We use the precision cooker to maintain a water bath temperature on a piece of equipment we manufacture (works great too!). We would like to have our controller (which has a Microchip RN4020 Bluetooth V4.1 low energy module embedded in it) be able to set and monitor the temperature of the cooker wirelessly as the top mounted controls are hard to reach in our physical layout. Any suggestions as to how to communicate with it?
Paging @Bill. @Robr, you’re asking for Anova to release their api for the PC to you. Me (having a background in technology security) would never advise a company to do that - once it’s out in the public domain, the “black hat” community will have a field day with it.
If you publish the API, then the hackers will delve into the firmware in the unit and figure out how Anova has implemented their security for their cloud infrastructure (and what vulnerabilities it has) and create some lovely tweaks to give everyone grief.
Sorry to take an extreme view on this, but this is a vulnerability of having a shared cloud for control - if its security becomes compromised, you may see a lot of people chasing after Anova for a refund.
I too would like to see an API, not for development purposes as Robr, but simply out of technical interest as an IT professional with well over 30 years in the biz. I manage systems development for a mid-sized US city and, while not a specialist, deal with IT security issues daily. I don’t share Mr. fischersd’s vulnerability assessment — assuming, of course, that Anova has built security into their product of the sort summarized here. If that is not the case then they should set to work on it!
@dhgancarz said:
I too would like to see an API, not for development purposes as Robr, but simply out of technical interest as an IT professional with well over 30 years in the biz. I manage systems development for a mid-sized US city and, while not a specialist, deal with IT security issues daily. I don’t share Mr. fischersd’s vulnerability assessment — assuming, of course, that Anova has built security into their product of the sort summarized here. If that is not the case then they should set to work on it!
You don’t expose vulnerabilities in your products simply because people have curiosity, nor because someone has a “one of” use for it. There needs to be a business driver for doing so. Especially in the IOT (internet of things) realm we’re moving into. Homes are going to be more exposed and those networked devices prone to attacks.30 years in IT doesn’t add any measure to your quality of opinion. Security isn’t something that’s just bolted onto a product. Often the best defence is ensuring no interface information is leaked to the public. Don’t arm the hackers with unnecessary information and they’ll find fewer exploits to cause you headaches.
Huh? I thought Anova had already released their SDK or API with the blue tooth version. And why would either affect the cloud security. Do you need a cloud account to use wifi or Blue Tooth? If some disgruntled Anove customer is smart enough to disrupt my home appliances well better they start with my Anova than my giant freezer:) I am sure it will happen eventually but their are a lot of smarter than Anova appliances, door locks, security systems etc. in place for years that seem to be pretty functional.
Not saying it couldn't happen but worse case I would lose an expensive cut of meat, and I would feel pity for the poor fool who has nothing better to do with there time than mess up my sous vide cooking. They would have to attack me at the right time as I do not sous vide constantly and chances are I would notice and correct it. Maybe there will be a worldwide attack if and when someone is smart enough to do it and is motivated to do it. Doubt it will happen in the next 10 years but if it did we would find out pretty quick. Again worst case one meal ruined and likely not even that.
@Helen, just to put this topic to bed.
The API that would have been published (about a year ago or so) for the bluetooth PC will almost certainly have similarities to the wifi PC.
The difference in behaviour is that the wifi PC connects over your wifi to Anova’s cloud (which their app is able to connect to over any data connection - cellular or wifi - didn’t appear bluetooth was an option yet - only used for initial setup).
No matter how tightly you secure everything, anytime you allow connectivity over the internet, you’re exposing your infrastructure.
To the end user, the “scary” scenario would be if they find a way to compromise the security of the cloud. Hackers aren’t interested in ruining an individual meal. Now, if they could give everyone that has a cloud connection with a Sous Vide device food poisoning? Yep, that’s newsworthy - and that’s what these guys are all about…making an impact.
It’s simply the argument about whether you expose the interfaces or not. If you do, you arm the “black hat” community with more information.
@ fischersd Interesting.
So you feel that publishing the Wi-Fi API would result in massive destructive behavior? Not arguing, anything can happen in this world. And pretty well anything that communicates over the airwaves can be hacked I would think.
An assumption I make is that the Black Hat people do not actually need the Anova API, just any appliance API using this protocol to accomplish this. Or do it without. And more are coming out.
I see the recently announced ChefSteps Joule Sous Vide wand also is Bluetooth/Wi-Fi .
Sorry to bore you further but I am pretty interested in the topic generally. I know that a few people have had their cook fail by dropped/restarted connections with their blue tooth device. Probably not Anova's fault, but intrinsic to the use of the Smart Blue Tooth APIs?
