Tag: cyber security

Testing the best smart plugs and outlets

I’ve started to read into what kind of smart power outlet to buy but there are so many outlets on sale that I got lost in the details. I couldn’t decide from what I read which one to order. So I’ve ordered 8 different types…

I’ve started to read into what kind of smart power outlet to buy but there are so many outlets on sale that I got lost in the details. I couldn’t decide from what I read which one to order. So I’ve ordered 8 different types…

One of the early predecessors of smart devices is the timer plug, which has been around for decades. You can buy the simplest types – a round-shaped plug with a mechanical watch – for about USD 5. The more complex electric ones that can be programmed to different settings cost about USD 25. We’d had a few of these at home (for example the timer for the light in the fish tank), so I got curious about what the latest generation of this device, controllable via a cell phone, can do.

How I tested?

For this review, I installed every device once. Then I reinstalled each of them in a different network. I marked down the time and the number of trials needed for the second installation in my summary table. Unfortunately, reinstallation didn’t work wonders for any of the devices. The problems I saw at the first installation would reoccur.

I compared the following features and characteristics:

  • Price: all devices were purchased at the same time, in early May 2018.

  • Number of attempts to install the device: how many times I had to start from scratch.

  • Time spent setting up the app: how long it took (in minutes) for the operating plug to show up in the app.

  • Wi-Fi: is the device Wi-Fi enabled? Those that are often send out their own open Wi-Fi signal – I’ll discuss this later in detail.

  • Bluetooth: it is most often used to speed up installation.

  • Remote access: you can check the device while you’re away simply using the cell phone network.

  • Manual switch: does the device have a physical button to switch it on and off?

  • Energy use monitoring: kWh meter.

  • Cost estimation: does the app offer the option to set a kWh/HUF input?

  • Everyday scenarios: for example, “I got up.”/”I’m going to bed.”

  • Timer: Can you set the plug to turn on or off in a given hour, on a given day?

  • Presence simulation: The outlet turns on at random times for random periods to simulate that you’re home when in reality you’re away. You should connect a lamp to the outlet so that the switching on and off is visible.

  • Timed shutdown: the outlet can be set to turn off after being on for a set amount of time.

  • Sunrise/Sunset: the device checks for the time of the sunrise and sunset for the location programmed.

  • Event control: for example, if the kWh meter reaches a pre-set number, the outlet shuts off.

  • Software usability: my own subjective opinion on a scale of 1-5 (1: it makes my head hurt – 5: kicks butt).

  • Sofware language: the language of the text in the app.

  • Nest: communication with this system: www.nest.com
  • IFTTT: communication with this system: www.ifttt.com

  • Amazon Alexa: does it work with voice control?

  • Google: does it work with voice control?

  • Apple Siri: does it work with voice control?

  • Apple Homekit: communcation with this system: developer.apple.com/homekit/

 

That damned security risk

Before going into details, let’s tackle an important conceptual question. If you control the power outlets remotely, do you open up the house to all sorts of security problems?

Let me explain:

  • for these devices to be controlled remotely, they first ask for permission to join the internal Wi-Fi network (the home network).

  • after that, the device connects to a server in the cloud (online), run by the manufacturer, and communicates with this server.

  • the bigger and more well-known the manufacturer, the more you can trust it to protect its server properly. But you also need to pay attention to how long the manufacturer offers support for the device. Once the support period ends, chances are the server will no longer be properly protected, either. And then if a hacker gets into the manufacturer’s neglected server, he/she can easily get into your home network, too. Why is this bad? Because on your home network, you have more vulnerable devices. These include the network drive where your pictures are stored, the webcams, even the baby monitor.

  • moreover, devices connecting to the Internet require regular updates, which are easily forgotten when you’re busy with your life. Yet these updates are very important for cybersecurity.

  • another important issue: some of these devices have their own Wi-Fi signal; you set them up using Wi-Fi. With such devices, once you installed them, you must check that the Wi-Fi signal is no longer broadcast. If it isn’t, you’ll have nothing further to do.

  • Maybe you can detect my unease to let a device like this connect to the Internet. What is the solution then? I limit the device to the home network, and I’ll check in from the outside using a safe VPN connection. Once the VPN is activated, the mobile network opens a checked gateway to home, and my phone will think that it’s at home. Unfortunately, setting up your home VPN requires quite an effort or a good friend who knows this stuff.

