Oct 272014

Xipiter has a great write-up on how they hacked the MiCasaVerde Vera quickly and easily:

The device has embedded SSH private keys on THE IMMUTABLE sections of the firmware image so we know that all these devices have the same embedded ssh key. It uses that key to access the manufacturers backend and set up ssh port forwards… While this a simple little device, the ability to attack it on the local network and potentially reach it THROUGH the manufacturers own servers as a beachhead to other computers on your home network is a reminder of why devices like this need to be understood better

This is a good illustration how the funky remote access methods for Vera got them into trouble. They would be better served with the API keys & calls other IoT hubs have been focused on. If you are running a Vera, it may be worth investigating offline mode until there is some confirmation that the remote access is possible or not.

Oct 182014

As I’ve been moving all of my home automation projects over to the SmartThings environment, I’m expanding my number of devices and scenarios in order to take full advantage of the easy monitoring and alerts which are possible within the SmartThings ecosystem.

The Problem

Leak detectors are normally pretty simple devices; water conductivity completes an electric circuit and a buzzer or alarm sounds.  This is great if you are within listening distance, but next to useless if you are away from home or even in a different part of the home.  Having recently seen the damaged caused by a burst hose at a friend’s house, the benefits to being alerted to a leak as quickly as possible are obvious.

When I initially started looking at z-wave devices to detect leaks and floods I found some things I didn’t like about most of the products available.  The first design flaw I found is that many of the devices were designed to sit on the same surface which was going to flood – they didn’t have a detachable monitoring lead.  This means that there is a pretty good chance that the devices are going to fail after or during a flood, as they are not designed to be waterproof.  The second thing I didn’t like about most of the devices on the market was price, with many starting around the $50 mark.

The Solution

During my search for an affordable z-wave smoke alarm I discovered that many devices made for the Lowes Iris system were z-wave compatible.  Searching that further I found that there was a leak detector made by Utilitech which was reasonably priced at around $30 which also worked with SmartThings – Utilitech Water Leak Detector White Indoor Flood Sensor (Works with Iris) Item #: 422362 | Model #: TST01-1.

Utilitech Water Leak Detector

I purchased one and put it to use with my SmartThings system.  First up, hardware impressions.  It appears to be well made, all of the pieces have a solid feel and the mounting is well designed (they also include a lot of mounting tabs if you have particularly long cable runs).  The device has a separate lead for the water monitor so that the device can be mounted above where the monitor contacts are mounted.  The leak detector was easy to pair with SmartThings and a number of SmartApps are suggested after the device is configured in the SmartThings system.  I chose to work with some of the included SmartApps for Damage & Danger to do two things when water is detected – send a push alert to my phone (and any devices connected to the SmartThings account), and send a text message to my telephone number.

 IMG_0805.PNG IMG_0804.PNG IMG_0806.PNG

As with my smart smoke detection I used the Sonos integration with SmartThings via Sonos Notify with Sound to send a text to speech (SmartThings detected a flood) auditory alert about the leak as well.  I tested the alerts a number of times and it seemed to be fairly responsive, typically the SMS & push message updates were received on my phone in under 5 seconds.  In total the installation of the leak detector and setup of the SmartApps had taken less than 20 minutes.  Not bad for a bit more intelligence at home.

Save 10% on SmartThings
If you are interested in using SmartThings, this referral link will get you 10% off any shop.smartthings.com order containing a Hub or Kit.

Oct 112014

As I’ve switched my home automation from Vera to SmartThings I’ve also been expanding my network of z-wave devices at home. Since SmartThings does such a great job with different notification options I’ve also been looking more into monitoring our home for different kinds of damage or danger. One of the first tasks on the agenda was to make our fire detection much smarter and able to alert us even if we are not at home. I looked around at the available market for z-wave smoke detectors and found a bit of a mixed bag. I could splurge and purchase the Nest device at roughly $100, or go with the Monoprice version of the Everspring Z-Wave Smoke Detector which runs at roughly $40.

