Thursday, October 17, 2019

When is security not necessary?

Why do I need SSL encryption for my light bulb?

Recently I have been working on my diyHUE Razer Synapse project, article linked here, where I connect some LED strips to Razer Synapse via a Raspberry Pi and diyHUE. I've just about completed all I wanted to with the lights, getting a strand of 30 lights into the system and configuring them all to work, which they do. Except, now the Synapse side of my project doesn't work, and as far as I know, there's an issue with establishing a secure connection.

If I were controlling a remote drive or camera or something from my college dormitory in Indiana to my house in California, I would want standard encryption, to prevent any private info from being viewed by outsiders, or even to prevent strangers from tracking me or my house down. In this case, or even more private and secure cases, I would most definitely want encryption (which unfortunately my website doesn't have) to send over data. But my dorm and the network within the dorm and my college aren't some hundreds of miles apart; a connection doesn't have to take ten or so IP hops to send data- as far as I know the data would never leave my college, much less my router that all my devices are connected to. Do I really need encryption to turn my lights on and off?

I would say that it should be optional. In my case, the data never is seen publicly, and even if an external device were to hack into the secured network over wifi or thru a public IP, they would see a bunch of JSON being sent between two devices (at my college every IP is publicly accessible but we'll assume my network assigns its own local IP). This data is nothing more than values to set LEDs, like an ID, or RGB values- no IPs, no MACs, no passwords, no encryption keys. Sure, the hacker might be able to change the LEDs themselves, but that won't do a lot of harm. And if the hacker can hack into a computer thru HTTP or UDP, then there's probably other easier exploits to use to get into the computer.

Unfortunately, many developers like Philips and Razer don't leave security or no security as an option, because quite obviously, they don't want to risk any data leakage (but chances are they probably already have all your data, so what's the difference if a hacker or a corporation has your data anyways?). But chances are, the data being sent to my raspi isn't being sent to Hue servers- I can't even log into a Philips Hue account because diyHUE is incompatible. Enabling and disabling security measures would allow older or incompatible devices to connect, and while there is a risk of data being intercepted, often I would rather take a small risk rather than have my programs not work due to complications with authentication, encryption, and more. Yes, sometimes that risk is what may bring a hacker in, but being an experienced programmer modifying home networks and what not, I know the risk, play it safe, and take steps to minimize the chance of hacking as much as possible. Note that if you aren't experienced in networking, like setting up home networks or getting authentication or other security to work, you should NOT disable security, and frankly I shouldn't either...

But whether it's Philips Hue communication, 2 FA or the difficult-to-work oauth2 protocol, security is a difficult challenge to overcome. Not only is it important to make your data secure and private, it's also important to make security easy to use, so anyone can be encouraged to become secure when possible. In addition, it's also important, like mentioned in this post, to use it when necessary, and not be overly excessive to the point where you can't test your own software (like antimalware blocking your program). And furthermore, with the rise of quantum computing being able to solve the most advanced math problems in seconds, encryption would have to evolve beyond what it currently is. And today, encryption isn't necessarily enough- even though I don't want to secure data transfer from my pi to my PC, I still want to make sure everything else is as safe as possible- encrypting hard drives, using an additional router or device as a firewall, or even using incognito mode and a VPN when I'm about to do something sketchier than setting up LEDs. One day, we may see in internet where I don't have to spend hours trying to solve an issue with SSL on my lights, and don't have to worry about a hacker destroying everything via those same lights.

No comments:

Post a Comment