Jonathan Lalou's Blog

Posts Tagged ‘IoT’

Aapo Oksman, a seasoned security researcher specializing in IoT and network protocols, delivered a compelling presentation at DEF CON 32 on harnessing private Access Point Names (APNs) to analyze mobile and IoT device traffic. As devices increasingly rely on 4G and 5G networks, bypassing traditional Wi-Fi monitoring, Aapo’s innovative approach enables security professionals to inspect, filter, and tamper with mobile network traffic. His talk provided practical techniques for both offensive and defensive cybersecurity, from penetration testing to detecting malicious activity in mobile ecosystems.

Challenges in Mobile Network Monitoring

Aapo began by highlighting the shift in device communication from Wi-Fi to mobile networks, which complicates traditional traffic analysis due to direct connections to ISP-operated base stations. Setting up private base stations, while possible, is costly and complex. Aapo introduced private APNs as a cost-effective alternative, allowing users to create isolated networks within ISP infrastructure. This approach grants visibility into device communications, overcoming the limitations of locked-down devices and enabling detailed traffic analysis for security purposes.

Harnessing Private APNs for Security

Delving into the technical details, Aapo explained how private APNs can be configured to route mobile traffic through controlled environments, such as firewalls or custom servers. His demonstration showcased the setup process, emphasizing affordability and scalability, with costs decreasing as more devices are added. By intercepting IP traffic, security professionals can perform penetration testing on IoT devices or monitor for malicious activity, such as command-and-control (C2) communications. Aapo’s approach leverages ISP infrastructure to create a controlled network environment, enhancing both offensive and defensive capabilities.

Uncovering Advanced Malware Threats

Aapo addressed the growing sophistication of mobile malware, which often avoids Wi-Fi or VPN connections to evade detection. He cited an example of a misconfigured malware detected via Wi-Fi traffic, underscoring that advanced threats are designed to operate solely over mobile networks. Private APNs enable defenders to monitor these communications, identifying C2 servers or other malicious activities that would otherwise go unnoticed. Aapo’s insights highlight the critical need for innovative monitoring techniques to counter evolving mobile threats.

Practical Applications and Future Directions

Concluding, Aapo shared project details and encouraged the DEF CON community to explore private APNs for their research. He emphasized the dual-use potential of his approach, enabling both penetration testers and defenders to gain deeper insights into mobile device behavior. By connecting private APNs to existing security infrastructure, organizations can enhance their ability to detect and mitigate threats. Aapo’s work paves the way for future advancements in mobile network security, urging continued exploration of ISP-based solutions.

Links:

• None available

At Devoxx France 2021, François Mockers, an IoT enthusiast, delivered a 32-minute talk titled IoT open source à la maison (YouTube). This session shared his decade-long journey managing over 300 open-source IoT devices at home, likening home automation to production IT challenges. From connected light bulbs to zoned heating and sunlight-responsive shutters, Mockers explored protocols (ZigBee, Z-Wave, 433MHz, Wi-Fi) and tools (Home Assistant, ESPHome, Node-RED, Ansible, InfluxDB, Grafana). Aligned with Devoxx’s IoT and cloud themes, the talk offered practical insights for developers building cost-effective, secure home automation systems.

IoT: A Growing Home Ecosystem

Mockers began by highlighting the ubiquity of IoT devices, asking the audience how many owned connected devices (00:00:30–00:00:45). Most had over five, some over 50, and Mockers himself managed ~300, from Philips Hue bulbs to custom-built sensors (00:00:45–00:01:00). He started with commercial devices a decade ago but shifted to DIY solutions five years ago for cost savings and flexibility (00:00:15–00:00:30). His setup mirrors production environments, with “unhappy users” (family), legacy systems, and protocol sprawl, making it a relatable challenge for developers.

