Announcement

Collapse
No announcement yet.

HS4 - Security

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    HS4 - Security

    Greetings, folks
    I have been away from this board for quite a while. Sort of gave up on relying heavily on HS and attempted to move important functions (security, climate control, surveillance) to separate, much more modern solutions. However, I still have a 4500 sq ft house fully equipped with Z-Wave devices, close to 97 per cent I'd guess, so after seeing the sales banner, realized that HS4 is apparently and imminent reality. Bought an upgrade because, well, not going to trash close to 200 switches and sensors and go Control4 route now...

    Anyway, as I attempted to figure out what exactly is new and improved in HS4 (I mean, licenses are sold and release is "...by the end of 2019"), I realized that not much is crystal clear. My last upgrade from HS2 was, well, painful. So, I attempted to study up now. Failed. Literally no detailed information. Everything , in terms of features, reads like marketing material. So I lowered my expectations accordingly. But... I would love to know the answer to one question: access security.

    HomeSeer goes several years between major versions. This is a major one. For quite some time, in order to easily access the system, without workarounds, myhs.homeseer.com is the way - via web browser away from home, or from your smartphone. The issue is the lack of 2FA, that one time code that most of us should be using to access, well, any site that supports it. The more you integrate into HomeSeer, the more your whole house is exposed to anyone able to log into myhs.homeseer.com. Pretending that a secure user name and password are safe is silly these days. I doubt anyone would argue with that. I brought this up several time when the site went live (myhs.homeseer.com), simplifying remote access and management and eliminating the need for port forwarding (much more insecure). But my questions died off without any meaningful answer.

    So, any news, from anyone, about securing access to myhs.homeseer.com, not by individual workarounds (IP whitelisting, VPN access, etc), but using industry standard and security experts recommended design and implementation?

    Respectfully,
    Alex

    #2
    Originally posted by VirtualPanther View Post
    Greetings, folks
    I have been away from this board for quite a while. Sort of gave up on relying heavily on HS and attempted to move important functions (security, climate control, surveillance) to separate, much more modern solutions. However, I still have a 4500 sq ft house fully equipped with Z-Wave devices, close to 97 per cent I'd guess, so after seeing the sales banner, realized that HS4 is apparently and imminent reality. Bought an upgrade because, well, not going to trash close to 200 switches and sensors and go Control4 route now...

    Anyway, as I attempted to figure out what exactly is new and improved in HS4 (I mean, licenses are sold and release is "...by the end of 2019"), I realized that not much is crystal clear. My last upgrade from HS2 was, well, painful. So, I attempted to study up now. Failed. Literally no detailed information. Everything , in terms of features, reads like marketing material. So I lowered my expectations accordingly. But... I would love to know the answer to one question: access security.

    HomeSeer goes several years between major versions. This is a major one. For quite some time, in order to easily access the system, without workarounds, myhs.homeseer.com is the way - via web browser away from home, or from your smartphone. The issue is the lack of 2FA, that one time code that most of us should be using to access, well, any site that supports it. The more you integrate into HomeSeer, the more your whole house is exposed to anyone able to log into myhs.homeseer.com. Pretending that a secure user name and password are safe is silly these days. I doubt anyone would argue with that. I brought this up several time when the site went live (myhs.homeseer.com), simplifying remote access and management and eliminating the need for port forwarding (much more insecure). But my questions died off without any meaningful answer.

    So, any news, from anyone, about securing access to myhs.homeseer.com, not by individual workarounds (IP whitelisting, VPN access, etc), but using industry standard and security experts recommended design and implementation?

    Respectfully,
    Alex

    https://www.intego.com/mac-security-...should-use-it/

    Good stuff!
    We have all trusted HomeSeer for not hacking into our homes and our credit cards! (except for the cards it's a one time thing when you are making a transaction which may equate to what you are on about) It seems you are an IT professional and indeed know your thing or two. Lets hope you are not giving hackers ideas that HomeSeer is weak! And indeed a remote login can't be automated to your time (window) of choosing then set the system to autonomously work on it's own until you get there. But that said, it's a good idea! It should be added.

