When using Ethernet mode, how is the communication between the Arduinos and the plugin secured? Thinking about both authentication and "commands" it receives/sends.
Security?
-
Originally posted by ZoRaC: When using Ethernet mode, how is the communication between the Arduinos and the plugin secured? Thinking about both authentication and "commands" it receives/sends.
Pete
HS 2.2.0.11
-
Originally posted by petez69: There is no security. If there is a concern, put the HS box and Arduinos on a private VLAN... You can run Wireshark and watch the commands from any PC that is connected to a port that can mirror to the HS switch port. The handshaking is straightforward when you watch it; equally, you can look at the INO source code before compiling and see how it interacts with HS.
Pete
Thanks! That probably made the decision for me, to not buy the plugin.
If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to HomeSeer as if it was the Arduino, then that just isn't good enough for me...
-
Originally posted by ZoRaC: Thanks! That probably made the decision for me, to not buy the plugin.
If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to HomeSeer as if it was the Arduino, then that just isn't good enough for me...
To be quite honest, I can't see someone with nefarious intent a) having access to my LAN or b) understanding the actual pin layout and functions of my Arduinos to the extent needed to do any harm.
Are you sharing your local network with other people?
HS4 Pro, 4.2.19.16 Windows 10 Pro, Supermicro LP Xeon
-
Originally posted by ZoRaC: Thanks! That probably made the decision for me, to not buy the plugin.
If any device that is on the same network as the Arduino can send commands to the Arduino or send false statuses to HomeSeer as if it was the Arduino, then that just isn't good enough for me...
Again, if you are so concerned with packets being intercepted, lock the MAC address down on the switch port and put your automation onto a separate VLAN. The best security is an air gap; mixing devices on a network will never be secure. This beats any crypto if the network can't be gotten to.
If you are truly concerned about security then you know your way around Wireshark and would be sniffing the packets to assess the security.
HS 2.2.0.11
-
Originally posted by rprade: This would also be true for a Z-Net, Raspberry Pi, Ethernet to USB, Ethernet to serial, OWServer, GCIR, etc. I don't know of a single Ethernet-connected device used with home automation that employs secure communications.
Originally posted by rprade: I suppose the communications could be encrypted, but that might be a lot of overhead for an Arduino.
Originally posted by rprade: I'm quite comfortable with my home network's isolation from the WAN with a separate firewall appliance. There are so many devices connected to my LAN, not just HomeSeer related, that can only rely on that isolation for security.
Originally posted by rprade: To be quite honest, I can't see someone with nefarious intent a) having access to my LAN or b) understanding the actual pin layout and functions of my Arduinos to the extent needed to do any harm.
Originally posted by rprade: Are you sharing your local network with other people?
-
Originally posted by petez69: If you need security then you should select a product that uses secure authentication, i.e. PGP and encrypted packets. The Arduino doesn't really have the power to do this on the fly. Buy a dedicated solution like the ELK M1G; it uses a proprietary RS485 bus and that has crypto.
Originally posted by petez69: Again, if you are so concerned with packets being intercepted, lock the MAC address down on the switch port and put your automation onto a separate VLAN. The best security is an air gap; mixing devices on a network will never be secure. This beats any crypto if the network can't be gotten to.
Originally posted by petez69: If you are truly concerned about security then you know your way around Wireshark and would be sniffing the packets to assess the security.
-
Originally posted by ZoRaC: Ended up using TLS and authentication.
I'm using Wi-Fi. All IoT is in a separate VLAN already.
Yeah, but that doesn't reveal how the plugin handles "invalid" data. Could I just pass along any command I want and the plugin will process it? Etc. And asking is a lot easier than sniffing and analyzing.
Sent from my SM-N910G using Tapatalk
HS 2.2.0.11
-
Originally posted by logbuilder: ZoRaC does have a valid concern and I share that concern. I'd love to work on bringing some sort of secured sockets to the plugin. I'm no guru on SSL, but it seems to me that you can't do SSL on UDP ports, only TCP. Is that right? If so, that creates a real challenge.
I do echo the sentiments of others here that security needs to be top of mind in automation and IoT. Ignoring it because "who would want to control my xxxxx" or "it's on a LAN" is a flawed way of thinking. We've all heard stories of how companies and governments have been compromised by unsecured printers and thermostats. There are stories of DVRs being used as slaves in botnets. Security must be built into products and devices and should never be an afterthought or something for paranoid folks only. It's actually the people who don't know much about security who need it most!
HS Pro 3.0 | Linux Ubuntu 16.04 x64 virtualized under Proxmox (KVM)
Hardware: Z-NET - W800 Serial - Digi PortServer TS/8 and TS/16 serial to Ethernet - Insteon PLM - RFXCOM - X10 Wireless
Plugins: HSTouch iOS and Android, RFXCOM, BlueIris, BLLock, BLDSC, BLRF, Insteon PLM (MNSandler), Device History, Ecobee, BLRing, Kodi, UltraWeatherWU3
Second home: Zee S2 with Z-Wave, CT101 Z-Wave Thermostat, Aeotec Z-Wave microswitches, HSM200 occupancy sensor, Ecolink Z-Wave door sensors, STI Driveway Monitor interfaced to Zee S2 GPIO pins.
-
Is there a good reason why the plugin could not use TCP ports only? If we were talking hundreds of devices, I see the benefit of UDP. However, listening on ports unique to each device is not that much overhead given the number of devices that are normally supported by the PI.
If everything was TCP, we could work towards some sort of encrypted messaging. Maybe not certificate based but otherwise adequate.
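The thread raises two separate problems: any host on the LAN can spoof commands or statuses (no authentication), and it is unclear whether the plugin rejects malformed or unexpected commands (no input validation). Neither needs TLS, and neither needs TCP: TLS does have a UDP variant (DTLS), but on an 8-bit Arduino the cheaper route is a pre-shared key with a keyed MAC, which fits comfortably next to a JSON payload. The Python below is an added reference example written for this page; it is not the plugin's code, the INO sketch's code, or anything the plugin author has published. Everything in it is an assumption for the demo: the 32-byte pre-shared key, the 6-byte header (device id plus monotonic counter), the JSON command format, the truncated HMAC-SHA256 tag, and the command whitelist with pin ranges. It shows the receiver-side order of checks a practitioner would want: verify the tag before parsing anything, reject replays, then reject commands that are not on the whitelist or whose arguments are out of range.

```python
"""Authenticated, replay-protected command datagrams for a low-power device.

Added reference example, not the plugin's or the Arduino sketch's own code.
All formats and values here are constructed for the demo:
  - a 32-byte pre-shared key provisioned on both the HomeSeer side and the device
  - a 6-byte header: device id (uint16) + monotonic counter (uint32), big-endian
  - a JSON payload naming a command and its arguments
  - a 16-byte tag = HMAC-SHA256 over header||payload, truncated to 128 bits
"""
import hashlib
import hmac
import json
import struct

# Constructed demo key; a real deployment generates one per device and keeps it secret.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
HEADER = struct.Struct("!HI")   # device_id, counter
TAG_LEN = 16


# Whitelist of commands the receiver will act on, each with an argument validator.
# Anything else is dropped even when the tag verifies (hypothetical command set).
def _valid_set_pin(args):
    return (isinstance(args, dict)
            and type(args.get("pin")) is int and 0 <= args["pin"] <= 53
            and type(args.get("value")) is int and args["value"] in (0, 1))


def _valid_get_status(args):
    return args == {}


ALLOWED_COMMANDS = {"set_pin": _valid_set_pin, "get_status": _valid_get_status}


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def build_message(key, device_id, counter, command, args):
    """Sender side: header || payload || tag."""
    payload = json.dumps({"cmd": command, "args": args}, separators=(",", ":")).encode()
    header = HEADER.pack(device_id, counter)
    return header + payload + _tag(key, header + payload)


class Receiver:
    """Checks datagrams in the order: length, tag, counter, schema.

    The tag is verified before the payload is parsed, so unauthenticated bytes
    never reach the JSON parser or the command dispatcher.
    """

    def __init__(self, key):
        self.key = key
        self.last_counter = {}   # device_id -> highest counter accepted so far

    def accept(self, datagram):
        if len(datagram) < HEADER.size + TAG_LEN:
            return False, "too short"
        header = datagram[:HEADER.size]
        payload = datagram[HEADER.size:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        # Constant-time comparison so the tag check leaks no timing information.
        if not hmac.compare_digest(tag, _tag(self.key, header + payload)):
            return False, "bad tag"
        device_id, counter = HEADER.unpack(header)
        if counter <= self.last_counter.get(device_id, -1):
            return False, "replay"
        try:
            msg = json.loads(payload)
        except ValueError:
            return False, "malformed payload"
        validator = ALLOWED_COMMANDS.get(msg.get("cmd")) if isinstance(msg, dict) else None
        if validator is None:
            return False, "unknown command"
        if not validator(msg.get("args")):
            return False, "bad arguments"
        self.last_counter[device_id] = counter   # advance only on full acceptance
        return True, msg


def demo():
    """Run the cases the thread worries about; returns each verdict by name."""
    rx = Receiver(DEMO_KEY)
    results = {}
    genuine = build_message(DEMO_KEY, 1, 1, "set_pin", {"pin": 13, "value": 1})
    results["genuine"] = rx.accept(genuine)[0]
    results["replayed"] = rx.accept(genuine)[1]            # same datagram again
    forged = build_message(b"\x00" * 32, 1, 2, "set_pin", {"pin": 13, "value": 1})
    results["forged_key"] = rx.accept(forged)[1]           # right format, wrong key
    tampered = bytearray(genuine)
    tampered[HEADER.size + 1] ^= 0x01                      # flip one bit in the payload
    results["tampered"] = rx.accept(bytes(tampered))[1]
    results["unknown_cmd"] = rx.accept(build_message(DEMO_KEY, 1, 2, "reboot", {}))[1]
    results["bad_args"] = rx.accept(build_message(DEMO_KEY, 1, 2, "set_pin", {"pin": 99, "value": 1}))[1]
    results["next_valid"] = rx.accept(build_message(DEMO_KEY, 1, 2, "get_status", {}))[0]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```

Two design notes. The counter gives replay protection without any clock, which matters on a board with no RTC, but it lives in the device's RAM: a sender that reboots and restarts at zero would be rejected until the two sides resync, so a real deployment needs a resync step (for example, the receiver advertising its last accepted counter on request, authenticated the same way). And the whitelist plus per-command validator is what answers the "could I just pass along any command I want" question: an authenticated but unexpected command is dropped, and, because the counter only advances on full acceptance, a rejected message cannot be used to burn counter values either.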