Phew, this is solved then. And I can switch the power outlet on and off on my phone even from work! But what happens if your significant other also wants to enjoy switching the device on and off remotely? Well, that’s not going to happen. Without the manufacturer’s central server, these plugs can only be paired with one device.

In summary, you have a choice to make:

  • you allow the power outlets to go “outside,” which means you’ll have an ID/password pair that you can set up on your phone as well as on your girlfriend’s/boyfriend’s phone

  • you won’t allow the power outlets to connect to the internet directly, meaning you can only control them with one device. If this device is the tablet you hung on the wall at home, you’ve lost the remote access function.

Choose the option you prefer… finding a really good solution would be a lot of complicated work, and even then it would come with many compromises. But let’s not get ahead of ourselves. First let’s take a look at the power outlets tested.

A comparison of power outlets

Product

Belkin WeMo Switch

Edimax Smart Plug

Elgato Eve Energy

Emos Wi-Fi Plug

Hama Wi-Fi Plug

iSmartAlarm Smart Wi-Fi Plug

myDLink Smart Plug

tp-Link Smart Wi-Fi Plug

Price

USD 36

USD 44

USD 50

USD 46

USD 31

USD 43

USD 37

USD 37

No. of installation attempts

3

2

1

1

2

2

3

1

Time spent setting it up

15

10

3

2

4

4

18

4

Wi-Fi

x

x

x

x

x

x

x

Bluetooth

x

x

x

x

Remote access

x

x

x

x

x

x

x

Manual switch

x

x

x

x

x

x

x

Energy use monitoring

x

x

x

x

x

Cost estimation

x

x

x

Everyday scenarios

x

x

x

x

Timer

x

x

x

x

x

x

x

x

Presence simulation

x

x

Timed shutdown

x

x

x

Sunrise/Sunset

x

x

x

Event control

x

x

x

Software usability

4

1

5

4

3

3

2

4

Software language

English

mixed

Hun

English

English

English

English

Hun

English

Nest

x

IFTT

x

Amazon Alexa

x

x

x

x

x

Google

x

x

Apple Siri

x

x

Apple Homekit

x

A description of smart power outlets/plugs

BELKIN – WEMO SWITCHimg_5282 (1)

Impressions:

Setting the timer is a piece of cake – as long as you’re good at detecting invisible icons. That’s because the days in the setting are not visible until they are selected. You also need to figure out by trial and error that selecting days means stopping rather than allowing the timer. The default setting is the same time for every day. This is useful, but it was unclear.

Remote access: Remote access is only allowed if you enable it.

Pros:

  • the function of being away but pretending to be home works really well. It takes setting the timer once to set when to have this function on. This can be switched on and off quickly.

  • as an extra, the power outlet can be set to shut off automatically. You can set the number of minutes after which the outlet becomes inactive. This, possibly combined with a motion detector, may come in handy for controlling the reading light by your favourite armchair. You’ll never have to use the switch here again.

  • it can communicate with nearly everything. For Homekit access, you need a dedicated Belkin device.

  • although this is only a power outlet, WeMo offers a whole range of devices to automate your home.

Cons:

  • for some reason or other, it took ages for the plug to find the Wi-Fi and my phone. I was really close to giving up on it and marking it as “failed to install.”

  • no energy use monitoring

Conclusion: if a power outlet requires so much effort to set it up, that’s an F from me. I wouldn’t buy it again.

 

EDIMAX – SMART PLUGimg_5280 (1)

Impressions:

You’ll need a lot of patience with this one. For some reason, the software spends more time showing you the hourglass cursor than actually working. The Hungarian and unknown Asian characters together would unsettle even the most patient ones of us.

When trying to set the timer, my reaction was, “no sane person would come up with something like this.” (well, this was what I meant but my words were a bit less sophisticated.) For every single day, a hidden menu option had to be turned on to start setting the timer. It took about 10 minutes to get rid of the “timer off” sign this way. As you can guess, the timer is rather simple but at least it’s easy to understand: you set on what days (or everyday) the device should turn on and off and when. That’s it.

Remote access: You have to use it.

Pros:

  • The energy consumption function allows you to turn off the power outlet if the consumption reaches a pre-determined value. You can choose a daily, weekly or monthly value here.

Cons:

  • Unusably slow software: I did figure out at the end why it was so slow. For every data request, the software sends the request to the server in the cloud, which then communicates with the smart plug. The data take the same roundabout way in the other direction, too. The server is likely not optimised for access from Hungary.

