I’ve been thinking about ways Hubitat can generate long-term, "sticky" revenue without compromising the local-processing mission. I have two suggestions for optional services that many users (including myself) would pay for to avoid the "hassle tax."
1. Managed SMS Service (Twilio-as-a-Service)
With the 10DLC changes, setting up a personal Twilio account for alerts has become a major headache for the average user.
The Idea: Hubitat acts as the "Master Brand" for a 10DLC campaign. Users pay a small monthly fee (e.g., $2–$4/mo) to enable SMS alerts with one click.
The Benefit: Hubitat handles the vetting and compliance. The user gets a reliable "emergency exit" for notifications without the technical setup. It’s high-margin, recurring revenue.
2. Cellular Backup (USB Dongle + Service)
For critical monitoring (sump pumps, equipment, security), the internet being down is a major single point of failure.
The Idea: Offer a branded USB cellular modem and a low-data "Emergency Only" subscription.
The Benefit: This strengthens the "Local First" mission by ensuring the hub stays connected to the owner even when the ISP fails.
These would be purely optional value-adds, similar to Hub Protect, and wouldn't change the core free functionality of the hub. I’m not looking for anything in return—I just want to see Hubitat stay around for the long haul.
They did support Twilio previously; as I recall, it got too cumbersome. As for managing compliance, do you realize how small a company Hubitat is? These suggestions would add significant overhead, likely more than they could hope to recover from them after expenses of offering them. You aren't really getting out of any hassle tax; you're just paying it to a different entity.
I do not understand why people (for several years) keep coming up with ways to initiate new nickel-and-dime subscriptions. Haven't we had enough of everything being moved to a subscription model? Between subscriptions and tipping, it's getting out of hand.
I have a yolink cellular hub. 6 bucks a month. I also have a cellular alarm panel with automation. 20 bucks. Starlink standby on the network. 5 bucks.
If you want cellular or second internet service backup for Hubitat you don't need Hubitat to do it for you. Plenty of options. And freedom of choice since Hubitat can be used anywhere in the world.
That's actually kind of my point. All of those options you listed cost money too — the difference is that money goes to Yolink, your alarm company, and Starlink instead of back to Hubitat. I'd rather see Hubitat benefit from it with a native, integrated solution.
Actually, you are misguided. The money for the service goes to the carrier. Hubitat isn't a carrier. Starlink is a carrier. My cost for yolink is the SIM card and data plan that I can supply myself. The alarm panel is a package of cellular and services. A little different.
There is absolutely no economic advantage for Hubitat to add cellular hardware to the product. It's not positioned like a life safety system or the yolink device.
Assuming one wants to use a service like this, why shouldn’t it be an ongoing subscription?
I hear what you’re saying; the trend towards moving things from a one-time lump sum to a never-ending subscription can certainly be annoying.
But it’s hardly a stretch to suggest that ongoing access to an SMS gateway service should have an ongoing cost associated with it, for those that choose to use it.
That said, I agree with the sentiment that this is unlikely to be of financial benefit for Hubitat Inc. even though there are presumably some users that would want it.
I have no inside knowledge, but I assume they put some consideration into the decision to drop support for SMS rather than spin it into a new subscription-based option.
If someone wants to, that is fine. My general issue is the move towards everything being some kind of subscription and the base tier being barely functional. More and more people are suggesting things that really should be part of the basic functionality and suggesting they be locked behind a subscription. Most services make the base tier so limited it is more likely to drive people away from the product rather than into a subscription.
That was more of a comment on society that we are conditioned now to accept and even suggest a subscription for what should be part of basic functionality. No one thinks twice about $5-$20 a month, but that really starts to add up when you start getting into multiple services.
I do think Hubitat has done a great job of finding a balance between keeping the system robust and very much functional while also offering value-added subscriptions that the consumer has a choice in whether they use and is not obligated to subscribe to to maintain even a basic level of functionality.
SMS is an outdated and insecure technology. Beyond that, there are services out there that the consumer can set up for themselves if they are willing to pay. But to set up, maintain, and monitor for compliance, SMS will likely appeal to such a small subset of users that even as a subscription, it would not only have no financial upside for Hubitat but also be a drain on already limited resources.
Neither do I. I do remember it was dropped several years ago, maybe six or seven years? There was a community integration for Twilio, but I think Twilio tweaked things (possibly started charging more?). It's all sort of fuzzy now, but that was when Pushover and Pushbullet became more popular. Even Pushover is fine; it's a great deal for a one-time $5 charge. To be clear, I am more open to a one-time charge than the constant slow drip of an ongoing subscription.
NIST SMS Security Guidance
NIST SMS Security Guidance - Complete Citations
Classification as Restricted Authenticator: NIST's updated Digital Identity Guidelines (SP 800-63B-4) formally classify SMS/PSTN one-time passcodes as a restricted authenticator. In SP 800-63B Rev 3, SMS OTP was allowed with cautions, but Rev 4 formalizes a second-class status for SMS OTP/PSTN, making clear that it can still be used while its weaknesses are significant enough to require additional conditions. (TypingDNA)
Core Vulnerabilities: SMS vulnerabilities include: telephone number reassignment to new devices controlled by attackers, weaknesses in SS7 security that allow interception of out-of-band secrets, the ability for subscribers or attackers to forward notifications to new devices breaking device possession verification, and activation factors not being cached. (NIST)
Risk Monitoring Requirements: Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret. (NIST)
Mandatory Mitigations if SMS is Used: The use of PSTN for out-of-band authentication (including SMS OTP) under § 3.1.3.3 and § 3.2.9 is considered restricted. At the time of publication, it is the only method in this category. If you rely on SMS for multi-factor authentication, you now need to meet specific conditions and to mitigate its well-known risks like SIM swaps, number porting, device theft, and MITM/relay attacks. (TypingDNA)
Specific Attack Vectors: Security vulnerabilities of SMS OTP include SIM swapping (attackers convince mobile carriers to transfer a victim's phone number to a SIM they control), SS7 protocol attacks (weaknesses in the global telecom signaling protocol allow sophisticated attackers to intercept SMS messages in transit), phishing (real-time phishing sites trick users into entering OTPs which attackers relay immediately), malware (device-level malware can intercept incoming SMS messages), and social engineering (fraudsters impersonate banks or services to extract OTP codes directly from users). (Authsignal)
Original Deprecation Rationale (Rev 3): In NIST SP 800-63B Rev 3, the guidance stated that due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators, and "OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance." (Schneier on Security)