This is more directed to HomeSeer developers. It may sound like a rant, but it is not. It's more a plea to HomeSeer to adopt better practices. Security is important in network applications.
HS3Pro has some security-related options like building a users list with different accesses like guest, normal and admin. It also has an option called: "No Password Required for Local/Same Network Login (Web Browser/HSTouch)", along with a few others.
With this, my guess is developers are somewhat security inclined, which makes sense with an application that controls various functionalities in your house and can possibly be accessible from the net.
So why is it that 2 of the most common tools used with HS, namely Speaker and Z-Tool, require you to lower your security settings below an acceptable standard?
The issue with Speaker stems from the fact it must be used along with the so-called user 'default'. In my systems, such a user, known to the entire planet, normally gets deactivated if not deleted. I initially set it to 'No Access' as I didn't have the need for it.
This is when I started getting the error "Speaker host connection refused from 127.0.0.1 User: default User does not exist, does not have adequate rights, or the password is incorrect."
So I created a user specifically for that with normal + local access, set the HS-Touch user properties to that user and then updated the user in the Speaker client config.
That worked for local speaker Client access. But I was still getting the default user error in the log. Moved to configure the Speaker client on another machine on the network. This time I had to up the speaker user access to admin + local for it to connect and somewhat work (I have another issue with that I will post in another thread). At this point, I'm now getting the default user error twice in the log, 1 for the HS machine and one for the workstation.
The only way to clear the error from the log is to use the default user within HS Touch and the speaker clients.
In my book, this is a security flaw that needs to be addressed. Even if you can change the default user password.
For the Z-tool mobile app, it's a different issue.
When it detects your HomeSeer IP, the message from the Android version is rather clear: "Permission denied at HomeSeer, make sure 'No Password Required for Local Network Login' is checked in HomeSeer setup: Response status code does not indicate success: 401()."
The Apple iOS app is not so friendly though. It just says: "Error GetInterfacesList Response status code does not indicate success: 401()."
Try to figure out what's going on now...
Again, why does an external tool force us to lower our security? I thought I'd found an easier way to manage Z-Wave devices. Apparently not, because I won't bend on this one and lower my network security. Everything on my network requires a user/password to connect to it.
HS Touch uses a stored user/password to access. Why not make the other tools do the same? It's not that hard to prompt for that information and ensure a minimum of security.