Arduino Plugin (3P): Discussions related to the Arduino plugin for HS3 by enigmatheatre

#1
March 19th, 2017, 08:02 AM
ZoRaC
Seer Plus
 
Join Date: Jul 2016
Location: Trondheim, Norway
Posts: 75
Security?

When using Ethernet-mode, how is the communication between the Arduinos and the plugin secured? Thinking about both authentication and "commands" it receives/sends.

#2
March 19th, 2017, 09:23 AM
petez69
Seer Master
 
Join Date: Oct 2005
Location: Alice Springs, Australia
Posts: 738
Quote:
Originally Posted by ZoRaC
When using Ethernet-mode, how is the communication between the Arduinos and the plugin secured? Thinking about both authentication and "commands" it receives/sends.

There is no security. If there is a concern, put the HS box and Arduinos on a private v-lan... You can run Wireshark and watch the commands from any PC that is connected to a port that can mirror to the HS switch port. The handshaking is straightforward when you watch it; equally, you can look at the INO source code before compiling and you can see how it interacts with HS.

Pete

#3
March 19th, 2017, 11:05 AM
ZoRaC
Seer Plus
 
Join Date: Jul 2016
Location: Trondheim, Norway
Posts: 75
Quote:
Originally Posted by petez69
There is no security. If there is a concern, put the HS box and Arduinos on a private v-lan... You can run Wireshark and watch the commands from any PC that is connected to a port that can mirror to the HS switch port. The handshaking is straightforward when you watch it; equally, you can look at the INO source code before compiling and you can see how it interacts with HS.

Pete

Thanks! That probably made the decision for me, to not buy the plugin.

If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to Homeseer as if it was the Arduino, then that just isn't good enough for me...

#4
March 19th, 2017, 11:57 AM
rprade
OverSeer
 
Join Date: Jan 2014
Location: Colorado
Posts: 4,657
Quote:
Originally Posted by ZoRaC
Thanks! That probably made the decision for me, to not buy the plugin.

If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to Homeseer as if it was the Arduino, then that just isn't good enough for me...

This would also be true for a Z-Net, Raspberry Pi, Ethernet to USB, Ethernet to serial, OWServer, GCIR, etc. I don't know of a single Ethernet connected device used with home automation that employs secure communications. I suppose the communications could be encrypted, but that might be a lot of overhead for an Arduino. I'm quite comfortable with my home network's isolation from the WAN with a separate firewall appliance. There are so many devices connected to my LAN, not just HomeSeer related, that can only rely on that isolation for security.

To be quite honest, I can't see someone with nefarious intent a) having access to my LAN or b) understanding the actual pin layout and functions of my Arduinos to the extent needed to do any harm.

Are you sharing your local network with other people?
__________________
Randy Prade
Aurora, CO
Prades.net

PHLocation - Pushover - EasyTrigger - WeatherXML - UltraECM3 - Ultra1Wire3 - Arduino

#5
March 19th, 2017, 05:54 PM
petez69
Seer Master
 
Join Date: Oct 2005
Location: Alice Springs, Australia
Posts: 738
Quote:
Originally Posted by ZoRaC
Thanks! That probably made the decision for me, to not buy the plugin.

If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to Homeseer as if it was the Arduino, then that just isn't good enough for me...

If you need security then you should select a product that uses secure authentication, i.e. PGP and encrypted packets. The Arduino doesn't really have the power to do this on the fly. Buy a dedicated solution like the ELK M1G, it uses a proprietary RS485 bus and that has crypto.

Again if you are so concerned with packets being intercepted, lock the MAC address down on the switch port and put your automation onto a separate VLAN. Best security is an airgap, mixing devices on a network will never be secure. This beats any crypto if the network can't be gotten to.

If you are truly concerned about security then you know your way around Wireshark and would be sniffing the packets to assess the security.

#6
March 20th, 2017, 04:58 AM
ZoRaC
Seer Plus
 
Join Date: Jul 2016
Location: Trondheim, Norway
Posts: 75
Quote:
Originally Posted by rprade
This would also be true for a Z-Net, Raspberry Pi, Ethernet to USB, Ethernet to serial, OWServer, GCIR, etc. I don't know of a single Ethernet connected device used with home automation that employs secure communications.

I hear you and I think that's a fundamental problem in the IoT-world. Security is at the bottom of the feature list... I bet Mirai also thought that using the same password on all their products wouldn't be a problem - after all, the device will be connected to a customer's LAN, where all is safe...

Quote:
Originally Posted by rprade
I suppose the communications could be encrypted, but that might be a lot of overhead for an Arduino.

That's what I ended up doing. TLS and authentication against JSON-interface of HS (a TLS-proxy between, as HS isn't exactly good at encryption either). Working great!

Quote:
Originally Posted by rprade
I'm quite comfortable with my home network's isolation from the WAN with a separate firewall appliance. There are so many devices connected to my LAN, not just HomeSeer related, that can only rely on that isolation for security.

Same here - separate VLAN for all IoT-devices, separated from other parts of the network and limited access to WAN.

Quote:
Originally Posted by rprade
To be quite honest, I can't see someone with nefarious intent a) having access to my LAN or b) understanding the actual pin layout and functions of my Arduinos to the extent needed to do any harm.

How do you define "access to your LAN"? If you mean sitting on the outside on a laptop, I agree. But what about your wifi doorbell? Wifi weatherstation? Wifi thermostat? Etc? We have no control of the security level of such devices. Maybe the doorbell could just send packets to the Arduino after seeing what packets HS sends to it?

Quote:
Originally Posted by rprade
Are you sharing your local network with other people?

Yes. Logitech, Nexmo, Fitbit, Canal Digital - just from the top of my head...

#7
March 20th, 2017, 05:01 AM
ZoRaC
Seer Plus
 
Join Date: Jul 2016
Location: Trondheim, Norway
Posts: 75
Quote:
Originally Posted by petez69
If you need security then you should select a product that uses secure authentication, i.e. PGP and encrypted packets. The Arduino doesn't really have the power to do this on the fly. Buy a dedicated solution like the ELK M1G, it uses a proprietary RS485 bus and that has crypto.

Ended up using TLS and authentication.

Quote:
Originally Posted by petez69
Again if you are so concerned with packets being intercepted, lock the MAC address down on the switch port and put your automation onto a separate VLAN. Best security is an airgap, mixing devices on a network will never be secure. This beats any crypto if the network can't be gotten to.

I'm using wifi. All IoT in a separate VLAN already.

Quote:
Originally Posted by petez69
If you are truly concerned about security then you know your way around Wireshark and would be sniffing the packets to assess the security.

Yeah, but that doesn't reveal how the plugin handles "invalid" data. Could I just pass along any command I want and the plugin will process it? Etc. And asking is a lot easier than sniffing and analyzing.
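
Added example, not part of the thread and not the plugin's protocol: a Python model of the receiver-side checks that the questions in posts #6 and #7 point at, where a command is accepted only if it carries a valid HMAC-SHA256 tag, a counter newer than the last one seen, and a body that parses to an allowed action. The frame layout, the `SET <pin> <value>` command, the key and the allowed pins are all hypothetical.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # hypothetical per-device secret, provisioned out of band
TAG_LEN = 32                    # HMAC-SHA256 output size
ALLOWED_PINS = {5, 6, 7}        # hypothetical: pins this device exposes

def seal(key, counter, command):
    """Controller side: frame = 8-byte big-endian counter | command | tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Device side: authenticate first, then check freshness, then parse."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0   # a real device must persist this across reboots

    def accept(self, frame):
        if len(frame) <= 8 + TAG_LEN:
            return (False, "short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return (False, "bad tag")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return (False, "replay")
        self.last_counter = counter
        parts = body[8:].split(b" ")
        if (len(parts) == 3 and parts[0] == b"SET" and parts[1].isdigit()
                and int(parts[1]) in ALLOWED_PINS and parts[2] in (b"0", b"1")):
            return (True, f"pin {int(parts[1])} -> {int(parts[2])}")
        return (False, "invalid command")

def demo():
    rx = Receiver(KEY)
    genuine = seal(KEY, 1, b"SET 7 1")   # constructed sample frame
    return [
        rx.accept(genuine),                                        # accepted
        rx.accept(genuine),                                        # same frame seen again
        rx.accept(seal(b"guessed-key", 2, b"SET 7 0")),            # sender without the key
        rx.accept(genuine[:8] + b"SET 7 0" + genuine[-TAG_LEN:]),  # body altered in transit
        rx.accept(seal(KEY, 2, b"SET 99 1")),                      # authentic, pin not allowed
        rx.accept(b"SET 7 1"),                                     # plain unauthenticated text
    ]
```

This gives authenticity and replay protection only; the commands stay readable on the wire, which is the part TLS adds.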

#8
March 20th, 2017, 06:44 AM
petez69
Seer Master
 
Join Date: Oct 2005
Location: Alice Springs, Australia
Posts: 738
Quote:
Originally Posted by ZoRaC
Ended up using TLS and authentication.

I'm using wifi. All IoT in a separate VLAN already.

Yeah, but that doesn't reveal how the plugin handles "invalid" data. Could I just pass along any command I want and the plugin will process it? Etc. And asking is a lot easier than sniffing and analyzing.

Greig will have to answer the question of command set. Good luck and hope you use the plugin as it's great.

All times are GMT -4.


Copyright HomeSeer Technologies, LLC