Toerless Eckert <[email protected]> wrote:
> In the home automation IoT device vendor that had the largest market
> share in Germany, you could bootstrap devices a) via QR code. I did
> that. So I had to use permanent marker to put some device name onto
> each of my 50 devices as well as the same device name on the fitting QR
> code piece of paper, and scan / stash away those QR codes.
One attack that a few people realized about QR codes is the "Roomba attack":
they have cameras... they can drive up to the device and take a picture if
under malicious control. Now, the device might need to be rebooted or have a
button pushed to go "back" into onboarding mode, so it's probably harder to
do this than some imagined. Still.
> Over the
> past few years I had some incidents where I had to re-bootstrap some of
> the devices. It's grisly to think about what happens if my home
> controller fails and whether or not a full backup will actually
> allow me to restore all existing device associations.
There are three lifecycle situations that matter here.
1) your device loses its mind. PHB has written about how many times he's
had to climb up a 30ft ladder to re-init the light bulbs in the chandelier.
2) your home controller fails, or you want to upgrade it, or it's integrated
with your home router, and you change ISPs and/or connection speeds.
3) you sell your home. Everything needs to be sensibly re-keyed. I would
expect the lawyers to escrow those keys along with the front-door key.
> a) The vendor managed to put the QR codes ONLY onto their devices. Such
> as in-wall light switches. So, I simply have to shut off my mains
> power to remove such a light switch from the wall would it ever need to
safety first.
> be re-bootstrapped. b) During bootstrap, for magical reasons, the mesh
> network connectivity (Z-Wave in this case) seems more picky than during
> operations. So I actually cannot enroll some of the devices from their
> target deployment location, and/or have to take my RPI4 controller with
> me and plug it into a nearby wall socket to enroll such a device. (For the
> QR-code-free bootstrap option.)
Z-Wave is a very challenged network.
Enough for on/off actions, but I'll bet that at bootstrap there are many more
packets that have to get through.
> So, all in all, I think I would try to stay away from QR codes whenever
> I can, home or industrial - but to make that work, the whole network-
> based solutions need a lot more detail improvement work.
QR codes won't fly in most industrial settings.
One of the driving forces for industrial BRSKI was that the devices are in
places which are too hot/hostile for humans. For instance, refineries.
Yet, the entire refinery stack is leased/sold a few times a year to a different
operator, and it has to be rekeyed. But it takes days to weeks to allow it
to cool enough.
> Theoretically I think NFC would be a great option, but I have no actual
> experience. But the idea of having a box of 50 devices, and the
> reseller just has to press a button on the smartphone to register all 50
> devices' NFC tags - that just sounds like an intriguing option. Would
> also have solved my QR code experiences. But not sure if it would be
> cheap enough for typical home automation IoT devices.
Many people would like that.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
_______________________________________________
Anima mailing list -- [email protected]
