Telstra launches Australian homes onto the Internet of S**t

Telstra's decided that Australian homes aren't insecure enough, launching its very own Internet of S**t Things offering based mostly on generic home-branded kit.

The service, offered to Testra and non-Telstra broadband users, currently comes in two starter flavours: a home security offering with window sensors and camera; or an automation pack with power plugs, motion sensors, and window sensors.

Devices connect through a home hub, other supported devices include smart light bulbs from Sengled, a thermostat from an outfit called "Zen" and a Lockwood door lock. The carrier promises more devices next year.

Given that 2016 has provided so many Internet of S**t security disasters, The Register hopes to put questions about just what's under the hood, whether firmware upgrades will be possible and so on. Telstra's told us it will try to find a time when someone who has heard of security might be available to share some information.

So here's what occurs to Vulture South, and we're sure readers can think of other questions as well:

Whose devices? “Badge engineering” is no longer good enough, in a world where major Internet infrastructure can be hosed by a Botnet of Things. If a carrier is slow with a firmware patch and there's no second source available to users, both customers and the Internet are at risk.

Even best-practice Thing patch management is mostly rubbish, as Akamai's CSO Andy Ellis told The Register in September.

Software: In the Internet of Things, it's clear that suppliers need to be transparent about the software on their devices.

Telstra is letting non-Telstra customers sign on for the Smart Home service: other ISPs, at least, need to know that the gateway device isn't running an old, unpatched embedded Linux or open source software library.

Cryptography: We've asked Telstra what cryptographic protocols protect communications to and from the home user; and to/from the smartphone apps.

Configuration: The devices can't be configured from a desktop machine, only from a mobile app. In other words, the carrier wants all configuration information to run through its cloud.

That also means I can't change a configuration without all parts of the network – my broadband connection, my mobile connection, and Telstra's cloud – in operation, which leads us to the next bad idea.

Cloud dependency: Without a connection, a user can't manage anything.

Ask a Finn what he or she thinks of a cloud-dependent thermostat – or, for that matter, Americans who couldn't connect to their home automation systems while a Mirai botnet was clobbering Dyn DNS.

UPnP: Because there's no local configuration, the user must let UpnP through their gateway.

UPnP – the Universal Plug'n'Play protocol – has been popped many, many times, frequently because low-cost manufacturers forget to change the chip-vendors' SDK defaults.

Security advice: Telstra's Smart Home promo pages make no mention of even basics things that might secure the home router: strong passwords, disabling remote management, turning off UPnP (oh, that's right, you can't) and the like.

Today's hot gadget is tomorrow's abandonware: The Internet of Things market is littered with unhappy people who bought a device tied to a service, only to have it bricked when the service is withdrawn. We'd love to know how long Telstra plans to keep this kit alive.

Nest's Revolv home automation hub is a fine example.

One more thing: if the smart light bulb Telstra sells me has a flaw that turns it into a data-sucking monster, will that count against download quotas? ®