Z-Net underlying OS updates

    I wasn't able to readily find this information so I figured I would just ask.

    Should we be applying OS updates on the Z-Net? Looks like there are some items that have CVEs attached to them that need to be installed on a newly purchased Z-Net.

    Are there any functionality concerns over changing the default user name and password?

    Are there any functionality concerns with narrowing the configuration in iptables to only allow traffic from devices that need to communicate to the Z-Net like the Homeseer server?

    Are there secure configurations or baselines available for the Z-Net?

    #2
    I went ahead and took the plunge and updated my z-net. I saw that it was recommended in some of the older threads on the forum so I thought it would have been safe. Now my HS3 logs are filled with
    Code:
    Z-NET1: Cannot connect to Z-Wave Ethernet at IP 192.168.5.144 port: 2001, Ex=No connection could be made because the target machine actively refused it 192.168.5.144:2001
    Any suggestions on how I can recover my Z-Net?



      #3
      If it ain't broke ... Tech support typically recommends against updating these units.



        #4
        Originally posted by CyberRad:
        I went ahead and took the plunge and updated my z-net. I saw that it was recommended in some of the older threads on the forum so I thought it would have been safe. Now my HS3 logs are filled with
        Code:
        Z-NET1: Cannot connect to Z-Wave Ethernet at IP 192.168.5.144 port: 2001, Ex=No connection could be made because the target machine actively refused it 192.168.5.144:2001
        Any suggestions on how I can recover my Z-Net?
        I found that updating via
        sudo apt-get update
        sudo apt-get dist-upgrade

        worked without issue on the newer v2 znet (jessie OS), but was a different story when I tried on the original v1 (wheezy OS). You can tell what OS version you have via
        uname -a
        or
        cat /etc/os-release

        In your case, it looks like the ser2net daemon, which is configured to listen on port 2001, may not be running.

        See this post for a link to a v2 image, revision 1.0.17
        https://forums.homeseer.com/showpost...9&postcount=39



          #5
          Originally posted by Rupp:
          If it ain't broke ...
          That is a very archaic stance. The Z-Net is nothing more than a Raspberry Pi with a Debian OS (Raspbian 8). By your statement you are suggesting (and tech support agrees) that we just leave these vulnerable items on our network and not touch them. I realize I am an FNG in this community but I believe the thinking needs to be changed on this.

          For those that run into this issue you can downgrade the Raspberry Pi kernel.
          Running ser2net showed the following:
          Code:
          Unable to determine hardware version. I see: Hardware : BCM2835, - expecting BCM2708 or BCM2709.
          A little research led me to the following post: https://www.raspberrypi.org/forums/v...c.php?t=182191 for wiringPi
          This then led me to https://isahatipoglu.com/2015/09/29/...raspberry-pi2/.

          Instructions from that page:
          First, install rpi-update
          sudo apt-get install rpi-update

          Then, go to the firmware repository of rpi: https://github.com/Hexxeh/rpi-firmware/commits/master



            #6
            Originally posted by zwolfpack:
            I found that updating via
            sudo apt-get update
            sudo apt-get dist-upgrade

            worked without issue on the newer v2 znet (jessie OS), but was a different story when I tried on the original v1 (wheezy OS). You can tell what OS version you have via
            uname -a
            or
            cat /etc/os-release

            In your case, it looks like the ser2net daemon, which is configured to listen on port 2001, may not be running.

            See this post for a link to a v2 image, revision 1.0.17
            https://forums.homeseer.com/showpost...9&postcount=39
            Interesting, the Z-Net I have is running Jessie but I ran into the issue. I was able to restore functionality to the ser2net daemon by downgrading the kernel. Any thoughts on which kernel I could safely go to before issues would arise?



              #7
              I'm fully up to date with the latest jessie on one unit and latest stretch on another. Running latest ser2net 3.5 built from source with wiringPi compiled in. No issues.

              Might be something simple. Check if ser2net is getting started:

              ps -fwC ser2net

              ser2net gets started from /etc/rc.local.

              In response to your original question - if the earlier answer "Tech support typically recommends against updating these units" isn't enough of a clue... if you know a bit about Linux and a bit about security, poke around the znet build and you'll quickly realize that you know as much about Linux and certainly care more about security than whomever coded that. You'd be better off building your own OS from scratch and installing ser2net.

              ser2net itself isn't secure (no options for authentication or encryption). It does have an option to compile in TCP wrappers, which serves a similar function to iptables and is easy to configure. I have mine set up to only allow connections from my server. I'd also recommend running it as a non-root user.

              And disable or password protect the web interface!
              https://forums.homeseer.com/showpost...8&postcount=23

              PS check out the last post in that thread - 12/2016 "Adding a password for the config page is on the todo list for the Z-Net." LOL still waiting!

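As an added example for this thread (not code from HomeSeer or from any of the posters): a small POSIX shell script that checks whether ser2net is running and as which user, checks that something is listening on TCP 2001, and prints the iptables and TCP wrappers rules that would restrict that port to the HomeSeer server. The HomeSeer server address is a placeholder passed as an argument, port 2001 comes from the thread, and the service name `ser2net` in hosts.allow is an assumption about how a TCP-wrappers build of ser2net identifies itself.

```shell
#!/bin/sh
# Added example for this thread (not from HomeSeer or from any poster):
# helpers for checking the ser2net listener on a Z-Net and for generating
# the access restrictions discussed above.
# Assumptions (placeholders, not values from the thread): the HomeSeer
# server address is passed on the command line, ser2net listens on TCP 2001,
# and a ser2net built with TCP wrappers registers as "ser2net" in hosts.allow.

SER2NET_PORT="${SER2NET_PORT:-2001}"

# iptables rules: accept TCP/2001 only from the HomeSeer server, drop the rest.
# Printed, not applied, so they can be reviewed before going into rc.local or
# an iptables-restore file.
znet_iptables_rules() {
    hs_ip="$1"
    port="${2:-$SER2NET_PORT}"
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport $port -s $hs_ip -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# TCP wrappers equivalent: one line for /etc/hosts.allow, one for /etc/hosts.deny.
znet_tcpwrappers_rules() {
    hs_ip="$1"
    printf 'hosts.allow: ser2net: %s\n' "$hs_ip"
    printf 'hosts.deny:  ser2net: ALL\n'
}

# The first field of a `ps -f` line is the UID the process runs as.
ps_line_user() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Exit 0 if the given `ps -f` line shows ser2net running as root (the
# configuration the thread recommends against), 1 otherwise.
ps_line_is_root() {
    [ "$(ps_line_user "$1")" = "root" ]
}

# Exit 0 if an `ss -ltn` / `netstat -ltn` style listing shows a TCP listener
# on the given port, 1 otherwise. Requires whitespace after the port so that
# 2001 does not match 20010.
listing_has_listener() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | grep -q -E "[:.]${port}[[:space:]]"
}

# Live check on the Z-Net, only when invoked as: sh znet-check.sh --check <homeseer-ip>
if [ "${1:-}" = "--check" ]; then
    hs_ip="${2:?homeseer server ip required}"
    # ps -fwC prints a header line first; the second line is the process itself
    line="$(ps -fwC ser2net | sed -n 2p)"
    if [ -z "$line" ]; then
        echo "ser2net is not running (it is normally started from /etc/rc.local)"
    elif ps_line_is_root "$line"; then
        echo "ser2net is running as root; consider a dedicated non-root user"
    else
        echo "ser2net is running as $(ps_line_user "$line")"
    fi
    if listing_has_listener "$SER2NET_PORT" "$(ss -ltn 2>/dev/null || netstat -ltn)"; then
        echo "TCP $SER2NET_PORT is listening"
    else
        echo "nothing is listening on TCP $SER2NET_PORT"
    fi
    echo "Suggested rules for HomeSeer at $hs_ip:"
    znet_iptables_rules "$hs_ip"
    znet_tcpwrappers_rules "$hs_ip"
fi
```

Run it on the Z-Net as `sh znet-check.sh --check <homeseer-ip>`. The rules are printed rather than applied so they can be reviewed first and then added to /etc/rc.local next to the ser2net start, or loaded with iptables-restore; the TCP wrappers lines only take effect if the installed ser2net was compiled with wrapper support, as the post above notes.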


                #8
                Yeah I noticed those other issues as well but wanted to start with updating the OS. I was thinking about sending in a vulnerability report to their support email address to make sure they are notified of potential issues. This way they can't plead ignorance when something does happen.

                What are your thoughts on building a community Z-Net image? Something that will make it easy for the community to ensure that their Z-Net device is as secure as can be made.



                  #9
                  Send an email to support asking for the image download - at one time, I thought they had the Z-Net images on their ftp site, but that may have changed. You need to tell them which Gen Z-Net you have.
                  HS4Pro on a Raspberry Pi4
                  54 Z-Wave Nodes / 21 Zigbee Devices / 108 Events / 767 Devices
                  Plugins: Z-Wave / Zigbee Plus / EasyTrigger / AK Weather / OMNI

                  HSTouch Clients: 1 Android



                    #10
                    Originally posted by rmasonjr:
                    Send an email to support asking for the image download - at one time, I thought they had the Z-Net images on their ftp site, but that may have changed. You need to tell them which Gen Z-Net you have.
                    I talked with them yesterday and the only option to recover the Z-Net was a $20 SD card with their image. An image download was never offered. The person I was talking to seemed to be annoyed that I even went into the OS and that I was asking a bunch of security questions about the product.

                    Either way the actual issue of being yet another unsecured IoT device is the bigger issue here. zwolfpack brought up these issues a year ago and as far as I can tell no one from the company has addressed them. It is unfortunate.



                      #11
                      I think it's foolish to ignore security issues. There's a ton of ways they can build in update functionality, even if they only want to allow approved updates that don't break the serial connection.

                      Waiting until there's a breach of some kind will be too late. They will lose credibility.

                      In the future I'd grab some backups of your sd card periodically. That way you don't have to crawl back to support when something breaks.

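An added example of the periodic SD card backup suggested in the post above (not code from the thread or from HomeSeer): image the card to a dated file, record a SHA-256 checksum beside it, and verify the image against that checksum before relying on it. The device path is a placeholder; the card should be imaged with the Z-Net powered off (card in a reader on another machine) so the filesystem is not changing underneath the copy.

```shell
#!/bin/sh
# Added example (not from the thread): image an SD card to a dated file and
# verify the copy. Assumptions: the card shows up as a block device such as
# /dev/mmcblk0 (placeholder) and is not mounted read-write while imaging.

# Build the output path: <dir>/znet-<YYYYMMDD>.img (date defaults to today).
backup_image_name() {
    dir="$1"
    day="${2:-$(date +%Y%m%d)}"
    printf '%s/znet-%s.img\n' "$dir" "$day"
}

# Copy the device to the image and record its SHA-256 next to it.
# Returns non-zero if dd or the checksum step fails.
backup_sd_card() {
    dev="$1"
    out="$2"
    dd if="$dev" of="$out" bs=4M || return 1
    sync
    (cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256")
}

# Exit 0 only if the image still matches its recorded checksum.
verify_backup() {
    out="$1"
    (cd "$(dirname "$out")" && sha256sum -c --status "$(basename "$out").sha256")
}

# Usage on a workstation with the card in a reader (placeholder device path):
#   img="$(backup_image_name /srv/backups)"
#   backup_sd_card /dev/mmcblk0 "$img" && verify_backup "$img"
```

Keep the `.sha256` file with the image; re-running `verify_backup` before restoring catches a corrupted or partially copied image, which is the failure you would otherwise only discover after writing it back to a card.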


                        #12
                        Originally posted by CyberRad:
                        Yeah I noticed those other issues as well but wanted to start with updating the OS. I was thinking about sending in a vulnerability report to their support email address to make sure they are notified of potential issues. This way they can't plead ignorance when something does happen.

                        What are your thoughts on building a community Z-Net image? Something that will make it easy for the community to ensure that their Z-Net device is as secure as can be made.
                        Has anyone taken up the task of a community Z-Net image? I have ignored my Z-Net for years, but a few weeks ago I realized it hadn't had any security updates in a long time, so I applied apt-get update/apt-get upgrade. When the Z-Net rebooted, it didn't open port 2001 for inbound traffic. I have 6 general purpose LINUX (Ubuntu) systems and check them several times each week for updates. I don't like having a LINUX based computer on my network without adequate security updates (I also don't like having a computer on my network where unknown people know the password for root, but I don't). HS should not use root for restore operations to the Z-Net. There should be a dedicated user id with a password that has non-printable characters - and lots of them - for that purpose. Use of root over the network violates soooooo many security policies.



                          #13
                          Not that I have seen. I just went ahead and put it on its own network with very strict ACLs.



                            #14
                            Yes, putting them on a VPN is a good approach, only I can't do that. I have 2 routers and a wireless shot between house and barn.

                            As others have mentioned, having a device on your network that can't be kept current is bad.
