WI-FI IOT modules



  • Hi. recently i start looking more to iot wifi based ,not because it's new but because i see the prices from the shelly wifi modules comparatively with the zwave ones that we are using now.
    I never had paying much attention to this wifi modules but by 19$ they are really cheap for shutter or relay modules embedded in wall,and can we can change the firmware to custom one ,once they are esp8266 second i read.
    Anyone can explain me the disadvantage? Are this wi-fi modules always transmitting to the router? or they are like our mysensors that only comunicate once per hour or so to saying"i m alive", when they are idle/not sending data.
    That is an old care about not fill the house with wi-fi "noisy" devices...



  • wifi uses a lot of handshaking for communication = drain batteries too fast
    Mysensors and other "good" protocols have a little handshake and preserves battery energi
    I am only using wifi devices that are mains/230V powered


  • Hero Member

    You can use wifi- now, which uses the wifi radio at the phy layer. It's not real wifi, but it's a lot more energy efficient.

    You can leverage the esp8266 modules, which cost only about $1 each and yet offer 20dbm tx...


  • Mod

    @neverdie said in WI-FI IOT modules:
    Wifi- now sounds cool. Do you have any more info? I tried google, but didn’t find anything that looked relevant.



  • @mfalkvidd
    Look for ESP-NOW ...
    But it is limited to max 20 nodes per one network.
    ( Without encryption. With encryption, number of nodes is more limited - 6 or 10 )


  • Plugin Developer

    Never use wifi for IoT devices. It's too big of a security risk to have devices with a binary blob that are not updated, can connect to web services autonomously/directly, and can offer an attractive stepping stone to your laptop/etc.

    All those IoT hacks you keep reading about? Wifi devices..


  • Hardware Contributor

    I agree with alowhum about wifi for IoT, not a big fan too.
    I imagine people may think IoT is an alternative way of controlling their devices, in case of their controller is ko for example..

    But, like OP said, you still can change fw so your device only works on a LAN. for some mains powered and cheap devices, I understand it's attractive. not the best for battery powered, sure.

    I don't see any big security flaw as soon as your LAN is well secured (but I'm not sysadmin).
    This applies to any rpi connected to your LAN though. Many devices can be security holes nowadays (even phones..) in your LAN. So, by well secured network, I mean it's nice to have a dedicated secured network for HA, and of course apply some security checks on devices (with vlan, reverse proxy etc.)

    I won't explain here how to ko a mysensors network, but when the HA network is secured I think some local wifi modules are quite secured too. But, then you can't switch your wifi off if you liked to do it.
    btw it's never ideal to rely on wireless devices that can be jammed, for home security devices (like strategic lights, cameras, door/motion sensors etc), unless you have a strong and reliable fw.
    Sometimes there is no choice πŸ™‚

    About "noisy" wifi (vs health ??), I'm not sure, but maybe using a few wifi AP instead of one, to reduce RF range needed, would make them use less RF power.


  • Hero Member

    @mfalkvidd sorry, I think I probably meant esp-now. As I understand it, it provides access to the wifi phy layer, which would be pretty cool, and what you do with that is up to you, but maybe there's more to it than that.

    It's doesn't rely on a wifi AP, so the idea is that it frees you from all the wifi overhead, which is much of what kills you from an energy point of view. Iirc, with ESP-NOW a node broadcasts a frame and nodes listen in promiscuous mode. It's expresiff's attempt to become energy efficient.

    Since it's not wifi compatible, how secure it is is up to you. If (?) you have total control over what goes into a frame, I would think that good encryption alone would buy you a lot. There may be other phy layer tricks that would also make even frame detection a problem for an attacker, but not for you.

    A big advantage is the potentially very high data rates that a wifi phy can offer. You tx at 20.5dbm, but for just a fraction of the time. That might be a big win that would offset some of the esp energy inefficiencies. For example, 54mbps, if an esp can even go that fast, might compensate for a lot of non-tx inefficiency.

