by jaredraby 3572 days ago
This was an interesting look at how IoT is used in home security today and its current downfalls. However, the items that seem IoT specific are ones that are issues in implementation, not application.

To frame what I mean when I say "IoT specific", I'm pointing out that many of the examples that he highlights are also the downfall of traditional security systems as well. If you have remote monitoring, and your internet/telephone line goes down, IoT or not, you've lost the service, end of discussion.

  It doesn’t take a professional to realize his particular 
  house of cards is about as fragile as they come. It is built 
  on the assumption that one’s WiFi will always work, their 
  internet connection will always be up, power will always be 
  on, and every piece of software and firmware is stable and 
  trustworthy.

Power loss on traditional security, wifi loss on traditional security, hard wire cut on traditional security, all of these will take their toll as well, not just on an IoT system.

Onto the IoT specific related items. The implementation issues that he highlights: having to have your app open to record footage; your cellphone being at the bottom of your bag and you can't reach it. These are all problems that can happen already. If you can't reach your phone when the security company calls you to notify of a break-in, this is the same problem.

I understand why there is a lot of distaste for IoT, and all the security pitfalls that happen. However, this is not an inherent issue to the concept; rather, it is a breakdown of implementation of security protocols that are not being followed and a lack of learning from traditional systems that isn't being applied.

After thinking about this for a while there are ways to bolster an IoT security or monitoring system:

> Power / connection required for signaling. So rather than waiting for a system to signal something is wrong, wait for a heartbeat to die.

> Battery backup: Pretty obvious. You should have a way to at least keep your systems for a period while you get power restored.

> Multiple links to a central service. WiFi and Cellular, monitor for connections going down and built-in troubleshooting to notify the user if there is one or the other.

> Centralized data center for always-on recording, pay an additional $10/mo for the ability to store your data elsewhere or offer local 24 hour recordings in the security base station in your home like many dash cams have now.

As for security concerns, I look at it this way. Remote connections are something we've got down pat, assuming everyone follows it. Blaming IoT on being inherently insecure is like blaming the database password leaks on MySQL rather than an open port and plain text user name / passwords.

I think IoT security has a place and purpose that offers benefits over a traditional system, we're just waiting for the right implementation.
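The heartbeat and multi-link ideas from the post above can be sketched as a server-side supervision check. This is an added example, not code from the post or from any product; the link names, the 30-second interval, the three-miss tolerance, the `base-station` device name and the sample timeline are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

LINKS = ("wifi", "cellular")  # assumed: the two uplinks the post suggests


@dataclass
class HeartbeatMonitor:
    interval: float = 30.0   # assumed seconds between heartbeats
    missed_allowed: int = 3  # assumed misses tolerated before a link is stale
    last_seen: dict = field(default_factory=dict)  # (device, link) -> timestamp

    def beat(self, device, link, ts):
        if link not in LINKS:
            raise ValueError(f"unknown link: {link}")
        key = (device, link)
        # Keep only the newest timestamp so a delayed packet cannot roll it back.
        if ts > self.last_seen.get(key, float("-inf")):
            self.last_seen[key] = ts

    def link_up(self, device, link, now):
        seen = self.last_seen.get((device, link))
        return seen is not None and now - seen <= self.interval * self.missed_allowed

    def status(self, device, now):
        """Silence is the signal: the device never has to report a fault itself."""
        down = [l for l in LINKS if not self.link_up(device, l, now)]
        if not down:
            return "OK", down
        if len(down) < len(LINKS):
            return "TROUBLE", down  # one path lost: notify the user
        return "ALARM", down        # heartbeat died on every path


def timeline(beats, checks, device="base-station"):
    """Replay (device, link, ts) beats in time order, sampling status at each check."""
    mon, out = HeartbeatMonitor(), []
    pending = sorted(beats, key=lambda b: b[2])
    for now in sorted(checks):
        while pending and pending[0][2] <= now:
            mon.beat(*pending.pop(0))
        out.append((now, *mon.status(device, now)))
    return out


# Constructed sample: WiFi goes quiet after t=90, cellular after t=210.
SAMPLE_BEATS = [("base-station", "wifi", t) for t in range(0, 91, 30)] + \
               [("base-station", "cellular", t) for t in range(0, 211, 30)]

if __name__ == "__main__":
    for row in timeline(SAMPLE_BEATS, [100, 200, 400]):
        print(row)
```

A device that has never sent a heartbeat is reported as `ALARM`, so a unit that is cut off before its first check-in is not silently treated as healthy.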

1 comments

We could make useful devices right now, there's just more money to be made without it.

A) Use existing open protocols: WTF do I need an app to get alerts? Doesn't email still work fine?

B) No cloud connectivity: No, camera, you don't need to store everything on the internet. My NAS can store it just fine. Or my backup USB drive, or whatever. If you want that as an option, sure, but quit trying to pretend that it's the only way this can be done. Same with your fridge. You don't need to store that grocery list online, it can just be emailed directly to me, TYVM.

C) Manual overrides: If my door won't unlock because servers are down, give me a physical key as well. I've read some companies' FAQs saying that if the internet is out, or their servers are down, you'll just have to call their customer service. No no no no no. Give me a key override. I'm not going to stand outside my own house while you try to get your servers going again. And what if your company goes under?

D) Open Source: If a bug comes out that renders my door-lock unusable, I want to know that I can patch it. We know the manufacturer sure isn't, using history as a guide. Why would you buy next year's model if this year's model didn't have security flaws?

Building a robust system isn't hard, it's just not profitable. All of these failure-points aren't there because we can't solve the problem, they exist because they are more profitable to leave unsolved.

I agree that a robust system isn't hard. I don't agree that it's not profitable. If you don't make an app, that cuts down on your bottom line, not paying to make the app or the programmers to maintain it. From there you can just tack on additional services easily. Local storage for everything as they do now with security. Just give the users a micro SD card slot, say you can record everything right here. Charge them for a cloud connection / storage. Charge them for remote monitoring.

Agree with manual overrides; there is no reason to not have a key. I'm surprised you've read about that because that's against regulation in commercial security. If power goes down there should be a battery backup to power it and keep the key card / door security working OR it turns off and you can't lock your doors. Better to keep unlocked than have someone burn alive inside.

The beauty of IoT is how it can be easily expanded and connected should you choose to. There is nothing preventing companies from implementing the same idea to the payment system. Charge enough for securing those IoT devices once they reach out into the world and I think you can have a real system on your hands.

> I don't agree that it's not profitable.

I'm open to your opinion on that, but if that's true why is it not being done? There's a lot of companies making IoT stuff, but it's really hard to find any of them making robust systems. The lack of profitability is the only way I can reconcile that. If you have another idea, let me know.

> I'm surprised you've read about that because that's against regulation in commercial security

Looking now, I see a lot of companies switching to local Bluetooth connections. That's definitely an improvement to the last time I looked (years ago).

> The beauty of IoT is how it can be easily expanded and connected should you choose to.

I agree! But not if we keep pushing closed-off systems and protocols.

I guess my opinion comes from the idea that there hasn't been a product or company that exemplifies a basic/robust system as we have both described. Everything has had the flashy app, or cloud connectivity, which in itself is a cost. If you're able to build a basic system completely contained, mark that up, you have just a regular hardware product, doesn't need to be IoT. Now, if you want remote monitoring, or backup systems you can start charging for that. Which, I might add, traditional security companies already do. And what many IoT companies seem to consider "essentials" rather than "extras". I think once the idea is shifted from user base / experience towards a goal to hit the actual benefits (ease of expansion / cheap data monitoring) then we'll start to see IoT really explode.

> why is it not being done? There's a lot of companies making IoT stuff, but it's really hard to find any of them making robust systems. The lack of profitability is the only way I can reconcile that.

Two reasons.

1. Time to market. Reliability and security are slightly expensive in money but very expensive in calendar time (throwing bodies at the problem, substituting money for time, is a somewhat effective way to get features and marketing, but not an effective way to get security).

2. Power. Remember that the entire edifice of modern economics is a leaky abstraction implemented on top of a killer ape. Power is a stronger motive than money.

> if that's true why is it not being done?

Most profitable things are not currently being done.