    Eman.
    TinkerLand : Life's Choices,"No One Size Fits All"

    Comment


      #3
      Originally posted by VirtualPanther View Post
      Greetings, folks
      I have been away from this board for quite a while. Sort of gave up on relying heavily on HS and attempted to move important functions (security, climate control, surveillance) to separate, much more modern solutions...
      Respectfully,
      Alex
      I am curious what other systems you moved to and what was "more modern" about them? Is it something more than just the user interface or the port forwarding concern?

      The reason I ask is because I like to run "what if" scenarios to see what would happen if I switched from Homeseer to another platform (or combination of platforms) in case I ever needed to for some reason. So far I have not found an alternative that could replicate everything I do on HS3 so I am skeptical when folks claim something else is "better" or "more modern", etc.

      Comment


        #4
        Originally posted by upstatemike View Post

        I am curious what other systems you moved to and what was "more modern" about them? Is it something more than just the user interface or the port forwarding concern?

        The reason I ask is because I like to run "what if" scenarios to see what would happen if I switched from Homeseer to another platform (or combination of platforms) in case I ever needed to for some reason. So far I have not found an alternative that could replicate everything I do on HS3 so I am skeptical when folks claim something else is "better" or "more modern", etc.
        Well,
        I am afraid, the main drive behind "something else", as a choice, is not necessarily that it is better. I simply have long lost faith in HS being a solid, dependable system, regardless of one's design or environmental aspects. Big part of that is Z-Wave as well. Very convenient and, perhaps, more reliable with a smaller network and overall number of devices, but in my experience, over the last decade or so, just not very stable and something I can expect to function at a reliability and dependability I have come to experience from, say, and average commercial Wi-Fi based app.

        1.) Thermostats. I have owned close to ten Z-Wave stats over the years. Two zones in the house, two separate AC and heating units, so two thermostats. Started automation of that long a lo with the first Wi-Fi thermostat. The Z-Wave, replaced on average every two years or so. After some time, they would lose connection to network. No reason. Delete and re-add and we're back in business, but you must be home to do that, and have the time... So for two years now, I use Ecobee. Yes, bought the plugin and integrated them into HS. More so as a backup, since Ecobee cloud (and remote access) can also have issues. Hasn't happened yet to such degree that I would have to go to HS for control. Wife loves their app and it meets my needs. Ability for the wife to go online and create a myriad of customized schedules helps immensely. Frequent updates to the app. Now even Siri integration. More of a toy, but surprisingly enjoyable. The "modern" feel of the app, site, and the whole experience is on another level from the cartoonish HS mobile app.

        2.) Security. This is still integrated into HS, as far as events (arm, disarm, included in routines manually activated). But remote access is limited to Elk app. This is both a factor of an immensely more granulated control and visibility of features in the app, as well as security. I do not trust HS with access to Elk root functions remotely (see above about 2FA) and Elk app communication with alarm panel (directly) is AES 256 encrypted.

        3.) Surveillance. This is a big one and my hobby. I use several dozen of commercial Axis cameras around the property. These are monitored and recorded by a commercial VMS, Milestone XProtect. Nothing against HS in this regard, but for my needs, a dedicated surveillance server with a dedicated software was a way to go. However, the reason I brought it up was because when I had just a few of the cheapest Axis cams, they were still too difficult to integrate and access on moments notice via HS, especially when away from home.

