Add option to change login for reset process

Is there an option to change this? You can get this with an arp command.

No way to change it that I know of. I would argue if you have people on your home network sniffing ARP responses, you're screwed anyway.

But it wouldn't hurt to submit a feature request to support asking them to change it, though. Might carry more weight than a forum post.

I get that but it seems silly and pointless. I guess if you really care you better put your home automation on its own subnet and wall it off.

The point is that no one really knows what it is, not that you can find the MAC with arp. Who's gonna be arping on your LAN? Besides, the MAC address is in plain sight on the hub itself.

Show me a teenager that can figure out what the login is, and I'll show you one smart enough to read these forums.

I'm not really sure what you are saying.

That isn't the problem. The problem is the current method allows for something automated that anyone can run or malware can run.

I can peel the sticker or lock the box away. Besides, the point is already that it's very easy to get.

They don't need to know anything beyond pushing a button if someone makes the tool and publishes it. My fear is how easily this could be automated.

If your LAN is that insecure, this is the least of your problems.


Seems you have no clue how to secure your own LAN. And if you have kids at home and they have access to the HE hub then again you have no clue about security. Parental guidance is highly suggested.

Well, I wouldn't go that far. I'm not sure getting personal about it is constructive, either.

Certainly if someone wanted to make a Hubitat targeted malware it would be VERY easy since the login format is known and the password queryable without admin credentials.

It is true that it would be more secure to have the password something that is only physically on the device, and not queryable over the network.

Thus my suggestion that he submit a formal enhancement request.


I wasn't attempting to make it personal. All I'm getting at is your LAN is as secure as you make it.

Anything is hackable, and that is what you MUST keep in mind, whether it's LAN or WAN.

No argument there. But just because that is true doesn't mean that basic security measures shouldn't be taken. Someone can always break a window and get in my house, but it doesn't mean I still don't lock my doors...

I completely agree with @rich that using N characters [moderated post] of the MAC is a bad security practice in general.

Now, how big of a deal that is will vary from person to person. It's not a big deal to me personally, but philosophically I do agree with him that using a clear text queryable password format wasn't the best answer from a security design standpoint.

Is it 'good enough' though? Well, that's subjective, and I'm not getting into subjective arguments on forums today. :smile:


Absolutely!! I don't let just anyone on my LAN WiFi for exactly that reason.

Forgot to add that when I do allow friends on my network, I have my WiFi settings set so they can't see other devices or even contact them. Essentially a private WiFi connection.


That's a pretty rude response. I love what Hubitat is doing but just throwing a security concern to the wind isn't giving me warm fuzzy feelings.

We shouldn't make it so easy. At least raise it to the whole MAC address so there are a trillion-plus possibilities.

I don't fully know how bad this is yet, but we have some ideas on how to exploit this remotely. I for sure can make a tool that anyone can run locally to nuke a Hubitat.

We are just going to look into exploiting this remotely (we have some ideas, but we don't know enough about the page yet to be sure; we think we could make a nuke page) and for sure submit a private security bug report with proofs of concept, at the very least for local attacks. It's pretty clear the Hubitat team needs examples of why this is a bad idea that should be corrected in a future hardware release. It's also just not realistic to expect the average home network to be well designed.

There is nothing rude about my comments. You only want to see it as rude to satisfy your claim.