IOT WiFi security
HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins: 2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave, Alexa, HomeKit
-
I for one should think you should not log into them remotely but control them locally using the MQTT plugins for HomeSeer ===> Simple ===> create events to trigger them using those plugins locally!
Check this guy out : https://www.youtube.com/watch?v=vL54JfldB4Y
Eman.
TinkerLand : Life's Choices, "No One Size Fits All"
-
Originally posted by Eman:
I for one should think you should not log into them remotely but control them locally using the MQTT plugins for HomeSeer ===> Simple ===> create events to trigger them using those plugins locally!
Eman.
How do we lock down our networks to prevent hacking. I’m ok with WiFi because my WiFi does not reach outside my house. But these devices, once connected to my LAN could conceivably send info out to the web. Am I being paranoid?
Steve Q
-
Originally posted by Steve Q:
Thanks, I am pursuing using MQTT for local control. But this requires the Sonoff devices to be reprogrammed with Tasmota software, which is freeware. They are still communicating via WiFi. Furthermore, it is my understanding that they can be reprogrammed OTA.
How do we lock down our networks to prevent hacking. I’m ok with WiFi because my WiFi does not reach outside my house. But these devices, once connected to my LAN could conceivably send info out to the web. Am I being paranoid?
Steve Q
Simple!
Some routers like the new ASUS routers can block out connections using mac addresses or even use the more advanced routers like the MikroTik which can block out regions!
No, you are not paranoid, but if you get to the nitty gritty of networking you segment your network, even using segmentation
===> VLANs ==== Big topic
Another way of thinking about the local connection is, for example, the Tasker Plugin or the PHLocation Plugin: both can use MyHomeSeer to communicate with your server, thus bypassing the direct connection.
Edit : More on that =====> https://www.youtube.com/watch?v=E03gh1huvW4
Eman.
Last edited by Eman; March 14, 2018, 06:33 PM.
-
Originally posted by Eman:
Simple!
Some routers like the new ASUS routers can block out connections using MAC addresses, or even use the more advanced routers like the MikroTik which can block out regions!
No, you are not paranoid, but if you get to the nitty gritty of networking you segment your network, even using segmentation
===> VLANs ==== Big topic
Another way of thinking about the local connection is, for example, the Tasker Plugin or the PHLocation Plugin: both can use MyHomeSeer to communicate with your server, thus bypassing the direct connection.
Eman.
Steve
I did not see that you attached a video. I will watch it.
-
Originally posted by Steve Q:
Thanks, what about using a dedicated wireless router for IOT devices? I have several old Linksys routers. I also have a guest network on my primary Apple AirPort Extreme. I believe the guest network blocks access to your LAN. Buying a new router is not an option for me.
Steve
I did not see that you attached a video. I will watch it.
Exactly,
That's what I meant: when you use MQTT the devices can communicate locally without going on the internet! ====> Topics are published and subscribed to locally. ===> Example, this plugin : http://dzjee.xs4all.nl/hs3/mqtt/mqtt.html You can publish a custom topic of your liking and have all types of actions you like in HomeSeer. Say if you had a button to trigger the action from HSTouch ====> You create an event ===> MQTT : Publish custom topic ====> Anything =====>
Then you would have all devices triggered locally!
So to round it up: if someone was particularly interested in your home network they would have to be close to your house in order to hack your devices, but I can't say the same for the Amazon Echo! Or if your HomeSeer server was completely hacked!
EDIT: But if you must insist here is a good topic about that : https://github.com/arendst/Sonoff-Ta...T-from-hacking
Eman.
Last edited by Eman; March 14, 2018, 07:49 PM.
-
Wow! You have done a lot of work to keep the hackers out. What you have done is way beyond my meager network knowledge. It’s way over my head! I’ve got a lot of learning to do!
Thanks for the detailed description of your network.
Steve Q
-
Actually the major vendor Tuya is Chinese based, but their network is hosted on AWS in various regions (Oregon for the US). You do need the devices to have cloud access to register them (which gives you the secret key needed to control them), but once you have that you can 100% control them on the local LAN via TCP OR control them via MQTT. MQTT is great if the device is not on the local network (say an outbuilding), but for those you can reach via TCP there is no reason you can't block network access for those devices (WAN access) and just control them locally.
FYI I'm writing a plugin for these devices. I have all the device control done, just working now on merging it into HS proper.
-
-
Originally posted by Steve Q:
Actually, I'm now into MQTT in a big way. I'm using the mcsMQTT plugin for HS3. It works very well and I can control all my Sonoff devices.
What products are manufactured by Tuya and how does this secret code work? I’ve not seen anything about this?
Steve Q
If you search Amazon for SmartLife wifi or Annhome wifi (there are quite a few different manufacturers all using the Tuya services). Tuya is behind 'Smartlife' as their generic brand. Annhome is just rebranded (there are a bunch of rebranded ones).
But all the devices are generic in that they connect to the Tuya backend based on a registration which binds you into a silo of devices based on the application's registration keys. So registering a device with the Smartlife app under user@email.com may be completely independent from registering a device on the Annhome app under the same user@email.com (even though they share the backend).
Devices come with a local default key to communicate with, but once they get wifi information and connect to the network they register themselves on the backend and are provisioned with a security key used to encrypt/decrypt commands to them (this key changes on each registration, but the deviceID does not, so it's easy to pick up re-registered devices).
The devices support MQTT and local TCP. Right now I fully support both, opting to use local TCP when the device is reachable via TCP and falling back to MQTT automatically when it is not.
I've been actually pleasantly surprised with the quality of the backend and the devices given their price points.
The biggest issue is being clear on device capabilities. For example these plugs:
https://www.amazon.com/Compatible-Re...ife+wifi&psc=1
offer simply on/off and a timer support while these:
https://www.amazon.com/gp/product/B0...?ie=UTF8&psc=1
support independent relays and power line (volt, amp, watts) reporting.
Sometimes it's hard to tease out the capabilities without trying one, so I'm starting to document the ones I've gotten (those little dual relay devices above are actually cool and I plan to feed their stat information into the HS power usage API so power tracking is automatic).
Here is an example of an LED bulb: https://www.amazon.com/Compatible-Br...words=tuya+led Their physical quality is very similar to the Hue line, but at $16 I can buy 2-4 for what a Hue costs me!
-
Hi, bsobel
Originally posted by bsobel:
Actually the major vendor Tuya is Chinese based, but their network is hosted on AWS in various regions (Oregon for the US). You do need the devices to have cloud access to register them (which gives you the secret key needed to control them), but once you have that you can 100% control them on the local LAN via TCP OR control them via MQTT. MQTT is great if the device is not on the local network (say an outbuilding), but for those you can reach via TCP there is no reason you can't block network access for those devices (WAN access) and just control them locally.
FYI I'm writing a plugin for these devices. I have all the device control done, just working now on merging it into HS proper.
I just bought two switches for my shutter made by Tuya to replace the X10 SW10 switch.
https://global.tuya.com/product/spd3bde0cf8450013.html
Can you tell me where you are with your plugin?
Is it possible to drive them directly by MQTT (mcsMQTT)?
Thank you for your reply.
Jean-Francois.
-
Originally posted by jfla:
Hi, bsobel
is it possible to drive them directly by MQTT (mcsMQTT)
Jean-Francois.
Hi. I now have account creation and deletion done, so it's ready for testing. Now the usual disclaimers: this is a beta version, there are very likely to be problems. I am, however, running it full time on my system as well.
http://download.casapiedrasoftware.i...r_override.txt
Put that file into your HS directory then the updater should pick it up and let you install from there. Go into the configuration page, add an account and validate it (after you enter your email/password Tuya will email you a confirmation code). Post that you can begin linking devices to the account. Remember that due to how Tuya does their backend, devices you add to this account will be 'different' than devices in the SmartLife app (even if you use the same email address). So you will not be able to use the SmartLife app to control any devices added here, but you could then use HSMobile, ImperiHome, etc to control all of your devices (Tuya and others) in the same place.
Please please send me any feedback, issues, concerns, suggestions, etc
Best
Bill
-
Here utilizing a Micro Travel router which runs a Mosquitto broker, tiny antennas, OpenWRT. Tinkering with hardware GPIO ports, bit banging for RTC clock, et al. Some folks even have Node Red running on the OpenWRT OS.
As mentioned above now you only need to JTAG once then you can utilize OTA afterwards.
Only have 4 Wifi modded firmware devices up at this time. The SonOff / other Wifi devices all appear to have a common and programmable ESP chip. It is easier and more cost effective to modify an existing wifi board than to bread board an a la carte device for me.
Checking timing to my analog wired alarm panel garage stuff and it is fast or faster response times.
- Pete
Auto mator
Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11
X10, UPB, Zigbee, ZWave and Wifi MQTT automation - Tasmota - Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant
-
Originally posted by Kerat:
IOT WiFi security
So, IOT has multiple vectors of attack. I would say the least of which is poor security built into the device itself. An example of this is the cheap gray market IP cameras that are sold. Often they have very lax security built into their underlying operating systems that allows access to root level command and control and remote code execution. This can be done from continents away. That, combined with the fact that many of them phone home using a tunneling configuration that often crosses over your home router's firewall, makes them difficult to mitigate once they are on your network.
Then there is the fact that these IOT devices then also have your WiFi network's passphrase.
I divide IOT devices into three categories:
1. Devices that need access to the Internet (but don't need access to your internal network).
2. Devices that need access to your internal network but don't need access to the Internet.
3. Devices that need access to the Internet and your internal network. Type three devices actually pose the greatest risk to your network. Be very careful allowing these on your internal LAN.
An amazon dot is a great example of a type 1 IOT device.
An IP camera that is connected to a NVR in your home is a great example of a type 2 IOT device.
I run HS3 and use BLLAN to monitor and automatically shutdown, power on LAN, and reboot my network and server equipment. I also need HS3 to access the myhs in order for my dot to control my home Zwave network. In this case HS3 is an example of a type 3 IOT device.
At home I have a:
1. A 2 port mini PC running PFsense as my firewall.
2. A managed Ubiquiti 24 port POE switch.
3. A Ubiquiti wireless AP for my home network.
A Vlan is simply a virtual LAN (Local Area Network). Think of your home router as hosting a single LAN. Well a Vlan is a method of using a single group of network devices to host multiple VLANS. Originally this was done in order to allow more than 1024 ethernet nodes in a single business environment without forcing an organization to purchase incrementally more network equipment. Within a home network VLANS can be put to different use.
For example, on my network I host 4 VLANS:
1. A Vlan for my network equipment that limits TCP/UDP port access from the rest of my VLANS. This protects my network equipment from a potential internal attack.
2. A Vlan for my internal computers. This vlan has access to the rest of the internal network and the Internet.
3. A guest network Vlan. This network only has access to the Internet. I also isolate each device on this network from the others.
4. A local only IOT network. No access to the Internet. Only access to the NVR on the specific TCP/UDP port required. I also isolate each device on this network from the others.
In this case I am using VLANS to allow me to identify types of equipment and traffic. I then create firewall rules that allow or deny traffic from one Vlan to another, or from one vlan to the public Internet.
The Ubiquiti wireless AP I have can support up to four separate SSIDs. So, I have an internal WiFi network, a guest WiFi network, and if I ever need it a separate local only IOT WiFi network.
I force Type 1 IOT devices to my guest network. I force type 2 IOT devices onto my local only IOT network. I allow type three IOT devices on my internal VLAN.
Doing some of what I have done above would provide you with a relatively high level of segregation between untrusted and trusted systems. The only other thing I would advise is beefing up your DNS query security, and automatically block communication with known malicious IP sources.
Here, I went a step further. I have extra layers of security in my network. I run
1. IDS on all traffic that travels between the VLANs or the public Internet and my VLANS. Any out of normal traffic is banned.
2. I then use public DNS block lists to deny dns requests for known malicious, ad based, or illicit content.
3. I then use public IP block lists for known malicious, ad based, or illicit content.
4. I then have a web proxy with network level A/V scanning enforced on my internal network running on my home firewall.
5. Lastly, I run a separate anti-malware client on my computer systems on my internal network.
6. I even do tricky stuff with my publicly accessible services to potential attackers.
If they get through my defenses they are really good.
How did you learn all that, and how could someone else do the same?
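The three device types and the per-VLAN allow/deny policy in the quoted post, modelled as a first-match rule table. This is an added Python example, not code from the thread or from pfSense; the VLAN and host names and the port numbers are constructed, and the choice that the management VLAN accepts only HTTPS from the internal VLAN is an assumption about what "limits TCP/UDP port access" means.

```python
# Added example (not from the thread): the post's three IoT types and inter-VLAN
# policy as a first-match rule table; VLAN/host names and ports are constructed.
from dataclasses import dataclass
from typing import List, Optional

INTERNET = "internet"   # pseudo-destination standing in for the WAN
ANY = "*"

@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    dst_host: Optional[str]   # None = any host on dst_vlan
    port: Optional[int]       # None = any TCP/UDP port
    allow: bool

@dataclass(frozen=True)
class Flow:
    src_vlan: str
    dst_vlan: str
    dst_host: str
    port: int

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_vlan in (ANY, flow.src_vlan)
            and rule.dst_vlan in (ANY, flow.dst_vlan)
            and rule.dst_host in (None, flow.dst_host)
            and rule.port in (None, flow.port))

# Rules mirroring the four VLANs in the post; the final default deny is what
# keeps guest and IoT traffic off the LAN and, for IoT, off the Internet.
RULES: List[Rule] = [
    Rule("internal", "mgmt", None, 443, True),     # assumption: admin UI only
    Rule("internal", "internal", None, None, True),
    Rule("internal", "iot", None, None, True),     # HS3 may talk to IoT gear
    Rule("internal", INTERNET, None, None, True),  # type-3 devices live here
    Rule("guest", INTERNET, None, None, True),     # type-1: Internet only
    Rule("iot", "internal", "nvr", 554, True),     # type-2: NVR, single port
    Rule(ANY, ANY, None, None, False),             # default deny
]
PLACEMENT = {1: "guest", 2: "iot", 3: "internal"}  # post's type -> VLAN

def allowed(flow: Flow, rules: List[Rule] = RULES) -> bool:
    """The first matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.allow
    return False

def device_can_reach(device_type: int, dst_vlan: str, host: str, port: int) -> bool:
    return allowed(Flow(PLACEMENT[device_type], dst_vlan, host, port))
```

A type-2 camera can therefore reach only the NVR on its one port, while a type-1 device on the guest VLAN sees nothing but the Internet; any new device is placed by type rather than by ad hoc rule.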