The title is actually incomplete but didn’t want to make it too long. What I’m about to describe is an initiative on how to put together an encrypted, authenticated, realtime, RaspberryPi powered home automation gateway. It will be a few separate posts that will go from concept to implementation, using a real world example of how to control something in the house. I’ll break it down and explain the big picture and each part that needs to be addressed. But first, a little more background and reasoning behind this effort.
Above you can see my temporary gateway setup. It’s very simple – I have a RaspberryPi powered through an ATXRaspi, and a Moteino which acts as the gateway to my wirelessly controlled house. It’s hard wired to my home router because the wireless adapters are simply junk, not reliable. Also hooked up to a monitor and keyboard.
I’ve seen tons of blogging and articles on how to make something blink, turn a servo or LED on, even do more real things like turn ON lights, change the thermostat or control some household appliance, from your smart phone. All cool and dandy. But almost everyone seems to completely skip security. The blog posts end when the LED or light turns on, and everyone seems to be super excited about the cool thing they just did. But I’m left there with a raised eyebrow wondering if those people know what they are doing. Security is of major concern to me because if I hook up my garage doors, lights and perhaps other appliances to the interwebs, I don’t want unauthorized access. Is that a nobrainer or am I paranoid?I’ve actually only seen one such tutorial where the garage door was operated directly by a RaspberryPi and access was authorized with google’s OpenAuth, great – but I wanted more features, more scalable and realtime.
Ok so let’s get the 10,000 ft picture…
- Authorization. We need to only allow authorized access to the home gateway. So whoever hits the gateway needs to provide authorization tokens. I started with basic HTTP auth which works well, and allows for a simple hard coded .htaccess file based authorization.
- Encryption. We need HTTPS, period. All communication between your smartphone or remote browser and your home automation gateway needs to be encrypted, including the basic_auth tokens or session data, and of course the commands that say … open the garage. This is to avoid eavesdropping and other attacks from capturing your session tokens or basic_auth credentials and then impersonate you.
- Realtime. To have any kind of real time feel interacting with your home automation gateway, you will need websockets. Otherwise you’re gonna be sitting there all day hitting a refresh button every time you want to check if something happened, or set a refresh script on your Apache driven PHP page… a little slicker but still kinda lame. That was cool in the 90’s with the META refresh tag. These days, you got websockets, use them. Websockets allow all clients to get realtime notifications of events, broadcasted or targeted. That is wonderful for home automation or anything event-driven.
- RaspberryPi powered. It’s because Rpi is the other cool thing of the day. It’s powerful enough to run a fast webserver, a websocket server, perhaps a database to log your data, and host your wireless Moteino gateway, or whatever else you might interface to your IoT stuff. I want ONE central Rpi, not a dozen. It’s very cheap, but I don’t want each thing in my house to be Rpi driven because 1) it doesn’t scale and 2) it doesn’t make any sense. I want nodes like tiny Moteinos to control the IoT stuff because that’s all it takes, they scale very well, are fairly unobtrusive, and it’s all wireless and also encrypted and easy to use. Goodbye CAT5 cables, network hubs, drilled walls and angry wives, welcome sanity and awesomeness.
Ok so if you’re still reading this it means the theory sounds interesting. The main point for this post is that your gateway needs to be secured. Encryption is not sufficient, you need to also authorize access. This encryption-authentication tandem is a must-have for home automation that will secure your gateway and give you peace of mind. The websockets part is really bells and whistles, but a nicety nonetheless.
In the next post I will describe the tools I used and the challenges that needed to be addressed to make this a solid and reliable solution that will not easily get hacked into.
I dislike multipart article blogging because it gives the reader that unfulfilled sense of incompleteness, like when you’re a kid and are waiting for Santa and then he only brings half your toy, and need to wait for what seems like another year before you get the next part. But this time I have to break this up in order to make it digestible. Because it’s LONG. So sorry dear reader for keeping you waiting. I want to make you feel awesome after you get this stuff running on your Pi. One step at a time.