Tonight on GeekNights, it's a tech news roundup for March 2017! Cloudbleed caused a severe security breach for anyone using CloudFlare. The Internet of Things is rife with backdoors and poor security as always. CRTs are dying the true death, yet their corpses remain. There is a bill to legalize active countermeasures to cyber attacks. The FCC is doing too little too late to prevent phone numbers from being entirely useless thanks to robocalls. Uber greyballed regulators to hide its shady and illegal practices. Amazon had a major outage that you probably encountered. The FBI dropped a child pornography case rather than reveal the Tor exploit it used to the court.
We are live at PAX East 2017 on Friday! Support GeekNights on Patreon!
Things of the Day
Take my word with a grain of salt because I work for a competitor in Sonos’ newest market, but in a Verge article I saw, they mentioned that Sonos’ mesh network still works on 802.11 b/g because it hasn’t been updated for newer networks. I’d be careful with that, @SkeleRym.
I read somewhere that the reason why not many smart home devices work with Apple’s Home Kit is that the Bluetooth security and other security measures were so stringent that it took way too much processing power for the normal cheap components the device makers would normally use. So they either had to put in more expensive hardware or do loads of development and optimisation. I think it took something like 45 seconds for the first version of a Home Kit door lock to do the correct randomisation needed for the secure key swapping… which isn’t very handy if you’re stuck outside your apartment!
Of course, these same devices don’t need the same security levels if they aren’t going through home kit, and are connecting directly to the internet or online services, so there’s probably still security holes all over them.
Seems more like there is not enough of a market for manufacturers to go down this path. No market, no easy development, no products.
Home Kit isn’t open source like the majority of Apple products. The majority of security focused software and programming needs to be vetted by those using the tool. i.e. explaining how a key and lock works to a person before they start using it and reasoning as to why it is secure (the unique pattern of the key), versus “here’s a piece of metal, put it into this other piece of metal and turn to unlock, trust me the magic of my product will keep you secure”.
Open source encryption and networking protocols such as the one used by Open Whisper Systems’ Signal are the most secure method of communication, while most all closed source projects have zero days for ages.
If we estimate an average 20 million operations per second (note a Raspberry Pi should handle 5 billion operations per second), then that calculation still requires 900 million operations, which is insane for “correct randomisation needed for the secure key swapping”. The unlock operation should take milliseconds to compute; the longest period would be a network bottleneck. I somehow doubt your source or your interpretation of the information provided. Sounds like poor software rather than hardware.
I think this was the first version the device manufacturer made in development, their first prototype, not a shipped product. Trying to run the Apple-required security on the cheap Bluetooth chips was waaaay too much for them. These chips aren’t Raspberry Pi-level of powerful. And that’s the point: they couldn’t use their normal chips for Home Kit stuff, as it wasn’t powerful enough, so they had to design new products from scratch. Hence the higher cost of Home Kit devices.