    Anyone reading this tried it and can comment? I'm curious enough that I'll likely give it a try, if it is easy that is. I'd get dsss for range or ofdm for speed, plus the fast mcu and arduino ide, all for about $1. Pretty amazing if it pans out. πŸ™‚ plus, I presume I'd retain the option of doing wifi (for arduino FOTA), and turning it off afterward. At least, that would be the hope. I suppose that would be a security loop hole, so maybe you dedicate a separate network just for up updates so nothing crosses back over into your circle of trust. Then in the worst case you have your nodes restore to a prior known good state.


  • Hero Member

    #172 Hidden: ESP32 and ESP8266 point-to-point (ESP-Now): Fast and efficient. Comparison with LoRa – 16:07
    β€” Andreas Spiess

    Btw, he assumes just 1000mah for the battery. 2xAa lithium would be at least 3x that.

    Lora sounds better overall, but then it costs a lot more than just $1, so that's the tradeoff. At $1, I think one can maybe make a case for esp-now.



  • It feels wrong to me when someone says that WiFi (and by extent private networks & appliances) is extremely insecure, being what it is, with so many years of development.
    Today there's everything for WiFi. And WiFi is not a protocol nor a transport.
    How many here run their inet provider access point? That's dangerous.

    Start learning about vlans, network segregation, AP mesh and redundancy.
    And there are some tricks for l2 enc & auth.
    Got to know the infrastructures of today houses.



  • @sergio-rius I agree - but vlans require a new switch and they are too expensive for me (but if you insist I will accept one as a Christmas present!) πŸ˜‰

    For wifi I think a radius server (which runs well on a pi) is the neccessary level for todays environment.

    Bluetooth is not much safer either as there are hacks for that too - that is why I like nrf modules as there is no 'built-in' capability in notebooks, tablets, phones etc to allow some bored kid to mess around with your data.



  • Ok, send me your address πŸ˜„

    RF are not more secure. Kids spoofed garage door key fobs for decades and now are used to do more complicated things with cars. We are the accommodated ones.
    Nrfs are also jammed at the same time that WiFi.

    A good starting point to learn to do things with network is open-wrt. You can flash almost any router and start playing (and repurpose them for other things). And today you can find retired good L2 switches on eBay on a budget.
    DLinks are very friendly, don't jump on a Cisco only bc they're cheap. (Or HP 😱)
    Professional & Soho switches have nice features like Poe & unused ports power down. With 48p or more they can be hungry beasts.



  • Ok, send me your address πŸ˜„

    That is sooooooo kind of you! πŸ™

    RF are not more secure. Kids spoofed garage door key fobs for decades and now are used to do more complicated things with cars. We are the accommodated ones.
    Agreed - I wired a lot of GB ethernet around the house, but this is not an option for people who rent or are moving home soon......So RF is really the only option (not including powerline stuff that is just awful at spewing out RF all over the place).

    Nrfs are also jammed at the same time that WiFi.

    Agreed, but jamming a 2.4-2.525GHz range takes some doing in terms of power required and broadband jamming techniques. It can be done, but not that easily from an attacker who is tens of metres away.

    A good starting point to learn to do things with network is open-wrt. You can flash almost any router and start playing (and repurpose them for other things). And today you can find retired good L2 switches on eBay on a budget.
    DLinks are very friendly, don't jump on a Cisco only bc they're cheap. (Or HP 😱)

    For anyone looking at how easy it can be to hack a wifi should search youtube for "vivek ramachandran" - He did a great series on this topic many years ago and it is all still relevant today!

    Professional & Soho switches have nice features like Poe & unused ports power down. With 48p or more they can be hungry beasts.

    I have a 48 port switch for the whole house. It has good 'green' features like using only the power it needs on any particular port to make a good connection. It does not support VLAN however 😞


  • Plugin Developer

    Start learning about vlans, network segregation, AP mesh and redundancy.