IoT Protocols: A Diverse Landscape

Mockers provided a technical overview of IoT protocols, each with unique strengths and challenges (00:01:00–00:08:15):

• ZigBee: Used by Philips Hue and IKEA, ZigBee supports lights, switches, plugs, motion sensors, and shutters in a mesh network for extended range. Devices like battery-powered switches consume minimal power, while plugged-in bulbs act as repeaters. Security issues, like a past Philips Hue hack allowing remote on/off control, highlight risks (00:01:15–00:02:15).
• Z-Wave: Similar to ZigBee but less common, used by Fibaro and Aeotec. It supports up to 232 devices (vs. ZigBee’s 65,000) with similar mesh functionality (00:02:15–00:02:45).
• 433.92 MHz: A frequency band hosting protocols like Oregon Scientific (sensors), Somfy (shutters), and Chacon/DIO (switches). These are cheap (~€10 vs. €50 for ZigBee/Z-Wave) but insecure, allowing neighbors’ devices to be controlled with a powerful transceiver. Car keys and security boxes also use this band, complicating urban use (00:02:45–00:04:00).
• Wi-Fi: Popular for startups like Netatmo (weather, security), LIFX (bulbs), and Tuya (garden devices). Wi-Fi devices are plug-and-play but power-hungry and reliant on external cloud APIs, posing risks if internet or vendor services fail. Security is a concern, as hacked Wi-Fi devices fueled major botnets (00:04:15–00:06:00).
• Bluetooth: Used for lights, speakers, and beacons, Bluetooth offers localization but requires phone proximity, limiting automation (00:06:00–00:06:30).
• Powerline (CPL) and Fil Pilote: Protocols like X10 and fil pilote (for electric radiators) use electrical wiring but depend on home wiring quality. Infrared signals control AV equipment and air conditioners but require line-of-sight and lack status feedback (00:06:45–00:08:00).
• LoRaWAN/Sigfox: Long-range protocols for smart cities, not home use (00:08:00–00:08:15).

Open-Source Tools for Home Automation

Mockers detailed his open-source toolchain, emphasizing flexibility and integration (00:08:15–00:20:45):

Home Assistant

Home Assistant, with 1,853 integrations, is Mockers’ central hub, supporting Alexa, Google Assistant, and Siri. It offers mobile apps, automation, and dashboards but becomes unwieldy with many devices. Mockers disabled its database and UI, using it solely for device discovery (00:08:30–00:09:45). It integrates with OpenHAB (2,526 integrations) and Domoticz (500 integrations) for broader device support.

ESPHome

ESPHome deploys ESP8266/ESP32 chips for custom sensors, connecting via Wi-Fi or Bluetooth. Mockers builds temperature, humidity, and light sensors for ~€10 (vs. €50 commercial equivalents). Configuration via YAML files integrates sensors directly into Home Assistant (00:10:00–00:11:45). Example:

esphome:
  name: sensor_t1_mini
  platform: ESP8266
api:
  services:
    - service: update
      then:
        - logger.log: "Updating firmware"
output:
  - platform: gpio
    pin: GPIO4
    id: led
sensor:
  - platform: bme280
    temperature:
      name: "Temperature"
    pressure:
      name: "Pressure"
    humidity:
      name: "Humidity"

Node-RED

Node-RED, with 3,485 integrations, handles automation via low-code event-driven flows. Mockers routes all Home Assistant events to Node-RED, creating rules like bridging 433MHz remotes to ZigBee bulbs. Its responsive dashboard outperforms Home Assistant’s (00:12:00–00:14:00).

InfluxDB and Grafana

InfluxDB stores time-series data from devices, replacing Home Assistant’s PostgreSQL. Mockers experimented with machine learning for anomaly detection and room occupancy prediction, though the latter was unpopular with his family (00:14:15–00:15:15). Grafana visualizes historical data, like weekly temperature trends, with polished dashboards (00:15:15–00:15:45).

Telegraf

Telegraf runs scripts for devices lacking Home Assistant integration, sending data to InfluxDB. It also monitors network and CPU usage .

Ansible and Pi-hole

Ansible automates Docker container deployment on Raspberry Pis, with roles for each service and a web page listing services . Pi-hole, a DNS-based ad blocker, caches queries and logs IoT device DNS requests, exposing suspicious activity.

Security and Deployment

Security is critical with IoT’s attack surface. Mockers recommends:

• A separate Wi-Fi network for IoT devices to isolate them from PCs .
• Limiting internet access for devices supporting local mode .
• A VPN for remote access, avoiding open ports .
• Factory-resetting devices before disposal to erase Wi-Fi credentials .