However, after reading through the SmartThings forums a lot of people were having success using some of the devices which are certified for Lowe’s Iris Home Security and Automation system. The system runs z-wave as well and a lot of the devices are compatible with SmartThings since they both speak z-wave. First Alert makes a battery powered smoke detector with a model name of “ZSMOKE” which has built in z-wave and only costs $29.97. Note that they also make a CO2 z-wave model, however I already CO2 detection in the house, and I’m not as worried about being alerted to CO2 even when I’m away from the house. The other thing to know about CO2 detection is that the detection components deteriorate much quicker than they do for smoke alarms, which can lead to a lot of false alerts 4-6 years down the road.

IMG_0808.PNG IMG_0807.JPG

The smoke detector was easy to install into SmartThings (simply hold the test button as you insert the batteries to pair it to the system) and mount in an existing bracket on the ceiling. The smoke detector will continue to act as a regular (dumb) alarm until it is extended further on the SmartThings network with some SmartApps to go with it.

IMG_0809.PNG IMG_0812.PNG

I’ve added several different SmartApps now that my SmartThings system has smoke detection:

Damage & Danger


SmartThings has some out of the box SmartApps which are already configured for common scenarios with smoke detectors. There are several different options within these SmartApps, which all fall under the “Damage & Danger” category. Using these apps my SmartThings system will now do the following for any smoke alert:

  • Send an alert via the SmartThings app to our phones (when it triggers and when all clear)
  • Send a text message for the smoke alert (when it triggers and when all clear)
  • Turn on specific lights (most using GE z-wave switches)
  • Unlock the front door (Kwikset SmartCode 914 Series Z-Wave Deadbolt which I’ll cover in a future post)

Sonos Notify With Sound


Sonos has some pretty cool integration options with SmartThings, some of which I’ll post further about in the future. For the smoke alarm, there is an app named “Sonos Notify With Sound” which will play a custom alert on any configured Sonos speakers when smoke is detected. This isn’t the most critical of features, as the smoke alarm is plenty loud, but generally I tend to think the more the merrier when it comes to fire alarms.

Low Battery Notification

SmartThings already has some low battery notifications built into the system, however there are other apps which people have created to select specific devices and battery levels and send an alert once they cross a specific threshold. I’ve installed one which I have configured to alert me when devices hit 10% battery.

Somethings with SmartThings are not always easy to setup and configure, but this was completely painless. The device works well and paired quickly, and SmartThings has most of the functionality needed in the SmartApps out of the box.

Save 10% on SmartThings
If you are interested in using SmartThings, this referral link will get you 10% off any shop.smartthings.com order containing a Hub or Kit.

Oct 082014

Having lived in the US for over a decade there are quite a few cost of living differences I notice when I return to visit Canada. One of the more obvious differences between the two counties is the treatment of alcohol. The first and most obvious difference is how one purchases liquor or beer. In many US states liquor is commonly available at any corner store. In Canada, up until relatively recently all liquor had to be purchased through Provincially owned and controlled stores. This history also means that even the privately run liquor stores are typically quite clean, modern, and tidy – one never sees run down malt beverage shops which occasionally dot the landscape of poorer zip codes in the US.

The second big difference is in price. The price difference is primarily due to higher “sin” taxes in Canada. However, there is a secondary effect when it comes to imports as higher duty charges also take effect. While visiting this summer I took a look to see what was available in one of the larger stores in Prince George. While domestically produced spirits seemed to be about the same price one would pay for them in the US, some imported liquor appears to be dramatically marked up. The one which surprised me the most was Old Pulteney Scotch 12 Year – this is a nice Scotch which is typically under $40 in the US ($35.99 as of the time of my writing in San Diego). However, at this LCBBC the price was an eye watering $79.99. I guess I’ll be sticking to Canadian rye when I visit.