    The thing is.. my mom doesn't know how to do that. In the real world, using WiFi is just asking for trouble.



  • @skywatch said in WI-FI IOT modules:

    It does not support VLAN however

    It's not a L2 switch? What is it?
    In fact, switches only have to comply to 801.1x... whatever for vlan "passthrough" it's the router that's managing it. Also wifi APs has to be able to bring up several ssids and tag them.

    I have opnsense virtualized in my server as the router, and a small physical shitty appliance as failover.

    But @alowhum mysensors only works bc it's not widely used. You know what I mean. Just imagine a building with as mys installations as WiFis you can get nowadays.
    And don't even think on phone telling your mother she has to modify bootloaders, firmwares, to switch a channel that perhaps it's also occupied. It's not realistic.

    Anything can be done though. Those are tribulations, like wondering what will be next on cars, electrics or hydrogen.


  • Hero Member

    @alowhum said in WI-FI IOT modules:

    Start learning about vlans, network segregation, AP mesh and redundancy.

    The thing is.. my mom doesn't know how to do that. In the real world, using WiFi is just asking for trouble.

    Do you hold the same view of esp-now as you do of wifi? No doubt one does get a bit more security from using a non-stadard Phy, but with Hack-RF available, I suspect you'll get ID'd just the same. Maybe there's even some program that does it automatically. Or may using an RTL-SDR? Not sure if those are powerful enough for the task though.


  • Hardware Contributor

    @alowhum
    I get your point, but the problem is very often mothers are not able to secure their LAN too πŸ€“
    I think private datas are as important as home network security.
    any ethernet devices like cameras, voice assistants, ssl, unsecured mqtt etc? if so, how to connect them? on same LAN as home computers, phones, with stock isp router and config? it's the easiest but that's not super secure.

    I just meant it's a good idea to isolate HA to main LAN when you want good security (lot of good router/firewall solutions). + SBC's should be secured (ssl when enabled, ddos attacks etc)
    this should help for wifi devices attacked from internet. If someone would get into, then lot of chance he would have access to your main LAN too.

    About local, security, I know a small agriculture company where I live in country field, who got jammed and robbed, no security alarm triggered. I think they may have got the lesson about going wireless. First time I heard about a jamming attack here but this exists.

    And if someone is trying to hack your HA RF with a local sniffer, I would be worried about intrusion in my main wifi network, if not secured too.



  • @scalz
    "About local, security, I know a small agriculture company where I live in country field, who got jammed and robbed, no security alarm triggered. I think they may have got the lesson about going wireless. First time I heard about a jamming attack here but this exists."

    Determined criminals (or government versions) will always be better prepared and equipped to exploit holes and abuse systems no matter how secure they purport to be.
    Even a security system wih GSM comms can be locally jammed and wifi nodes interfered if pros want to rob it, but crucially they have to be in close proximity. All you can do is make it difficult for them by extending intrusion detection range to raise the alarm before they can.
    For the 99% amateur crooks this is perfetly adequate.
    I do not trust reliance on the internet or wifi nodes, as almost every modern kid is intimately acquainted with internet and wifi hacking, so internet access can never be 100% secure and will always be a moving target.



  • That's like saying one would never travel by plane because accidents happen. Your simplifying in excess the wifi concept.

    Tell me how a WiFi connection can be hacked, if it implements an "inclusion mode"


  • Plugin Developer

    @scalz @Sergio-Rius

    I get your point, but the problem is very often mothers are not able to secure their LAN too

    True. That's why I'm not against WiFi, I'm against any IP-based technology for IoT devices. Which is ironic, since I'm a big fan of the Mozilla WebThings Gateway, a project whose main goal is to connect all kinds of devices to the internet using an open standard. I totally disagree with that goal πŸ™‚

    mysensors only works bc it's not widely used

    True. I use MySensors for prototyping, but if the Candle project would ever turn into actual commercial devices, I'd probably move the wireless technology to Zigbee/Z-Wave/Bluetooth.