        4.) Power control. I do still have, as I mentioned earlier, close to two hundred switches, dimmers, sensors, etc. that are Z-Wave. But I have a large amount of electronics in the house and on the perimeter. So, I need a close to 100 % reliability and dependability to be able to power cycle them remotely. Z-Wave, for one, can not reliably do that and, second, can not traverse as large of area as Wi-Fi / Cat6 can. So, for in-house power strips I use rackmount Ethernet Power Controller units by Digital Loggers: https://dlidirect.com/products/copy-...r-controller-7
        For around house non-rack mountable control (up in the attic, movie theater area, etc.), I use their Web Power Switch Pro: https://dlidirect.com/products/new-pro-switch
        For periphery of property, I have a small rack in either of my two sheds and use these there: https://dlidirect.com/products/new-u...-pdu-with-wifi

        These are "always" online (Ethernet connected with Wi-Fi backup) and integrate nicely into monitoring service I subscribe to, Domotz Pro.

        For basic single-outlet important device control I use Kasa Wi-Fi outlets. Not Z-Wave. I have eight Ubiquiti access points around house and outside perimeter, so signal is not an issue.

        Those mentioned above are the solid core of reasons and uses. But the overall drive is perpetually pervasive instability and lack of dependability of Z-Wave, as a standard, along with quite likely the size of my Z-Wave network. I had invested heavily and wholeheartedly into Z-Wave and HS. Years of trying to get this to work as flawlessly as possible have, essentially, failed. I am using what I have and not investing any more.

        Comment


          #5
          Deal with security for work and we participate in NIST meetings with primary partner membership defining certain new standards.

          Keep in mind that most 2FA is done via unencrypted e-mail or SMS and both are no longer accepted as a secure second-factor by the NIST and should be avoided.

          They've been advocating that for over 2 years now -- https://pages.nist.gov/800-63-3/sp800-63b.html

          Easier explanation:

          “While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3. It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.”
          If you are that paranoid about security and need remote access then just disable myHS and setup a VPN. Then activate the strongest layers of security, including your personal 2FA or even add a trinary method if you want. Having full control yourself also makes it easy to for example block all IP netblock ranges from China, Russia, and other countries that you do not plan on visiting, but which normally show massive amounts of "attempts" to brute-force access or scan for exploits. Of course with the huge amount of already compromised EU/US-based systems exploited as proxies that is not any real safety, but it does help.

          For most users myHS is more than enough security if it is paired with a reasonable secure password. And remember that strong entropy is not created by using "!@#sdv5*(rf" type of passwords, but relying on length to equal the bit-size of the hashed algorithm used, so passwords like "This is factually a much stronger password, due to its length". That's why it irritates me beyond belief when my bank limits me down to short passwords, does not allow me to use spaces, and prevents me from using Unicode or other extreme combinations. Of course being able to enter password on a wide variety of devices in some cases poses extra limits, so my gaming console password tend to be only 8-chars, because I refuse to buy a BT keyboard just to type in a password once in a blue moon, but quite irritating to use virtual keyboard to enter

          Comment


            #6
            Originally posted by RoChess View Post
            Deal with security for work and we participate in NIST meetings with primary partner membership defining certain new standards.

            Keep in mind that most 2FA is done via unencrypted e-mail or SMS and both are no longer accepted as a secure second-factor by the NIST and should be avoided.

            They've been advocating that for over 2 years now -- https://pages.nist.gov/800-63-3/sp800-63b.html

            Easier explanation:

            If you are that paranoid about security and need remote access then just disable myHS and setup a VPN. Then activate the strongest layers of security, including your personal 2FA or even add a trinary method if you want. Having full control yourself also makes it easy to for example block all IP netblock ranges from China, Russia, and other countries that you do not plan on visiting, but which normally show massive amounts of "attempts" to brute-force access or scan for exploits. Of course with the huge amount of already compromised EU/US-based systems exploited as proxies that is not any real safety, but it does help.