Deployment uses Docker containers on Raspberry Pis, managed by Ansible. Mockers avoids Kubernetes due to Raspberry Pi constraints, opting for custom scripts. Hardware includes Raspberry Pis, 433MHz transceivers, and Wemos ESP8266 boards with shields for sensors (00:19:45–00:20:45).

Audience Interaction and Lessons

Mockers engaged the audience with questions (00:00:30) and a Q&A , addressing:

• Usability for family (transparent for his wife, usable by his six-year-old)
• Home Assistant backups via Ansible and hourly NAS snapshots
• Insecure 433MHz devices (cheap but risky)
• Air conditioning control via infrared and fil pilote for radiators
• A universal remote consolidating five protocols, reducing complexity
• A humorous “divorce threat” from a beeping device, emphasizing user experience

Conclusion

Mockers’ talk showcased IoT as an accessible, developer-friendly domain using open-source tools. His setup, blending ZigBee, Wi-Fi, and DIY sensors with Home Assistant, Node-RED, and Grafana, offers a scalable, cost-effective model. Security and automation align with Devoxx’s cloud and IoT focus, inspiring developers to experiment safely. The key takeaway: quality data and user experience are critical for home automation success.

Resources

• Full Video
• Home Assistant
• ESPHome
• Node-RED
• InfluxDB
• Grafana
• Telegraf
• Ansible
• Pi-hole

In the digital domain’s relentless ruckus, where innovation’s influx intersects with iniquity’s ingenuity, safeguarding society’s sinews demands diligence beyond devices. Mikko Hypponen, F-Secure’s chief research officer, surveyed this skirmish at dotSecurity 2017, chronicling connectivity’s costs—from Nokia’s nadir to IoT’s insurgency. A Finnish fixture in antivirus annals since 1991, Mikko’s métier—malware’s myriad manifestations—manifests in missives that marry menace with mitigation, urging unity against ubiquitous threats.

Mikko’s meditation meandered through time: 2007’s iPhone ingress, internet’s ingress into pockets—privacy’s payment in profiles. Youth’s yen: videos’ vista via Google’s gaze, data’s donation. Privacy’s plight: perhaps perished, yet security’s skirmish salvageable—society’s stake superseding screens. Criminality’s calculus: crime’s commoditization, ransomware’s rise—CryptoWall’s coffers crammed $325M, victims’ vigil via NoMoreRansom’s nexus.

IoT’s incursion: Mirai’s maelstrom, 600,000 conscripts cascading DDoS—Dyn’s downfall, Krebs’ knockout. Mikko’s maxim: defaults’ delinquency, patches’ paucity—devices’ disposability dooms defense. Refrigerators’ reconnaissance, lamps’ liabilities—cloud’s collapse cascades chaos, AWS’s outage orphaning ovens.

Hope’s harbinger: IKEA’s integrity, investment’s imperative—security’s sanctity secures society.

Innovation’s Influx and Privacy’s Peril

Mikko mapped metamorphosis: Nokia’s nosedive, iPhone’s incursion—privacy’s price, data’s dues.

Malware’s Myriad and IoT’s Insurgency

Ransomware’s ransom, Mirai’s muster—Dyn’s deluge, defaults’ danger. Cloud’s crumble, chaos cascades.

Links:

• Mikko Hypponen on LinkedIn
• F-Secure

At DevoxxUS2017, Kevin Nilson, a Java Champion and lead of the Chromecast Technical Solutions Engineer team at Google, joined forces with his 12-year-old son, Andy Nilson, to present a captivating live coding demo on building a connected home. Their session showcased how voice and mobile controls can interact with smart devices, leveraging platforms like Google Home. Kevin and Andy’s collaborative approach highlighted the accessibility of IoT development, blending technical expertise with educational outreach. This post examines the key themes of their presentation, emphasizing the fusion of innovation and learning.

Building a Smart Home Ecosystem

Kevin Nilson and Andy Nilson began by demonstrating a connected home setup, where lights, fans, and music systems respond to voice commands via Google Home. Kevin explained the architecture, integrating devices like Philips Hue and Nest thermostats through APIs. Andy, showcasing his coding skills, contributed to the demo by writing scripts to control devices, illustrating how accessible IoT programming can be, even for young developers. Their work reflected Google’s commitment to seamless smart home integration.

