Security for IoT devices is kind of the ultimate rathole. SSL/TLS/OAuth, etc – I agree definitely not worth the cost and inconvenience. I’m all for protecting the user experience. Additional security should be optional.
What I’d advocate for is the ability to set a simple password on the Web UI – something to keep the curious/silly/casually malicious from doing things like changing settings or editing and deleting patterns just because they happen to have access to the wifi network the PB is on.
The use case here is pretty simple: It keeps random friends and relatives, and doofoids with (readily available) wifi cracking tools from killing your mobile art projects or changing your store, show, or home lighting.
I wouldn’t bother protecting the websocket UI because it’s harder to do something consistently and interestingly harmful that way. Also, I’m not worried about physical access, because let’s face it, physical access means game over for security. This is mostly about bozos with cell phones.
Determined hackers… I don’t think they’re going to be such a problem for Pixelblaze. I mean, it’d be interesting to make a coin mining pattern, but given the constraints, there are better targets out there.
(Personally, I actually don’t need this at home – I isolate IoT devices on a network segment that’s not accessible to guests and doesn’t broadcast its SSID. All interaction from the guest wifi segment is done via various proxies, running on my highly paranoid firewall/DNS server machine. Plus, I’m out in the middle of the desert!
But installing for friends/clients who aren’t on the crazy side of the technical spectrum, and who want to let visitors use their wifi, a password option could be helpful.)