Smart-home security chatter

One side of smart-home internet is celebrating an open future, and the other side is warning that some of the cameras already inside people’s homes can still be cracked open from the outside. Home Assistant’s annual “State of the Open Home 2026” event ran on April 8 in Utrecht, while United States cybersecurity alerts and consumer watchdog reports keep documenting camera flaws that can expose live feeds or let attackers seize control. (home-assistant.io) (cisa.gov) Home Assistant is the software a lot of hobbyists use as the “one remote” for the whole house. It connects lights, thermostats, speakers, locks, and sensors from thousands of brands so one rule like “after sunset, if motion starts in the hall, turn on the lamp” can work across devices that were never designed to cooperate. (home-assistant.io) The pitch from the Home Assistant crowd is “open home,” which means your house should keep working even if a vendor changes its app, shuts down a cloud service, or gets acquired. The Open Home Foundation said in April 2024 that it was created as a non-profit to protect privacy, choice, and sustainability, and Home Assistant now says plainly that it “can’t be sold or acquired.” (openhomefoundation.org) (home-assistant.io) That is why Franck Nijhof’s post landed with Home Assistant fans this week. The 2026 event was framed around “building in the open,” and the official site tied it to an agenda, speakers, and a live stream rather than a closed-door product launch. (sotoh.openhomefoundation.org) (home-assistant.io) The security argument for that approach is simple: local control is like keeping a spare key in your own drawer instead of handing it to five companies and hoping none of them lose it. Home Assistant’s official Matter support says devices can run on local Wi‑Fi or Thread networks through its own controller software inside the home, which reduces how often basic commands need to leave the house for a vendor cloud. (home-assistant.io) Now the other half of the story: a smart camera is not just a camera, it is a tiny computer with a lens, a microphone, a network connection, and a password reset flow. If any one of those pieces is badly built, the product can become less like a lock on the front door and more like an open window. (consumerreports.org) The warnings are not hypothetical. In March 2026, the Cybersecurity and Infrastructure Security Agency published an advisory on Apeman cameras saying successful exploitation could let an attacker take control of the device or view camera feeds. (cisa.gov) A separate March 2026 advisory on Honeywell HIB2PI and HDZ series cameras described an unauthenticated application programming interface endpoint that could let an attacker change the password-recovery email and take over an account. That is the digital version of someone filling out your mail-forwarding card before you notice anything is wrong. (cisa.gov) Consumer Reports found the same pattern lower down the market in a February 2024 investigation into cheap video doorbells sold through major retailers and marketplaces. Its researchers said some models had serious flaws, including weak security design and exposed data, even though they were being sold in places shoppers usually treat as basic trust filters. (consumerreports.org) (innovation.consumerreports.org) The artificial-intelligence rush adds a new layer because vendors now market cameras as package detectors, face recognizers, baby monitors, pet watchers, and natural-language assistants, which means more software, more cloud processing, and more data retention. Every extra feature is another moving part, and moving parts are where security bugs usually hide. (consumerreports.org) So the chatter around this week’s Home Assistant event is really about two different futures for the same house. One future puts more control on hardware you own under a non-profit umbrella; the other keeps adding internet-connected eyes and ears whose weakest password-reset page can undo all the convenience in one shot. (openhomefoundation.org) (cisa.gov)