> I am just not delegating Internet access directly to cheap consumer electronics, which simply put, shouldn't be done.
Yeah, but most people are going to do that. Most people aren't security-conscious professionals, and they do like cheap things.
In a hypothetical reality where home networks were better designed to accommodate remote access, we wouldn't have this problem. And for those of us who can configure networks to be securely accessed remotely, there are definitely better ways to do things.
But that isn't the reality of the landscape of consumer IoT -- which is that people expect to buy a cheap device, connect it to the wifi network of any consumer wifi router, and have it work out of the box. They are already buying these devices regardless of whether they are secure, and will continue to do so. This initiative is about encouraging reasonable incremental changes to the existing reality.
If the requirements for this label were drastic enough that they required people to secure the devices behind behind a firewall, store data locally, and provide remote access only with an inbound VPN or something like that, it would simply be ignored by manufacturers and would have zero impact. Because vanishingly few people are going to replace their Comcast modem/router just to install some IoT device. To most people, they "get wifi" from their ISP. The concept of "reconfiguring a home network" is a nonstarter. Whatever the ISP provides is what normal people use, by default.
You missed my point. On the contrary, having every light switch in the house need its own network stack is not just insecure, it's overengineered and expensive.
It's fine to have a computer or "gateway" device that calls outbound to a server for outside access, no firewall rules or VPN required. The point is there should only be one point of contact with the outside world, and that's a tech device with enough power to update, secure, etc. As Wi-Fi standards and such change, people should expect to replace it.
Hardware in and on your walls should be dumb, cheap, and long-lasting. Insteon's technology hasn't substantially changed in twenty years, most of my smarthome hardware is over ten years old, and is no less secure or current than when I installed it. And of course, all of it works just like a "dumb" counterpart when the Internet is down or there's no smarthome controller involved. This should be cheaper at scale than "wi-fi smart outlets", if they aren't selling your data to offset the cost.
I understand your point, it's just not relevant. Consumers aren't doing any of that, nor are they going to. Expecting consumers to buy smart-home devices as a whole system and integrate it into their structure is just not practical. The barriers to entry are too high.
I'm glad you bought up Insteon. They're a great example of this, they failed commercially.
I understand the benefits to the architecture you're advocating for. Personally, I started with X10 in 1995. But that simply isn't what people buy anymore. People are buying individual smart-home products, not integrated systems.
The requirements of this program are to address the reality of the types of devices people are actually buying, and the security concerns that affect them.
I mean, fwiw, Insteon is in business today as a new entity. They're producing new hardware and all. It's viable enough a technology to have survived business issues that killed the company.
I disagree with your assumption you understand consumers: Many prefer to buy all products from unified systems, and the complaints about how disconnected and disjointed having odds and ends are have led to Matter, which is struggling to solve the problem.
The major players have all sold home automation hubs, and a lot of solutions still use them, but a lot of the hardware is still overengineered, has a short usable life, and creates security risks.
Yeah, but most people are going to do that. Most people aren't security-conscious professionals, and they do like cheap things.
In a hypothetical reality where home networks were better designed to accommodate remote access, we wouldn't have this problem. And for those of us who can configure networks to be securely accessed remotely, there are definitely better ways to do things.
But that isn't the reality of the landscape of consumer IoT -- which is that people expect to buy a cheap device, connect it to the wifi network of any consumer wifi router, and have it work out of the box. They are already buying these devices regardless of whether they are secure, and will continue to do so. This initiative is about encouraging reasonable incremental changes to the existing reality.
If the requirements for this label were drastic enough that they required people to secure the devices behind behind a firewall, store data locally, and provide remote access only with an inbound VPN or something like that, it would simply be ignored by manufacturers and would have zero impact. Because vanishingly few people are going to replace their Comcast modem/router just to install some IoT device. To most people, they "get wifi" from their ISP. The concept of "reconfiguring a home network" is a nonstarter. Whatever the ISP provides is what normal people use, by default.