Apple's control-freakery is making the Internet of Shit shittier



Brilliant marketing. We get new phones a heck of a lot more often than we get new homes or even automation systems for our homes. By locking out every other vendor, Apple is ensuring that once you choose them for home automation you are also locking yourself in to buying another iPhone no matter how bad it is.


This is an example of why I don’t commit myself to any device within the Apple ecosystem, except perhaps a laptop where I have some modicum of behind the scenes control and where there are still some standard ports and interoperability. I can see why the simplicity and design might be appealing to those consumers who don’t care about how the tech works or have enough money to buy the services and products of those who do, but not for me.


Either I’m missing something or this is a new low in spuriously inserting the word ‘Apple’ into headlines.

If you want tchotchkes, you can buy tchotchkes that are compatible with HomeKit and also with other systems. If we’re saying “HomeKit is bad and doesn’t support enough tchotchkes”, fair enough, but “making a product you don’t like” is not the same thing as “controlling you somehow”.

It sounds a lot like the foofaraw over Flash, where certain people didn’t know whether to attack Flash for being a toilet fire, or Apple for agreeing with them.


Every IoT device I’ve seen that’s HomeKit compatible is also compatible with at least one other device standard like Wink or Lutron. I’ve literally never seen HomeKit-only devices out there. But even the non-HomeKit devices have their own walled-garden ecosystem. In fact that’s been the major hurdle to mass-adoption of IoT devices. Every brand wants its own standard and they’re all shit.

So, if anyone in my household wanted to switch to Android or whatever else comes down the pike, they’d be just fine as long as that OS had an app that supports Wink or Lutron or whatever myriad other protocols are out there. And they likely will because those companies want all the potential customers they can get.


Wait, the issue is that you need to use Apple devices to control an Apple home network which connects Apple devices and devices made to work with HomeKit?

Well, yeah.

I’m sure Apple’s ultimate hope is that HomeKit becomes cross-platform, with an Android app, because it only helps them in the long run to spread their home-network platform. But they’ve had a lot of pushback in the past when trying to distribute Apple apps to Android. They’ve kind of got their own anti-Apple ‘walled garden’.


I also think people are overlooking what is perhaps the primary driver of Apple’s decision-making:

I must concede that this rigor is a net positive: Apple’s approved HomeKit devices are presumably the least likely to suffer from IoT plagues like the Mirai botnet that famously took down millions of connected cameras.

It should be no surprise that the same organization refusing to decrypt phones for the FBI is the same company that doesn’t want to be responsible for exposing your IoT devices to hackers. You need to have a real bent towards hating on Apple when you find yourself arguing for less security.


Is Apple’s HomeKit so secure no one can crack the security or has no one tried because the other devices are such low-hanging fruit to hack?


Are you just crediting everything to JWZ reflexively now?


Dude, where do you think you are? Cory can spin anything into an anti-Apple rant, even when them being ‘control freaks’ is a net positive, and not nearly as bad as he makes it sound. Security is never convenient, I would think he would understand that.


I can’t imagine a more eloquent way of summing up the whole IoT foofaraw. Would upvote this 10K times if I could.


Sigh, it’s that time of year again. Random Apple-related articles until September, or whenever the next iPhones are announced, and then a month solid of clickbait about how great or end-of-the-world-terrible the new phones are.

For what it’s worth, not a fan of the Apple approach, but there is just no way in hell that IoT makers will come up with a secure and inter-operable system that isn’t a complete joke. It’s just not going to happen.

And, as has been posted, most Apple compatible items are also compatible with one or two other systems/interfaces.


I’m a little surprised he didn’t work in his anti-trademark iPhone mis-capitalization.


Hi, I’m Cory Doctorow here to shit on everything Apple.

I complain about botnets on a regular basis, I talk about how Android is always infected or crawling with spyware, and how shitty the IoT is.

But more to the point, I hate Apple.

