IOT WiFi security


    HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
    2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit

    #2
    I for one should think you should not log into them remotely but control them locally using the mqtt plugins for HomeSeer ===> Simple===> create events to trigger them using those plugins locally!


    Check this guy out : https://www.youtube.com/watch?v=vL54JfldB4Y

    Eman.
    TinkerLand : Life's Choices,"No One Size Fits All"



      #3
      Originally posted by Eman
      I for one should think you should not log into them remotely but control them locally using the mqtt plugins for HomeSeer ===> Simple===> create events to trigger them using those plugins locally!

      Eman.
      Thanks, I am pursuing using MQTT for local control. But this requires the sonoff devices to be reprogrammed with Tasmota software, which is freeware. They are still communicating via WiFi. Furthermore, it is my understanding that they can be reprogrammed OTA.

      How do we lock down our networks to prevent hacking? I’m ok with WiFi because my WiFi does not reach outside my house. But these devices, once connected to my LAN, could conceivably send info out to the web. Am I being paranoid?

      Steve Q



        #4
        Originally posted by Steve Q
        Thanks, I am pursuing using MQTT for local control. But this requires the sonoff devices to be reprogrammed with Tasmota software, which is freeware. They are still communicating via WiFi. Furthermore, it is my understanding that they can be reprogrammed OTA.

        How do we lock down our networks to prevent hacking? I’m ok with WiFi because my WiFi does not reach outside my house. But these devices, once connected to my LAN, could conceivably send info out to the web. Am I being paranoid?

        Steve Q

        Simple!
        Some routers like the new ASUS routers can block out connections using mac addresses or even use the more advanced routers like the MikroTik which can block out regions!

        No you are not paranoid but if you get to the nitty gritty of networking you segment your network even using Segmentation
        ===> VLANS====Big topic


        Another way of thinking about the local connection is example : Tasker Plugin or the PHLocation Plugin, both can use MyHomeSeer to communicate to your server thus bypassing the direct connection.



        Edit : More on that =====> https://www.youtube.com/watch?v=E03gh1huvW4

        Eman.
        Last edited by Eman; March 14, 2018, 06:33 PM.



          #5
          Originally posted by Eman
          Simple!
          Some routers like the new ASUS routers can block out connections using mac addresses or even use the more advanced routers like the MikroTik which can block out regions!

          No you are not paranoid but if you get to the nitty gritty of networking you segment your network even using Segmentation
          ===> VLANS====Big topic


          Another way of thinking about the local connection is example : Tasker Plugin or the PHLocation Plugin, both can use MYHomeSeer to communicate to your server thus bypassing the direct connection.

          Eman.
          Thanks, what about using a dedicated wireless router for IOT devices? I have several old Linksys routers. I also have a guest network on my primary Apple AirPort Extreme. I believe the guest network blocks access to your LAN. Buying a new router is not an option for me.

          Steve

          I did not see that you attached a video. I will watch it.



            #6
            Originally posted by Steve Q
            Thanks, what about using a dedicated wireless router for IOT devices? I have several old Linksys routers. I also have a guest network on my primary Apple AirPort Extreme. I believe the guest network blocks access to your LAN. Buying a new router is not an option for me.

            Steve

            I did not see that you attached a video. I will watch it.


            Exactly,

            That's what I meant when you use MQTT the devices can communicate locally without going on the internet! ====> Topics are published and Subscribed to locally. ===> Example, this plugin : http://dzjee.xs4all.nl/hs3/mqtt/mqtt.html You can publish a custom topic of your liking and have all types of actions you like in HomeSeer. Say if you had a button to trigger the action from HSTouch ====> You create an event ===> MQTT : Publish custom topic ====> Anything =====>
            Then you would have all devices triggered locally!

            So to round it up: if one was particularly interested in your home network they would have to be close to your house in order to hack your devices, but I can't say the same for the Amazon Echo! Or if your HomeSeer server was completely hacked!

            EDIT: But if you must insist here is a good topic about that : https://github.com/arendst/Sonoff-Ta...T-from-hacking
            Eman.
            Last edited by Eman; March 14, 2018, 07:49 PM.



              #7
              Last edited by Kerat; March 16, 2018, 12:25 AM.



                #8
                Wow! You have done a lot of work to keep the hackers out. What you have done is way beyond my meager network knowledge. It’s way over my head! I’ve got a lot of learning to do!

                Thanks for the detailed description of your network.

                Steve Q



                  #9
                  Actually the major vendor Tuya is Chinese based but their network is hosted on AWS in various regions (Oregon for the US). You do need the devices to have cloud access to register them (which gives you the secret key needed to control them), but once you have that you can 100% control them on the local LAN via TCP OR control them via MQTT. MQTT is great if the device is not on the local network (say an outbuilding) but for those you can reach via TCP there is no reason you can't block network access for those devices (WAN access) and just control them locally.

                  FYI I'm writing a plugin for these devices, I have all the device control done, just working now on merging it into HS proper.



                    #10



                      #11
                      Originally posted by Steve Q
                      Actually, I’m now into MQTT in a big way. I’m using the mcsMQTT plugin for HS3. It works very well and I can control all my Sonoff devices.
                      What products are manufactured by Tuya and how does this secret code work? I’ve not seen anything about this?
                      Steve Q
                      Hi Steve,

                      If you search Amazon for SmartLife wifi or Annhome wifi (there are quite a few different manufacturers all using the Tuya services). Tuya is behind 'Smartlife' as their generic brand. Annhome is just rebranded (there are a bunch of rebranded ones)

                      But all the devices are generic in that they connect to the Tuya backend based on a registration which binds you into a silo of devices based on the application's registration keys. So registering a device with the Smartlife app under user@email.com may be completely independent from registering a device on the Annhome app under the same user@email.com (even though they share the backend)

                      Devices come with a local default key to communicate with, but once they get wifi information and connect to the network they register themselves on the backend and are provisioned with a security key used to encrypt/decrypt commands to them (this key changes on each registration, but the deviceID does not, so it's easy to pick up re-registered devices).

                      The devices support MQTT and local TCP. Right now I fully support both, opting to use local TCP when the device is reachable via TCP and fallback to MQTT automatically when it is not.

                      I've been actually pleasantly surprised with the quality of the backend and the devices given their price points.

                      The biggest issue is being clear on device capabilities. For example these plugs:
                      https://www.amazon.com/Compatible-Re...ife+wifi&psc=1
                      offer simply on/off and a timer support while these:
                      https://www.amazon.com/gp/product/B0...?ie=UTF8&psc=1
                      support independent relays and power line (volt, amp, watts) reporting.

                      Sometimes it's hard to tease out the capabilities without trying one, so I'm starting to document the ones I've gotten (those little dual relay devices above are actually cool and I plan to feed their stat information into the HS power usage API so power tracking is automatic).

                      Here is an example of a LED bulb https://www.amazon.com/Compatible-Br...words=tuya+led Their physical quality is very similar to the Hue line, but at $16 I can buy 2-4 for what a Hue costs me!



                        #12
                        Hi, bsobel

                        Originally posted by bsobel

                        Actually the major vendor Tuya is Chinese based but their network is hosted on AWS in various regions (Oregon for the US). You do need the devices to have cloud access to register them (which gives you the secret key needed to control them), but once you have that you can 100% control them on the local LAN via TCP OR control them via MQTT. MQTT is great if the device is not on the local network (say an outbuilding) but for those you can reach via TCP there is no reason you can't block network access for those devices (WAN access) and just control them locally.

                        FYI I'm writing a plugin for these devices, I have all the device control done, just working now on merging it into HS proper.

                        I just bought two switches for my shutter, made by Tuya, to replace the X10 switch SW10

                        https://global.tuya.com/product/spd3bde0cf8450013.html

                        Can you tell me where you are with your plugin?

                        Is it possible to drive them directly via MQTT (mcsMQTT)?

                        Thank you for your reply.

                        Jean-Francois.



                          #13
                          Originally posted by jfla
                          Hi, bsobel
                          is it possible to drive them directly by MQTT (mcsMQTT)
                          Jean-Francois.
                          I have a beta available of the Tuya plugin. It is not possible today to drive them with MQTT; you would need to disassemble and flash them with custom firmware. Copied below is a note I sent, when the beta started, to some other users who are also testing:

                          Hi. I now have account creation and deletion done, so it's ready for testing. Now the usual disclaimers: this is a beta version, there are very likely to be problems. I am, however, running it full time on my system as well.

                          http://download.casapiedrasoftware.i...r_override.txt

                          Put that file into your HS directory then the updater should pick it up and let you install from there. Go into the configuration page, add an account and validate it (after you enter your email/password Tuya will email you a confirmation code). Post that you can begin linking devices to the account. Remember that due to how Tuya does their backend, devices you add to this account will be 'different' than devices in the SmartLife app (even if you use the same email address). So you will not be able to use the SmartLife app to control any devices added here, but you could then use HSMobile, ImperiHome, etc to control all of your devices (Tuya and others) in the same place.

                          Please please send me any feedback, issues, concerns, suggestions, etc

                          Best
                          Bill



                            #14
                            Here utilizing a Micro Travel router which runs a Mosquitto broker, tiny antennas, OpenWRT. Tinkering with hardware GPIO ports, bit banging for an RTC clock, et al. Some folks even have Node-RED running on the OpenWRT OS.

                            As mentioned above now you only need to JTAG once then you can utilize OTA afterwards.

                            Only have 4 Wifi modded firmware devices up at this time. The SonOff / other Wifi devices all appear to have a common and programmable ESP chip. It is easier and more cost effective to modify an existing wifi board than to bread board an a la carte device for me.

                            Checking timing to my analog wired alarm panel garage stuff and it is fast or faster response times.
                            - Pete

                            Auto mator
                            Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
                            Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
                            HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

                            HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
                            HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

                            X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



                              #15
                              Originally posted by Kerat
                              IOT WiFi security

                              So, IOT has multiple vectors of attack. I would say least of which is poor security built into the device itself. An example of this is the cheap gray market IP cameras that are sold. Often they have very lax security built into their underlying operating systems that allow access to root level command and control and remote code execution. This can be done from continents away. That combined with the fact that many of them phone home using a tunneling configuration that often crosses over your home router's firewall makes them difficult to mitigate once they are on your network.

                              Then there is the fact that these IOT devices then also have your WiFi network's passphrase.

                              I divide IOT devices into three categories:
                              1. Devices that need access to the Internet (but don't need access to your internal network).
                              2. Devices that need access to your internal network but don't need access to the Internet.
                              3. Devices that need access to the Internet and your internal network. Type three devices actually pose the greatest risk to your network. Be very careful allowing these on your internal LAN.

                              An amazon dot is a great example of a type 1 IOT device.

                              An IP camera that is connected to a NVR in your home is a great example of a type 2 IOT device.

                              I run HS3 and use BLLAN to monitor and automatically shutdown, power on LAN, and reboot my network and server equipment. I also need HS3 to access the myhs in order for my dot to control my home Zwave network. In this case HS3 is an example of a type 3 IOT device.

                              At home I have a:
                              1. A 2 port mini PC running PFsense as my firewall.
                              2. A managed Ubiquiti 24 port POE switch.
                              3. A Ubiquiti wireless AP for my home network.

                              A Vlan is simply a virtual LAN (Local Area Network). Think of your home router as hosting a single LAN. Well a Vlan is a method of using a single group of network devices to host multiple VLANS. Originally this was done in order to allow more than 1024 ethernet nodes in a single business environment without forcing an organization to purchase incrementally more network equipment. Within a home network VLANS can be put to different use.

                              For example, on my network I host 4 VLANS:
                              1. A Vlan for my network equipment that limits TCP/UDP port access from the rest of my VLANS. This protects my network equipment from a potential internal attack.
                              2. A Vlan for my internal computers. This vlan has access to the rest of the internal network and the Internet.
                              3. A guest network Vlan. This network only has access to the Internet. I also isolate each device on this network from each other.
                              4. A local only IOT network. No access to the Internet. Only access to the NVR on the specific TCP/UDP port required. I also isolate each device on this network from each other.

                              In this case I am using VLANS to allow me to identify types of equipment and traffic. I then create firewall rules that allow or deny traffic from one Vlan to another, or from one vlan to the public Internet.

                              The Ubiquiti wireless AP I have can support up to four separate SSIDs. So, I have an internal WiFi network, a guest WiFi network, and if I ever need it a separate local only IOT WiFi network.

                              I force Type 1 IOT devices to my guest network. I force type 2 IOT devices onto my local only IOT network. I allow type three IOT devices on my internal VLAN.

                              Doing some of what I have done above would provide you with a relatively high level of segregation between untrusted and trusted systems. The only other thing I would advise is beefing up your DNS query security, and automatically block communication with known malicious IP sources.

                              Here, I went a step further. I have extra layers of security in my network. I run
                              1. IDS on all traffic that travels between the VLANs or the public Internet and my VLANS. Any out of normal traffic is banned.
                              2. I then use public DNS block lists to deny dns requests for known malicious, ad based, or illicit content.
                              3. I then use public IP block lists for known malicious, ad based, or illicit content.
                              4. I then have a web proxy with network level A/V scanning enforced on my internal network running on my home firewall.
                              5. Lastly, I run a separate anti-malware client on my computer systems on my internal network.
                              6. I even do tricky stuff with my publicly accessible services to potential attackers.

                              If they get through my defenses they are really good.


                              Sent from my iPhone using Tapatalk
                              I'm really impressed with your network security and configuration setup.

                              How did you learn all that, and how could someone else do the same?

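The segmentation scheme quoted in the post above (three device types, four VLANs, default-deny rules between them) written out as a small policy model, so the placement and firewall rules can be checked against sample traffic before they are typed into a firewall. This is an added example, not Kerat's actual pfSense configuration. The VLAN names, the NVR address and port (RTSP/554), and the admin ports allowed from the internal VLAN into the network-equipment VLAN are assumptions; the sample flows are constructed.

```python
"""Model of a four-VLAN home firewall policy for IoT devices (added example, not
the poster's configuration). Hosts, addresses and ports are constructed samples."""
from dataclasses import dataclass
from enum import Enum


class DeviceType(Enum):
    """The three IoT categories from the post."""
    INTERNET_ONLY = 1   # needs the Internet, not the LAN (e.g. an Echo Dot)
    LAN_ONLY = 2        # needs the LAN, not the Internet (e.g. IP camera feeding an NVR)
    BOTH = 3            # needs both (e.g. the HS3 server reaching myHS)


# VLAN labels (constructed names for the four VLANs in the post) plus the Internet zone
MGMT, INTERNAL, GUEST, IOT, INTERNET = "mgmt", "internal", "guest", "iot", "internet"

# Assumptions not stated in the post: the NVR lives on the internal VLAN, cameras
# reach it on RTSP/554, and internal machines may manage switches/APs on SSH and HTTPS.
NVR_HOST, NVR_VLAN, NVR_PORT = "10.0.20.5", INTERNAL, 554
MGMT_ADMIN_PORTS = {22, 443}


def vlan_for(device_type: DeviceType) -> str:
    """Placement rule from the post: type 1 -> guest, type 2 -> IoT, type 3 -> internal."""
    return {
        DeviceType.INTERNET_ONLY: GUEST,
        DeviceType.LAN_ONLY: IOT,
        DeviceType.BOTH: INTERNAL,
    }[device_type]


@dataclass(frozen=True)
class Flow:
    """One connection attempt, as a stateful firewall sees it (initiating side first)."""
    src_vlan: str
    src_host: str
    dst_vlan: str      # a VLAN label or INTERNET
    dst_host: str
    dst_port: int


def is_allowed(flow: Flow) -> bool:
    """Evaluate a flow against the inter-VLAN rules; anything unmatched is denied."""
    # Guest and IoT VLANs isolate clients from each other, so same-VLAN traffic is dropped.
    if flow.src_vlan in (GUEST, IOT) and flow.dst_vlan == flow.src_vlan:
        return False
    if flow.src_vlan == INTERNAL:
        # Internal computers reach the whole LAN and the Internet, but only
        # admin ports on the network-equipment VLAN.
        if flow.dst_vlan == MGMT:
            return flow.dst_port in MGMT_ADMIN_PORTS
        return True
    if flow.src_vlan == GUEST:
        # Guest VLAN: Internet only.
        return flow.dst_vlan == INTERNET
    if flow.src_vlan == IOT:
        # Local-only IoT VLAN: no Internet, only the NVR on its one port.
        return (flow.dst_vlan, flow.dst_host, flow.dst_port) == (NVR_VLAN, NVR_HOST, NVR_PORT)
    # Network equipment initiates nothing; default deny.
    return False


def audit(flows):
    """Return the flows the policy denies, for review before a ruleset goes live."""
    return [f for f in flows if not is_allowed(f)]


# Constructed sample traffic across the four VLANs.
SAMPLE_FLOWS = [
    Flow(GUEST, "echo-dot", INTERNET, "52.0.0.1", 443),           # type 1 device doing its job
    Flow(GUEST, "echo-dot", INTERNAL, "10.0.20.9", 445),          # guest poking at a file share
    Flow(IOT, "cam-1", NVR_VLAN, NVR_HOST, NVR_PORT),              # camera streaming to the NVR
    Flow(IOT, "cam-1", INTERNET, "203.0.113.7", 443),             # camera trying to phone home
    Flow(IOT, "cam-1", IOT, "cam-2", 80),                         # camera reaching another camera
    Flow(INTERNAL, "hs3-server", INTERNET, "myhs-placeholder", 443),  # type 3 device reaching its cloud
    Flow(INTERNAL, "laptop", MGMT, "switch", 22),                 # admin SSH to the switch
    Flow(INTERNAL, "laptop", MGMT, "switch", 23),                 # telnet to the switch, not allowed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print("ALLOW" if is_allowed(f) else "DENY ", f)
```

Running the block prints one ALLOW/DENY line per sample flow; the camera's attempts to reach the Internet and the other camera, the guest device's attempt at an internal share, and telnet into the switch VLAN are the four denials. The point of modelling it this way is that every rule is a positive allow and everything else falls through to the final deny, which is the shape the post's description implies.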