            For most users myHS is more than enough security if it is paired with a reasonable secure password. And remember that strong entropy is not created by using "!@#sdv5*(rf" type of passwords, but relying on length to equal the bit-size of the hashed algorithm used, so passwords like "This is factually a much stronger password, due to its length". That's why it irritates me beyond belief when my bank limits me down to short passwords, does not allow me to use spaces, and prevents me from using Unicode or other extreme combinations. Of course being able to enter password on a wide variety of devices in some cases poses extra limits, so my gaming console password tend to be only 8-chars, because I refuse to buy a BT keyboard just to type in a password once in a blue moon, but quite irritating to use virtual keyboard to enter
            1. You are absolutely correct about SMS and email as means of communication for 2FA distribution. I apologize for not being clear: authenticator app, similar to that by Google, Authy, SAAS, or DuoMobile is what i had in mind. I guess, in the absence of any 2FA, I did not elaborate on my preferences.

            2. I would not call myself paranoid, but I get the point. I do, actually, use a hardware firewall on premises and do limit traffic by geolocation. However, none of this is relevant to HS anymore, as i was simply dissatisfied with functionality of the the Z-Wave standard in general and my use of HS, specifically. Good points on network perimeter security.

            3. You are absolutely correct: most users are likely very happy. Sadly, I was not one of them. My opinions here are just that, hardly worth anything outside detailed examination of your own environment and needs. IT is just a hobby of mine, nothing more.

            4. Thanks for the smile: painfully aware of bank, etc. foolish password policies. Come to think of it, even Bank of America relies on SMS for 2FA, as does PayPal. Guess they haven't heard of SIM spoofing or honeypot cell towers. Cool job, by the way. Hopefully NIST meetings are more fun than your average work gatherings of mind powers

            Comment


              #7
              Nice to know we have some hardcore Security Professionals crawling the HS forums

              Comment


                #8
                Originally posted by VirtualPanther View Post

                1. You are absolutely correct about SMS and email as means of communication for 2FA distribution. I apologize for not being clear: authenticator app, similar to that by Google, Authy, SAAS, or DuoMobile is what i had in mind. I guess, in the absence of any 2FA, I did not elaborate on my preferences.

                2. I would not call myself paranoid, but I get the point. I do, actually, use a hardware firewall on premises and do limit traffic by geolocation. However, none of this is relevant to HS anymore, as i was simply dissatisfied with functionality of the the Z-Wave standard in general and my use of HS, specifically. Good points on network perimeter security.

                3. You are absolutely correct: most users are likely very happy. Sadly, I was not one of them. My opinions here are just that, hardly worth anything outside detailed examination of your own environment and needs. IT is just a hobby of mine, nothing more.

                4. Thanks for the smile: painfully aware of bank, etc. foolish password policies. Come to think of it, even Bank of America relies on SMS for 2FA, as does PayPal. Guess they haven't heard of SIM spoofing or honeypot cell towers. Cool job, by the way. Hopefully NIST meetings are more fun than your average work gatherings of mind powers
                One way to help mitigate SIM jacking and deal with sites like BofA that don't do real 2 factor is to get a Google Voice number, and use that for all your SMS 2FA work. To get into that you have to deal with google's multifactor auth, which can be by google autheticator app, or security key, etc... Even if the underlying SIM for your phone is stolen, that won't give the hackers access to Google Voice.

                Mike

                Comment


                  #9
                  Yeah, use Google Voice to funnel all of my SMS and voice to my actual Sprint #, I also use Yubico USB and NFC keys for everything 2FA.

                  Comment


                    #10
                    So many people concerned about security, yet I'm amazed how many of them are probably using Alex/Google/Siri spyware sitting right next to their beds. I got your security right here... me? EVERYTHING hardwired, Wi-Fi off 100% of the time, phones go into a Faraday cage when we come home (service handed off to VOIP phones). I don't know why people are going to myhomeseer. Just set up a VPN client on your mobile device, VPN into your router and port forward. But oh noes! The port forwarding is the devil's tool! Yeah, you know all those Chinese hackers are trying for weeks to break into the secret Smith house on Generic Dr., Anytown, USA so that they can access your cams and catch your overweight, bald, wife-beater wearing butt yelling at your wife and kids to keep it down so you can watch your football nonsense while stuffing yourself with cheesy poofs. Let's be real.

