
1. asylte+(OP) 2024-01-19 16:13:08
I’m really worried this will become common practice. We MUST fight against this otherwise they will take away open source from us. Making an integration to work with devices you own is NOT ILLEGAL. I’m happy to contribute to a qualified and trustworthy gofundme to protect devs. I myself have a few integrations I made and would refuse to take them down. Granted, I intentionally don’t use any “cloud” api garbage.
2. Dyslex+19 2024-01-19 16:55:23
>>asylte+(OP)
Not only will it be common practice but likely also the law.

Upcoming legislation in Europe mandates secure boot for any IoT device sold in the EU by 2025. This and the Cyber Resilience Act will ensure only firmware shipped and signed by the vendor is able to boot :) ... so your comment is spot-on.

3. kevin_+cg 2024-01-19 17:22:29
>>asylte+(OP)
Everyone working in this space should include the following in their headers:

  * A declaration that no content copyrighted by the hardware vendor is in the codebase

  * The code cannot be classified as a DMCA circumvention device as it does not provide
    access to copyrighted works

  * An assertion that the RE activities are protected under US fair use doctrine for the
    purposes of hardware interoperability (even if not a US citizen)

  * Any potential trade secrets were discovered independently through the RE process

This will deflate their legal team's attempts to exploit common ignorance when the code is admitted as evidence.
4. superg+vh 2024-01-19 17:28:49
>>asylte+(OP)
Haier (at least this product in the EU) doesn't have a published/public API.

The code in question scraped the API off of app/device traffic.

Also, Home Assistant is a locally focused platform, and when it uses cloud APIs it creates HUGE amounts of traffic for the amount of users that use it.

Source: I run a developer program for a different IoT company

5. asylte+Km 2024-01-19 17:46:25
>>superg+vh
So? If you don’t want people using your APIs there are ways to block them. If it’s public, don’t complain.
6. beeboo+Ts 2024-01-19 18:09:28
>>superg+vh
Design a better api, bud. If you can't deal with all of your users using the product you sold them, the product you made is trash and your users deserve a refund.

Or, crazy idea, just let users use their devices locally. You won't even have to get your shit together and fix your api then!

Now also just design an official home assistant module and you've turned this drama into community goodwill.

7. beeboo+qt 2024-01-19 18:11:02
>>Dyslex+19
What legalization is that? That's atrocious and only serves to fuck the end user.
8. Dyslex+yu 2024-01-19 18:16:23
>>beeboo+qt
legislation?

The Radio Equipment Directive, which now has a huge cybersec impact. So if you want to sell hardware in the EU, it must be certified.

Here is a lot of what will be in there: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...

The final standard is not the above, but it is based on the ideas in ETSI.

While the above applies mostly to the "thing", the cloud and edge that enable services for IoT will be covered by the hotly debated CRA:

>>38818734

>>38787005

9. alexdn+4z 2024-01-19 18:38:40
>>superg+vh
> Also, Home Assistant is a locally focused platform, and when it uses cloud APIs it creates HUGE amounts of traffic for the amount of users that use it.

Yeah right.

10. superg+dz 2024-01-19 18:39:25
>>asylte+Km
That's exactly what Haier is doing, just via legal means rather than technical ones.

We actually have a public self-serve API. In some cases, if I've tried the diplomatic approach, I've had to actually shut off API access to get someone to even respond to me.

In this case, it appears they've taken the same access/creds as the mobile app maybe?

Another one of our platforms we cert-pinned the API to prevent this as well.

Yes, there are ways; the other part we don't know is whether they went straight to the legal route or not.

11. superg+kz 2024-01-19 18:39:42
>>alexdn+4z
I have data to back this up (at least for our products), do you?
12. superg+Fz 2024-01-19 18:43:09
>>beeboo+Ts
> Design a better api, bud. If you can't deal with all of your users using the product you sold them, the product you made is trash and your users deserve a refund.

If 3k home assistant users take up as much traffic as say... 50% of my total population we're just supposed to accept that cost in perpetuity?

> Or, crazy idea, just let users use their devices locally. You won't even have to get your shit together and fix your api then

I advocate for local access internally (to be clear, I don't work for Haier). But I'm here to discuss things I have a sphere of influence over as well.

> Now also just design an official home assistant module and you've turned this drama into community goodwill.

That, again, costs money/people/time that can be spent doing things that keep us all getting paid.

All this said, we have lots of API keys in our systems issued that are used in HA, and they DO take up lots of traffic. I sort of let it go because of exactly this (it creates a lot of noise to shut it off for little benefit).

Again, I also agree we should all offer local interfaces, but that's an uphill cybersecurity battle (lots of reasons, some of them not great).

13. beeboo+7K 2024-01-19 19:32:44
>>superg+Fz
> If 3k home assistant users take up as much traffic as say... 50% of my total population we're just supposed to accept that cost in perpetuity?

Yes, they are your users. They are likely the people who will gush about your product to their friends and result in more sales. If the plugin could behave better, make a PR and improve it. People will love you if you do it under your company name, but if you don't want the potential internal drama, just do it anonymously. Wins all around.

> That, again, costs money/people/time that can be spent doing things that keep us all getting paid.

Power users are some of the best cheap marketing available to device manufacturers. They will post about your product online. They will tell their friends. They will make your product better for no charge to you.

> I also agree we should all offer local interfaces, but that's an uphill cybersecurity battle (lots of reasons, some of them not great)

I'd love to hear about how this could be considered a cybersecurity issue. It's typically far more secure than a cloud connected solution, but most companies don't like that line of reasoning because it doesn't allow them to track their users.

14. superg+YP 2024-01-19 20:02:02
>>beeboo+7K
> Yes, they are your users. They are likely the people who will gush about your product to their friends and result in more sales. If the plugin could be behaved better: Make a PR and improve it. People will love you if you do it under your company name, but if you don't want the potential internal drama just do it anonymously. Wins all around.

Which is why to this point, I let it go and don't actually tell anyone how much traffic it takes up. It isn't worth fighting over. Haha.

> Power users are some of the best cheap marketing available to device manufacturers. They will post about your product online. They will tell their friends. They will make your product better for no charge to you.

If I had some way to quantify that, I'd accept it. But as it sits now the vast majority of our users don't interact with any integration models short of "share data with my installer". Alexa being the most popular aside from that.

> I'd love to hear about how this could be considered a cybersecurity issue. It's typically far more secure than a cloud connected solution, but most companies don't like that line of reasoning because it doesn't allow them to track their users.

Go look at major IoT "security problem" news. It is either "cloud leaked data" or "OEM didn't lock down local interface correctly". See the recent Bosch Thermostat story.

Or the "horror years" of Chinese ODM cameras showing up on shodan with live feed video access.

15. asylte+L61 2024-01-19 21:22:05
>>superg+dz
Haier is abusing the threat of legal action; that’s not the same thing.