[Technical] The pros and cons of DNS Rebinding protection

Actually, every Homey knows its hostname - at least I hope so. So, during “E.T. calls home”, it’s possible to also ask for certificates. Yes, this is an additional connection and may also lead to some delay during the initial connect (and also when someone changes the hostname). But in theory this must work.

Yeah, of course… or nope, if The Bad is really interested… or just a DIY-er with a “Pringles cantenna”. And even without such equipment. I have seen ~50 different WiFi networks on my phone in a “normal situation” (just a dense living block, not some exhibition or something).

About targets… Actually, Homey smells like honey to an attacker. For a professional, it’s the key to the door lock, the disarm button for the alarm system and also a presence indicator. For an amateur it’s very interesting to see: send a packet and there the light switches on.

About communication between phone and Homey - start some sniffer and look at how many “Bonjours” and SSDPs you can count from Homey during a minute. So, the target is self-advertising. Just sniff some real connection (as this is WiFi, it’s public, no need to fool switches) and take the bearer.

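The sniffing point made in the post above (the hub self-advertises over mDNS/Bonjour and SSDP, and a cleartext HTTP session on the same WiFi exposes its bearer token) can be turned into a small capture-analysis script. This is an added example, not code from the post's author or from Athom: it counts SSDP NOTIFY and mDNS announcement datagrams per source and flags any `Authorization: Bearer` header seen in cleartext. The packets, addresses, service names and the token value are all constructed here for illustration and are not real Homey traffic; on a real capture you would feed it the UDP/TCP payloads from a pcap and restrict the count to a one-minute window.

```python
"""Count self-advertisements and cleartext bearer tokens in captured datagrams.

Added example for the forum post above; not the author's or Athom's code.
All sample packets below are constructed, not captured from a real device.
"""
import re
import struct
from collections import Counter

SSDP_PORT = 1900   # UPnP/SSDP multicast discovery
MDNS_PORT = 5353   # mDNS / Bonjour
PTR_TYPE = 12      # DNS PTR record, used for service instance announcements


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_mdns_announce(instance, service="_http._tcp.local"):
    """Build a minimal mDNS response announcing one PTR record (constructed)."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # response, 1 answer
    rdata = encode_name(f"{instance}.{service}")
    rr = encode_name(service) + struct.pack("!HHIH", PTR_TYPE, 0x8001, 4500, len(rdata))
    return hdr + rr + rdata


def read_name(payload, off):
    """Read a DNS name at offset, following one compression pointer if present."""
    labels = []
    while True:
        ln = payload[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # pointer: rest of the name lives elsewhere
            ptr = struct.unpack("!H", payload[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(payload, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(payload[off:off + ln].decode("ascii", "replace"))
        off += ln


def parse_mdns_answers(payload):
    """Return announced names from an mDNS response; [] for queries/garbage."""
    if len(payload) < 12:
        return []
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:  # QR bit clear: a query, not an announcement
        return []
    off = 12
    for _ in range(qd):  # skip question section
        _, off = read_name(payload, off)
        off += 4
    names = []
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == PTR_TYPE:  # rdata is the service instance name
            inst, _ = read_name(payload, off)
            names.append(inst)
        else:
            names.append(name)
        off += rdlen
    return names


def parse_ssdp(payload):
    """Return headers of an SSDP NOTIFY message, or None if it is not one."""
    text = payload.decode("latin-1", "replace")
    if not text.startswith("NOTIFY * HTTP/1.1"):
        return None
    headers = {}
    for line in text.split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers


BEARER_RE = re.compile(rb"^Authorization:\s*Bearer\s+(\S+)", re.I | re.M)


def find_bearer(payload):
    """Return a bearer token sent in a cleartext HTTP header, if any."""
    m = BEARER_RE.search(payload)
    return m.group(1).decode() if m else None


def analyse(datagrams):
    """Classify (src_ip, dst_port, payload) tuples; return counts, names, tokens."""
    adverts = Counter()  # (src_ip, "ssdp"/"mdns") -> number of announcements
    services = set()     # advertised service names / LOCATION URLs
    tokens = {}          # src_ip -> bearer token observed in cleartext
    for src, dport, payload in datagrams:
        if dport == SSDP_PORT and parse_ssdp(payload) is not None:
            adverts[(src, "ssdp")] += 1
            services.add(parse_ssdp(payload).get("location", ""))
        elif dport == MDNS_PORT:
            names = parse_mdns_answers(payload)
            if names:
                adverts[(src, "mdns")] += 1
                services.update(names)
        else:
            tok = find_bearer(payload)
            if tok:
                tokens[src] = tok
    return adverts, services, tokens


# Constructed capture: a hub at 192.168.1.50 advertising, a phone at .23 talking to it.
SSDP_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
               b"NTS: ssdp:alive\r\nUSN: uuid:0000-example::upnp:rootdevice\r\n"
               b"LOCATION: http://192.168.1.50/description.xml\r\n\r\n")
HTTP_REQUEST = (b"GET /api/manager/devices HTTP/1.1\r\nHost: 192.168.1.50\r\n"
                b"Authorization: Bearer example-token-not-real\r\n\r\n")
SAMPLE = [("192.168.1.50", SSDP_PORT, SSDP_NOTIFY)] * 3 + [
    ("192.168.1.50", MDNS_PORT, build_mdns_announce("Homey")),
    ("192.168.1.50", MDNS_PORT, build_mdns_announce("Homey", "_ssh._tcp.local")),
    ("192.168.1.23", 80, HTTP_REQUEST),
]

if __name__ == "__main__":
    adverts, services, tokens = analyse(SAMPLE)
    for (src, kind), n in sorted(adverts.items()):
        print(f"{src} sent {n} {kind} announcement(s)")
    print("advertised:", sorted(services))
    print("cleartext bearer tokens:", tokens)
```

The mDNS parser deliberately accepts only responses (QR bit set), since queries from the phone are not the hub advertising itself; the SSDP branch accepts only `NOTIFY`, for the same reason. The bearer check is the part that matters for the post's argument: a token in a cleartext request header is capturable by anyone on the same open or shared WiFi.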