Is there a community specific to FOSS or just general privacy-oriented IoT? With plenty of hardware discussion along with software. Routers, Pi-holes, Meshtastic, anything IoT but open source. If it touches a network but you want it to do something it doesn’t. Flashing a doorbell camera with FOSS firmware. Hosting media servers on your phone’s hotspot. Loading G-code to a printer from anywhere. There are so many things and possibilities.

If there isn’t, someone should start one, OpenIoT or something catchy and relevant.

  • @nottelling
    English
    7 · 11 months ago

    Your HTTPS connections are also symmetric, so that’s a silly thing to dislike.

    The handshake and key exchange are asymmetric, and used to establish a symmetric session key.

    ZigBee encryption is fine for the use case, because you’re only adding devices you know are being added. You inherently trust that your physical ZigBee device is the device it claims to be.

    There’s potentially an opportunity to hijack the key exchange between devices at network join, but you’d have to approve the listening device to your network in the first place.

    https://development.libelium.com/zigbee-networking-guide/security-and-data-encryption

      • @nottelling
        English
        4 · 11 months ago

        No apology needed, one thing about security is that paranoia is good. One problem with security is that paranoia leads to assumptions and misinformation, rather than understanding.

        Symmetric key encryption is much faster than asymmetric, and can use much larger keys with less compute penalty. So we use a CPU-intensive asymmetric TLS handshake to safely exchange the keys, and then switch to the faster method for the data.

        So when ZigBee uses AES 128, you can be reasonably sure the data packets are safe. The next question to ask is “do they exchange their keys safely?”

        Which in this case would be “no” if you just leave the ZigBee controller in pairing mode all the time. However, you only allow pairing when you want it, and only pair with devices you explicitly allow. Unauthorized devices never get your network key.
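
The pairing-mode point in the last comment can be checked from a coordinator's event history. This is an added example, not part of the thread or of any ZigBee project's code: the event format, the addresses and the 300-second policy are constructed assumptions.

```python
# Constructed sample log in a hypothetical format: (seconds, event, ieee_address).
EVENTS = [
    (0, "permit_join_on", None),
    (25, "device_joined", "0x00124b0001aaaaaa"),
    (60, "permit_join_off", None),
    (3600, "permit_join_on", None),
    (3650, "device_joined", "0x00124b0002bbbbbb"),
    (9000, "device_joined", "0x00124b0003cccccc"),
    (9100, "permit_join_off", None),
]
ALLOWED = {"0x00124b0001aaaaaa", "0x00124b0002bbbbbb"}  # devices you meant to pair
MAX_WINDOW = 300  # assumed policy: pairing mode open no longer than this (seconds)


def audit_joins(events, allowed, max_window=MAX_WINDOW):
    """Return (timestamp, finding, detail) tuples for risky pairing behaviour."""
    findings = []
    opened_at = None  # time pairing mode was switched on, None while closed
    last_ts = 0
    for ts, kind, addr in events:
        last_ts = ts
        if kind == "permit_join_on":
            if opened_at is None:
                opened_at = ts
        elif kind == "permit_join_off":
            if opened_at is not None and ts - opened_at > max_window:
                findings.append((ts, "window_too_long", f"{ts - opened_at}s"))
            opened_at = None
        elif kind == "device_joined":
            if opened_at is None:
                findings.append((ts, "join_while_closed", addr))
            if addr not in allowed:
                # A joined device holds the network key, so an unexpected
                # address here means the key left your set of known devices.
                findings.append((ts, "unexpected_device", addr))
    if opened_at is not None:
        # Log ended with pairing mode still on.
        findings.append((last_ts, "window_left_open", f"{last_ts - opened_at}s"))
    return findings


if __name__ == "__main__":
    for finding in audit_joins(EVENTS, ALLOWED):
        print(finding)
```

On the constructed log, the first pairing window is clean, while the second stays open for 5500 seconds and admits an address that is not on the allow list.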