Creating a connected object is easy! That is what we often think, or believe we know, when we build our first DIY project with an Arduino. When I attend IT conferences and listen to others talk about projects completed over a weekend or two, that is the impression I get. Strangely, though, when I design an object I ask myself a lot of questions and write a lot of code, not just to make a simple lamp work, but to make sure it works simply and securely… The saying goes that the “S” in IoT stands for security (geeks will understand), and if IoT has a bad reputation it is because of its history (though we could also talk about MS-DOS, W3.11, W95…), but also because of a lack of understanding of what IoT devices really are. Drawing on a personal project to understand how a connected bulb works, I will attempt in this article to show you part of the non-functional code used in such a simple object, whose functional purpose can be summarized as adjusting the light intensity between 0 and 100% and changing the color hue.
Tag Archives: security
Frigate – Manage IP Camera with a Raspberry Pi
As a long-time user of high-quality video surveillance systems like Synology and Ubiquiti, I’ve grown accustomed to deploying and relying on their robust, feature-rich ecosystems. This time, however, I was looking for something more affordable, focused solely on video management, without the overhead of NAS capabilities or other advanced features. I needed a lightweight solution that could run on a Raspberry Pi—and on Guillaume’s recommendation, I turned to Frigate. This open-source tool offers live video stream management, recording capabilities, and even optional AI-based video analysis. It looks promising and well-built. This post is, as usual, a log of my journey testing this setup in real time. It’s also an excuse to finally experiment with a Raspberry Pi 5, which I’ve paired with an NVMe drive for video storage, avoiding the SD card’s limited endurance under heavy I/O workloads. I’ll admit it’s slightly ironic to now need this much power for tasks I used to run smoothly on Synology boxes over a decade ago. Even funnier is that Frigate may require a neural accelerator for its AI features—something that seems excessive when you consider that modern AI models like YOLO run on microcontrollers with far less processing power. That said, I don’t plan to use AI in this setup (at least not yet), but I’ve still opted for a dual PCIe HAT to keep the door open for testing a Coral accelerator in the future.
IoT slide deck 2024-09 Update
Here is the update of my IoT slide collection, which now approaches 400 slides that you are free to reuse. In this new edition, you will find technical elements on Meshtastic, Mioty, DePin, LoRa updates throughout, and a few introductory slides on blockchains. However, on this point, my new deck, published a few days ago, is more relevant.
As usual, to go further, you can find video content on my YouTube channel, like my new MOOC about blockchain and my IoT MOOC (long version) posted this year.
Understand IoT Security
Who doesn’t associate the word IoT with security issues in 2022? Apart from those who actually do IoT, maybe? As in every emerging domain, shortcuts are easy because the domain is poorly understood. I will try to give you some elements on what cannot be denied: security, in IoT as in other technologies, is an essential element. I will especially take care to explain why it is so essential in IoT, why this subject is poorly understood, and also why we often talk too much about it.
Filter X-Forwarded-For Apache
The XFF (X-Forwarded-For) HTTP header can be used to obtain the remote IP address when an HTTP server is located behind a reverse proxy. If the proxy does not sanitize the XFF header, you can’t trust it. Worse, this header can be used to inject code into your website.
I’ve seen such an issue in a security plugin that logged the remote IP field without filtering it. As this value came from XFF, it was possible to inject JavaScript into the database remotely and have that JS executed when the dashboard of the “security” plugin was displayed.
One option to solve this is to clean the XFF header (or reject the request when the XFF value is not clean). This can be done with a simple configuration in the HTTP server config file (or .htaccess):
# Reject requests whose X-Forwarded-For header is present but does not
# look like a list of IPv4 addresses (digits, dots, spaces and commas,
# 7 to 36 characters long). Requests without the header pass through.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^$
RewriteCond %{HTTP:X-Forwarded-For} !^[0123456789.\ ,]{7,36}$
# "-" leaves the URL unchanged; R=404 returns that status and stops rewriting
RewriteRule ^ - [L,R=404]
Here, the first condition only applies the check when an XFF header is actually present; a present XFF value containing anything other than digits, dots, spaces and commas, or shorter than 7 or longer than 36 characters, is rejected with a 404, and the [L] flag makes this the last rewrite rule processed.
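The same check, written in Python as an added example (not from the original post) so you can see which header values the rewrite rule accepts and rejects, next to a stricter parser that validates each comma-separated entry as a real IPv4 or IPv6 address; the sample header values are constructed for illustration:

```python
import ipaddress
import re

# Same character class and length bounds as the RewriteCond above
# (digits, dots, escaped space and comma; 7 to 36 characters).
XFF_APACHE_PATTERN = re.compile(r"^[0123456789.\ ,]{7,36}$")


def passes_apache_rule(xff):
    """Mirror the rewrite logic: an absent/empty header is let through
    untouched; a present header must match the pattern or gets a 404."""
    if xff == "":
        return True
    return XFF_APACHE_PATTERN.fullmatch(xff) is not None


def parse_xff_strict(xff):
    """Stricter alternative: split on commas and require every entry to
    be a syntactically valid IPv4 or IPv6 address. Returns the list of
    addresses as strings, or None if any entry is not an address."""
    if xff == "":
        return []
    addrs = []
    for entry in xff.split(","):
        try:
            addrs.append(str(ipaddress.ip_address(entry.strip())))
        except ValueError:
            return None
    return addrs


# Constructed sample header values (not real traffic).
SAMPLES = [
    "203.0.113.5",                  # single IPv4 client
    "203.0.113.5, 198.51.100.7",    # client plus one proxy hop
    "2001:db8::1",                  # IPv6 client
    "<script>alert(1)</script>",    # stored-XSS style junk
    "1.2.3",                        # too short / not an address
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:30} apache={passes_apache_rule(s)!s:5} "
              f"strict={parse_xff_strict(s)}")
```

Note that the Apache pattern rejects the IPv6 value while the strict parser accepts it, so a server behind an IPv6-capable proxy needs a broader pattern than the one above.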
Secure your children’s Internet access
I’m a big fan of Pi-hole for my children but also for my IoT devices [not the ones I build but the ones I purchase 🙂 ]. That said, there are two things missing in it:
- The first is that Pi-hole operates on DNS requests, so any malicious solution using its own DNS server or connecting to IP addresses directly will bypass the Pi-hole protection.
- The second is the lack of features such as blocking Internet access for a given group of users during certain periods of time.
So, when a friend contacted me to share his work on a different solution based on a proxy, I was happy to let him write a blog post here to introduce it. This solution can be used as a complement to Pi-hole. So, let’s make some room here for Manu PILLANT.
IoT Decoded Podcast EP#1

First episode of my IoT podcast. This month is about IoT market studies and how numbers can be bullshit when they come from certain analysts. We also talk about the LoRaWAN world distance record.
This first episode is a test: a poor and a bit dirty (or too long) episode, meant to try out the podcast concept on my blog. It is going to be a monthly rendez-vous on IoT and especially LPWAN news.
Stop telling me Sigfox is clear payload, for real you’re just lazy ;)

The usual attack on the Sigfox network concerns its “security”. Behind this broad concept, the only concrete point is the use of clear payloads over the air. As a consequence, some extend this to a possible replay after 2048 frames, which, for a standard use of Sigfox, would be about 6 months later…
That said, for real, all of this is just ignorance from these pseudo “security” experts and developer laziness. Don’t beat me for saying that: I’m one of the lazy developers; the only difference is that I’m not complaining and I’m aware the solution is in my own hands.
Because, for real, payload encryption exists, as documented in the post I published in May 2017 and detailed in the February 2017 technical security paper published by Sigfox, or in this document.
So saying that Sigfox does not offer payload encryption is wrong, and this option also fixes the “6 months later” message replay. It’s like saying Wi-Fi is not secure because you can create an open network.
So now, let’s see why encryption is not the default option, why a network-level encryption standard is not the best option, and then see how to stop being a lazy developer and make encryption work.