I hacked my Tado system this week too.
They have a mobile-first website written AngularJS, so I Prettified it's JS which exposed all it's API calls.
( G/PP 💩💩💩💩💩&#128, Fri 6 Mar 2015, 9:50, 1 reply, 10 years ago)

Filthy

( The Light in Chains don't touch the Pope's boner, Fri 6 Mar 2015, 9:51, Reply)

Only a bit,
When I told their Twitter, I was supprised they didn't react a bit stronger, because one of the params is a numerical "ClientID". I don't think that's entirely secure, I didn't test it against the cookie, but if they're accepting that, then the odds are I can change other people's heating.
( G/PP 💩💩💩💩💩&#128, Fri 6 Mar 2015, 9:55, Reply)

and this is why the "Internet of Things" is a dumb idea
By all means have stuff in your house talk to each other, but ffs air gap it from the Internet at all costs.
(localboy purveyor of pisspoor puns, Fri 6 Mar 2015, 10:01, Reply)

If it's done right, then it's OK.
On the Philips Hue system, every time you use a new app, you have to phsyically press a button on the base-station.

This year at WWDC we'll see HomeKit implimented properly, now that manufacturers have had a year to get certifications from Apple - I think that'll do the job properly.

NFC on iOS is locked down due to ApplePay, but it can 'unlock doors' in hotels, so I have no idea how actually locked down it is.
( G/PP 💩💩💩💩💩&#128, Fri 6 Mar 2015, 10:20, Reply)

Not convinced by any means
Even smart TVs are phoning out unencrypted now, pisspoor security through cost-cutting doesn't make me want to touch any of it with a bargepole.
(localboy purveyor of pisspoor puns, Fri 6 Mar 2015, 10:28, Reply)