• @cybersandwich
    14 · 10 months ago

    Unless you want to live like a luddite, you can find ways to have the best of both worlds.

    As a fairly seasoned IT veteran I think it boils down to the tradeoffs between security, privacy, and convenience–just like at work. I’m sure most of us have implemented things in less secure ways to accommodate a business need. When you do that at work, you just try to mitigate that risk as best you can by putting other measures or controls in place. I do that at home.

    Everyone’s tradeoff decision will be different, but at some point, for me, the convenience of some IoT and smarthome devices outweighs the security and privacy concerns. Or at the very least I realized it’s a weird hill to die on as we use our Android phones, Google for searches, Gmail, Instagram, etc. I am sure some of you have completely divested yourself of all of those services and have GrapheneOS installed on your phone and use OpenStreetMaps to get yourself lost. Most of us still use a few of those.

    That said, I think the nerdiest and most security- and privacy-savvy among us in the IT field can implement it in a fairly secure way. pfSense, Ubnt, OPNsense, OpenWrt routers with VLAN segregation for traffic. IDS/IPS, Pi-hole local DNS, etc. You can absolutely make it so devices only communicate in ways that you approve. With things like VPNs (Tailscale), Cloudflare tunnels, etc. you can access your stuff securely without exposing any admin things to the public web.

    Digital locks are fine, just get one with a mechanical lock too. I have a digital lock on my front door that I can program with keycodes but it also has a key. I can give the cleaners a temp code if I need to. I can give my neighbors a code if they watch the house while I am away for a long time, then I can expire it when I return. The analogue alternative is arguably less secure.

    That is basically my requirement for smarthome or connected devices. I need to be able to control it to a level that I feel comfortable with, and if it fails or isn’t connected it still needs to work. I.e. no smart light switches that don’t function if the wifi is down–they still need to be a switch. My Nest thermostat still works without wifi. My smart plugs still work without wifi. If any of those things were hacked or compromised, they are completely segregated from anything of actual value on my network–and depending on the device it wouldn’t be able to see anything else at all.

    For major appliances, I don’t see the value of any ‘smart’ features built in (yet), so I won’t be buying them anytime soon, but if I did they’d still have to meet the “still needs to work in ‘dumb’ mode” requirement–smart, connected features are extra, not required to function.
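The VLAN segregation the post describes (IoT devices that can reach the internet and the local resolver but nothing of value on the trusted LAN, and no admin interfaces reachable from the IoT side) can be expressed as a small nftables ruleset on an OpenWrt or Linux router. This is an added example, not the commenter's configuration; the interface names `lan0`, `iot0`, `wan0`, the subnets and the resolver address `192.168.10.53` are assumptions.

```nftables
# Constructed example ruleset for a home router with a trusted LAN and an IoT VLAN.
# Assumed layout (not from the original post):
#   lan0 = trusted LAN   192.168.10.0/24
#   iot0 = IoT VLAN      192.168.20.0/24
#   wan0 = uplink to the ISP
#   192.168.10.53 = local resolver (e.g. a Pi-hole) on the trusted LAN
flush ruleset

table inet home {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # only the trusted LAN may reach the router's management ports (assumed SSH + HTTPS UI)
        iifname "lan0" tcp dport { 22, 443 } accept
        # IoT devices get DHCP leases from the router and nothing else on the router itself
        iifname "iot0" udp dport 67 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # replies to connections that an allowed side opened (lets the trusted LAN talk to IoT devices)
        ct state established,related accept

        # trusted LAN may initiate to anything, including the IoT VLAN
        iifname "lan0" accept

        # IoT devices may resolve names only through the local resolver ...
        iifname "iot0" ip daddr 192.168.10.53 udp dport 53 accept
        iifname "iot0" ip daddr 192.168.10.53 tcp dport 53 accept

        # ... may never initiate anything else toward the trusted LAN ...
        iifname "iot0" ip daddr 192.168.10.0/24 log prefix "iot-to-lan: " drop

        # ... and may reach the internet through the uplink
        iifname "iot0" oifname "wan0" accept

        # everything else from the IoT VLAN is logged and dropped by policy
        iifname "iot0" log prefix "iot-drop: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `iot-to-lan:` prefix: a device that suddenly starts probing the trusted subnet is exactly the compromised-device case the post wants contained.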

    • @SocialMediaRefugee
      3 · 10 months ago

      I remember one woman said she liked her smart oven’s remote feature because she would always worry if she left the oven on and now she could check it.

    • @[email protected]
      2 · 10 months ago

      I work in IT as well, specifically networking. The bottom of the stack.

      I have built my home network to be better and more reliable than the networks I operate for my workplace.

      The reason? Most high-end network stuff is more or less set and forget. If you buy cheap stuff, like unmanaged switches and AIO wifi routers, you end up dealing with them a lot because they’re not built to be reliable. The Cisco 3750E I use as the main switch in my house had several years of uptime when I shut it down and moved house at the end of last year. It worked perfectly that entire time. After I tuned the Cisco Aironet “WiFi 4” (802.11n) access points for that place, and got all the wireless networks set up with the right security and a complex password for my SSID, I didn’t touch that either, and I didn’t have to revisit the settings at all. The business-grade firewall I was using was my most touched item, mainly in adjusting port forwarding and such. I replaced the off-brand DSL modem from my ISP with a Cisco router to handle the physical WAN link and I never had to reboot a modem.

      Sure, there were times that my internet went down. I’d log in to my Cisco router and see what’s up, and usually the EHWIC-VA-DSL module would tell me that there’s no carrier on the POTS line or something, which is not my problem. At most, I would reload the DSL module (I didn’t have to reboot the router to do this) and it would resync, but even that was extraordinarily rare. I had a small stack of equipment in the corner of the bedroom we were using as an office, almost none of which made any significant noise, and the only time there was a significant outage was when I intentionally turned it all off to clean dust from the equipment and give it a deep cleaning (at that time it had gotten notably louder, but still not loud. The cleaning made it very quiet again).

      DNS and DHCP have been the only real problems with this setup, as I’m running them both on Raspberry Pi units: one does just DNS, the other does DNS and DHCP. I log in regularly to hit the update button and I don’t do much more with it than that. I run my DNS this way because I use split DNS (to resolve specific internal domains over VPNs on my firewall), and DHCP is done this way because it’s way easier and more reliable to manage them over Webmin than using the Cisco or firewall interface.

      I probably touch it for less than 10 hrs over the year, and the most notable outage I had was when I involuntarily upgraded from a Raspberry Pi (first gen) to the Pi 3, when the SD card in my first Pi died (it literally had a crack going through it) and I had no choice but to either repair or replace it. I temporarily turned on the DHCP on my firewall and set DNS to a public resolver until I could have two Pi 3 units sent to me with all the bells and whistles I needed (SD cards, cases, power adapters, etc.), which is when I promptly rebuilt the system. Two Pi 3s replaced my single Pi 1, and the only non-redundant part of it is DHCP right now… So I try to keep a copy of my dhcpd config, just in case.

      Everything runs on a UPS unit, and it’s incredibly reliable.

      I recently updated to using newer WiFi 5 (802.11ac wave 2) access points, and I moved to an updated controller (Cisco 2504), and I’ve been trying to work out the kinks in the system, not the last of which is that my access points aren’t properly placed and mounted. That’s been my only trouble recently and it’s otherwise been a pretty solid system.

      I’ve been using this, or some form of it, for at least 7 years, with minor improvements as I go. Namely the recent addition of the newer access points and the replaced Pis, but I also upgraded the 3750E to a 3750X when I moved, and I upgraded the firewall to a newer version of the same as I was using before.

      I could talk about this all day if given the chance… Yet people insist on their AIO wifi routers that may only last a couple of years, and either die, or are obsolete enough that they’re replaced. I don’t think I’ve sunk more than $400 into this setup and it has run for 7-8 years and will continue to run for many, many more.

      Laugh all you want about my WiFi 4/802.11n, but we had a 50 Mbps line at that location and the wifi significantly outpaced what the internet connection could do. It was always fast and responsive, and far more reliable than any other network I’ve managed.