  • The software’s firmware update didn’t work.

  • It can send you emails on all sorts of statistics of your power consumption, but for that it requires your email password. I strongly recommend not to give out this information to an app like this.

Conclusion: the app was made for patient people who think they will live for 300 years. I wouldn’t buy it again.

ELGATO – EVE ENERGYimg_5281 (1)

Impressions from use:

The software was not made for a single power outlet but for a whole apartment. In accordance, you have to programme everyday scenarios because it’s not the device you’re setting the timer for but the scenarios. This is quite a drag for one device but wonderful for your whole apartment. When programming events on the timer, you can set it to check not only the time but the outlet’s usage or the volume of the usage (kWh consumption, Voltage, Amp).

Remote access:Not included by default.

Pros:

  • the software works like a charm. You can program all sorts of things, and then you can use them very easily.

  • since it’s compatible with the Apple Homekit system, you can add a “guest” to control the device at home. You can control via the Apple system who has access to what.

  • it checks consumption and estimates costs

  • the smallest power outlet I’ve found

Cons:

  • it relies on Bluetooth communication, so the area it covers can only be extended with additional devices (such as Apple TV). This is not a problem for small apartments. But if you live in a larger home or one with more than one floors, this may give you some headache.

Conclusion: if I can make the Homekit system see it through the additional device, then this is a great plug (further testing is required). – I’d buy it again.

 

EMOS WI-FI PLUGimg_5287 (1)

Impressions:

Setting it up was easy-peasy.

Remote access: You have to use it.

Pros:

  • simple as can be

Cons:

  • very few extra functions such as event control.

  • you can get more bang for your buck with other devices

Conclusion: given the price, this should be much smarter – I wouldn’t buy it again.

 

HAMA WI-FI PLUGimg_5284 (1)

Impressions:

The software is very buggy. For example, I set the time for the timer, then went on to choose the days. Once the days were selected and I went back to the time, I saw that the software forgot the time that I’d already set. Another problem I encountered was that sometimes a setting didn’t appear to be saved when in fact it was. So I’ve set the same timer setting three times.

Remote access:You have to use it.

Pros:

  • price.

  • if you don’t want to change the settings too often, then the software is easy to use.

  • this was the only device in the test that came with a Hungarian manual.

Cons:

  • software bugs

  • certain functions were only included so that the manufacturer can say they are included (everyday scenarios)

Conclusion: this is the bare bones version of the smart power outlets. The only reason why I wouldn’t buy this again is that I’d either buy an old-school mechanical timer, or I’d skip two dinners and buy a smarter kind.

 

ISMARTALARM SMART WIFI PLUGimg_5288 (1)

Impressions:

It kind of works as it should but the software didn’t leave an impression.

Remote access:You have to use it.

Pros:

  • worked as promised.

Cons:

  • you can get more bang for your buck with other devices

Conclusion: given the price, this should be much smarter – I wouldn’t buy it again.

 

MYDLINK SMART PLUGimg_5283-1

Impressions:

I plugged this in the power outlet and started the installation. Then suddenly it asked for a PIN code that’s printed in tiny fonts on the inside of the plug.

I was surprised to see a temperature function. But it’s unclear what temperature it checks. I’m guessing it’s its own inner temperature because the display said 36 degree Celsius in a 21 degree Celsius room. This does not make sense.

The timer allows you to repeat turning on and off. In theory, this would simulate your presence when you’re away. But the time periods are always the same, so in practice this doesn’t work well.

For event control, it offers two options: reaching 30 kWh or reaching 90% of something. I have no clue what these are.

Remote access: You have to use it.

Pros:

  • it’s appealing because it appears to have a lot of functions.

Cons:

  • it’s appealing and then you’ll see that most functions are half done (e.g. event control). A big disappointment.

  • they couldn’t pay me enough to go through the installation again.

Conclusion: Hell no, I wouldn’t buy it again.

 

TP-LINK SMART WI-FI PLUGimg_5285 (1)

Impressions:

All of them should be like this.

Remote access:Remote access is only allowed if you enable it.

Verdict: A big YES: I’d buy it again.

 

 

So which smart power outlet / plug is the best? Which one should you buy?

The winner of this roundup is clearly the tp-link Smart Wi-fi Plug.