    So the overall point is that I much prefer network technologies that have smart devices on a separate, dedicated IoT network by design. Because it's separated by design, it means my mom is also better protected, by design.

    Then there's another point: these wifi modules have, or are connected to, ARM chips. These powerful chips are way more attractive to malicious parties than an Arduino Nano. That's why I follow the principle of "minimal viable hardware" when I design IoT devices.


  • Hardware Contributor

    I wonder how many people without good router/firewall are running their rpi controller directly on their home LAN, without ddos and ssh protection, running unsecured mqtt (for a mysensors gw, or snips etc for example)+many others ethernet devices like camera, audio clients etc for example. all on same network as computers, phones, without good passwords management policy, better have no malware or key logger, "no, don't click on this!"..


  • Hero Member

    @alowhum I hadn't quite looked at it this way before, but if you want something your mom can use which doesn't expose her PC or anything else on her home network, then those self-contained systems with cellular links back to the cloud start to look pretty secure. Then your mom looks at her home automation by opening a browser to some cloud URL, at which point she's' no more at risk than from regular browsing.

    On the other hand, I'm guessing that even just regular browsing is higher risk than some hacker invading through your home automation. In other words, yes the risk is not zero, but is it really a dominant concern compared to regular internet browsing or whatever else our mom's might be doing on-line?


  • Hero Member

    Well, to alowhum's point, yet another IOT wi-fi (ESP32) exploit was in today's news headlines: https://www.infoq.com/news/2019/12/esp32-fatal-fury/


  • Plugin Developer

    self-contained systems with cellular links back to the cloud start to look pretty secure

    @neverdie: indeed, that's why the Candle smart lock has a built in GSM modem: to circumvent using the internet, while still allowing you to unlock the door when away from home. Of course, data should never be stored in the cloud.

    I'm guessing that even just regular browsing is higher risk than some hacker invading through your home automation

    Both are high risk, so I would avoid the trap of 'whataboutism'. Protecting a browser (using add-ons) is at least somewhat possible for end-users. As your ESP32 hack points out, when a hardware device is compromised, most people are completely at the mercy of the supplier.

    Basically, it's all about keeping a minimal attack surface:

    • Don't use IP based connectivity when zigbee/bluetooth/etc will do.
    • Don't use ARM chips when a simple Arduino will do.
    • Don't connect to the cloud unless you absolutely have to
    • Don't store data in the cloud unless you absolutely have to.


  • This article @NeverDie published doesn't involve or talks about WiFi. It talks about physically accessing the chip and messing signals to program it.
    That is a nonsense if you already have physically access to the device. And it should apply to any device.

    That is what I mean. WiFi has been a nice word in the mouth of everyone for decades. It's so easy to simplify and confuse using a word as a flag.
    If a company created a new ideal device for mys and this device would be easily hacked, would not mean that mys is the culprit or bad.


  • Plugin Developer

    @Sergio-Rius You're right, it requires physical access. That makes it much less of a risk.

    There are other examples where wireless access was compromised though, such as the krakk attack.

    If a company created a new ideal device for mys and this device would be easily hacked, would not mean that mys is the culprit or bad.

    I don't think anyone is saying WiFi is without virtue. It's just a risk when deployed in IoT devices.

    Let's be honest: most vendors use WiFi out of convenience. Both for the end user, and for them. Devices that use WiFi are the logical choice if you want to send data to the cloud directly without any pesky smart home controller acting as a potential gatekeeper and privacy protector. At best, using WiFi is lazy or uncritical design. At its worst, WiFi is the technology of choice if your businessmodel depends on the extraction of data.


  • Hardware Contributor

    @alowhum
    of course, like we usually say, use the "best tool for the job".