Old Pulteney Scotch 12 Year Canadian Pricing

Oct 052014


The last few days I noticed my site wasn’t performing great and response times had gone up. When I had a change to look further, I could see that CPU usage was high and apache was running out of worker processes on a regular basis. However, overall site and bandwidth usage was low – there was no huge influx of visitors or bots pulling content which would explain the increased load. Looking deeper into apache’s access logs I quickly found the culprit(s):

The log above shows that during one second there were 7 posts to xmlrpc.php from 3 different IP addresses. These IPs are likely compromised or botnet servers which are attempting to brute force my server. XML-RPC functionality is used for extending certain functions in WordPress, like JetPack or the mobile client. However, it can be susceptible to brute force attacks on user accounts & passwords. I use very long (20+ characters) passwords which are random character strings, so the likelihood of anyone guessing any of the account passwords is extremely small, even with months and months of brute force attacks. However, the continued hammering on the server had introduced performance issues.


While WordPress has been patched to prevent the xmlrpc.php attack for some time, compromised or botnet servers will still continue to hammer away on sites. The first order of business is to limit the functionality of XML-RPC to further reduce the surface area for the attack within WordPress itself. There are a number of ways to do this in WordPress, including disabling the functionality completely. In my case I want to retain some of the functionality in order to use JetPack and WordPress mobile. I can limit the functionality by using the iThemes Security and selecting Only Disable Trackbacks/Pingbacks:

Additionally I wanted to block the three IPs which were hammering my site from even reaching WordPress in the first place. I could use .htaccess to prevent the IPs from being served WordPress & PHP, but I actually want to go one further and prevent them talking with apache at all in order to further limit CPU usage. I’m using IPTABLES in order to block these IPs at the firewall/network level, but there could be other ways of doing this depending on how your server is configured. Note that in the case of IPTABLES, the deny/drop commands should be above the allow commands in order for them to be processed properly:

The above is a simple fix. However, if you are seeing traffic on a number of different IPs and wanted to automate the firewall level block further, you could also implement a custom filter for xmlrps.php using Fail2Ban which http://xplus3.net/ has outlined well.


CPU usage dropped dramatically as a result of limiting XML-RPC to specific functions and banning the 3 IPs which were hammering the server:
CPU usage

This has been a good reminder to review settings and logs on a regular basis.

Sep 232014

I’ve been playing around with the Hyperlapse app from Instagram and took it on a walk down the pier at Imperial Beach:

This was hand-held and I didn’t make any efforts to keep the camera steady during my walk. I’m pretty impressed with the way it turned out and will definitely use it for some other experiments.

Sep 092014

BBC News has a very interesting story about the ongoing territory disputes China and its neighbors are involved in. Rupert Wingfield-Hayes travels to the disputed area on a Filipino fishing boat to get some of the first photos and videos of China’s ambitious plans:

Other countries that claim large chunks of the South China Sea – Vietnam, the Philippines, Taiwan, Malaysia – all control real islands.

But China came very late to this party and missed out on all the good real estate. Beijing only took control of Johnson South Reef in 1988 after a bloody battle with Vietnam that left 70 Vietnamese sailors dead. Hanoi has never forgiven Beijing. Since then China has shied away from direct military confrontation.

But now Beijing has decided it is time to move, to assert its claim and to back it up by creating new facts on the ground – a string of island bases and an unsinkable aircraft carrier, right in the middle of the South China Sea.

Interestingly they also link to published designs from China State Shipbuilding Corporation which show a man-made island on the Philippine-claimed Mabini (Johnson South) Reef in the South China Sea. This is more than just a simple patch of land:

The Ninth Design and Research Institute of the state-owned contractor bared three-dimensional design plans for reclamation project on disputed waters showing an artificial island consisting of military airport, a long airstrip and a boat harbor for law enforcement.

About 30 hectares or 74 acres of the reef are proposed to be reclaimed, purportedly for the China People’s Liberation Army to strengthen its posture in the contested maritime area, claimed by the Philippines, Vietnam and Malaysia.