IoT: It Begins!
A couple of days ago, Sabriena said she wanted a smart lightbulb. Her reasoning is fairly sound: the lamp on the “bar” is in quite an unfortunate place, given that you have to get up, walk completely around the couch, squeeze between the end table and the wall, and turn it on.
My immediate response was one of revulsion: they take a cheap, consumable electronic device, strap $1 worth of ESP microcontroller to it, charge A$25~100, and lock you in to a vendor. But this subject is a cause of deep cognitive dissonance for me, and it warrants examination.
Let’s start with the negatives. There’s the above-mentioned cost, which is basically a non-issue as we’re currently tremendously privileged. What else is there? There’s the security concern that a bunch of cheap devices on our home network might increase the chances of compromise. There’s the reliability concern that if our internet, or part of AWS, goes down we’ll be unable to control certain aspects of our house. There’s the environmental waste concern of extra e-waste going to landfills. Finally, there’s the bougie concern that getting your fat arse up to walk around the couch every once in a while is not the end of the world.
Now the pros, in my mind. The bougie concern is, I think, outweighed by the accessibility concerns of others - smart lightbulbs and other things that disabled folks might find life-changing won’t be profitable on their own if the only ones buying them are the disabled folks who need them. In my mind, if dumb, lazy gadget-obsessed fucks like me help seed the market to reduce prices for folks who need them, even a little bit, I can get over it and embrace my laziness. It’s worth noting that we, through no conscious decision, just a happy accident, have both a ducted vacuum cleaner and a robot that will grind coffee beans, press them, and spray steam through them to give me a reasonably decent espresso every time. In the grand scheme of things, I’m already a lost cause.
Likewise, the environmental concerns: LED bulbs are going to create waste even if they’re “dumb”, and if the additional waste caused by a few million microcontrollers is an issue it’s not going to be solved by pseudo-enlightened folks making a few personal purchasing decisions. Next.
The security issue? I get paid for security for fuck’s sake, if I can’t find a way to do this securely then what am I doing? Why am I spending hundreds of dollars on “enterprise” (term used very loosely) grade gear and spending hours fucking with it if a particularly clever lightbulb can be the end of me?
Reliability concerns? Now we’re getting to the crux of the argument. For this experiment, we couldn’t bring ourselves to pay the price of admission for something like the Philips Hue or a Zigbee setup; my wife and I are much too “Scottish” for that. A$22 is about the limit of our desire to experiment on this, and Sabriena really was quite set on buying the ones that K-mart had because they’re dirt cheap if we decide the whole thing is stupid. There’s a world of difference between a $20 “stupid mistake” and a thousand-dollar “stupid mistake”, and I’ve already made plenty of the latter.
So I started looking into them, and learned quite a bit in a very short time. She basically nerd-sniped me.
The brand she ended up going with is Mirabella Genio, sold in numerous places. From what I was able to gather, these are reskins of bulbs made by a company called Tuya, who will quite literally sell you a minimum order of lightbulbs and bundle the cloud server and mobile apps for you to customize as you like. Indeed, the reskin effort is incredibly low, so much so that they are Tuya bulbs. This is good news, because the Genio app is not supported by Home Assistant, but the Tuya app is… but that is easy enough because you can throw the bulbs into pairing mode, and simply pair them with the Tuya app instead. Then after jumping through some hoops, you can configure the Tuya Cloud shit to work with Home Assistant.
This solves the vendor lock-in issue handily too… if we get used to interacting through Home Assistant, then switching vendors is mostly fairly easy - a one-time ordeal to configure the new shit to work with HA and then it doesn’t matter if we have lightbulbs from multiple vendors.
Home Assistant? Oh yeah, that. Everyone sets that up as a bare-metal installation on a Raspberry Pi. I do not have a Raspberry Pi - I’d like one, but they’re fucking expensive. And again, we’re trying to do this experiment on the cheap.
So throw it in Kubernetes, that’s free. Oh, what an ordeal that was! Almost everyone runs it as a privileged container… no thanks, I don’t see why that’s necessary. After some time, and some swearing, I got the thing configured to work via Traefik, with an HTTPS certificate and everything. Re-pair my wife’s fancy lightbulb with the Tuya app, link the cloud shit over, and bam! It works!
She liked it so much, we bought a second one to experiment on too. And a lamp to go with it, because the lamp in the family room has a dark shade and won’t show the RGB unicorn puke through effectively. Fuck.
I started looking through all the shit that Home Assistant can do, and I’m thinking if we can figure out the worst of the security + reliability issues, this might actually be a net good for us. For one thing, our ancient garage door opener has given me the heebie jeebies since we moved in. I would probably bet my left nut it’s a matter of time before some fucker with a Flipper Zero drives around seeing whose doors open with it.
So I’m thinking it might be possible to disable the radio in it, and simply wire the hardware button up to Home Assistant. When our phones connect to the home wifi as we hit the end of the driveway, we can pull up an app to make the door open. Shit, I might even be able to get it to pop up on the Android Auto display automatically, wouldn’t that be fancy. If we forget our keys, but not our phones, we wouldn’t be locked out either.
Now what to do about the remaining concerns? Well, they’re really the same thing. In the current configuration, when we want to turn a light on we push a button on our phones, which connects across wifi to our server, which sends a signal to one of AWS’s European datacentres. This sends a signal back down an open websocket to the lightbulb, and it comes on. That means a bunch of outside connections to some Chinese-run cloud service, reliance on our internet and every hop between.
Well, most of the Tuya globes are some form of programmable microcontroller, and it looks like they may be fairly trivially hacked. If they’re not super up-to-date on firmware (they probably are) we can probably do an OTA update on them and trick them into running an open-source firmware. Failing that, you can crack them open and reflash them with a few bucks worth of bits (I don’t like the idea of cracking them open). Failing that it might be possible to rob the encryption keys from the app and shoot packets directly at them and block them from accessing the internet at all.
They also only support 2.4GHz wifi, which is a bit of a pain… but not really, because I set up a third wireless network in our house specifically for internet-of-shit devices. There’s no firewall on it currently, but we will allow it to only access the internet and not any of our home stuff at some point… probably this weekend, if I can figure it out without breaking my wife’s shiny new lightbulbs.
What next? I’m not sure. The list of potential integrations in Home Assistant is pretty huge, but do I want something to have control over say, our thermostat? It doesn’t seem particularly relevant with gas heat, but for air conditioning for instance it might be smart to have it set up to crank the temperature down slightly when we’re generating more solar power than we can sell for instance.
We’ll see where this takes us, and if I don’t wake up tomorrow morning and decide I hate the whole fucking idea.
Update: 2022-06-26: Today, absent something better to do, I knocked the bulbs offline and sorted out the segregation for the IoT network. It took a bit of remembering to work out how to configure the firewall zones in OpenWRT, but I eventually got it working… the Kubernetes pods (so Home Assistant) can access that vlan, but not vice versa. The IoT vlan can only access the internet and nothing else. If I can figure out how to get the local communication working, I can block that too (probably allowing them temporarily for new devices).
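For anyone wanting to reproduce the zone layout described above, here is an added example of what it looks like in /etc/config/firewall syntax. It is not the post’s own config; it assumes the OpenWRT interfaces are named lan (home network, where the Kubernetes host lives), iot (the 2.4GHz vlan) and wan.

```uci
# Added example, not the post's own config. Assumes OpenWRT network
# interfaces named 'lan' (home LAN / Kubernetes host), 'iot' (the
# internet-of-shit vlan) and 'wan'. Fragment of /etc/config/firewall.

# The IoT zone: devices may not talk to the router itself (input) nor be
# forwarded anywhere (forward) unless a rule or forwarding below allows it.
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The one exception on 'input': DHCP and DNS, which the bulbs need to get
# an address and resolve the Tuya cloud at all. Nothing else on the router
# (LuCI, SSH, etc.) is reachable from the IoT vlan.
config rule
        option name 'Allow-IoT-DHCP-DNS'
        option src 'iot'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'

# IoT vlan may reach the internet and nothing else.
config forwarding
        option src 'iot'
        option dest 'wan'

# LAN (and so the Home Assistant pods) may open connections into the IoT
# vlan. The firewall is stateful, so replies flow back, but there is
# deliberately no matching 'config forwarding' from 'iot' to 'lan': the
# bulbs cannot initiate anything towards the home network.
config forwarding
        option src 'lan'
        option dest 'iot'
```

After editing, `/etc/init.d/firewall restart` applies it; a quick check is to connect a laptop to the IoT vlan and confirm it can reach the internet but not the Kubernetes host, while the reverse still works.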