Jun 19 Insteon HUB update 1016 will break the plugin

This topic is closed.

    All,
    Please follow the above guidance to get the fix pushed to your hub. This is the same information I received from my contact. They are not going to mass-roll out the fix; only those that request it will get it.
    Mark

    HS3 Pro 4.2.19.5
    Hardware: Insteon Serial PLM | AD2USB for Vista Alarm | HAI Omnistat2 | 1-Wire HA7E | RFXrec433 | Dahua Cameras | LiftMaster Internet Gateway | Tuya Smart Plugs
    Plugins: Insteon (mine) | Vista Alarm (mine) | Omnistat 3 | Ultra1Wire3 | RFXCOM | HS MyQ | BLRadar | BLDenon | Tuya | Jon00 Charting | Jon00 Links
    Platform: Windows Server 2022 Standard, i5-12600K/3.7GHz/10 core, 16GB RAM, 500GB SSD



      I received the same email from Insteon - likely because I opened a case on this issue yesterday, and asked that it be escalated. I'm debating between joining the beta group approach or just sending in my Hub ID to have my hub reverted back. Beta usually involves getting beta software pushed to your device before the mass firmware push, which may lead to other issues in the future that would be out of my control. If Mark doesn't get the same (broken) release that I do, I am potentially down and out of luck. If I just have them do the revert now, I am just postponing the inevitable next (broken) auto-update that takes my automation down again. I found one line in the email interesting: "Your participation will also ensure that any future updates do not impact your integration". Does that mean that once you are signed up for beta, they *will not* push firmware updates to your device when they go out for wide release? That would be great if we could prevent updates in the future until 3rd party integration developers have had a chance to test.



        I submitted my hub ID and also signed up in Beta. They just pushed an NDA my direction for the beta program and I returned that. Hopefully between the two of them we're able to get a fix pushed quickly.

        I still may block the hub from updating (via my firewall) after this gets resolved. Beta program or not. I'd like to have better control of what FW my hub is running...



          Originally posted by ianmcg:
          I submitted my hub ID and also signed up in Beta. They just pushed an NDA my direction for the beta program and I returned that. Hopefully between the two of them we're able to get a fix pushed quickly.

          I still may block the hub from updating (via my firewall) after this gets resolved. Beta program or not. I'd like to have better control of what FW my hub is running...
          +1

          I was thinking, instead of setting the hub to DHCP, just hard-code the IP and don't give it a gateway (if possible). I have not tried it yet, but I also plan to block it via the FW.



            Originally posted by charlesmbell:
            Same here. No downdate.

            I found this on another forum (openHAB) where Insteon responded:

            Hello all,

            I am writing on behalf of Insteon and wanted to share an update with you all:

            We are aware of an issue where our latest hub firmware update (1016) caused integrations using local http commands to stop functioning. While this is not an officially supported API, we understand that having local command and control is preferred among a select group of users as well as some 3rd party software developers. Therefore we will be looking to make the necessary updates to restore this functionality. If you are using the local API, we would like to invite you to join our beta group to assist us in testing our next update. Your participation will also ensure that any future updates do not impact your integration. To submit your request to join the beta program, fill out the form here. Be sure to select OpenHAB as the software you are using so that we can arrange a special firmware build that will restore local API control. Please be patient as we will need time to get you setup as a beta tester and to configure your account.

            We appreciate your patience while we work to resolve this issue and thank you for choosing Insteon for your home automation projects.

            Kind regards,
            The Insteon Team
            I got this as well in a personal email (maybe because I complained louder?). The options to get Insteon going again are:
            • Enroll in the Insteon beta here
            • Send an email to custsvc@smarthome.com, specifying your Hub ID number, and associated email address. The software team will push out the necessary update (no timeframe)



              Some TLS debug

              Only TLSv1.2 is attemptable:

              Code:
              $ nmap --script ssl-enum-ciphers -p 443 10.11.111.90
              Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-21 16:54 PDT
              Nmap scan report for 10.11.111.90
              Host is up (0.0037s latency).
              
              PORT    STATE SERVICE
              443/tcp open  https
              | ssl-enum-ciphers: 
              |   TLSv1.2: 
              |     ciphers: 
              |       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
              |     compressors: 
              |       NULL
              |     cipher preference: indeterminate
              |     cipher preference error: Too few ciphers supported
              |     warnings: 
              |       Broken cipher RC4 is deprecated by RFC 7465
              |       Ciphersuite uses MD5 for message integrity
              |       Weak certificate signature: SHA1
              |_  least strength: C
              That's a cipher that went out with SSLv3, long, long ago, so I doubt we'll make any headway finding a TLSv1.2 client that supports that cipher. A little further digging exposes that a default manufacturer self-signed certificate, which expired in 2012, is being presented on 443.

              Per the RFC mentioned, the cipher is unsupported in TLS. https://tools.ietf.org/html/rfc7465

              Code:
              $ openssl s_client -msg -connect 10.11.111.90:443 -tls1_2
              CONNECTED(00000003)
              >>> TLS 1.2 Handshake [length 0139], ClientHello
                  01 00 01 35 03 03 75 e7 55 b8 91 fa eb dc b9 44
                  36 59 68 b5 2d fa 53 df 37 74 b4 5d a3 ca c5 04
                  bd a2 ed 3d 4a 69 00 00 98 cc 14 cc 13 cc 15 c0
                  30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00
                  6b 00 6a 00 39 00 38 ff 85 00 c4 00 c3 00 88 00
                  87 00 81 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00
                  9d 00 3d 00 35 00 c0 00 84 c0 2f c0 2b c0 27 c0
                  23 c0 13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00
                  32 00 be 00 bd 00 45 00 44 c0 31 c0 2d c0 29 c0
                  25 c0 0e c0 04 00 9c 00 3c 00 2f 00 ba 00 41 c0
                  11 c0 07 c0 0c c0 02 00 05 00 04 c0 12 c0 08 00
                  16 00 13 c0 0d c0 03 00 0a 00 15 00 12 00 09 00
                  ff 01 00 00 74 00 0b 00 04 03 00 01 02 00 0a 00
                  3a 00 38 00 0e 00 0d 00 19 00 1c 00 0b 00 0c 00
                  1b 00 18 00 09 00 0a 00 1a 00 16 00 17 00 08 00
                  06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00
                  01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00
                  0d 00 26 00 24 06 01 06 02 06 03 ef ef 05 01 05
                  02 05 03 04 01 04 02 04 03 ee ee ed ed 03 01 03
                  02 03 03 02 01 02 02 02 03
              <<< TLS 1.2 Handshake [length 004a], ServerHello
                  02 00 00 46 03 03 5b 2c 3a 0e cb e5 68 9f b2 56
                  27 88 6c da 43 09 0a 10 60 98 40 68 f4 a4 b5 20
                  b3 cd 7c 15 c8 60 20 b1 31 0a e1 01 bc 54 05 c5
                  51 88 36 79 11 8e e9 8a 2a 5e 2f 23 a9 3b 50 06
                  ca d9 16 55 36 07 fc 00 04 00
              <<< TLS 1.2 Handshake [length 03e4], Certificate
                  0b 00 03 e0 00 03 dd 00 03 da 30 82 03 d6 30 82
                  02 be 02 09 00 cf 70 0e af ac df 27 09 30 0d 06
                  09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 ac 31
                  0b 30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e
                  06 03 55 04 08 13 07 41 72 69 7a 6f 6e 61 31 11
                  30 0f 06 03 55 04 07 13 08 43 68 61 6e 64 6c 65
                  72 31 23 30 21 06 03 55 04 0a 13 1a 4d 69 63 72
                  6f 63 68 69 70 20 54 65 63 68 6e 6f 6c 6f 67 79
                  2c 20 49 6e 63 2e 31 0c 30 0a 06 03 55 04 0b 13
                  03 57 50 44 31 22 30 20 06 03 55 04 03 13 19 53
                  53 4c 20 44 65 6d 6f 20 43 65 72 74 69 66 69 63
                  61 74 65 20 32 30 34 38 31 21 30 1f 06 09 2a 86
                  48 86 f7 0d 01 09 01 16 12 69 6e 66 6f 40 6d 69
                  63 72 6f 63 68 69 70 2e 63 6f 6d 30 1e 17 0d 31
                  31 31 30 30 32 31 30 35 36 32 39 5a 17 0d 31 32
                  31 30 30 31 31 30 35 36 32 39 5a 30 81 ac 31 0b
                  30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e 06
                  03 55 04 08 13 07 41 72 69 7a 6f 6e 61 31 11 30
                  0f 06 03 55 04 07 13 08 43 68 61 6e 64 6c 65 72
                  31 23 30 21 06 03 55 04 0a 13 1a 4d 69 63 72 6f
                  63 68 69 70 20 54 65 63 68 6e 6f 6c 6f 67 79 2c
                  20 49 6e 63 2e 31 0c 30 0a 06 03 55 04 0b 13 03
                  57 50 44 31 22 30 20 06 03 55 04 03 13 19 53 53
                  4c 20 44 65 6d 6f 20 43 65 72 74 69 66 69 63 61
                  74 65 20 32 30 34 38 31 21 30 1f 06 09 2a 86 48
                  86 f7 0d 01 09 01 16 12 69 6e 66 6f 40 6d 69 63
                  72 6f 63 68 69 70 2e 63 6f 6d 30 82 01 22 30 0d
                  06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01
                  0f 00 30 82 01 0a 02 82 01 01 00 c5 ed d8 35 23
                  00 33 a6 aa fb 6c a0 bf 4a 44 92 7f d3 75 4f 8a
                  6b 33 4d ef 66 51 2d f2 d0 b2 85 f0 24 b7 86 96
                  66 e6 9a 91 61 97 11 3a 4a 78 3a 71 b8 5f 69 47
                  a6 1b 17 4f de 37 9c 12 b7 d6 72 11 cd 94 2b 39
                  c5 92 9d 4b 6b 6c 69 30 99 9e cc 85 80 5f 68 83
                  41 86 a4 2b 9a eb 95 e0 25 ae 3d 9f 76 9b 98 47
                  82 85 84 78 79 0b 5f 7b 0c 31 6d 65 8b fa 65 65
                  62 79 22 01 ad 96 01 84 0c 8b 2d f2 7c 92 b0 08
                  e6 48 d6 a7 57 d8 2d 89 20 f6 49 3f ea ef b7 88
                  31 26 4f 1f 96 f0 a1 8b 56 d1 2a 11 32 7c c0 ba
                  c5 73 fc 94 6b b9 05 6c fa 6d f1 93 34 41 e1 7a
                  13 b3 c9 40 d1 2d e2 85 fd 64 6d 97 ec fb b8 08
                  53 09 11 c3 44 29 5a 2e 96 c4 a6 24 b5 00 99 d1
                  3f 70 2c aa 2a ec e7 2a c9 5c a6 72 33 35 02 b7
                  c7 4c 33 03 3d 2b d6 66 b7 e2 84 45 76 2e c3 8a
                  0b 56 8b d9 c9 89 be 20 20 05 87 02 03 01 00 01
                  30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03
                  82 01 01 00 13 af cd 5a f8 ae a1 32 1e 38 f1 b6
                  ac 1b 77 9b 46 74 3f bf 71 16 9b 87 16 10 1d f1
                  c5 fc a5 53 0c 9c 5f 58 03 30 68 ad 7f 7c c0 68
                  44 db 9b f7 c8 fe 20 0f f9 42 f1 c8 b1 8e aa e4
                  e6 d6 16 2c 66 9d 97 de 34 4c ba a7 61 11 5f b3
                  8f 48 92 74 d5 52 2b df 13 e2 fa 7d ae 60 a3 56
                  27 2b f2 54 79 0c 75 3c 40 fe f3 45 d0 23 92 a3
                  7c 64 37 d9 17 d9 77 11 60 dd 18 ba e4 d6 63 77
                  d5 1b 3b 1a 07 29 eb 77 45 cb 08 7e f6 67 a1 b7
                  0c 03 ee 07 b6 8e 18 d4 c1 36 f5 a7 fe 99 48 c4
                  90 7f 73 7d 85 31 4e b1 27 1c 5a b9 22 94 f4 ee
                  79 78 72 ca 40 65 04 d7 27 72 ee f6 dd 94 0d 41
                  3c 61 8c f1 29 b5 df e8 c9 01 17 2c d6 25 b9 e9
                  10 30 8a e0 72 32 fc 17 12 89 fa b7 70 05 f4 48
                  89 21 d1 8a 58 64 7f 3e 57 ba b2 48 41 25 e9 2c
                  47 b5 f3 ba 27 3a 97 06 9b 55 b8 29 68 20 30 1d
                  87 7c 8a 19
              depth=0 C = US, ST = Arizona, L = Chandler, O = "Microchip Technology, Inc.", OU = WPD, CN = SSL Demo Certificate 2048, emailAddress = info@microchip.com
              verify error:num=18:self signed certificate
              verify return:1
              depth=0 C = US, ST = Arizona, L = Chandler, O = "Microchip Technology, Inc.", OU = WPD, CN = SSL Demo Certificate 2048, emailAddress = info@microchip.com
              verify error:num=10:certificate has expired
              notAfter=Oct  1 10:56:29 2012 GMT
              verify return:1
              depth=0 C = US, ST = Arizona, L = Chandler, O = "Microchip Technology, Inc.", OU = WPD, CN = SSL Demo Certificate 2048, emailAddress = info@microchip.com
              notAfter=Oct  1 10:56:29 2012 GMT
              verify return:1
              <<< TLS 1.2 Handshake [length 0004], ServerHelloDone
                  0e 00 00 00
              >>> TLS 1.2 Handshake [length 0106], ClientKeyExchange
                  10 00 01 02 01 00 48 61 16 8f 6c c0 3b a3 5d 09
                  bc 80 41 7a 6b cd 53 7a 9a e8 a9 9f 25 42 ff f3
                  87 ba ab 08 a6 ee 0a c7 18 58 37 0a c5 d7 fc 66
                  bd fe a1 0a b3 73 04 7f 2e a3 a1 7c c4 b0 76 1a
                  fc a2 29 c9 3e a8 11 4d ff 6b 4d a6 84 12 30 76
                  e2 ac 15 ae 25 3c 5d 58 6f 45 e7 0b db 29 20 85
                  6a 08 56 2b a8 fd f7 09 3c 87 80 75 37 6d ee 1a
                  3f fa 2d 34 d1 b6 b2 bb 0e 24 8a d5 89 00 5f a4
                  9d 32 95 e8 4e f7 ee f1 be 82 4f 24 3c ac 3a 77
                  04 68 ab 01 38 ae 54 5e e3 dc 7f 92 d7 c8 e5 83
                  65 e5 5e af a5 55 e7 9b e5 40 c4 de 91 e9 01 fe
                  98 c6 f4 c1 a6 cd 66 a2 39 2b 7b bf cc 5c ec a1
                  c2 c7 f9 d3 bc b4 61 a7 54 f2 8d 97 40 4f c1 e5
                  36 77 07 1a 02 ad 80 ac e8 29 f0 53 54 ac ed fb
                  da a8 33 54 70 21 74 d7 28 31 44 0c 1c f2 1e c0
                  62 76 52 f6 ff 17 79 5e c0 e5 d6 be 3c 61 70 0e
                  92 58 a9 9c 3c 9f
              >>> TLS 1.2 ChangeCipherSpec [length 0001]
                  01
              >>> TLS 1.2 Handshake [length 0010], Finished
                  14 00 00 0c ad bf 47 6f 6e 98 05 b2 aa de 11 f7
              Terrible engineering on this product, as the multitude and depth of exploitable vulnerabilities for it show. They could probably fix it merely by adding a few modern ciphers to the list their TLS library exposes and producing a current self-signed certificate.
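Reading the expired certificate straight out of the handshake bytes above, as an added example that is not code from the original post: a small DER walker over the first sixteen lines of the Certificate message copied from the openssl dump. It pulls out the serial, signature algorithm, issuer and validity period and then raises the same three warnings nmap and openssl reported (expired, SHA-1 signature, and, additionally, that this is an X.509 v1 certificate with no extensions). Everything beyond those hex bytes (the function names, the OID table, treating the scan date 2018-06-21 as "now") is an assumption of the example.

```python
from datetime import datetime

# Hex copied from the "openssl s_client -msg" dump in the post above: the first
# sixteen lines of the Certificate handshake message.  That prefix covers the
# handshake header, serial, signature algorithm, issuer and validity; the rest
# of the certificate is not needed here, so the walker tolerates truncation.
CERT_MSG_PREFIX_HEX = """
0b 00 03 e0 00 03 dd 00 03 da 30 82 03 d6 30 82
02 be 02 09 00 cf 70 0e af ac df 27 09 30 0d 06
09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 ac 31
0b 30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e
06 03 55 04 08 13 07 41 72 69 7a 6f 6e 61 31 11
30 0f 06 03 55 04 07 13 08 43 68 61 6e 64 6c 65
72 31 23 30 21 06 03 55 04 0a 13 1a 4d 69 63 72
6f 63 68 69 70 20 54 65 63 68 6e 6f 6c 6f 67 79
2c 20 49 6e 63 2e 31 0c 30 0a 06 03 55 04 0b 13
03 57 50 44 31 22 30 20 06 03 55 04 03 13 19 53
53 4c 20 44 65 6d 6f 20 43 65 72 74 69 66 69 63
61 74 65 20 32 30 34 38 31 21 30 1f 06 09 2a 86
48 86 f7 0d 01 09 01 16 12 69 6e 66 6f 40 6d 69
63 72 6f 63 68 69 70 2e 63 6f 6d 30 1e 17 0d 31
31 31 30 30 32 31 30 35 36 32 39 5a 17 0d 31 32
31 30 30 31 31 30 35 36 32 39 5a 30 81 ac 31 0b
"""
SCAN_DATE = datetime(2018, 6, 21)  # date of the nmap scan in the post, used as "now"
OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "2.5.4.3": "CN", "2.5.4.10": "O", "1.2.840.113549.1.9.1": "emailAddress"}

def read_tlv(buf, pos):
    """One DER tag/length at pos -> (tag, content_start, content_end); long-form
    lengths handled, end clamped to the bytes present so truncation is tolerated."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    start = pos + header
    return tag, start, min(start + length, len(buf))

def decode_oid(content):
    """OID content bytes -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(buf, start, end):
    """X.501 Name (SEQUENCE OF SET OF {OID, value}) -> {attribute: string}."""
    name, pos = {}, start
    while pos < end:
        _, rdn_start, rdn_end = read_tlv(buf, pos)        # SET
        _, atv_start, _ = read_tlv(buf, rdn_start)        # SEQUENCE
        _, oid_start, oid_end = read_tlv(buf, atv_start)  # OBJECT IDENTIFIER
        _, val_start, val_end = read_tlv(buf, oid_end)    # PrintableString / IA5String
        oid = decode_oid(buf[oid_start:oid_end])
        name[OID_NAMES.get(oid, oid)] = buf[val_start:val_end].decode("latin-1")
        pos = rdn_end
    return name

def parse_utctime(content):
    """UTCTime YYMMDDHHMMSSZ; strptime pivots two-digit years 00-68 to 20xx."""
    return datetime.strptime(content.decode("ascii"), "%y%m%d%H%M%SZ")

def parse_certificate_message(hex_dump):
    """Walk a TLS 1.2 Certificate message down to the leaf's validity period."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    if buf[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    info = {"certificate_length": int.from_bytes(buf[7:10], "big")}
    der = buf[10:]                             # skip list length + first cert length
    _, cert_start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, cert_start)      # tbsCertificate ::= SEQUENCE
    tag, s, e = read_tlv(der, pos)
    info["version"] = 1                        # no [0] EXPLICIT version field means v1
    if tag == 0xA0:
        _, vs, _ = read_tlv(der, s)
        info["version"] = der[vs] + 1
        tag, s, e = read_tlv(der, e)
    info["serial"] = der[s:e].hex()            # INTEGER serialNumber
    _, s, e = read_tlv(der, e)                 # signature AlgorithmIdentifier
    _, oid_s, oid_e = read_tlv(der, s)
    oid = decode_oid(der[oid_s:oid_e])
    info["signature_algorithm"] = OID_NAMES.get(oid, oid)
    _, s, e = read_tlv(der, e)                 # issuer Name
    info["issuer"] = parse_name(der, s, e)
    _, s, e = read_tlv(der, e)                 # validity ::= SEQUENCE { notBefore, notAfter }
    _, nb_s, nb_e = read_tlv(der, s)
    _, na_s, na_e = read_tlv(der, nb_e)
    info["not_before"] = parse_utctime(der[nb_s:nb_e])
    info["not_after"] = parse_utctime(der[na_s:na_e])
    return info

def findings(info, now=SCAN_DATE):
    """The warnings nmap/openssl raised above, derived from the parsed fields."""
    out = []
    if info["not_after"] < now:
        out.append("expired: notAfter %s is before %s" % (info["not_after"].date(), now.date()))
    if info["signature_algorithm"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        out.append("weak certificate signature: " + info["signature_algorithm"])
    if info["version"] == 1:
        out.append("X.509 v1 certificate: no extensions, so no keyUsage or SAN constraints")
    return out
```

Run `parse_certificate_message(CERT_MSG_PREFIX_HEX)` and `findings(...)` on it: the issuer CN comes back as the Microchip "SSL Demo Certificate 2048", notAfter as 2012-10-01 10:56:29, and the signature OID as sha1WithRSAEncryption, which is exactly what the `verify error:num=10` and `Weak certificate signature: SHA1` lines above say in prose. The lengths are checked as the walker goes, so a truncated or malformed dump fails loudly instead of reading past the buffer.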



                Also, per the exploit notes, it would seem you can merely block cache.insteon.com and likely stop any further firmware updates:

                TALOS-2018-0512 - INSTEON HUB PUBNUB FIRMWARE DOWNGRADE VULNERABILITY
                An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve any signed firmware image.
                To wit - you could probably trivially MITM the latest firmware and serve the downgraded image in its place, but I wouldn't risk bricking the thing by doing so.
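What the check the advisory describes as missing looks like, as an added example that is neither Insteon's code nor taken from the TALOS write-up: a toy image verifier in Python that first authenticates an image and only then decides whether it may be flashed, refusing anything older than the version already installed. The image layout, the HMAC stand-in for the vendor's signature, the key and the version numbers are all constructed for the example; a real device would check an asymmetric signature against a root key in ROM and read the installed version from a monotonic counter.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the vendor's signing key.  A real hub would verify an
# asymmetric signature against a root baked into the device; HMAC is used only so
# the example runs offline with the standard library.
VENDOR_KEY = b"example-signing-key-not-real"
MAGIC = b"FWIM"
TAG_LEN = 32

def build_image(version, payload):
    """Pack a signed image: MAGIC | version (uint32 BE) | payload | HMAC-SHA256 tag."""
    body = MAGIC + struct.pack(">I", version) + payload
    return body + hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()

def verify_image(image, installed_version):
    """Decide whether an image may be flashed; returns (accepted, reason).

    Order matters: authenticate first, then apply the anti-rollback rule.  The
    rollback rule is the step TALOS-2018-0512 says the hub lacks: an image that
    carries a valid vendor signature but an older version number must still be
    refused, otherwise whoever controls the download path controls the version."""
    if len(image) < len(MAGIC) + 4 + TAG_LEN:
        return False, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False, "signature check failed"
    if body[:4] != MAGIC:
        return False, "bad image header"
    version = struct.unpack(">I", body[4:8])[0]
    if version < installed_version:
        return False, "rollback refused: image %d older than installed %d" % (version, installed_version)
    return True, "accepted version %d" % version

def demo():
    """Exercise the four cases a verifier must get right: newer, same, older, tampered."""
    installed = 1016                                  # version numbers as used in the thread
    newer = build_image(1017, b"payload-1017")
    older = build_image(1015, b"payload-1015")        # validly signed, but old
    tampered = bytearray(newer)
    tampered[8] ^= 0x01                               # flip one payload bit, tag no longer matches
    return {
        "newer": verify_image(newer, installed),
        "same": verify_image(build_image(1016, b"payload-1016"), installed),
        "older": verify_image(older, installed),
        "tampered": verify_image(bytes(tampered), installed),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-9s %-6s %s" % (case, "ACCEPT" if ok else "REJECT", reason))
```

Note that the transport does not enter into it: fetching over plain HTTP is fine for integrity as long as the signature is checked, and HTTPS would not have helped here either, because the "older" image is a genuine vendor build. Only the version comparison closes the downgrade path, which is why the firewall block discussed in this thread is a stop-gap rather than a fix.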



                  My unit just got downgraded.

                  Back in business!!!!!!!!!!

                  FW ACL in place!!!!!!

                  Now, the trick is how long the hub will last. This is my second unit. Only a year old, so it's got some life left.

                  When this thing goes (eventually it will), hopefully we can get an old firmware stored somewhere.

                  But for tonight: Alexa, turn the lights down, and turn up the wine fridge!

                  Thanks, Mark!!!!!!!!!!!!!!!!!!!!



                    My hub has been downgraded back to 1015 as well and the plugin is back online. The only issue I had is that when they reverted back to 1015, the username and password I set up on the hub were wiped out. I had to go back and figure out what the original (unboxing) username and password were and set those in the plugin configuration. Fortunately, I always keep really good notes on this stuff.



                      Originally posted by charlesmbell:
                      My unit just got downgraded. ...
                      Thanks for the news, charlesmbell and automateme. Did you get any kind of email alert prior?
                      Is the firmware still labeled 1016, as reported from here?
                      http://connect.insteon.com/getinfo.asp

                      thanks again.

                      randy



                        Mark,

                        Is there anything else in that beta code that would be different other than the [HUB] section?

                        I have a few devices that don't seem to be working (like wireless door sensors).

                        Any suggestions?



                          Originally posted by randy_h:
                          Thanks for the news, charlesmbell. Did you get any kind of email alert prior?
                          Is the firmware still labeled 1016, as reported from here?
                          http://connect.insteon.com/getinfo.asp

                          thanks again.

                          randy
                          No, other than I have the ultranetwork plugin pinging the hub and got an alert that it took a hit. I checked and the thing was downgraded.



                            Originally posted by charlesmbell:
                            Mark,

                            Is there anything else in that beta code that would be different other than the [HUB] section?

                            I have a few devices that don't seem to be working (like wireless door sensors).

                            Any suggestions?
                            Do a reset and reprogram from the config page. This will erase the database and reprogram the links.
                            Mark

                            HS3 Pro 4.2.19.5
                            Hardware: Insteon Serial PLM | AD2USB for Vista Alarm | HAI Omnistat2 | 1-Wire HA7E | RFXrec433 | Dahua Cameras | LiftMaster Internet Gateway | Tuya Smart Plugs
                            Plugins: Insteon (mine) | Vista Alarm (mine) | Omnistat 3 | Ultra1Wire3 | RFXCOM | HS MyQ | BLRadar | BLDenon | Tuya | Jon00 Charting | Jon00 Links
                            Platform: Windows Server 2022 Standard, i5-12600K/3.7GHz/10 core, 16GB RAM, 500GB SSD



                              Originally posted by charlesmbell:
                              no other than I have ultranetwork plugin pinging the hub and got an alert it took a hit. checked and the thing was downgraded
                              Thanks. What firmware number does the asp report?

                              randy



                                Originally posted by randy_h:
                                Thanks. What firmware number does the asp report?

                                randy

                                1015

                                Chuck

                                Sent from my iPhone using Tapatalk

