At EFF, we fight hard to ensure your rights to security and privacy are upheld in the digital world. Back when we were founded in 1990, the dream of a world united by the internet was accompanied by forward-thinking visions of connected devices of all kinds making our lives more convenient and luxurious. Over the past two decades, the Internet has grown from living room and office terminals to our phones, watches, appliances and light fixtures. And although so-called smart devices and Internet of Things (IoT) have allowed us to automate aspects of our lives, they have also been plagued with privacy and security concerns, giving hackers and data miners unprecedented access to our personal and behavioral information.
Examples of large botnets such as the notorious Mirai and newer Pediment– which consist of IoT devices connected to the Internet – have caused significant damage and given the IoT a terrible reputation for security. Governments have begun to take notice, and the adoption of the IoT Cybersecurity Improvement Act of 2020 in the United States, while welcome, is only beginning to address this problem. From a privacy perspective, our appliances and connected devices offer potentially hundreds of discrete data points per day to businesses without meaningful limits or insight into what they are doing with that data. And homeowners who want to add smart devices to their homes are often prompted to install apps that control those devices, but also provide data to third parties without notification.
The nuances of adding automation and connected features to the home while maintaining privacy and security seem like a daunting and difficult task. Many otherwise enthusiastic consumers have encountered untold frustrations, and fall victim to the failings of a data-hungry industry. The myriad of difficulties even prompted users to ditch smart devices absolutely.
Don’t despair, because there is hope. In recent years, many projects and protocols have been and are being actively developed that bring more privacy and security to the connected home. And it all starts with moving the orchestration of all these devices from the cloud to your own network, using a device called a “hub”.
Coordinate your smart devices locally with Home Assistant
Ideally, using a local hub gives us two advantages. This
- allows us to remove all individual apps controlling the wide range of smart devices we may have, and
- guarantees that we do not provide data on the use of our device (and therefore on our behaviors) to third parties or non-responsible companies.
However, not all hubs completely sever the ties between the device and the cloud – often additional steps are required for this. Keep in mind that even if you want to disconnect your devices from the cloud, you will need a way to regularly update the firmware on the devices. Otherwise, it often happens automatically when these devices are networked.
For any local hub, you’ll need the hardware and a way to connect to it, usually an app on your smartphone. The hardware is usually a small machine that connects to your local network and allows the user to access it. For simplicity, there are commercial products available that simply work. Hubitat offers a local hub for sale in the range of 100 USD.
For the more technically inclined, home assistant (HA) is community-driven, open-source hub software that can be installed on a variety of platforms, such as a Raspberry Pi or an old laptop lying around collecting dust. It doesn’t require a lot of processing power or memory to run – any Raspberry Pi 3b+ or later will do just fine. In this article, we will describe a typical high-level IoT configuration preserving privacy using HA.
After facility HA, you will be able to add devices through an HA concept called “integrations”; each integration allows the user to control one device or an entire category of devices. The variety of integrations provided are vast, and the benefit of community driven development really shines because even if your device isn’t specifically supported, it’s probably available through the unofficial site. Home Assistant Community Store (HACS).
A good thing is that HA will indicate if an integration is cloud-based. You can see this with an icon in the top right corner of your embed.
For integrations that are not cloud-based, you can block the device from internet connectivity. Although most smart electronic devices don’t facilitate this, if you have a home firewall or configurable router, you may be able to limit the connections it makes to your local network. On OpenWRT, for example, you can add firewall rules through the Luci web interface. Here we have specified the MAC addresses of the devices that we only want to connect to the local network, not to the Internet. Your configuration will vary depending on your device’s MAC addresses and local network configuration:
In particularly nasty cases, a device may refuse to function until it is able to access the internet, even though it can be controlled locally (via non-cloud integration). In most cases, however, a device will continue to allow local control when its internet connection is interrupted.
We now have a way to connect our existing smart devices to a local network hub and remove it from the internet.
Use Zigbee or Z-Wave to create a private Smart Mesh
ZigBee and Z-Wave are two open wireless protocols that were developed specifically for smart devices and operate on an entirely different network than your home Wi-Fi network (802.11). This provides a level of separation between smart devices supporting Zigbee/Z-Wave and the Internet by design, although this separation is not necessarily maintained when an untrusted hub is used. Many companies provide Zigbee or Z-Wave hubs that will send your data and device status over the internet. That’s why using a privacy-focused hub, like the ones mentioned above, is important to keep your data private.
Additionally, Zigbee and Z-Wave create a mesh network of your smart devices, greatly improving device range. As long as there is another Zigbee device within range, a new Zigbee-enabled smart device can join the network through it, without having to be within range of the hub. This also allows for theoretically unlimited network expansion. Communication between the devices and the coordinator (hub) is relatively secure, using CCM mode and 128-bit symmetric keys for cryptographically secure communicationsalthough when adding devices, an open trust model that trusts the initial pairing (similar to Trust the first use) is used. Unfortunately, Zigbee and Z-Wave are separate protocols that do not interact with each other. In this example we will demonstrate a Zigbee setup, although Z-Wave works similarly and both can be used in combination with HA.
In order to communicate with Zigbee devices, a Zigbee USB Gateway is necessary. Once plugged into the HA machine, the hub can use the Integration of Zigbee home automation (ZHA)that does not use the cloud, to discover new Zigbee devices, control them, display sensor data on them, etc. – and all this information is kept securely on your local hub.
Instead of directly interfacing the Zigbee USB gateway with HA, the USB device can communicate with general-purpose bridging software, zigbee2mqtt. The advantage of using zigbee2mqtt is that it translates all communication from your Zigbee device to the MQTT protocol, which is an ultra lightweight protocol for data transfer and device administration. As such, it is quickly becoming a universal language for IoT devices. zigbee2mqtt supports a wide range of Zigbee devices and lets you control the delivery of OTA firmware updates. It provides a standalone web interface that can be used to control devices, but is most often used as middleware to provide automation software (like HA) with control of Zigbee devices. To use it with HA, you can simply use the MQTT the integration.
You can refer to the Zigbee Device Compatibility Repository to see which devices are supported by ZHA and zigbee2mqtt and choose the option that suits you.
Take back control of your smart devices
IoT security and privacy is an incredibly tricky subject and, in general, manufacturers are extremely liberal with your data and its storage. In addition to cloud control of devices providing possible single points of failure and a lucrative target for malicious hackers, this adds an extra layer of complication where a user must install (and keep installed) as many apps as they have. device suppliers at home. . Some of these issues are slowly being addressed by initiatives such as Questionbut convenience and security are central to this new standard – user privacy is still delegated to the provider, not the users themselves.
Hopefully, we’ve shown a way to set up your smart home without sacrificing privacy and security for convenience. With a little extra effort, it is possible to get the most out of our smart devices without falling into the pitfalls and failures of IoT design.