Local - Remote - HSTouch Passwords - Several things I'd like to be sure of


Sorry, I know this is long.

This started from HSBuddy needing the Local and Remote passwords to match in HS4...but it brought up a couple of things I'm not completely clear on.

1) I block all my wall tablets from access to the Internet in my routers. If for no other reason, I don't want to constantly worry about OS patches, and a couple are old enough that I can't update them anymore anyway. As such, my HSTouch client wall tablets connect locally. What are the minimum permissions for a local HSTouch client password/login to be able to run anything that I set up in HSTouch? I probably could play with this for a while and figure it out, but if someone knows and can spare me that grief I'd really appreciate it. If this is explained in a doc somewhere...I can't seem to find it.

It seems that I can set this in the HSTouch software to a uname/pw with admin rights and a complex password, and then set the client to use a uname/pw of an HS4 account set to normal with all the rights disabled. At least they seem to be able to still run events etc.

2) The speaker client username and pw in the HSTouch HS4 setup...Is that ONLY for speaker clients and has nothing to do with any other of the tablets if not using speech? If I was using speech, this pw affects nothing else?

3) Other than the matching local (same subnet) and remote (MYHS) uname and passwords, if my system is only accessible from the Internet via MYHS, are all the ones I use for other local stuff like the wall tablets only "useable" locally?

I ask this because I use a generated pw for MYHS that's long enough that no human would ever want to type it in manually. I'm not going to run the password software locally on anything that either can't be patched or that I don't keep the OS patched on, to make copy and paste or automatic entry possible. I still use decent passwords locally, but not something 40+ characters long. Should I?

Confused...THANKS!

#2
HomeSeer security practices are poor at best. The Android client username and password are stored in clear text in the file com.homeseer.hstouch_preferences.xml. That file requires root access to view, but that doesn't forgive the practice of storing credentials that way.


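As an added illustration of the storage issue mterry63 describes (example code, not HomeSeer's or the poster's): a small audit that flags credential-looking keys held in the clear in an exported Android shared_prefs XML. The key names, the sample file and the opaque-value heuristic are assumptions.

```python
"""Audit an exported Android shared_prefs XML for plaintext credential values.

Added example, not code from HomeSeer or the forum post: it checks whether a
preferences file such as com.homeseer.hstouch_preferences.xml keeps credentials
in the clear. The key names and the sample file below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Android shared_prefs format; key names are assumed.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="server_host">192.168.1.20</string>
    <string name="username">tablet</string>
    <string name="password">Winter2024!</string>
    <string name="api_token">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</string>
    <boolean name="remember_login" value="true" />
</map>
"""

# Key names that usually hold a secret.
CREDENTIAL_KEY = re.compile(r"(pass|pwd|secret|token|key)", re.IGNORECASE)
# Heuristic: a 64-hex-char or 44-char base64 value is more likely a digest or
# opaque token than a raw password, so it is not reported.
OPAQUE_VALUE = re.compile(r"^(?:[0-9a-f]{64}|[A-Za-z0-9+/]{43}=)$")


def find_plaintext_credentials(xml_text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs that look like credentials stored in the clear."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.findall("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if not CREDENTIAL_KEY.search(name) or not value:
            continue
        if OPAQUE_VALUE.match(value):
            continue  # looks like a digest or opaque token, not a raw password
        findings.append((name, value))
    return findings


if __name__ == "__main__":
    # Mask the value when reporting so the audit output does not leak it again.
    for key, val in find_plaintext_credentials(SAMPLE_PREFS):
        print(f"plaintext credential in key {key!r}: {'*' * len(val)} ({len(val)} chars)")
```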

#3
mterry63 - THANKS! Good to know. I'm thinking I only really ever need 4 passwords ever...

In the user setup

1) For MYHS, which needs to be the same as the one tagged as "local" and used in any app that needs to access HS4 via MYHS
2) For HSTouch - with full admin rights - which probably could be the same as #1
3) For my HSTouch Clients - this can be a normal user with all access toggles turned off, as it must go <client to HSTouch Server> then <HSTouch Server to HS4 Server>, so the server is all that needs any rights - This could be the same as #1 as well, but I don't want to have to type in really long passwords on all my clients that have no rights if they are no HSTouch clients as well.

4) On the network setup tab, a uname/pass for the speaker client, so in the summer when I use the speaker client to talk to Alexa to pause my sprinklers for 5 minutes if the jeep parks on the curb. My assumption is that pw does nothing but allow speaker clients.



#4
I as well would not recommend relying on security within HomeSeer. Set up a VPN to your house and then use HomeSeer technology across the VPN.

Setting up a VPN is not all too difficult. Many options.
HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



#5
How are you setting that up so that other things like, Alexa for example, can interface w/ Homeseer? IE things that have to go into MYHS to control things? Nothing talks directly to my server from outside the perimeter of my router/firewall edge except via MYHS. If it does, I may be missing something I really need to know. I'm assuming that MYHS traffic is encrypted...but to your point, I don't actually know that for a fact.



#6
The conversation (or subject title) was about HSTouch, right? So, one can use a VPN with HSTouch. Just because something is encrypted doesn't mean that its data payload can't be decrypted or deciphered. Point being, if one encrypts something using a weak cipher, a bad actor can decrypt or decipher the payload. Even with a strong cipher one can decrypt the payload within a certain amount of time. It is therefore best to layer your security scheme. But it all depends on what you're trying to do. We don't have all of the information in this post.

It sounds like you're trying to secure your network and associated applications/technologies. I can appreciate that, as I think that way myself. It would be best if we had an offline conversation. Send me a private message on how I can get a hold of you via Skype, Zoom, or other technology and let's chat.

Security isn't hard, but it is confusing as there are so many options and subjective/competing possibilities. You're on the right track.
HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



#7
Krumpy - Thanks for taking all this time...it's much appreciated! A really good help file grouping how all the pw's tie together would be really nice.

I headed a team of engineers as the IP Architect for all routing/switching and firewalls for the last 10 years of my working days, protecting about a trillion in assets for a Fortune 100 company. I retired a couple of years ago. That doesn't really make me any sort of genius though, and half of what I did know has likely changed by now. I won't argue that encryption can't be hacked, but I'm willing to bet that access to my lowly home network isn't really worth somebody's time. That doesn't mean some 10 year old halfway around the world won't try.

It doesn't stop me from worrying about it though, and I'm just trying to lock things down as much as possible. To your point, it'd be really nice to know at least at a high level how secure MYHS is. Since it's inside a cloud facility, I'm guessing these sessions terminate on dedicated VPN devices that can support whatever HS4 can throw at them. Who knows, the only really secure side of the flows is likely on the MYHS end...

I asked a while back for HS to give me their global IP ranges so I could tighten my rules...I wasn't too surprised when they wouldn't.



#8
Personally I suspect MyHS is functionally equivalent to "GoToMyPC" or similar, providing a TLS encrypted web session to your local HSx instance. It's either providing direct web access to the HSx UI, or JSON access for things like Alexa, Google, IFTTT, or HSBuddy, and similar for HSTouch. They recently added backup storage to that service.

When you fire up HSx locally it reaches out to MyHS and connects; I assume they authenticate by comparing shared username/password and system ID. MyHS is using the same username/password to authenticate remote clients. This methodology is simple for less technically inclined users as it requires no manipulation of inbound firewall rules at the public ingress/egress point. No information is provided on how the credentials are stored in the cloud service, but I would assume any cloud service worth paying for would provide a secure API; whether the cloud customer chooses to use it is anyone's guess.

That's my 2 cents.



#9
mterry63 - Sometime I'll get around to doing some packet capture, though I doubt I'll get too much out of it...but I would not doubt too much that you are close. It's actually a good question that we have every right to know...at least at a high level we should understand our connections are secure. Nobody's going to give specifics except to people actually setting up the service. My assumption is that they're 100% "renting" services and have at least discussed security with hired guns. I really doubt anybody is going to play man in the middle on my connection just to steal my TV. Someone hacking MYHS as a whole is a completely different conversation.

I'm guessing, just like anything else, one of the best things to do is change passwords often. That's the problem I really have, assuming there is at least decent security. It's such a pain...for me...HS4 itself...3 tablets...3 phones...MYHS...every single Geofence and PHLocation device...HSBuddy...the Homeseer app. I'm probably missing something else as well. It takes at least 1/2 an hour.

Which actually is the basis for the start of the thread... I'm going to post the question and see if HS TAC can give us a high level answer on MYHS session security. I may have to open a ticket. Refusal to provide any information would be a bit scary.



#10
I also used HST for my passwords. Once my boss accessed his employee monitoring software account on my laptop. HST remembered the password, and then I added 4 extra hours of work to myself, haha. But HST is very useful, because I work with a lot of passwords.