The Elgato-Eve Energy would be the runner-up for its flawless software and perfect design. As I said, further testing of this device is required. It’s worth giving this a shot for the Homekit compatibility. If it works, you don’t need to open up your home network and you could still control the power outlet from more than one phones. Third place is not awarded to any of the devices unfortunately. As seen above, all have major issues.

PS.: The goal of this piece was to help you guys. Not buying any of the six not recommended plugs will save you quite some trouble.

 

Cyber crimes in the family

Best practice to prepare your kids and yourself to manage passwords and other secrets in the family.

Best practice to prepare your kids and yourself to manage passwords and other secrets in the family.

I came across an infographic the other day that explained how to talk to your kids about the dangers of the Internet. Taking that a little further, I’ve thought about what you should do in the family to protect yourself and your loved ones from annoyances that could have been avoided with a little more care. Before I begin, I must make it clear that I’m not a security expert. What follows is based on everyday experience rather than expert advice. If you take just one piece of advice from here, you’d be better off than you were before reading this post. Let’s look at the issues one by one.

Passwords today

If you use passwords for websites and services that you can memorise, you’re reckless – unless, of course, you have photographic memory. Unfortunately, with today’s computing capacities, you don’t need to be anyone special for your passwords to be worth cracking. All you need to know is that passwords shorter than ten characters are totally outdated. Even passwords with 20 characters protect you only if the people who want your data don’t want to spend too much time on cracking your account. It’s not just about the length of passwords any more. To make your password safe, you should use a variety of characters (and two-step verification – see below).

What does this mean in practice?

  • creating your own password (this can be memorised)
  • if you want to create your own password, start with linking two or three words together. You can play with different languages or use nonsensical words. For example: brown apple flower
  • add capitals and lowercase letters, numbers and special characters (space is also a special character). For example: browN:Apple flower
  • then add a character that’s not normally used in writing, and you’re done: For example: browN:$Apple flower

Using a password generator (these passwords can’t be memorised): there are software solutions that help generate random series of characters.

Now you have at least one password that appears safe; let’s call it the Master password. This should be the one you actually memorise. If you have one such password, you don’t need to remember the rest. You’ll use the Master password to encrypt all your other passwords.

Use password manager software to store your passwords

A good password manager software program today must meet at least the following requirements:

  • it encrypts data locally. This means that no service provider should have your Master password – once something’s stored online, it may be cracked.
  • it stores the data in the cloud. This doesn’t contradict the point above because your data are already encrypted with a Master password. This means that your passwords are backed up and their storage is location independent.
  • it should be usable on more than one device. In addition to your computer, your cell phone is used for many things.
  • it should support sharing passwords within a safe group. This is useful for families as well as companies.
  • it shouldn’t be expensive.

I’m going to show you two solutions, one free, one paid.
– the Keepass software is free, and it stores data locally on the computer. But if you upload the encrypted password data on Google Drive, you’ll be able to access the passwords on your cell phone. A drawback of this software is that you can only share passwords with your family members by using different password database files for yourself and for your family. Another drawback is the overly simplistic mobile interface, making it a bit difficult to use. But it’s safe and free of charge. You can make it work with the browsers on your computer, but setting that up requires some computer expertise.
1Password is a monthly subscription-based service, but it meets all the requirements of a password management solution. A particularly likeable special feature is that 1Password works with your cell phone’s browser, so it automatically fills out the login information on the selected websites. (That is, if it has the Master password.)

That’s the theory. And then you have the practice.

In spite of the well-thought out principle above, humans are LAZY. Even I don’t store all the passwords for all services and websites. How do I decide when to be lazy and when security-conscious? This depends on the kind of data stored about us and which of those I find sensitive:

  • scenario 1: I want to try a service: I’m just looking, so I don’t give out my real email-address but an anonymous one registered for this purpose. This has a short but suitably complex, tried and tested password. If I decide to use the service for real, I’ll re-register with my real email-address and a safe password. This solution involves NO password storage.
  • scenario 2: I order something from a shop I don’t use often: I don’t register but check out as a guest (doesn’t save bank card data). I’ll survive having to type in my personal information twice a year. This solution involves NO password storage.
  • scenario 3: I often order something from the shop but it doesn’t reveal much about me, and the store doesn’t save bank card data: I register with my real email-address but use the short password that was mentioned above. In this case, identity theft is not a real risk at the shop, since you give out your address in many places anyway. This solution involves NO password storage.
  • scenario 4: I often order something from a shop and it’s important that it remains a secret; or the shop stores bank card data: This DOES involve password generation and password storage.
  • scenario 5: using an online service: This DOES involve password generation and password storage.
  • Facebook: This DOES involve password generation and password storage. But I create my password so that it can be memorised if I want it to.
  • Email: This DOES involve password generation and password storage. But I create my password so that it can be memorised if I want it to.