Voice Control and Device Integration

The duo delved into voice-activated controls, showing how Google Home processes commands like “turn on the lights.” Kevin highlighted the use of OAuth for secure device linking, ensuring commands are tied to user accounts. Andy demonstrated triggering actions, such as activating a fan, by coding simple integrations. Their live demo, despite network challenges, showcased practical IoT applications, emphasizing ease of use and real-time interaction with smart devices.

Inspiring the Next Generation

Kevin and Andy emphasized the educational potential of their project, drawing from their involvement in Devoxx4Kids and JavaOne Kids Day. Andy’s participation, rooted in his experience coding since childhood, inspired attendees to engage young learners in technology. Kevin shared resources for learning IoT, recommending starting with specific problems and exploring community solutions, such as hackathon projects like the Febreze air freshener integration, to spark creativity.

Fostering Community and Collaboration

Concluding, Kevin encouraged developers to explore IoT through open-source communities and hackathons, sharing his experience as a Silicon Valley JUG leader. Andy’s enthusiasm for coding underscored the session’s goal of making technology accessible. Their call to action invited attendees to contribute to smart home projects, leveraging platforms like Google Home to build innovative, user-friendly solutions for connected living.

Links:

• Google company website
• Devoxx4Kids website

Thomas Eichstädt-Engelen and Kai Kreuzer, both prominent figures in the open-source home automation scene, presented an engaging exploration of openHAB. Thomas, a senior consultant at innoQ with expertise in Eclipse technologies and OSGi, teamed up with Kai, a software architect at Deutsche Telekom specializing in IoT and smart homes, to demonstrate how openHAB transcends basic home control systems. Their session highlighted the project’s capabilities for geeks, running on affordable devices like the Raspberry Pi while offering advanced features such as presence simulation, sensor data visualization, and integration with calendars.

They began by challenging common perceptions of home automation, often limited to remote light switching or shutter control via smartphones. Kai and Thomas emphasized openHAB’s open-source ethos, allowing extensive customization beyond commercial offerings. The framework’s modular architecture, built on OSGi, enables easy extension to connect with diverse protocols and devices.

A live demo showcased openHAB’s runtime on embedded hardware, illustrating rule-based automation. For instance, they configured scenarios where motion sensors trigger lights or simulate occupancy during absences. Integration with Google Calendar for irrigation scheduling demonstrated practical, intelligent applications.

Thomas and Kai stressed the project’s appeal to Java and OSGi enthusiasts, featuring an Xbase-derived scripting language for defining complex logic. This allows developers to craft rules reacting to events like temperature changes or user inputs.

Core Concepts and Architecture

Kai outlined openHAB’s structure: a core runtime managing bindings to hardware protocols (e.g., Z-Wave, KNX), persistence services for data storage, and user interfaces. Bindings abstract device interactions, making the system protocol-agnostic. Persistence handles logging sensor data to databases like MySQL or InfluxDB for historical analysis.

Thomas highlighted the OSGi foundation, where bundles dynamically add functionality. This modularity supports community-contributed extensions, fostering a vibrant ecosystem.

Advanced Automation and Integration

The duo delved into rule engines, where scripts automate responses. Examples included voice commands via integrations or mobile apps notifying users of anomalies. They showcased charts displaying energy consumption or environmental metrics, aiding in optimization.

Integration with external services, like weather APIs for proactive heating adjustments, illustrated openHAB’s extensibility.

User Interfaces and Accessibility

Kai demonstrated multiple UIs: web-based dashboards, mobile apps, and even voice assistants. The sitemap concept organizes controls intuitively, while HABPanel offers customizable widgets.

Thomas addressed security, recommending VPNs for remote access and encrypted communications.

Community and Future Developments

They noted the growing community, with over 500 installations and active contributors. Future plans include simplified binding creation guides, archetypes for new developers, and enhanced UIs like MGWT.

In Q&A, they discussed hardware support and integration challenges, encouraging participation.

Thomas and Kai’s presentation positioned openHAB as a powerful, developer-friendly platform for innovative home automation, blending Java prowess with real-world utility.

Links:

• Thomas Eichstädt-Engelen on LinkedIn
• innoQ company website
• Kai Kreuzer on LinkedIn
• Deutsche Telekom company website