                    Comment


                      #11
                      Originally posted by sickpuppy View Post
                      So many people concerned about security, yet I'm amazed how many of them are probably using Alex/Google/Siri spyware sitting right next to their beds.
                      😆😆

                      Click image for larger version

Name:	image_83482.jpg
Views:	877
Size:	111.1 KB
ID:	1341270

                      Comment


                        #12
                        Hahaha. I remember when these spy devices came out and everyone was assured that the device would only listen when it heard the trigger word. Then everyone let out a sigh of relief, even though the idiots were so dense that they didn't realize that it needed to LISTEN ALL THE TIME or it wouldn't catch the trigger word. Then everyone was told that everything after the trigger was only transiently stored for the purpose of that query. Then it came out that it was stored forever. Then they gave to an option to 'delete' (wink, wink, sure... sure) your queries. Then it was found out that recordings are stored even prior to the trigger, as evidenced by cross-device ads served based on conversations made around these devices. They told you that the queries were only seen my machines for machine learning purposes. Then it came out that humans were accessing your queries... you know, to improve the user experience and fine-tune the machine learning... of course. Then there were situations where the police were able to obtain recordings without a search warrant because the police were not the ones who were doing the recording, making such recordings totally admissible in court.

                        But WE'RE the crazy ones.. you know, the ones who from Day 1 said this was a bad idea. I'm glad privacy concerns with these 'wiretaps' is making some traction and people are getting rid of them. Amazing how so many in the Homeseer community are still holding on to theirs. I would pay $1000 today for any Kickstarter that involves a cloudless voice assistant.

                        Comment


                          #13
                          Project Alias https://github.com/bjoernkarmann/project_alias is a cap that you put on top of the Alexa that plays white noise and random peole peaking into the Alexa mics. It has its own mics and a raspberry pie that you program with your own trigger word. When it hears your trigger word it records your command and then plays it back to Alexa. It is open source so you can look at the code to verify it is legit.

                          Of course Alexa and her related friends are not the only listening device in your home. OK Googe, Hey Siri and those voice activated remotes for your cable and sat TV are listening. Most computers have mics too.

                          Comment


                            #14
                            Originally posted by sickpuppy View Post
                            So many people concerned about security, yet I'm amazed how many of them are probably using Alex/Google/Siri spyware sitting right next to their beds. I got your security right here... me? EVERYTHING hardwired, Wi-Fi off 100% of the time, phones go into a Faraday cage when we come home (service handed off to VOIP phones). I don't know why people are going to myhomeseer. Just set up a VPN client on your mobile device, VPN into your router and port forward. But oh noes! The port forwarding is the devil's tool! Yeah, you know all those Chinese hackers are trying for weeks to break into the secret Smith house on Generic Dr., Anytown, USA so that they can access your cams and catch your overweight, bald, wife-beater wearing butt yelling at your wife and kids to keep it down so you can watch your football nonsense while stuffing yourself with cheesy poofs. Let's be real.
                            Actually they are constantly trying to get into anything they can. Still have my '80s BBS up and running on the Internet. Autoblacklist bad ip's that hammer it. My current blacklist is 366k and 24,574 lines (one ip address per line). Just because it's small and unimportant doesn't mean it couldn't be used for denial of service attacks. Can't get more real than that.

                            Comment


                              #15
                              VirtualPanther similar concerns as me.
                              i actually reverse Proxied HomeSeer behind IIS with authentication for outside access.

                              id love to see homeseer built on IIS rather than some unknown web server, but yeah a boy can dream aha

                              also re milestone, I was able to trigger milestone events from HomeSeer with the big5 plugin sending a string to the event server I was pretty stoked it worked lol. My milestone server is blocked at the edge from talking to the www except for smtp to my fav email provider, and when the front door is opened it emails a batch of images from the front door camera to me. Works well.

                              Comment

                              Working...
                              X