Network Security, IOT, And HomeDaemon-MCP

2018-04-17 11:43 by Karl Denninger
in Technology, 113 references

My HomeDaemon-MCP controller has always "attracted" a certain number of "probes", nearly all of which result in a log entry that looks like this:

[10:18] SSL ACCEPT Error [http request] on [::ffff:103.254.156.xxx]

These are connections that are made to the controller where the SSL negotiation fails because the other end doesn't respond to it at all.  That is, the controller doesn't get back a bad negotiation or an attempt to play games with the SSL protocol; it simply gets nothing, a bare HTTP request, or something similar (e.g. someone thinks it might be a Telnet server.)
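As an added example (not HomeDaemon-MCP's own code), a small Python reader for log lines in the format quoted above: it strips the IPv4-mapped `::ffff:` prefix, tallies failures per source and per reason, and flags sources whose failures arrive in bursts, which is the "hundreds, back-to-back" pattern worth alerting on. The log lines are constructed and use documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted above.  The addresses are from
# documentation ranges (RFC 5737) and stand in for whatever the controller saw.
SAMPLE_LOG = """\
[10:18] SSL ACCEPT Error [http request] on [::ffff:203.0.113.5]
[10:18] SSL ACCEPT Error [http request] on [::ffff:203.0.113.5]
[10:18] SSL ACCEPT Error [telnet] on [::ffff:203.0.113.5]
[10:19] SSL ACCEPT Error [http request] on [::ffff:198.51.100.7]
[10:19] SSL ACCEPT Error [no data] on [::ffff:203.0.113.5]
[10:19] some unrelated line
[10:20] SSL ACCEPT Error [http request] on [::ffff:203.0.113.5]
"""

# [HH:MM] SSL ACCEPT Error [reason] on [address]
LINE_RE = re.compile(
    r"^\[(?P<hh>\d{2}):(?P<mm>\d{2})\] SSL ACCEPT Error "
    r"\[(?P<reason>[^\]]*)\] on \[(?P<addr>[^\]]+)\]$"
)


def parse_line(line):
    """Return {'minute', 'reason', 'addr'} for a probe line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    addr = m["addr"]
    if addr.startswith("::ffff:"):       # IPv4-mapped IPv6 form, as in the log
        addr = addr[len("::ffff:"):]
    return {"minute": int(m["hh"]) * 60 + int(m["mm"]),
            "reason": m["reason"], "addr": addr}


def summarize(text):
    """Parse a log and tally failures per source address and per reason."""
    events, per_addr, per_reason = [], defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events.append(ev)
        per_addr[ev["addr"]] += 1
        per_reason[ev["reason"]] += 1
    return events, dict(per_addr), dict(per_reason)


def bursts(events, threshold, window_minutes):
    """Addresses that produced >= threshold failures inside any window of
    window_minutes: the 'hundreds back-to-back' pattern described above."""
    by_addr = defaultdict(list)
    for ev in events:
        by_addr[ev["addr"]].append(ev["minute"])
    flagged = set()
    for addr, minutes in by_addr.items():
        minutes.sort()
        start = 0
        for end in range(len(minutes)):      # sliding window over sorted times
            while minutes[end] - minutes[start] > window_minutes:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(addr)
                break
    return flagged


if __name__ == "__main__":
    evs, by_addr, by_reason = summarize(SAMPLE_LOG)
    print(by_addr, by_reason, bursts(evs, 3, 1))
```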

HomeDaemon-MCP contains its own web server; it does not rely on something like nginx or Apache.  The reason for this is that the required set of capabilities is well-defined, and it's much more secure to write code that does what you need, along with interdicting attempts to be "bad" (and reporting them), than it is to rely on someone else's brain-fart which, due to the complexity of what it must handle, is inherently much larger and thus has a far larger attack surface.

In the last 48 hours or so the number of "probes" has exploded, as apparently Russia and a handful of other locations (the Czech Republic, for one) have decided to "ratchet up" attempted assaults on various "Internet of Things" devices.  I'm now seeing these reported not one or two at a time but by the hundreds, back-to-back.  There has also been a marked increase in the number of what appear to be "white hat" surveillance attempts on said devices, including mine, looking for potential vulnerabilities.  The fact that the "bad guys" know I'm here and how to find me isn't surprising in the main.  That the white hat guys are also hammering me is, because the presumption has to be that their primary means of finding me is an exhaustive port-scan on IP address ranges.

Why the "bad guys"?  Because I've been at this sort of stuff long enough, and am well-enough known from my days of running an ISP, that my presumption is that they know who I am and are at least passingly interested in trying to steal things -- like my software.  Maybe I'm wrong and they're just randomly looking too, but I wouldn't take that bet.

This appears to be related, according to the "white hat" folks, to this CERT alert -- and it's a NASTY one.

But HomeDaemon-MCP is laughing all of these attempted assaults off -- both the "white hat" probes and the far more-malicious "black hat" sort.

It's not at all impossible to write IOT code -- HomeDaemon-MCP is one such instance -- that is reasonably secure.

However, it's very hard to cheat by using libraries for huge amounts of the security-sensitive processing, including the web service part, and still maintain security.  The code isn't yours; even if you attempt to audit it you didn't write it and thus don't have a full understanding of it, and if a problem is found you're reliant on someone else to fix it.  It gets even worse if you're writing in something like PHP.

That's why HomeDaemon-MCP doesn't do any of that and I took the time and effort to write it on the metal using "C", with the only outside dependency being the OpenSSL libraries.

A reasonably-full description of HomeDaemon-MCP can be found here; it speaks not only Z-Wave with an inexpensive USB "stick" but can also manage independent and fully-internal analog input monitoring using an extremely inexpensive ADC "bolt on", as well as GPIO (digital) outputs.  If you have encryption-enabled Z-Wave devices it will use AES encryption as well (e.g. door locks.)  It's fast, secure, and runs on extremely inexpensive hardware (the Pi2 and Pi3 computers), with the code itself and its entire working data set for a reasonably-large (~150 events) installation, plus a slave controller, requiring only 10MB of working RAM.  It consumes roughly 10-20% of a Pi2's CPU with it clocked at 600MHz, or roughly "half-speed", and even with the FreeBSD operating system has nearly 3/4 of the 1GB of RAM on the unit free.  In other words it's insanely economical in terms of resource consumption, is entirely self-contained in terms of security, and it's also extraordinarily fast.

I've recently implemented an "app interface" on top of the standard, HTML-5 browser port that will make streaming-update apps (e.g. for Android) a trivial undertaking, and am starting development of a sample Android app to speak to it (which ought to be fun, since I need to teach myself Android app development in the process!)

Oh, and the license verification code (also certificate based using PKI) is built-in already -- it's literally ready to go, needing only the issuance of certificates to each customer for however long their license term is.

So where is the firm or firms that want to offer a secure controller of this sort, whether as a packaged product or as an installed system complete with all the mark-up available to same?

If you're that firm email me at karl@denninger.net and let's talk.

Yes, it's for sale -- in source, all rights, and while it's not cheap the asking price is, for what it is, very reasonable.

Comments.......
Jal
"So where is the firm or firms that want to offer a secure controller of this sort,"

Blackberry????
Whossane
Karl,
How do you create the floor plan that shows up on your device screen?
Tickerguy
You draw it (pick a tool); it's just a PNG file that's displayed as the background like this:

<!--Security:02-->
<div style="position: absolute; top:0px; left:0px;">
<img width="800" src="house-layout.png">
</div>

"Security:02" tells the code not to display anything after it if you're not signed in (there's a "<!--/Security-->" stanza later on) so it doesn't come up on the login page. That's a bitwise mask implemented so you can declare different classes of users where some can look at some things, some can look at all things, some can execute certain commands, etc.

The data is described in an HTML-like file that has the extension ".parsed" (for what you think it is) using divs for positioning, and has stanzas interspersed in it that appear to be comments but are replaced by data in real time, such as this:

<div style="position: absolute; top:140px; left:250px;">
Return<br>
<!--Dynamic Pool Return-->
</div>

<div style="position: absolute; top:100px; left:310px;">
Temp<br>
<!--Analog Pool Temp:Pool-->
</div>

<div style="position: absolute; top:140px; left:310px;">
Temp<br>
<!--Analog Return Temp:Pool-->
</div>
<div style="position: absolute; top:320px; left:250px;">
Setpt<br>
<!--Variable Hottub_Temp:Pool-->
</div>

Anything that is declared as a "dynamic" references a second file that can contain nearly arbitrary-complexity ANDed tests, such as this:

Pool Return
<!--if [GPIO Spa_Return:Pool] = 0-->
<!--if [GPIO Ret Disable:Pool] = 0-->
POOL
--end--
Pool Return
<!--if [GPIO Spa_Return:Pool] = 0-->
<!--if [GPIO Ret Disable:Pool] = 255-->
<span style="background-color: #B0FFB0;">
Both
--end--
Pool Return
<!--if [GPIO Spa_Return:Pool] = 255-->
SPA
--end--

That declares three potential things to show for the Dynamic variable "Pool Return" -- in other words, it has three potential states, "POOL", "Both" and "SPA". "Both" is a "split-return" for the pool pump water that maintains a small spill-over so the spa's water is circulated with the pool, thereby getting rid of the need to separately maintain its water chemistry (and thus rendering it a "zero cost" add-on, where normally you wind up with two chemistries to monitor and maintain.)

For things that are simple representations of "on", "off" or similar (e.g. dim level, temperature, etc) you just declare them, but if you want things like the "spinning fan" GIF then the dynamic capability allows for that, or virtually anything else. For example the "CLOSED" vertical display of letters in green on the garage doors, the "Occupied/Away" status (as opposed to "On" or "Off"), etc.

All of that is parsed in real-time by the internal web server code to return both a JavaScript dynamic update set that is part of the base page and also a second stream that delivers real-time updates literally "to the second" when you're on the web page.

----------
Winding it down.
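As an added example (not HomeDaemon-MCP's own code, which is C), here is a Python reading of the two formats described in the comment above: the condition file with ANDed `<!--if [...] = N-->` tests, and the `<!--Security:NN-->` / `<!--/Security-->` visibility mask around `<!--Dynamic ...-->` stanzas. The rules text is the one quoted in the comment; the page fragment is constructed, and reading `02` as a decimal bit mask, first-matching-stanza-wins, and treating an unknown reference as a failed test are my assumptions.

```python
import re

# Condition file as quoted in the comment above; SAMPLE_PAGE below is constructed.
POOL_RETURN_RULES = """\
Pool Return
<!--if [GPIO Spa_Return:Pool] = 0-->
<!--if [GPIO Ret Disable:Pool] = 0-->
POOL
--end--
Pool Return
<!--if [GPIO Spa_Return:Pool] = 0-->
<!--if [GPIO Ret Disable:Pool] = 255-->
<span style="background-color: #B0FFB0;">
Both
--end--
Pool Return
<!--if [GPIO Spa_Return:Pool] = 255-->
SPA
--end--
"""

SAMPLE_PAGE = """\
<div>Login</div>
<!--Security:02-->
<div style="position: absolute; top:140px; left:250px;">
Return<br>
<!--Dynamic Pool Return-->
</div>
<!--/Security-->
"""

IF_RE = re.compile(r"^<!--if \[([^\]]+)\] = (-?\d+)-->$")
SEC_OPEN_RE = re.compile(r"^<!--Security:(\d+)-->$")
DYN_RE = re.compile(r"<!--Dynamic ([^>]+?)-->")


def parse_rules(text):
    """Split the file into (name, [(ref, value), ...], body) stanzas."""
    stanzas = []
    for chunk in text.split("--end--"):
        lines = chunk.strip("\n").splitlines()
        if not lines or not lines[0].strip():
            continue                         # trailing or blank chunk
        conds, body = [], []
        for line in lines[1:]:
            m = IF_RE.match(line.strip())
            if m:
                conds.append((m.group(1), int(m.group(2))))
            else:
                body.append(line)
        stanzas.append((lines[0].strip(), conds, "\n".join(body)))
    return stanzas


def resolve_dynamic(stanzas, name, state):
    """First stanza for `name` whose ANDed tests all hold wins.  A reference
    missing from `state` makes the test false (fail closed; an assumption)."""
    for sname, conds, body in stanzas:
        if sname == name and all(state.get(ref) == val for ref, val in conds):
            return body
    return ""


def render(template, user_mask, stanzas, state):
    """Hide lines between <!--Security:NN--> and <!--/Security--> unless the
    user's mask shares a bit with NN (NN read as decimal here), then fill Dynamics."""
    out, hidden = [], False
    for line in template.splitlines():
        s = line.strip()
        m = SEC_OPEN_RE.match(s)
        if m:
            hidden = (user_mask & int(m.group(1))) == 0
        elif s == "<!--/Security-->":
            hidden = False
        elif not hidden:
            out.append(DYN_RE.sub(lambda d: resolve_dynamic(stanzas, d.group(1), state), line))
    return "\n".join(out)
```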

Geckogm
Karl, this segment is exploding. The Samsung hub, Nest and Ring products, security cameras galore. The price points for all this stuff are now affordable and the companies are marketing additional add-on products. I listen to satellite radio raw dog comedy and Fox News and the ads are cranked up big time for home automation.

Who is the target market for this product when most people are in Costco buying this stuff, which says "easy installation"? These people have Alexa in their house.

The average homeowner can now have a video doorbell, security lights and camera, indoor controlled lights and a smart thermostat for 1000 bucks installed.

Joe six pack loves Alexa and buys stupid. It seems the market share for this product is small and very niche. So which end user wants this and how much is end user paying for setup and maintenance?
Tickerguy
Maintenance is zero, potentially anyway. That's the beauty of this setup in that it can be sold inexpensively and widely as a "packaged product" like the Samsung hub (still at a very nice profit, since the hardware is extremely cheap) AND you can sell it as a "buy the hardware for cost, pay a subscription fee $X per Y unit of time" on the same basis, AND you can sell it as a fully-integrated with maintenance product and service (again, secured by the certificate and thus subscription fee) AND....

That's the beauty of it -- it covers the ENTIRE panoply from the "boxed product" setup all the way up the line. With a couple of $10 add-on boards (one for relay control for valves, the other ADC for $1 LM34 temperature sensors) it's the BETTER of the $500 "smart" pool/spa controller that the pool guys sell, except it'll integrate with a main unit inside as a slave, so it all appears to be one. I have that setup out by my pool gear mounted in a waterproof $30 RainBird sprinkler controller box; it's fully independent of the "main" unit yet when both are online it talks to and integrates with it seamlessly. You can separately log into the pool one if you want, assuming you have a login and password set up for it. That unit talks to a VFD motor on the pump which takes your $100 pool pump monthly power bill and makes it a $20 bill instead without losing anything on water quality. The motor swap took me an hour and paid for itself inside of six months. The same setup will drive an irrigation system, of course, and for that matter can also drive a multi-zoned HVAC system "native" (try doing THAT with any of the existing "smart" thermostats.)

The "Alexa/Smartthings/etc" products are nice, cheap, and very simple. This can be that (and compete with it) but it ALSO can be sold as a subscription model or with installation, maintenance, etc -- and can be set up to do things of nearly-infinite complexity. As a "boxed product" the end-user can do those things of infinite complexity, and on a managed, licensed model for those who either don't want to or can't figure it out a firm can do it for them on a subscription basis.

What you see on the web page is what Alexa could NEVER do. The setup not only knows how to manage the pool and spa for energy consumption and remote control, reporting it all, but it also manages everything around the house entirely automatically -- it knows when nobody's here, when someone is here, what defines "here", and the complexity of the decisions it makes are only limited by what you want them to be.

There are a number of small but very-material things it can trivially do that the "Alexa-style" set ups cannot -- say much less the far more complex ones. As just one example most of the "smart numerical pad" deadbolts (all working with encryption, thank God) can have codes added via the controller. But HomeDaemon can trivially disable the entire keypad (without clearing all the codes) when you go to bed, and then turn them back on in the morning when you wake up, knowing you're up because of something it saw happen inside. Thus, if someone has (watches you key it, etc) your PIN code it's worthless while you're sleeping.... or, for that matter, it can be worthless while you're away too since the keypad can trivially be locked out.

"Alexa, turn on the bedroom light" is simple. What's not so simple is knowing whether it's night time or day outside, whether you'd want a higher or lower level of illumination (or none at all), and by the way, someone just walked in the room -- no "Alexa" command required. Maybe in the winter you don't want your bathroom exhaust fan to come on when someone is in there (the humidity and heat that are generated from taking a shower are both *good* and *free*, never mind that the exhaust sucks out all the heated air you paid for) but when it's warm out side and the thermostat is in "cooling" mode you DO want it to come on (because in that case they're both BAD and it's a lot cheaper to exhaust them than to A/C them out of the house.)

In addition nobody gets your data or what you're doing BUT YOU.

If you want to tie to Alexa you certainly could, although IMO you'd be nuts to do that as Alexa would be happy to expose all the state information to the cloud if you were silly enough to let it see that!

HomeDaemon-MCP slots in terms of capability very close to, if not exceeding, what systems like the must-run-LV-wiring-to-every-box Crestron setups that go into multi-million dollar mansions offer -- but at a fraction of the cost.

----------
Winding it down.

Tickerguy
BTW if you're curious where the syntax idea came from here's a small piece of one of the templates for the forum....

<!--*post-->

<!--=@flags%1024-->
<!--=@toppost=1-->
<!--GHeadBlog-->
<!--=-->

<head>
<!--=N=1-->
<title>
Requested post is not available or does not exist.</title>
<!--Galldone-->
<!--=-->

<title><!--@subject:60--> [<!--@forum-->] - <!--@+title--></title>
<link rel="stylesheet" href="../style.css" type="text/css">


If it looks familiar that's because it is.

----------
Winding it down.
Tickerguy
Oh, then there's this.... (that's kilowatt-hours, not money, compared against prior year, same month)

Gee, I wonder what changed that dropped power consumption around here by just over 15% on what looks a lot like damn near a step function....

12 month averages over same month, prior year:
2016-Apr - 2017-Mar 105.40%
2017-Apr - 2018-Mar 84.98%

Incidentally in August that "feature" was intentionally shut off because I wanted to check my data collection and make sure I wasn't imagining things, so.... yeah.

That, by the way, is likely good for a patent (the provisional I have prepared and WILL file before someone gets ANY look at how it's done or enough to figure it out) -- it can be compartmentalized and sold separately, or become part of a "learned skill" that's bundled within. I can't find ANY prior art on the subject either -- and I've looked pretty thoroughly......

----------
Winding it down.

Asimov
I'm secretly (well, not anymore) hoping that you decide to move to east tn and that you decide to market it yourself, because I'd love to apply for a job.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Cobra2411
Quote:
a casino was hacked through the thermometer in its lobby aquarium.

Glad you're good at what you do Karl. We don't need pictures from your hot tub thermostat floating around the internet...

http://www.businessinsider.com/hackers-s....

----------
Government: A device that allows you to get blind ass drunk and your children die from alcohol poisoning.
Tickerguy
That'd be a picture of my dick -- "up" means it's not hot enough.

----------
Winding it down.
Geckogm
13 years ago I had a Crestron rep come out and give me a bid. I had a ridiculous house at the time. 52k was the bid; I was like thanks, but I'll turn the lights off and on myself, see ya.

I am considering retiring from the mortgage business soon. What is coming is another bloodbath that I do not want to watch again. That, and the regulatory and compliance headaches, and making a 10th of what I used to, make it no fun.

So I have been putting together a home automation business on the side. But my target market is the DIY products installed and configured by a professional for the families that pay people to mow their lawn. I have something like 16 million people within 90 miles of me. I am in the process of getting a low voltage license for California, which is damn hard to get unless your best buddy who is a general contractor gets involved in the LLC. This is not a get-rich business; this idea is a cash side business to stay active in retirement. By the way, no low voltage wiring license is needed if the wires are already there.

Your product interests me because I know it's badass. However, I want to suck money out of the 80%, not find the unique 20%.
Tickerguy
The Smart Things Hub is $100, more or less, and it's not very smart -- it's really just a gateway (that is, it exposes the ability to talk to the devices over an app-style interface.)

The hardware for HomeDaemon can be had, Q1, for about $80 (Pi + Zwave stick.) Bought in any sort of quantity at all it'll be materially cheaper and it does a HELL of a lot more.

So yes, it's very competitive both from the 80% and lets you target the 20%. ~$50k is about right for a decent-sized Crestron install incidentally, which is MASSIVELY overpriced IMHO -- but they get it, so.... yeah.

The other "teachable" controllers that I looked at before writing the first version of this stuff back in the 2000 timeframe, and have kept looking at since, are WHY I wrote this (I thought they were insufficiently capable AND ridiculously expensive - most are $500+ devices and a lot of that is actually the hardware requirements they have to work reasonably well -- but couldn't do the sorts of things I wanted to do.)

Targeting the folks who pay someone to mow the lawn is exactly where the big opportunity is. Instead of an "Alexa, turn on the lights" deal on the same hardware you have a system that is entirely customizable to any degree the person who owns it wants, it's accessible from anywhere on any device (since it is a browser interface) and it can be taught damn near anything very easily, no matter how complex. Of course you can (and should!) charge for that, since they don't want to mow their own lawn... Not that they couldn't, but you know they won't which is why they called YOU! It's also damn near bomb-proof since it boots off an SD card and never needs to write to the card except when the configuration is changed and it's explicitly told to save the changes.

If they've got a pool then it gets even better, because the retrofit to make that a part of it on a seamless basis is about the same as any of the packaged Jandy stuff on a price basis, but again, the convenience factor is immensely superior. Sitting in a bar an hour away and turning on the hottub so it's ready when you get home is where it's at.

I have mine talk to me in certain cases since I have in-ceiling speakers in the living and dining rooms; a $20 amp and $5 USB audio dongle plug right in, and speech synthesis is easily grabbed as a freely-installable system package. That also gives you infinitely-customizable tones and speech intermixed (e.g. doorbell on proximity when someone walks up to the door without pushing a button, etc.)

"The hottub is ready" being announced when it reaches setpoint is sort of nice when you're kicking back with a beer....

Nice thing about Zwave is no LV wiring required; it's RF and a mesh so the more "things" you put in the better it performs, plus all the sensors (e.g. door, window, PIR, etc) are battery powered and they report battery status, so you get plenty of warning to change them before it goes dead on you.

One thing I really do like with the Amcrest camera interface I implemented is that the Amcrest cameras all have a set of dry contacts on the back. That's extremely useful, especially since they're FREE, and the code can use them as a triggering condition. The other interesting features on the Amcrest cams include both sound and motion triggering capability; the former, however, is CRAZY-sensitive even when turned all the way down (which is rather disappointing as if that WASN'T the case it would make a dandy forced entry/glass-break detector!) and the latter will trigger on reflected sunlight through a window since it's contrast based..... It's in the code and supported but whether I'd use either for other than "take a snapshot" purposes (which the code supports) is another matter.

----------
Winding it down.