    I think with old 8bits mcu, and retrocompatibility, we may be kind of stuck to improve interesting points because of variety of hw setup (unprecise clocks etc).

    Interested to know, when not using IoT, with no physical access (physical access is not secure by design), how can an advanced SOC (ARM, esp32 which is not ARM but tensilica, etc) using proprietary RF, be unsecure ??

    I don't think adding plugins in browsers is enough to secure people, it helps sure. I spent lot of time cleaning friends computers and phones, even with plugins enabled.. when I ask them, why did you click/install again bad stuff, they reply it's certainly their wife or childrens πŸ€”



  • Also... Continuing with the supposed vulnerability in the article. If you correctly program the arm chip, not with fancy joke web portal, but with secure protocols, etc... And then as the article says, you set the fuses to avoid firmware changes...
    Where extreme risk would be? (Legit question)
    Those chips are cheap enough to start consider them as one use.



  • I think i touch the rigth spot! WIFI ☺ ☺ ~
    but my initial post was more about if they are reliable than if they are safe...
    even a wood door it's not safe...an kick and you are in ... i don't believe someone will start robbing my house ,by entering in the shutter iot module by an wifi hack and open the shutter,brake doble glass windows and enter....
    It's more a question if they are pratical and reliable? tey cost less than half of an zwave module..big point here...
    and my main concern is ,are they all day comunicating with router or they usualy sleep? i'm not sure how wi-fi devices like esp8266 work. If they ping the router regularly or what?


  • Hero Member

    Speaking just for myself, it's hard for me to rationally evaluate the risk of getting hacked by an IOT device without some statistics, like what percentage of the population it happens to annually. Otherwise, it's like worrying about how bullet-proof your home burglar alarm system should be: you can always think of vulnerabilities with whatever system you have, and then once you do it's only natural to worry about them.



  • @tmaster WiFi devices will behave as you program them, there are several "conventional" projects there for them, like espeasy, tasmota, espurna (my preference) and with luck one more by the next year.
    They poll the network for several things, like mqtt and ping status messages. Some are configurable.
    But on top of that, there's own wifi ttl, leases and other green implementations that need re-registering from time to time.
    So for battery powered devices could be tricky as that increases drastically wakeup.

    I had once a problem in a company where mobile devices where repeatedly disconnected from Cisco APs, due to a bad ttl config in them. That's how I know about it.



  • @tmaster I think the phrase "that escalated quickly" comes to mind..
    I can only speak personally in that I dismissed "Wifi" as a Node communication methodology due to limited structural penetration issues and the desire for complete separation between monitoring and reporting. Z-Wave operates in the 800-900MHz band so is less prone to structural blockage, externally it would take a dedicated geek parked in your back yard to break into that.
    My own issue with the blossoming of wifi incorporation in "a connected world" is that even your fridge can be used in a DoS attack, and it is pointless making comments about what CAN be done with a router, when the vast majority of consumers are only concerned they can check on their fridge 2,000m away without a ball's notion or concern who else may be affected. The comms protocol is less energy inefficient but it has a universal tag.
    I can see the advantage of "the cloud" but have a serious beef with dependency on that service, the other is living in a rural area where candles are common due to power cuts which also cut off the internet service externally. Yeah, burglar's paradise... except for the large dog and a Gatling Gun on heat sensors... Ok, one of them may be true πŸ˜‰
    I almost went for Honeywell's Evohome system a few years back, local operations on 868MHz, well secured, but then came the spanner in the works, internet dependency.
    All my home kit is self contained 433MHz, and happy it works away 24/7, with no local geeks acquainted with http protocols interested in researching or interfering, happy...
    In short, the cheap options are cheap for a reason, one of which is insecurity for a price hence Zigbee etc.....


Log in to reply
 

Suggested Topics

  • 4
  • 4
  • 2
  • 17
  • 15
  • 9

54
Online

11.4k
Users

11.1k
Topics

112.6k
Posts