
Monday, February 8, 2021

Comment on NY Times cell phone tracking piece

A friend posted this article about cell phone tracking (kind of the flip side to their earlier and much longer article on phone tracking), and I thought it needed more than a Facebook post to fill in some of the stuff missing from the article and expand on other bits. Not to increase paranoia or to dismiss it, but to point out things those not in IT might not know, especially given the increasing number of posts I see about tracking worries that are way off the mark (tracking chips in vaccines, for example) and that would often be less of an issue even if they were real than what is actually in increasing use. I don't have an answer. Some think tracking info should not be kept at all. At the other end are those who are not worried at all. In the end everyone has their own idea of acceptable risk, but that should be based on actual risk factors, and as the NY Times article points out, companies are making a business out of linking all available data sources.

Location tracking basics

Here is the rub. Every tool can be used as a weapon. Cell phone location ping data is just a tiny fraction of the stream:

  • Apps track your location as well as what you did. Many apps ask for WAY more permissions than they need, some because the developer was lazy, some to have data to monetize.
  • WiFi access points can track you as you pass them even when you do not connect to them. This includes hotspots in your car. For example
  • Linked security camera and WAMI (wide-area motion imagery) systems can basically TiVo an area to allow forward and backward tracking of multiple objects over the entire coverage area, which is growing fast. You might be amazed how many posts I see of people having or wanting license plate readers to log cars passing their house. Many also want a Pan, Tilt and Zoom (PTZ) camera because they think it will somehow locate and track people in range. More here on why they won't. So if WAMI for homes became available there would probably be many who would sign up.
  • Bluetooth is getting strong enough these days to be used as well, and it is.
  • Then there is LoRa, which Amazon just adopted as part of Sidewalk, and so on.
  • Not to mention almost everything is or will shortly be connected to the internet. If it can ID you (as in you have any sort of auth on it) there is another data point.

That means it is virtually impossible to not be tracked now, and it will only get harder as data storage rates drop, computing power increases and systems get deployed and continue to interconnect. The thing is that the data is huge, so without a reason it generally just gets stored "in case". Developers will always err on the side of having too much data to debug with and for future features. Companies are always looking for new features to offer customers and ways to monetize the data they have to store anyway. And all too often security and QA are seen as overhead costs to be kept to a minimum. Add to that governments will always want more and better tools to track down "criminals", and most people will be happy to comply as long as they assume it will never be used against them or they think they can exclude themselves.

Look at all the people commenting on rep posts without constituent badges because they seem to think that means Facebook will not know where they are, even though if you log in from a different browser you get a notification telling you your account was just accessed from machine X in city Y. Failed logins are logged too. Even my basic hosted website has that level of tracking by default, so you can imagine what a site like Facebook is doing. Even a non-static IP is linked to a location for the length of the exchange. Granted there are ways to hide your location somewhat, but few are going to deal with that hassle even if they are aware of them. Plus many proxies and VPNs are not as anonymizing as they claim. Also, one of the things all the breaches have shown is that most people still use the same login and password everywhere and do not even know what 2FA is, making them both easier to track and easier to hack. There again, it is not that hard to track down someone's home address these days from a few data points, given a lot of government data is online and/or sold to search engines like PublicData.com (since 1997).
There was outrage back when people first heard, and they moved the servers offshore, but even then that only saved you the trip to the clerk for the data. People just did not know. While we are on social media, you might want to look at this story about how the police tracked some protesters via social media.


So then it would seem the only option is to limit access to the data or what the data can be used for. But I would not hold much hope there either. Take WAMI for example. Back in 2016 a company did a WAMI test that was pretty successful at tracking criminals. People kind of freaked at the time, but Baltimore police are attempting a new test run to track how it affects crime when people know it is watching. People seem freaked about drones in general; though the WAMI tests are with piloted aircraft, people still seem to see them as drones. You know if they get their test and it shows good results others will want it too. Same goes for other related tech. As I mentioned above, people are saying they want features like tracking and recognition even while saying they do not want the government and companies to have them. The Chinese are going all in, so in the end it might be a question of whether we buy from them or develop it here. BTW did you know almost all security cameras are made in China? There are people warning about that as well of course. That is a whole other thread about unsecured networks of IoT devices, whether or not they came with backdoors.


Saturday, July 13, 2019

If you think your device is spying on you, then you are missing the point.

Why does this keep coming up? No one buying a $25 cam or a < $50 voice assistant is a hot ad target, much less a blackmail target. Just think about it for a second and it is obvious. It all comes down to ROI. Processing audio, much less video, to the point of getting data points out of it is costly. Note devices are getting more powerful all the time, and processing is moving from the cloud to the device. So not long from now it might be cost effective to pull ad data from every word heard by a speaker, but right now it is not. Note too that even with local recognition the assistant needs a wake word / phrase to know it is being talked to, to pull that voice from the stream of other voices (like a TV or radio) surrounding it.

Streaming audio, much less video, 24/7 is going to get noticed. Lots of people have looked at the traffic on these devices and found nothing unexpected. Note Wyze used to use servers in China, but people complained about it right away and they switched to US servers. But in the posts I mainly see it is "someone told me that it was doing X", or some sort of vague thing like "I talked about this thing and then saw an ad for it", usually something not all that unusual for them to see an ad for.

However IF the makers of these devices were going to do something malicious, the odds are MUCH more likely they would be used as bots for attacking REAL targets, as in companies and agencies, either for extortion or brute forcing access. An even greater worry ought to be that these cheap devices probably are not that secure and might be pulled into a third party's botnet. Either way, unless it is activated you would not expect to see any significant traffic. Note though, while you might not be a "real" target, there are lots of script kiddies out there that might just use you to learn on and/or try stuff out before going after a real target. They hit my websites and bang against my home firewall all the time. And since they do not know what they are doing they can REALLY screw things up if they get access.

That said, if you give a damn about your data security you ought to have decent network gear that lets you monitor traffic and put your IoT on a network isolated from data you care about. Allow no inbound traffic, and on the IoT network only allow outbound traffic as needed. As a rule cameras should talk to nothing outside your network other than any cloud storage they might be linked to. On your data network you should be using a DNS that at minimum filters known bad actors. That is just life in the 21st century, like door locks in the 20th.

Or just hope for the best and not worry about it. There is NO point in worrying about something without doing something about it, much less without doing any research. After all, I hear some people still happily leave their doors unlocked.

Monday, September 10, 2018

Honeywell Vista 20P linked to Homeseer


Since this is mainly a wired panel I'll assume your house is wired. If not, you will need to run wires and install switches and/or sensors around the house, or optionally get the wireless interface and sensors.

Items you will want

Honeywell VISTA-20P Ademco Control Panel, PCB in Aluminum Enclosure 
Eyez-On Envisalink EVL-4EZR IP Security Interface Module For DSC and Honeywell (Ademco) Security Systems
Honeywell Security 6160 Ademco Alpha Display Keypad (You seem to still need this to program the panel despite adding the above web interface.)
For a battery I used a Mighty Max Battery 12V 9Ah Compatible Battery for APC Back-UPS NS1250, mainly because I buy them in bulk for my UPSs.
Unless you get a battery made for an alarm system it will probably have standard tabs, so you will need these F2 to F1 Sealed Lead Acid Battery Terminal Adapters.
You will also need some 18 gauge wire to go from the panel to the transformer.

Useful guides:

Vista 20P / 15P wiring guide. Note the keypad and the IP interface connect to the same place.

Envisalink install programming guide which gets you the first 8 zones programmed.

Honeywell VISTA 15P, 20P Programming Guide

Note if you wired doubled zones you need to change the hardwire type on those zones. See this doc for info on that. Also you need to program both zones. For example, if zone 2 is doubled then you need to set the type on zone 2 and enable zone 10, and confirm Zone Type is correct for both.

Once done the local web interface should look like this
And the network page like this

Not much there really. It is really only useful for setup. If you do have a problem you will still need to go to the EyezOn status page to get more than a "trouble" indicator. Note EnvisaLink TPI Status will show offline until the Homeseer plugin is configured.

The EyezOn status page will look like this (Note MAC and public IP blacked out)

Oddly the *29 error does not seem to really matter. The docs say it means the "Enable IP/GSM/LRR Shadowing" option is not checked in the local interface, but it seems not to matter and to be a 21P thing, as flipping options did not seem to make it go away and it does not seem to be stopping anything from working. Ignoring for now; will update if a solution is found later.

Again not a lot useful here except the log activity. By default the zones are labeled by number. You can put names on them to make them clearer by going to Settings

Then Zone Labels. Then add a name for each zone. When done it will look something like this.

Now your log will look like this

Note however it only seems to keep closures in the log after a sensor has been closed.
To unhighlight the sensor that was tripped / clear the fault on the keypad (even in unarmed mode) you need to disarm a couple of times. Note there may be a lag in seeing this in the web interfaces.

Homeseer plugin

In Homeseer you will need to add the Envisalink Ademco (Spud) plugin.
The config screen looks like this

The devices created (by clicking the Update zone devices button) look like this
Note yours may not have the  as that indicates it is not health checked in my setup. See my ChkSensors.vb script.

A cheat sheet on arming and disarming from the panel. Note the Chime disarmed option is not supported by the plugin as a control, but it does recognize it when set on a keypad.





Friday, September 7, 2018

Running a camera on battery


What I wanted to achieve.

I wanted to get a cam on my mailbox, which is across the street. But the closest place to an outlet that could get line of sight is over 300 feet from any building and across the driveway. So we are talking major construction to run a power line or PoE cable out there. I already have a couple of cams down by the creek running longer distances from my super AP (a UniFi AP Outdoor+ with a Ubiquiti Airmax Omni AMO-2G10 10 dBi 2.4 GHz Rocket antenna), so I started to wonder what kind of battery it would take to power a camera.

Moved the body of this to my camera blog where it makes more sense after adding camera compare info. Leaving this here to make it easier to find.


Friday, September 15, 2017

Arris cable modem issue / securing your home network

If you have an Arris cable modem, especially if you have AT&T internet, you should read this. It shows why you ALWAYS want a router between you and your cable modem. BTW TWC uses Arris too, but it is unclear at this time whether it has the same bugs.



To check to see if your modem is exposed, even if it is not an Arris

The easiest way to check is to go to Steve Gibson's ShieldsUP and see if any ports are responding on your cable modem.
Check "All service ports", then run a custom port scan on ports 49955, 61001, 49152 and 8080.


You want to see all green
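If you would rather run the same check yourself from a machine outside your home network (the probe has to come from the internet side, as ShieldsUP's does), here is an added Python script, not from the original post, that attempts a TCP connect to the ports listed above and classifies each as open, closed (refused) or filtered (no answer, which is the "green" result you want). The target host is a placeholder you replace with your own public IP.

```python
import socket
import sys
from typing import Dict, Iterable, Tuple

# Ports the post says to probe on an Arris modem.
ARRIS_PORTS = (49955, 61001, 49152, 8080)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    'open'     - something accepted the connection: the modem is reachable on that port
    'closed'   - the host actively refused (RST): nothing listening, but the host answers
    'filtered' - no reply within the timeout: dropped by a firewall (what you want from outside)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout and unreachable-network errors both land here
        return "filtered"
    finally:
        s.close()


def check_ports(host: str, ports: Iterable[int] = ARRIS_PORTS, timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in the list and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed_ports(results: Dict[int, str]) -> list:
    """The ports that need fixing: anything that accepted a connection."""
    return sorted(p for p, state in results.items() if state == "open")


def demo_on_loopback() -> Tuple[str, str]:
    """Offline sanity check: one listening loopback port and one known-free one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    free_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so a connect is refused
    try:
        return probe_port("127.0.0.1", listener.getsockname()[1]), probe_port("127.0.0.1", free_port)
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder: use your own public IP
    for port, state in check_ports(target).items():
        print(f"{target}:{port} -> {state}")
```

Run it as `python3 probe.py <your-public-ip>` from outside your network; any port reported open is one to close at the modem, as the next section describes.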


Stuff to fix / check

Lastly, if you have never changed your router's password or you see ports open in the above tests, go to the Arris web interface from a browser.
Change the password if it is still the default (Basic settings -> login settings). Make it something random and at least 12 characters.

On LAN Settings, Enable UPnP should be unchecked. (UPnP allows devices on your network to open holes in your firewall.)

I would turn off the WiFi on the modem if you have any other access points. All WiFi should be encrypted no matter what provides it, or else sit ahead of any router you use to protect your devices.

If you have something you need to access from outside the home, like a webcam, first find your router and add it to the reserved IP list so its address will not change.

Add a port forward at the modem to the router that the cam (or device / PC) is on.



If you have multiple cams / devices / ports you can forward a range like this.
You will then need to forward each port to the correct cam / device on your router. That is different depending on brand and even version, so you will need to google that bit if it is not obvious from the router's interface. Look for something that says port forwarding. For instance, on a Unifi router the instructions look like this.

One last thing

You actually want to have a couple of routers: one for your PCs and phones, and one for all the rest of your stuff like Blu-ray players, cams, TiVos, home automation hubs... all the things that might not be all that secure. As an added measure, set that router's firewall to only allow the things you KNOW need to call out to the internet to do so. There have been a lot of reports lately, for instance, of webcams being shipped with malware on them. If they cannot call home or be connected to directly from outside, they cannot be used in botnets or as platforms to attack your other devices.