 

Logging in with Facebook or Google

Recently, many websites and services have started to allow you to log in with your Facebook or Google account. To me, this convenient scenario equals those above that were marked as involving password generation and password storage. But it’s important to know what you allow the websites/services access to. Let me give you an example that made me think twice about this the other day. I wanted to use a function of the  IFTTT service that sends a notification to your phone if you get a certain email. But for this not only was I asked to authorise Google login, but IFTTT wanted access to the actual email. I didn’t want this, so I had to find another solution. I’d like to stress here that you really need to think hard when a website/app/service asks for access to your most valuable user data, that is, your email and Facebook profile.

Always, always lock everything

To sum up what you’ve learnt here so far: you need to remember one password, and then you’ll be able to see all of your other passwords on your computer and cell phone. And if you need to give access to it to a family member, you can do that, too.

Unfortunately, every chain is only as strong as its weakest link. Your weakest links include the computer (maybe more than one), cell phone, tablet. If any of these get into the wrong hands, your passwords may be revealed.

  • Most devices think that if you enter the Master password then it’s you using the device. This is all fine but only if the password database automatically closes after, say, three minutes, or once the device is locked. A typical workplace scenario is that you pop out for a coffee for just two minutes and you leave the computer unlocked. DON’T do this! Learn that two-character keyboard shortcut that locks the computer and use it whenever you get up and leave. You should get used to using it; it’s not a problem if you “automatically” use it even at home.
  • Likewise, lock you phone when you put it away. Try to avoid using your fingerprint instead of a password on your cell phone. In my opinion, a fingerprint is enough to protect your phone data, but not for your precious passwords. Just think about a night out when you don’t remember everything the next day – you shouldn’t give anyone a chance to abuse the situation and your fingerprint. (My suggestion is that if you do use your fingerprint to unlock your phone, the alternative shouldn’t be a pin code but a suitably strong password you came up with.
  • So you have to type in the Master password on the phone. When you do this, cover up the phone screen with your other hand. Modern cameras can see the screen from a distance of several metres.

To sum up what’s been discussed so far, you can say that only you have access to your stored passwords. All in all, you must remember two passwords: the Master password, and a password that allows you to unlock your phone or computer without your fingerprint.

The 12+1 commandments

Interestingly enough, kids are faster than adults to understand the issues described above. They don’t have bad habits set in yet. In summary, here are the steps to follow:

1) Have a Master password, the “boss” of everything.
2) Have a password for devices you use your fingerprint to log in.
3) Always lock the devices, just like you lock the door when you leave home.
4) In addition to your regular email-address (which contains your name), have at least one extra email-address. You can forward the messages you get here to your real email address.
5) Use a password manager software where you can save all your secret information. Only you can see it.
6) Learn your Facebook and email password by heart.
7) In addition to Facebook and your email, there is other important personal data that should be protected. The best way to protect it is the so-called two-step verification. This means that, for example, you get a text message/generate code within an app to verify your identity when you log in. This means that if an unauthorised person learns your password somehow, he/she won’t be able to log in with it because you get notification on your phone, and because you use your phone to verify your identity.
8) Check for the privacy settings for every service you use. If there’s something you don’t understand, look it up online or ask someone in the know, but don’t just leave it at that.

There are a few other things I’d recommend doing:
9) Use a virus scanner.
10) Install updates.
11) Don’t click on any email attachment if you don’t know the person who sent it or if you’re unsure whether you know him/her.
12) Use your browser’s HTTPS setting. Today, any website worth visiting must be able to handle it.
12+1) If any of your passwords has potentially been exposed, take the time to change it, even if it’s the Master password.

As an afterword to those who made it to this point, or to those who doubt that this is all useful, I’d like to recommend some scary-amusing lesson on the topic: watch episode “Shut Up and Dance” in the third season of the series Black Mirror. https://en.wikipedia.org/wiki/Shut_Up_and_Dance_(Black_Mirror)