on, they are generally cheap devices that accept any certificate that has the CN that corresponds to the DNS. In this way, intercepting them is easy and understanding what they do too.
US-made devices, on the other hand, use cheaper chipsets. They manage to keep a list of CAs, which makes it MUCH more difficult (but not impossible) to intercept them. In general you have to go into it, where you will find a Linux, and install a CA that you have produced with OpenSSL. In that case, from that moment your certificates will be credible and you can intercept the traffic.
I only managed to do it on an Echo Dot, and honestly I saw that they send too much stuff for my taste. So, the point is simple: at least for now, cheap Chinese devices are spying LESS than western ones, for the simple reason that western ones being more expensive are able to implement more capable clouds and more powerful chipsets.
So far, therefore, I prefer to use Chinese devices, which I can control more. In case even the Chinese became like the USA, then the discussion will change and we will see how it is possible to insert a self-generated CA among them. But I have to be honest, I only did it on an Echo Dot, then I got tired of the dishonesty and bad faith with which they were drawn, and I sent it back.