Showing posts with label WITHINGS. Show all posts

2023-03-09

Bed sensor

Some time ago I got a Withings sleep sensor. Not cheap. I am not really sure it helps me understand my sleep well. It does a lot - tracks sleep, types of sleep, snoring, sleep apnea, heart rate. Clever bugger.

However, it does not allow you to use it without consenting to your data being used for other things, which seems to me to be a clear breach of GDPR. Obviously I reported it, and ICO were obviously inept, though they got as far as referring to EU, and then Brexit happened, so no idea where the case is now. I think it has fallen down the cracks and Withings just ignore GDPR, it seems.

Apart from some interest in what it says about my sleeping, my main use for this is reporting to my home automation when I go to bed and when I get up. I then link this to various things from simple lights, to air-con, directing the vents for lossnay (fresh air), illumination settings on environmental sensors, and so on. I rather like that lying down turns off the lights, and that getting up in the night turns on one light on a mirror in the en-suite bathroom. If I get up in the morning for 5 minutes it turns on the rest of the lights, and my office air-con, and so on. The possibilities are endless and there are people that are way more into this than I am.

The problem is that the way this works is convoluted!

  • Sensor detects in/out of bed.
  • Sends to Withings which is in France I think
  • That is linked to IFTTT - no idea where that is
  • IFTTT does a GET on my server in my loft
  • My server pokes MQTT for various things to happen

It can take a few seconds to a few minutes, or not at all if any servers or internet access is not working.

The solution

Recently I realised that a simple bed sensor mat is something one can buy cheaply. I mean I realise now that obviously such things must exist, but it had not occurred to me before.

I got one of them - a larger one for a bed (amazon, or cheaper direct). They also sell smaller ones. They could be used on a bed, a wheelchair, even under a door mat. They are sold for healthcare to track someone getting out of bed, or falling out of wheelchair, etc.

I was surprised to find it copes with my thick memory foam mattress, and slats. The Withings one has a pump to pump it up with air to adjust for weight of things like a mattress, but it is doing more than just detecting I am on the bed (e.g. heart rate, etc).

Withings (top, grey) and new sensor (bottom, white)

The trick is what they connect to - alarm devices are sold to work with them. I decided to give it a try, and found it was actually easy to make this work with my home automation. The trick was to use a Shelly Plus i4 DC (here). The reason for the DC model is that I don't want mains under my bed really, and the switch inputs on most Shelly are mains. They do an isolator which has digital and analogue inputs which would allow a Shelly Plus 1 to be used, but the DC i4 is easier. The other feature is it can work from 5V to 24V, and so can be powered from a USB socket. I got a USB lead (amazon).

Too many USB devices already!

The wiring was simple - the sensor appears to be a simple passive sensor. The 4 wires are actually two wires connected and two wires connected, so only effectively two wires, between which is open circuit when no pressure. When pressure is applied they go to around 2kΩ, but I suspect it changes with the level of pressure. Thankfully it is low enough to trigger the input on the Shelly Plus i4 DC.

The sensor operates like a switch input, and so can be linked in to any home automation that can work with a Shelly. There is HomeKit stuff for that, but I re-flash with Tasmota personally. Obviously this could work up to 4 such sensors, ideal for his/her side of bed, or floor mats as well, etc.

The nice thing is that it is instant in reacting, though obviously I can add a delay if I want. The important thing is it is not a random 10 seconds or several minutes delay as before.
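A sketch of the local logic once the mat is just a switch input, as an added example rather than the author's own automation code: it turns switch edges into the behaviours described in this post (lights off on lying down, mirror light at night, the rest after 5 minutes up in the morning). The action names, the morning window, the 2-second hold-off and the sample edges are assumptions constructed for illustration.

```python
"""Local bed-presence logic driven by switch edges (added example)."""

MORNING = (6 * 3600, 11 * 3600)  # assumed "morning" window, seconds since midnight
UP_DELAY = 5 * 60                # bed empty this long in the morning => day mode
HOLD = 2                         # ignore changes that revert within this many seconds


def debounce(edges, hold=HOLD):
    """Drop edges that revert within `hold` seconds (shifting weight on the mat)."""
    stable = []
    for i, (t, occupied) in enumerate(edges):
        reverts = i + 1 < len(edges) and edges[i + 1][0] - t < hold
        if reverts or (stable and stable[-1][1] == occupied):
            continue
        stable.append((t, occupied))
    return stable


def bed_actions(edges):
    """Map (seconds, occupied) edges to timestamped, hypothetical action names."""
    stable = debounce(edges)
    actions = []
    for i, (t, occupied) in enumerate(stable):
        if occupied:
            actions.append((t, "lights_off"))
            continue
        if not MORNING[0] <= t % 86400 < MORNING[1]:
            actions.append((t, "mirror_light_on"))  # night-time trip
            continue
        # Morning: act only if the bed stays empty for the full delay.
        back = stable[i + 1][0] if i + 1 < len(stable) else None
        if back is None or back - t >= UP_DELAY:
            actions.append((t + UP_DELAY, "day_mode_on"))
    return actions


# Constructed night, in seconds from midnight of day one: in bed 23:00,
# bathroom trip 03:10-03:14, a 1 s glitch at 05:00, a 2-minute false start
# at 07:00, then up for good at 07:30.
SAMPLE = [
    (82800, True), (97800, False), (98040, True), (104400, False),
    (104401, True), (111600, False), (111720, True), (113400, False),
]

if __name__ == "__main__":
    for when, action in bed_actions(SAMPLE):
        print(f"{when // 3600 % 24:02d}:{when % 3600 // 60:02d} {action}")
```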

2019-03-24

De-clouding IoT

There is a lot of IoT (Internet of Things) stuff these days, and it is impressive what you can do with home automation - linking sensors and devices and command speakers and phones and all sorts. It is even impressive that third party linking services like If This Then That even exist now!

A lot of these devices make use of The Cloud in one way or another, but not all, and not all to the same extent. This is both good and bad, and represents something of the age old compromise of security and convenience in a way.

Today I am playing with three devices: A Daikin air-conditioning unit (as per my blog), a Withings Sleep monitor (as per my blog), and some new SONOFF switches. All have different approaches. All work with IFTTT, so if I was happy to just use the cloud, this would all be simple.

What's wrong with the cloud?

Convenience

The first thing that is right with the cloud is the convenience - simply connect a device, load a phone app, set up and it is working. Devices that live on your home WiFi and talk to servers on The Internet do tend to just work and be easy to use. But this convenience comes at a cost...

Privacy

One of the issues is privacy - the data from these devices is going to third parties - companies you don't know, or may not even know which country they are in. Often the "service" they provide is not something you even knew was needed when buying the product and is some separate "agreement". GDPR should make your data safe, but it is a law not a technical means. They may not understand GDPR (Withings clearly don't, and have been reported to the ICO). Even if they do understand GDPR you have no real way to know if they are following it properly, or if they will ever get hacked.

The main way to ensure privacy is to keep control of your data. A cloud based service inherently takes that control away.

Reliability

If a device needs the cloud to work, that is also a problem. Even the Withings Sleep monitor, which is totally cloud, might seem like it is not an issue if your WiFi or Internet is down or they are doing maintenance on their servers, etc, but when you use the real-time triggers for getting up or going to bed to work the lights and heating and so on, suddenly it matters.

With locally connected and controlled devices in your home you can remove that reliance on the Internet and The Cloud, but at the cost of a single point of failure and equipment you have to maintain.

You also have to allow for the fact that this is most likely a free service, and something they can stop by choice, or because they go bust, or even politics between countries, and suddenly your devices are useless.

Adding extra parties like IFTTT just adds to the issues.

Security

Finally security - this is a huge issue with IoT. "The S in IoT stands for Security".

The Daikin air-con has no security - simple HTTP requests. Even if there was a password it would be easy to snoop. It means anyone on your home network / WiFi can access the air-con.

Does it matter? After all anyone with a remote can do the same in the house or even from outside through the window (stories of someone turning on a neighbour's air-con through the letter box whilst they are away so heat rises to their flat and saves them money). But is it a big deal? Well, remember, this is not just about you - if someone could control all air-con in a country they could make them all turn on at the same second and cause a major power blip. They could monitor when you are in and not and break in when not. It is not so simple.

But they need to be on the local network / WiFi? Well, no, they just need a compromised broadband router or compromised device (a lot of IoT is very hackable) on your LAN, or even some background secret function in some popular phone app. It is not as hard as it sounds.

So security of IoT really needs to improve.

What do I mean by de-clouding?

Basically I want to have devices I control, and home automation I manage using my computers in my home without using The Cloud. I can set up any remote access I want with a secure VPN. I then control my systems, and control my data. It means I have to maintain a machine, but I do that anyway, and it is not that hard - could even be a Raspberry Pi or some such.

Daikin

As per my blog, this was simple - no authentication, just local HTTP - it has no security.

The good news is that it makes it simple for me to lock down on separate WiFi SSID and VLAN and easy for me to write my own controls.

Apart from a lack of security, the other failing is a lack of documentation. I'd prefer if the API was actually documented - why not, Daikin?

Withings Sleep

The Withings Sleep monitor was more of a challenge - the security is trying with this one.

The device does an HTTP request to fetch the public key used for HTTPS, but includes its MAC and a random challenge in the request and gets a digest in the response. Any change to the response key, or even the request MAC causes it to abort and start again (DHCP, DNS, HTTP, etc). So it seems there is likely to be a per-device key check on the response and as such I cannot simply replace the public key returned. It then checks the public key on the HTTPS.
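A minimal model of the behaviour described above, as an added example and not Withings' actual protocol (which the post only infers): it assumes a per-device secret and an HMAC-SHA256 digest over the MAC, the challenge and the served key, and shows why a changed key, a changed request MAC or an old response is rejected. All names, MACs, keys and field layouts are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-device secrets shared by device and vendor server (assumption:
# the post only infers that some per-device check exists).
DEVICE_KEYS = {
    "02:00:00:00:00:01": bytes.fromhex("11" * 32),
    "02:00:00:00:00:02": bytes.fromhex("22" * 32),
}


def digest(key, mac, challenge, public_key):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    fields = (mac.encode(), challenge, public_key)
    framed = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, framed, hashlib.sha256).digest()


def server_respond(request, public_key):
    """Vendor side: bind the served key to the requesting MAC and its challenge."""
    key = DEVICE_KEYS[request["mac"]]
    tag = digest(key, request["mac"], request["challenge"], public_key)
    return {"public_key": public_key, "digest": tag}


def device_accepts(mac, challenge, response):
    """Device side: recompute with its own MAC, secret and challenge."""
    expected = digest(DEVICE_KEYS[mac], mac, challenge, response["public_key"])
    return hmac.compare_digest(expected, response["digest"])


def run_scenarios():
    mac, vendor_key = "02:00:00:00:00:01", b"vendor-public-key (placeholder)"
    challenge = secrets.token_bytes(16)
    request = {"mac": mac, "challenge": challenge}
    honest = server_respond(request, vendor_key)
    swapped = dict(honest, public_key=b"substituted key")  # key changed in transit
    other_mac = server_respond(dict(request, mac="02:00:00:00:00:02"), vendor_key)
    fresh = secrets.token_bytes(16)  # a later boot uses a new challenge
    return {
        "honest": device_accepts(mac, challenge, honest),
        "key_replaced": device_accepts(mac, challenge, swapped),
        "request_mac_changed": device_accepts(mac, challenge, other_mac),
        "old_response_replayed": device_accepts(mac, fresh, honest),
    }
```

Only the unmodified exchange verifies; this is the property that lets a device bootstrap trust in an HTTPS key over plain HTTP.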

So yes, I am stuck. The good news is that it does do IFTTT and that can be linked by creating an applet to a webhook to poke my own server for triggers. Sadly this is not direct from the device, but via Withings, so no chance to intercept / hack that either. It has all the disadvantages of cloud and local servers combined, but does mean I can then control the actions I take directly - such as changing air-con settings, turning lights on/off, etc.

SONOFF

I was inspired by a blog post (here). It seems SONOFF are very cheap and very popular, even with alternative code that people flash into the units. However, the security is poor in the first place meaning one can control them off-the-shelf. This is bad for security but good for de-clouding them.

First off, the simple in-line power switch (e.g. for lighting circuits) - which I have connected to a table lamp (purchased especially for this test, and obviously Pixar style).

It was incredibly difficult to see the AP mode SSID pop up and connect to it, and I wonder if you just have to try several times. You long hold the button and it shows up if you are lucky (ITEAD-1000xxxxxx with password 12345678). But then the /device and /ap HTTP commands work as explained in that blog. It seems serverName can be a host name.

As expected it then connects https. Unfortunately, even where the server has proper https and the name matches, it is just closing the connection after getting server certificate details. Arrrg.

Reading some of the comments, it seems I am not alone - even with a valid (LE) cert, the sonoff is not happy with the https negotiation. Grrr.

This sort of leaves me either using IFTTT and cloud, again, or re-flashing the code. Not amused.

What I think would help...

Firstly I think all IoT needs better security - maybe there needs to be a testing standard as part of compliance for CE marking (scary).

But also I really think the APIs should be published. This would allow devices to work directly with IFTTT or competing home automation systems or local controllers.

At the end of the day the closed approach, and forcing all data via the cloud maybe made commercial sense when companies could collect and use all that lovely personal data. GDPR kills that business model, and even makes having that data a potential liability! So please, let's open the APIs (securely) to allow more competition in the home automation market.

Oh, and don't forget support of the current IP protocol (IPv6).

Update: Current plan is to re-flash SONOFF. I'll blog more on that soon.

2019-02-01

Personal (medical?) data

I am having a bit of an issue with a company called Withings!

I purchased a sleep monitoring gizmo, it goes under the mattress. It is actually pretty cool as it tracks sleep, and heart rate, and snoring. Working out what to do with the data is another matter, but is interesting, and could be quite helpful.


Obviously this device needs a way to present the data to me, and that is via an app on my phone. The ideal way would be to, say, bluetooth it to the app. Simple, and it has bluetooth.

But no, it seems to be set up so it uses my wifi to send data to Withings over the internet, and then the app on my phone gets it from them and displays it. This is not ideal, and it annoys me a little that people make devices work like that, but, in theory, GDPR comes to the rescue.

My sleep is not always good

Once upon a time companies could probably do what they like as part of T&Cs of some service they offered (though, bear in mind, I have not bought a "service", I bought a "device"). However, these days, they cannot simply use my data, they need to have a legal basis, and perhaps even consent.

Also, arguably, this is sensitive personal data (medical data), so subject to even tighter controls.

So, in theory, I should be able to use the device with the data being conveyed to them and back to my phone, and no more. Data being deleted when no longer needed, and not used for any other purpose. Or so you would hope.

The first clue of a problem was that the installation not only required me to agree their T&Cs (annoying) but "consent" to their privacy policy (here). This immediately rang alarm bells as "consent" is meant to be "freely given" under GDPR. Insisting I consent as part of installation is wrong.

So, I consented on the basis I want to use the device, and immediately emailed withdrawing my consent, as is my right. To be clear, I explained I accepted that there would be some data processing to provide the core functionality of monitoring my sleep and displaying that on the phone app, but I withdrew consent for any other purposes - specifically (as per their privacy policy): Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations. The last one being my main concern.

It is worth noting, had they had a number of entirely optional consent settings such as "share data with our developers to help improve the product" and so on, I may well have clicked on some. Making it mandatory to consent to usage as per their privacy policy was what kicked this all off!

They basically have no clue, seriously. Many emails back and forth. They kept telling me where their privacy policy was and asking if there was anything else they could help with. They totally failed to understand their obligations or what I was asking. Finally I have an email saying if I don't consent then that is not compatible with use of the product and they offer a refund. Well, no, I want to use the product, but my data only to be used for that usage and nothing more. That is my right!

We'll see what happens next - I have written to them now as well.

However, there is a big gotcha here, and this is the same with T&Cs for installing a smart TV and a lot of other internet of shit stuff.

EVEN IF I CONSENT, what of other people?

This is not entirely hypothetical now. I was away for the weekend, and my sleep tracker says I slept one of those nights (someone that does not snore!). Now, I happen to know who did sleep in my bed, he is 5, and not only did he not consent to Withings having his data, but he legally is too young to have done so.

(I believe my having his data probably comes under personal/domestic use in much the same way as if I marked his height on a door post).

But Withings will presumably want to use the data for Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations.

If the basis of this use is "consent", which they seem to suggest, then when and how did they get his consent exactly? I have asked them this. We will see what they say.

Basically, they cannot assume they have consent for any sleep data they collect to be used in such a way, at all, ever, as even if the installer or owner of the device consents, they do not know the person sleeping in the bed has consented.

As I say, this is much the same as smart TVs that could be recording your viewing patterns. Even if the installer has agreed terms and consented to such data processing, the people viewing the TV may not have.

This is a legal issue that needs sorting. I wonder if the sensitive nature of medical data in the case of the Withings sleep monitoring device will help get this to a test case? ICO have been told.

P.S. I checked, and it is at least talking over https.
