Why the big deal connecting to smartphone?

Noob.

I searched for info on connecting to my dashboard with my smartphone.

What I found was lots of admonitions against doing so and warnings to tread carefully—because security.

Ok, sure. Security.

But isn’t IoT literally all about connecting devices to each other? What good is a dashboard in this age if you can’t access it remotely? And isn’t IoT what node-red is all about?

Why aren’t remote connections safe and practical to establish? The impression I have is that you need to almost double as network administrator/security expert just to do this—if you choose to ignore the admonitions.

Remote connections can be safe if the security is done well, and you know what the implications are.

Opening up a port on your router would be considered quite unsafe by many but people still do it. I guess as long as you know the risks then you can make the call.

A better and safer option is using a VPN, but it still leaves you exposed to a degree, for example if you were to lose your phone.

An even better way is connecting indirectly via an app like Telegram. Also probably less complicated than setting up a vpn correctly but a little more restrictive in its use.

And there are other more complex, and perhaps safer, options available as well, but can require more effort to administer.

So, remote connections can be safe and practical, if you have the knowledge.

This is nothing to do with node-red. It would not matter what application you were running, and trying to make accessible from the internet, you would still need to consider the security implications. Once you make your system accessible from the internet it will be found by bots run by those with malice in their minds and you must take measures to deter them from getting in. As is obvious from the fact that one regularly hears of large companies getting hacked this is not a trivial task.

I think what you need to keep in mind is how Node-RED works and how remote access, for example in commercial IoT solutions, works.
In most commercial systems that have an app that does remote access, the app never actually talks directly to your system but instead to the company's servers.
The paid company staff will take care of all the complicated security stuff involved in this and not just providing the infrastructure and middle man.
E.g. they will set up all the firewalls, certificates, authentication systems for you. It's worth their while as you will be just one of many paying customers connecting to that infrastructure and you will never see all the security implications. There are actually a few people on this forum who do get paid in their day jobs to care about stuff like that full time.
Now apply that to Node-RED. Node-RED is an open source project which you run 100% locally on your infrastructure.
So in this case you will have to do all the above yourself. It's just outside the scope of Node-RED to even think about providing the infrastructure for everyone to connect remotely.
So you will have to do the work yourself that you pay others to do when using commercial systems.
That's a choice you make when choosing something like Node-RED.
All that said, I'm very happy with my VPN setup.
It's really not that hard to set up something like OpenVPN and some router suppliers like AVM even have built-in VPNs out of the box.
And should my phone get stolen, the VPN is the least of my worries.
Just my 2 cents, Johannes

1 Like

err no... it is one main use for it - but it isn't what it's all about. It's about a visual way of writing code that handles events. Events can come from anywhere, like production lines, business processes, databases, people pressing buttons, social media, and indeed lots of things. If you wrote the code in Python, C, C++, Java, PHP, whatever, you would still need to make it secure.

2 Likes

To do it safely, yes.
However, there are some easy solutions around to make a safe network; VPN is one of them. Even setting up a VPN can be a pain in the *ss to get it working on all sorts of devices.
Have a look at ZeroTier, it makes it very easy to set up your private WLAN.

Connecting devices, yes - IoT devices. Your smartphone is not, primarily, an IoT device but rather an End User Computing (EUC) device. It is massively powerful and incredibly complex. It is also a very large target.

In well architected IoT, devices are isolated from external access as far as possible. They are often kept on separate private networks. That is because IoT devices generally have very limited security capabilities. Organisations that get this wrong end up being a massive pain to the rest of the world as their devices end up in global botnets that are used to attack other people. If they have valuable information, they end up leaking that as well. You don't need to look very far to find this problem, check out references to the Shodan search engine for example.

It is extremely useful if you don't need it remotely :grinning_face_with_smiling_eyes:

When I am out of the house, I really don't need to see lots of detail, a simple text message or text command is all I need as in this example telegram command and response from Node-RED:

If more is needed, I can remotely start up a temporary HTTPS VPN (vastly easier to set up than a full VPN) using NGROK (not secure by default, check out my previous post on the subject) which will give me the access I need. A telegram command starts and stops the NGROK connection. Excellent security that I don't have to worry about. Minimal setup.

Why do politicians lie? Why do people steal?

The global networks that you take for granted are very complex and have to run through many different, often untrusted, nodes.

Yes, you do. If you are going to connect powerful tools up to the internet, you have a moral responsibility to keep everyone else safe, not just yourself. This is not the forum to go into details about that subject though I would happily have a PM conversation with you about it.

It is, of course, your ability to ignore what is being said. You can connect things up without security certainly. None of us can or would stop you.

Can I just say that, while VPNs can be better and safer, they are not a sinecure. Personally, I never recommend full VPNs to people without networking and security experience. That is because it is very easy to end up with something that appears to be secure when it really isn't.

That is why I recommend services like NGROK to people with limited experience - indeed, as you've seen, that is what I use myself even though I could certainly create full, secure VPNs with the equipment I have.

What you need to remember as well is that a full VPN is extending your local network out, via the Internet, to a remote device. If that device itself is compromised, the attacker has full access to your network.

Our modern systems are full of valuable information and chock with powerful processing capacity - both things that attackers are looking for.

1 Like

Thank you all for the meaningful replies---and for letting me play devil's advocate. I'm learning things from you people.

My hope has been to create a dashboard for an automatic or remote-controlled machine---a quadcopter, say---and monitor the state of that machine remotely during operation.

I couldn't follow a quadcopter everywhere, so I would need the dashboard to stay with me while the sensors and other data sources go with the quadcopter...

I guess it's OK if the dashboard is accessible on just one device (smartphone, ipad, laptop, pc, whatever)... but the data would have to be sent in remotely from the quadcopter (or other machine).

Is security still a big concern here? If I transmit my quadcopter data wirelessly using a wireless shield of some kind, then receive that data on my laptop and process it there, then feed it to node-red to drive a dashboard in real time... and keep that dashboard confined to that laptop...

...Is this OK? I know nothing about VPNs or NGROKs yet... Even TCP connections faze me... so it's important to me that there be a simple way to get started before digging in deeper and deeper---you know, to have a gradual progression toward something usable, but a quick start somehow so I don't have to master two new sciences to start seeing meaningful results...

That is fine under 2 conditions:

  1. You use a secured Wi-Fi connection.
  2. You are using your laptop (or some other dongle) as a Wi-Fi hub. As opposed to using some kind of public Wi-Fi connection.
  3. You only allow the drone to connect to your Wi-Fi hub, nothing else.

In truth, security for this - apart from (3) is probably not so much of a concern unless you happen to be trying to operate the drone somewhere like Syria where lots of military are operating, or near the US Capitol during a riot! I think you get the drift :grimacing:

As has been said, there is a considerable amount you have to learn and do if connecting a server over the Internet. It really isn't that hard as long as you think everything through.

Starting on your local network is easiest and safest while you learn the basics. Creating your own Wi-Fi hotspot would be next up but you still need to learn about how to make a secured hotspot. Though the risks will generally still be quite low (but certainly not zero and they will go up dramatically in busy cities and in countries with aggressive military and police presence).

If we manage to wake @dceejay up from his dark corner, he may be willing to re-share a project that he worked on very early in the life of Node-RED - about controlling a drone :wink: - that was done on a local Wi-Fi network I think (or some other local wireless connection, not sure).

1 Like

Ah wow that was a long while ago... Must have been Node-RED 0.9 territory... - but yes that was effectively your architecture 1 - the drone had a private wireless link to a groundstation and we had a direct connection to that. So it was all isolated. Setting up a secure wifi hotspot shouldn't be hard - after all you could use a home wifi AP with a decent password and just NOT connect it to the internet - but in that case I would be more worried about signal strength and the drone outflying the range etc.

1 Like

Thanks @dceejay! This is all new to me. How can I set up a private wireless link to a ground station? What constitutes a ground station, anyway? Also, are you saying that if I have a wi-fi hot spot disconnected from the internet, I could still use it to communicate with my drone?

I can imagine the degree of eye-rolling I just provoked here... Sorry... I don't know how I don't know these basic things...

It is just a private Wi-Fi access point. You can set one up with a Wi-Fi router or a dedicated AP. A Pi can be a low-cost AP for example. Or a laptop can be configured for its Wi-Fi to be an AP.

That is correct.

Yes. All you have to do is connect the Drone's wifi to your own AP.
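
The three conditions listed earlier in the thread (secured Wi-Fi, your own hub, only the drone allowed to connect), sketched as a hostapd configuration for a Raspberry Pi access point. This is an added example, not something posted by a participant; hostapd as the AP software, the file paths, interface name, SSID, passphrase and MAC address are all assumptions or placeholders.

```conf
# /etc/hostapd/hostapd.conf (assumed path; hostapd is an assumed choice of AP software)
# hostapd does not allow trailing comments, so every comment sits on its own line.

# Condition 2: your own hub. The Pi itself is the access point. With no IP
# forwarding or NAT configured towards another interface, the network has no
# route to the internet.
# Assumption: the Pi's wireless interface is wlan0.
interface=wlan0
driver=nl80211
# Placeholder network name
ssid=drone-ground-station
hw_mode=g
channel=6

# Condition 1: secured Wi-Fi. WPA2-PSK with AES-CCMP only, no WEP or TKIP.
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Placeholder: replace with a long random passphrase (8 to 63 characters)
wpa_passphrase=REPLACE-WITH-LONG-RANDOM-PASSPHRASE

# Condition 3: only the drone may connect.
# macaddr_acl=1 denies every station that is not listed in accept_mac_file.
# MAC addresses can be spoofed, so this supplements the passphrase and
# never replaces it.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
# Allow a single associated station at a time: the drone
max_num_sta=1

# Contents of /etc/hostapd/hostapd.accept, one MAC address per line
# (constructed placeholder, use the drone's real address):
# 02:00:00:00:00:01
```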