cross-posted from: https://lemmy.world/post/32265822
xkcd #3109: Dehumidifier
Title text:
It’s important for devices to have internet connectivity so the manufacturer can patch remote exploits.
Transcript:
[A store salesman, Hairy, is showing Cueball a dehumidifier, with a “SALE” label on it. Several other unidentified devices, possibly other dehumidifier models, are shown in the store as well.]
Salesman: This dehumidifier model features built-in WiFi for remote updates.
Cueball: Great! That will be really useful if they discover a new kind of water.Source: https://xkcd.com/3109/
I just bought my first home and as soon as I’m decently unpacked I’m going to start my journey on self hosting.
Currently planning:
- Small i5 HP Pro SFF PC for hosting large apps (going to config for Linux and power it off until I get more mature
- Raspberry Pi4: pihole and home assistant
- Raspberry Pi4: NextCloud, Deck
- ZigBee router thing:
- Nest thermostat came with the house
- adding light bulbs and switches
- want a smart doorknob but the security bothers me. Schlage Connect™ Smart Deadbolt, Z-Wave Plus
- NAS
- Jellyfin
- JBOD on SFF?
- flashing old Netgear nighthawk into wwdrt
- OS Ticket to replace NextCloud Deck for a JIRA type solution to manage projects and major house items.
- ZigBee thermometers for better Nest accuracy
- ZigBee motion sensors for entry ways and bathroom
- smart plugs and motion sensors for basement TV lights
Not sure what else to add. Open to advice or suggestions.
I’ve watched enough Lock Picking Lawyer never to want a consumer ‘smart lock.’ Half of them can be opened with a magnet. Maybe commercial grade is better, but I’ve been locked out of my job after every power failure for the last 10 years, until someone comes along with a physical key.
Re homeassistant on a Pi: homeassistant does a lot of database transactions, so you may want to have db storage on something other than an SD card.
Good call. I was thinking of trying a 128GB usb3 stick I got. Maybe a ssd/nvme on a USB3 controller.
I have an old 2.5inch 500GB laptop HDD plugged into a USB/sata adaptor into my rasberry pi.
that’s been running flawlessly for 3 years and drops every concern with running HA on a pi
I have tentative plans to make my own smart lock by way of electric motor and commercial deadbolts with an RF scanner and a back up battery for emergency. It won’t be amazingly secure in a tech way, but I figure the combination of novelty and DIY should make it reliable.
That said, I gotta be that guy and remind everyone that all locks are security theatre and are not going to protect your house from the persistent or prepared. Your best defense is a combination of foresight and social engineering.
I have a rule that “Nothing will be automated that cannot be manually overridden.”
Well, actually it’s my wife’s rule but it’s a good rule nonetheless. As a result, there’s a big panel full of relays in the basement that is the “last mile” for anything climate control or security related.
There have been a few times when it’s been handy. Like when the exhaust fan isn’t working and I don’t want to debug the ESP32 controller today so I just flip it over to “Manual”.
New kinds of water, you say? The marketing department is already on it and boy have I got news for you!
Wait… Is that heavy water?? /s
FYI I learned About VLANs that it is in no way „locked down“. I can spoof the MAC address of a known device from a specific VLAN and I’m in that VLAN. Yes your devices can’t reach the internet/other devices by default but it won’t stop a bad actor.
and this is why I have a completely separate physical network for my IOT stuff.
Depends on you hw. That seems rather poor implementation… I believe my TP switch might handle that, because it rejects traffic to its management interface from mac X from vlan 20 because it sees the same mac in vlan 10… (only vlan 20 is allowed for management)
That’s a very cool feature actually but how does it stop a hacker if he has obtained a trusted MAC address from another device and connect to vlan 20 directly while the real device is offline?
You configure vlans per physical port, so in a properly implemented system your attack won’t be possible. When the packet comes to the switch the vlan tag is added to it according to the configuration for the port it was received from.
Or are you talking about mac-vlans?