I would like to see a more robust App myself. The benefits for me outweigh the risks and some risks might be actually reduced.
Their are a lot of DIY Smart Bluetooth controlled project board based articles/videos so it may become attractive to hackers.
Well I am meandering on so I will stop now. Sorry for that.
@Helen Do I think it will result in Anova’s cloud being compromised? Probably not - the user base may not be big enough to appeal to the hackers - they’re all about how big of an impact they can have (well, and the technical challenge).
“just any appliance API using this protocol” - umm, which protocol? The thing about an API with a device is that it is unique to that device. (those are all of the interfaces / triggers you can manipulate with your code). The actual protocols over the wire are how you get there. Those would also need to be published (the bluetooth ones having already been so - though they may have changed with this unit).
The only reason that hackers were interested in near field applications such as bluetooth and NFC are to be annoying (and put a few extra bucks in their pockets when they’re at the mall). Keep in mind…a lot of these kids just ride on the coat-tails of the ones that do the heavy lifting - all of the work to find these exploits. Once the exploits are out there in the public, even those with limited abilities can write code to use them. You have to be close by to use the bluetooth radio - that has limited appeal. Now, having many devices connected to a common cloud - that enters the realm of interesting.
As soon as you have common infrastructure, you have a single point of vulnerability for this functionality (yes, yes, you can have multiple data centres and thousands of servers, using load balancing technology so it’s fault tolerant), but you provide a common means of attack. An “achilles heel” for your customer base. If you get enough customers connecting to the same infrastructure, it becomes a more appealing target. But, sous-vide hasn’t gone completely mainstream yet (I still can’t get decent sous-vide racks in Canada) so, we have a certain amount of anonymity keeping this from being a high profile target…for now.
But, someday? Yep, someday there will almost certainly be something published that will give the infrastructure folks in Anova’s R&D cause for concern. I’m pretty optimistic that they’re going to be highly successful. As long as they have a team keeping their ear to the ground for security threats, they’ll be fine (you simply have to patch the holes before too many know about them) :)
Well you obviously know more than I do about such things. Which is why I keep harping on it perhaps. just want to know.
Regarding which protocol:
I have made the assumption that there is a common protocol/API/SDK available to manufacturers of current small Smart cooking devices. This is based on the following.
All require Bluetooth 4.0
All I have of the apps seen look pretty similar in design.
All are in phone sized windows even on a tablet.
Maybe there is an exception but I have yet to see it. So I assume they are all using the same canned software approach.
In other fields there is Nexus and one other that I cannot recall the name at the moment. I feel reasonably secure with Nexus but I also know anything can and will probably be hacked eventually.
Pretty sure cooking is a low priority in the" Black Hat" world, but I doubt the Anova is equipped to keep up with them if they decide to focus in this area. For a scientific based company they seem a little bit lacking in general programming knowledge.
Actually, protocol could also be called language. To give you an idea of the complexity of communications, you could look at the OSI model: OSI model - Wikipedia (if you do a google images search, there’s lots of pretty pictures showing the layers) 
The API is proprietary to each device family / manufacturer. In time, Apple wants to standardize a lot of these interfaces with their home kit standards (I’m sure Google has similar standards).
Just because the user interface looks the same to you, the end user doesn’t mean that there’s any similarities under the covers. All of the media, transports, protocols and programming languages can be entirely different.
@Robr said:
We use the precision cooker to maintain a water bath temperature on a piece of equipment we manufacture (works great too!). We would like to have our controller (which has a Microchip RN4020 Bluetooth V4.1 low energy module embedded in it) be able to set and monitor the temperature of the cooker wirelessly as the top mounted controls are hard to reach in our physical layout. Any suggestions as to how to communicate with it?
Rob: I wonder if anyone has disassembled an Anova PC to identify the bluetooth chipset being used (and I am not volunteering, btw). That would likely lead to the answer to your question of how to communicate with it. It’s highly unlikely Anova would have developed their own command set — they would just use the one packaged from the manufacturer, just as your firm likely does with the RN4020 API command processor.
Meh, sounds like security through obscurity. If someone is serious about hacking Anova via bluetooth, all they have to do is to disassemble the iOS/Android apps already publicly available.
I was curious too if the Bluetooth commands were public. Want to control from a raspberry pi to do temperature ramps. Looks like someone sniffed the communications: GitHub - dfrankland/sous-vide: 🍲 Node.js API to control Anova water circulators.
I think the security discussion was funny.
found another project here: Anova sous vide control over MQTT - Share your Projects! - Home Assistant Community with python code.
I rather have Anova release their code to someone who may be able to make this POS work as promised.