Arduino Plugin (3P) Discussions related to the Arduino plugin for HS3 by enigmatheatre

#1  March 19th, 2017, 08:02 AM  ZoRaC (Seer Plus, Trondheim, Norway)
Security?

When using Ethernet-mode, how is the communication between the Arduinos and the plugin secured? Thinking about both authentication and "commands" it receives/sends.
#2  March 19th, 2017, 09:23 AM  petez69 (Seer Master, Alice Springs, Australia)
Quote:
Originally Posted by ZoRaC View Post
When using Ethernet-mode, how is the communication between the Arduinos and the plugin secured? Thinking about both authentication and "commands" it receives/sends.
There is no security. If there is a concern, put the HS box and Arduinos on a private VLAN... You can run Wireshark and watch the commands from any PC that is connected to a port that can mirror to the HS switch port. The handshaking is straightforward when you watch it; equally, you can look at the INO source code before compiling and you can see how it interacts with HS.

Pete
#3  March 19th, 2017, 11:05 AM  ZoRaC (Seer Plus, Trondheim, Norway)
Quote:
Originally Posted by petez69 View Post
There is no security. If there is a concern, put the HS box and Arduinos on a private v-lan...You can run wireshark and watch the commands from any PC that is connected to a port that can mirror to the HS switch port. The handshaking is straight forward when you watch it, equally you can look at the INO source code before compiling and you can see how it interacts with HS.

Pete

Thanks! That probably made the decision for me, to not buy the plugin.

If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to Homeseer as if it was the Arduino, then that just isn't good enough for me...
#4  March 19th, 2017, 11:57 AM  rprade (OverSeer, Colorado)
Quote:
Originally Posted by ZoRaC View Post
Thanks! That probably made the decision for me, to not buy the plugin.

If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to Homeseer as if it was the Arduino, then that just isn't good enough for me...
This would also be true for a Z-Net, Raspberry Pi, Ethernet to USB, Ethernet to serial, OWServer, GCIR, etc. I don't know of a single Ethernet connected device used with home automation that employs secure communications. I suppose the communications could be encrypted, but that might be a lot of overhead for an Arduino. I'm quite comfortable with my home network's isolation from the WAN with a separate firewall appliance. There are so many devices connected to my LAN, not just HomeSeer related, that can only rely on that isolation for security.

To be quite honest, I can't see someone with nefarious intent a) having access to my LAN or b) understanding the actual pin layout and functions of my Arduinos to the extent needed to do any harm.

Are you sharing your local network with other people?
__________________
Randy Prade
Aurora, CO
Prades.net

"Do or do not, there is no try"
-Yoda

PHLocation - Pushover - EasyTrigger - UltraECM3 - Ultra1Wire3 - Arduino
#5  March 19th, 2017, 05:54 PM  petez69 (Seer Master, Alice Springs, Australia)
Quote:
Originally Posted by ZoRaC View Post
Thanks! That probably made the decision for me, to not buy the plugin.

If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to Homeseer as if it was the Arduino, then that just isn't good enough for me...
If you need security then you should select a product that uses secure authentication, i.e. PGP and encrypted packets. The Arduino doesn't really have the power to do this on the fly. Buy a dedicated solution like the ELK M1G; it uses a proprietary RS485 bus and that has crypto.

Again, if you are so concerned with packets being intercepted, lock the MAC address down on the switch port and put your automation onto a separate VLAN. Best security is an airgap; mixing devices on a network will never be secure. This beats any crypto if the network can't be gotten to.

If you are truly concerned about security then you know your way around wireshark and would be sniffing the packets to assess the security.
#6  March 20th, 2017, 04:58 AM  ZoRaC (Seer Plus, Trondheim, Norway)
Quote:
Originally Posted by rprade View Post
This would also be true for a Z-Net, Raspberry Pi, Ethernet to USB, Ethernet to serial, OWServer, GCIR, etc. I don't know of a single Ethernet connected device used with home automation that employs secure communications.
I hear you and I think that's a fundamental problem in the IoT world. Security is at the bottom of the feature list... I bet Mirai also thought that using the same password on all their products wouldn't be a problem - after all, the device will be connected to a customer's LAN, where all is safe...

Quote:
Originally Posted by rprade View Post
I suppose the communications could be encrypted, but that might be a lot of overhead for an Arduino.
That's what I ended up doing. TLS and authentication against JSON-interface of HS (a TLS-proxy between, as HS isn't exactly good at encryption either). Working great!
Quote:
Originally Posted by rprade View Post
I'm quite comfortable with my home network's isolation from the WAN with a separate firewall appliance. There are so many devices connected to my LAN, not just HomeSeer related, that can only rely on that isolation for security.
Same here - separate VLAN for all IoT-devices, separated from other parts of the network and limited access to WAN.

Quote:
Originally Posted by rprade View Post
To be quite honest, I can't see someone with nefarious intent a) having access to my LAN or b) understanding the actual pin layout and functions of my Arduinos to the extent needed to do any harm.
How do you define "access to your LAN"? If you mean sitting on the outside on a laptop, I agree. But what about your wifi doorbell? Wifi weatherstation? Wifi thermostat? Etc? We have no control of the security level of such devices. Maybe the doorbell could just send packets to the Arduino after seeing what packets HS sends to it?

Quote:
Originally Posted by rprade View Post
Are you sharing your local network with other people?
Yes. Logitech, Nexmo, Fitbit, Canal Digital - just from the top of my head...
#7  March 20th, 2017, 05:01 AM  ZoRaC (Seer Plus, Trondheim, Norway)
Quote:
Originally Posted by petez69 View Post
If you need security then you should select a product that uses secure authentication ie: PGP and encrypted packets. The Arduino doesn't really have the power to do this on the fly. Buy a dedicated solution like the ELK M1G, it uses a proprietary RS485 bus and that has crypto..
Ended up using TLS and authentication.

Quote:
Originally Posted by petez69 View Post
Again if you are so concerned with packets being intercepted, lock the mac address down on the switch port and put your automation onto a seperate VLAN. Best security is an airgap, mixing devices on a network will never be secure. This beats any crypto if the network cant be gotten to
I'm using wifi. All IoT in a separate VLAN already.

Quote:
Originally Posted by petez69 View Post
If you are truly concerned about security then you know your way around wireshark and would be sniffing the packets to assess the security.
Yeah, but that doesn't reveal how the plugin handles "invalid" data. Could I just pass along any command I want and the plugin will process it? Etc. And asking is a lot easier than sniffing and analyzing.
#8  March 20th, 2017, 06:44 AM  petez69 (Seer Master, Alice Springs, Australia)
Quote:
Originally Posted by ZoRaC View Post
Ended up using TLS and authentication.

I'm using wifi. All IoT in a separate VLAN already.

Yeah, but that doesn't reveal how the plugin handles "invalid" data. Could I just pass along any command I want and the plugin will process it? Etc. And asking is a lot easier than sniffing and analyzing.
Greig will have to answer the question of command set. Good luck and hope you use the plugin as it's great.

#9  October 13th, 2017, 01:44 PM  Archcantor (Seer, CT)
You could always run an Arduino over USB and eliminate the network completely. Of course you have to use Wifi with NodeMCU but the other variants can be on USB.
#10  October 14th, 2017, 03:58 PM  logbuilder (Seer Master, Pacific North West)
ZoRaC does have a valid concern and I share that concern. I'd love to work on bringing some sort of secured sockets to the plugin. I'm no guru on SSL but seems to me that you can't do SSL on UDP ports, only TCP. Is that right? If so, that creates a real challenge.
#11  October 14th, 2017, 06:12 PM  reidfo (Seer Master, FL and TX)
Quote:
Originally Posted by logbuilder View Post
ZoRaC does have a valid concern and I share that concern. I'd love to work on bringing some sort of secured sockets to the plugin. I'm no guru on SSL but seems to me that you can't do SSL on UDP ports, only TCP. Is that right? If so, that creates a real challenge.
Correct, SSL (TLS really these days) requires a TCP connection. UDP is connectionless, so there is no way to secure it using TLS. In theory you could secure UDP communication using either pre-shared keys or a proprietary key exchange protocol and token, but that's a lot of work.

I do echo the sentiments of others here that security needs to be top of mind in automation and IoT. Ignoring it because "who would want to control my xxxxx" or "it's on a LAN" is a flawed way of thinking. We've all heard stories of how companies and governments have been compromised by unsecured printers and thermostats. There are stories of DVRs being used as slaves in botnets. Security must be built into products and devices and should never be an afterthought or something for paranoid folks only. It's actually the people who don't know much about security who need it most!
__________________
Gearhouse Club Member
HS Pro 3.0 | Linux Ubuntu 16.04 virtualized under Proxmox (KVM)
Hardware: Z-NET - W800 Serial - Digi PortServer TS/8 and TS/16 serial to Ethernet - Insteon PLM - RFXCOM - X10 Wireless
Plugins: HSTouch iOS and Android, RFXCOM, BLLock, BLDSC, BLRF, Insteon PLM (MNSandler), BeakerStat, Device History
Second home: Zee S2 with Z-Wave, CT100 Z-Wave Thermostat, Aeotec Z-Wave microswitches, HSM200 occupancy sensor, Ecolink Z-Wave door sensors, STI Driveway Monitor interfaced to Zee S2 GPIO pins.
Author of BeakerStat, the Radio Thermostat WiFi thermostat plugin for HS2.
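The pre-shared-key option reidfo mentions above, worked through as an added example that is neither the plugin's nor any poster's code: each UDP datagram carries a device id, a monotonic counter and a truncated HMAC-SHA256 tag, so a rogue device on the same VLAN can neither forge an Arduino's status report nor replay an old one. The key, the device id and the `pin13=1` payload are constructed values; the plugin's real wire format is not reproduced here.

```python
import hmac
import hashlib
import struct

# Constructed demo key: in practice a per-device key provisioned out of band.
DEMO_PSK = bytes.fromhex("6f1d2a9c4b7e30d5a1f8c2e9b3d4075c8e1a6f3b9d2c7e4a5f0b8d1c3e6a9f2b")

HEADER = struct.Struct("!HI")   # device_id (16-bit), message counter (32-bit)
TAG_LEN = 16                    # truncated HMAC-SHA256 tag carried on the wire


def seal(psk: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header | payload | tag. The tag covers header and payload,
    so neither the command text nor the counter can be altered in transit."""
    header = HEADER.pack(device_id, counter)
    tag = hmac.new(psk, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag and rejects replayed datagrams."""

    def __init__(self, psk: bytes) -> None:
        self.psk = psk
        self.last_counter: dict[int, int] = {}   # highest counter seen per device

    def open(self, datagram: bytes):
        """Return (device_id, payload) for an authentic, fresh datagram, else None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.psk, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        device_id, counter = HEADER.unpack(body[:HEADER.size])
        if counter <= self.last_counter.get(device_id, -1):
            return None                               # replay or stale duplicate
        self.last_counter[device_id] = counter
        return device_id, body[HEADER.size:]


if __name__ == "__main__":
    # Constructed sample: device 7 reports a pin state to the controller.
    rx = Receiver(DEMO_PSK)
    msg = seal(DEMO_PSK, 7, 1, b"pin13=1")
    print(rx.open(msg))          # (7, b'pin13=1')
    print(rx.open(msg))          # None: same counter, replay rejected
    forged = msg[:-1] + bytes([msg[-1] ^ 0x01])
    print(rx.open(forged))       # None: tag mismatch
```

The counter must survive a reboot on the sender (e.g. stored in EEPROM), otherwise the receiver will discard every message until it catches up with the highest counter it has already seen.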
#12  October 15th, 2017, 02:02 AM  logbuilder (Seer Master, Pacific North West)
Is there a good reason why the plugin could not use TCP ports only? If we were talking hundreds of devices, I see the benefit of UDP. However, listening on ports unique to each device is not that much overhead given the number of devices that are normally supported by the PI.

If everything was TCP, we could work towards some sort of encrypted messaging. Maybe not certificate based but otherwise adequate.