Ok maybe I don’t fully understand yet. Let’s say an access point has 3 SSIDs, lan, guest and iot each client on each SSID gets a vlan tag accordingly. So it’s only connected to a single physical port, i think that’s what confused me. But SSIDs are interfaces just like an physical port afaik so your analogy still stands. The security here is the WiFi password anything that connects to LAN gets a LAN vlan tag. but it’s not like anything that connects to any of the SSIDs can get the DHCP lease of some random device on any vlan cuz it got tagged before. Or am I missing something?
The security here is the WiFi password anything that connects to LAN gets a LAN vlan tag. but it’s not like anything that connects to any of the SSIDs can get the DHCP lease of some random device on any vlan cuz it got tagged before. Or am I missing something?
That sounds accurate. I have all my devices assigned a specific IP address, based on their MAC address, but that’s only per-interface. The other interfaces aren’t aware of my assignments for each other.
If I connect my phone to my LAN SSID, it’ll get its assigned IP, but if I connect it to the NOT [network of things, no internet access] SSID, it’ll get assigned a new address out of the DHCP pool because I haven’t assigned it an IP on that interface, until I assign it an IP. But, which VLAN it’s connected to will determine which IP its getting, and it still requires me to know the passwords for each SSID.
I believe where you’re getting confused is that a some businesses (or homelabs) might use a RADIUS server which will be more like this: ONE_SINGLE_SSID-Broadcast -> Device connects -> RADIUS Server detects account/certificate/MAC -> RADIUS Server assigns interface -> Device connects to VLAN the RADIUS server granted it access to
So, in that scenario, if the ONLY thing that’s being used to validate the access is the devices MAC address, just changing the MAC address will effectively grant a completely different level of access with nothing else changing. Most people in a homelab (and even plenty of larger businesses) aren’t running the infrastructure to do this though, they’re just effectively connecting a VLAN to a port and then that port can only be used to connect to that VLAN. They’re doing the same with the WiFi SSIDs where each SSID connects directly to the VLAN.
Usually though, for places that are implementing the RADIUS server, they’ll also install a certificate on their devices and the certificate needs to be in place in order to get certain access otherwise the RADIUS server will authorize less permissive access or just won’t allow access at all. Or, it’ll also need a user to log in to gain additional access.
For wired, the company may also implement port locking where the port will only allow a certain amount of MAC addresses to connect (presumably one unless there is also a VOICE VLAN with a phone being used, in which case it’d be two) where if you change your MAC address (or connect a different device), the port will lock and won’t power POE devices and won’t allow connectivity until an admin clears the lock. It’s possible that they may have multiple VLANs allowed on the port and client side you can change VLANs, but, this isn’t typically done on all ports, usually only on trusted ports or ports that need the multiple VLANs (my VM server for instance has access to a port that’ll allow multiple VLANs and I just enter the tag I need when I create the VM). This would be similar to your WiFi scenario, the port with the WAP connected to it will have access to multiple VLANs and then those WLANs just connect to the VLAN that they’re assigned to.
TL;DR - Typically one wireless SSID connects to one VLAN and if you want to jump to the other VLAN you’d need to connect to the other SSID, so you still have the individual passwords protecting you. On wired, typically VLANs are assigned per port and you can’t jump between then, but where they aren’t, it should be in a planned way and not just every port having access to every VLAN. Bad implementations exist though, so, anything is possible.
I was an idiot and bought a high end TPLink router, I can’t even use Vlans without signing up for their back door service.
Yeah. Even my old solid netgear got a firmware update that’s begging me to get the app now. Shobe that shit up your ass.
At least give me a checkbox to stop bothering me
Shit, are consumer appliances really getting that bad? ew!
Internet of things sucks, but lan of things is pretty cool
you must have lots of LoTs
My house has manual windows, manual locks, and a dumb garage door controller… because I work in IT.
I do have a few smart appliances (environment reporting) but they are only allowed on the banishment VLAN so they don’t get to interact with any single appliance inside my network. All they see is internet and nothing else.
The S in IoT stands for security