Unlike all the other companies, Apple requires their devices communicate with a rolling 256-bit encryption protocol. Practically unbreakable. And the devices that use the HomeKit protocol are never hacked due to the requirements Apple implements – even if they are communicating with Google Home or Alexa, as evidenced by near identical hardware that does not include the ‘Apple Tax’ (I coined this, just so you know) which get pwn’d but not the ones with HomeKit on the side.

But fuck Apple for caring about security. I mean, fuck them. They do everything I want about security and the environment and not selling my information to corporations, but I want everything to be open where companies that don’t care about security, nor the environment, nor privacy from the corporation, nor political malfeasance…well…none of this matters. Because fuck Apple is all. I have hope that if everyone were to stop hacking these devices and corporations would understand libertarianism that open would work for everyone. C’mon folks…why won’t you just understand FUCK APPLE.


That said, HomeKit pisses me off more often than not. I’ve got it working now…but DAMN…


Because HomeKit is designed to be the secure all-encompassing platform for IoT devices for iPhone users, there’s no way Apple will ever include other standards because, by their definition, they’re stupid and insecure.

Not really true, Apple explicitly allows “bridge” devices. So the Philips Hue light bulbs only deal in ZigBee. To hook them up to HomeKit you typically use the Philips Hue bridge (2nd gen or newer, it is in their current “starter kit”). The Hue bridge shows up on HomeKit, and makes all the Hue lights show up as well.

Philips doesn’t want you using other people’s Zigbee lights so they do a little runaround and try to only bridge Hue devices. Other companies with HomeKit bridges care less, so for example NanoLeaf’s bridge shows multiple brands of lights and things (I doubt they go to any effort to bridge things other than lights though).

Sadly that also means the “HomeKit only via a bridge” devices are attackable via whatever presumably less secure networking they use.

There is also an open source HomeBridge project that is a HomeKit software bridge and supports a great number of random non-HomeKit devices bridging things like garage door openers and TVs that support “some” IoT controls, but not HomeKit into the HomeKit world. For example my garage door opener has apparently been advertising that it will have a HomeKit option “real soon now” for 3 years, meanwhile it has an “internet gateway option” that is supported by HomeBridge. So I could use that (if I wanted to buy the gateway thing that controls my garage door via email, which seems like a really bad idea), and control the garage door via HomeKit.

I’ve been meaning to put some time into HomeBridge and see if I can develop a module that creates events for “somebody in the family is home”/“nobody in the family is home”, because HomeKit’s native “you are/aren’t” home assumes either I live a sad single life, or my wife wants the lights to be turned off every single time I leave the house… but I haven’t gotten around to it yet.


Software security is never really about “perfectly secure”, it is about “assume this secret is worth $X, does it cost more than $X to break?”

HomeKit uses good encryption, so you won’t be able to spoof the control messages. I believe it has replay proofing as well (but I don’t recall how exactly that is handled because HK doesn’t require reliable clocks). However HomeKit is also non-trivial to implement, so bugs may exist. It also requires WiFi and/or Bluetooth, so you have a lot of attack surface. Maybe the HK software on a camera is great, but the Bluetooth stack it uses to bootstrap onto WiFi without doing the “connect to the camera like it is the basestation” kludge has bugs…you could exploit that.

Most likely however you are better off going for a software target, like non-HomeKit devices, or the non-HomeKit part of a HomeKit device (for example many HomeKit lights are Zigbee lights plus a HomeKit bridge, don’t attack the HK bridge, attack the Zigbee network…or attack the non-HomeKit software stack in the Philips bridge).


This was a curious bit in the Verge article:

It’s been almost six months since word leaked out that Apple had disbanded their WiFi router division. (The company still sells routers, but is apparently doing no further development.) Surely someone on the tech beat is aware of this?


What I don’t understand is why my toaster and light switches need internet access in the first place. They never seemed to need it before.


So they can Tweet, of course.