Be aware of port forwarding

Just a reminder that we do not recommend port forwarding to enable remote access of your Hubitat Elevation hub. Especially without password protection, virtually anyone can control your hub.

During an internal security audit, we identified several hubs that were exposed and users have been promptly notified to take corrective measures to secure their hubs.

13 Likes

I noticed this too. But I do have a little request for the next release to prevent Google indexing: a robots.txt in the webroot that prevents it from being indexed by search engines. Because right now you can even find the hubs open to the internet by just asking Google for them.

4 Likes

robots.txt is not going to stop www.shodan.io from reporting it

I just found a hub on a Rogers (CA) IP exposed.

3 Likes

I know, but most people don't know Shodan... but Google, on the other hand.

1 Like

No reason NOT to add the robots.txt...

But make no mistake, while "most people" don't know Shodan, anyone that would actually want to try to get in or play around with an exposed hub does know.

So it not popping up on google doesn't do much to help.

2 Likes

Yeah this is just plain scary. I wouldn’t suggest port forwarding to begin with, even with authentication enabled. Especially since Hubitat also knows your hub’s/home’s location. In some cases, y’all have garage doors, door locks, alarm systems, all hooked into Hubitat. It’s just not worth the risk imho.

I’m personally not even comfortable with having my hub accessible from the Hubitat cloud, but I need the cloud features unfortunately.

4 Likes

All hubs I come across I add a device with the name: YOUR HUB IS EXPOSED TO THE INTERNET!

then I turn on all lights and shut down the hub. People are going to disagree with my tactics. But this is a way to make people look at why the hub did this, and maybe they solve it. It also prevents others (until they boot the hub back up) from doing any real harm.

2 Likes

Yes... Yes, I do disagree with that tactic. That is illegal in many countries, too... Is it ever enforced for something like that? No, of course not. And you are in the EU, so are covered anyway. But still - not good advice for all without understanding the laws of the country they are in.

1 Like

How else would you contact the owner to warn him/her?

You wouldn't, or you alert their ISP.

1 Like

So you just let it be until somebody else runs into their hub and unlocks the doors?

Yes, or I contact their ISP.

Again, in many countries it is illegal to do what you described.

You do what you want - I'm not telling anyone what to do. But 'white hat' modifications and unauthorized access to others' systems is not something I will endorse.

3 Likes

I can understand that. I don't disagree with you. It's like somebody left their door open (every day) of their home. I would go in and write a note and close the door after leaving the house. I don't believe it's illegal in The Netherlands. And since I'm not aware of the location of the hub it's not that I can take notice of any local law.

Except that has never been a valid defense in any cyber security case ever. Ignorance of the law (even due to geographical differences) is still ignorance of the law and wouldn't stand up in court. Granted, it may never get that far (extradition and all that), but it's still just the wrong thing to do.

Notify the ISP or notify Hubitat support and let them handle it. It keeps your hands clean AND allows them to notify the owner.

4 Likes

You are asking to be arrested doing this even if you think it's white hat hacking.

Unfortunately, yes. Sometimes, one just has to stand by and let people figure out things for themselves. The reason being that if you go into their hub, your IP address is logged via their ISP. The person that you are "saving" could easily turn around and claim that you hacked them and exposed their hub to the internet, even though you were trying to be nice and save them from their own stupidity. Believe me, I've seen enough of these situations over the years that I stay far away from "helping" anyone in this situation. There's just too much risk of retaliation.

2 Likes

I would also agree with the prevailing sentiment of "not modifying anyone else's Hubitat".
Certainly, just notifying them, is enough to wake most people up.
Especially notifying them in all CAPS, is about as far as I would go.

Ok, then you (almost) all stay and look the other way. No problem, I'll take the risk to help others. Maybe I'm naive and think I can still make the world a better place by just warning people, be it by walking into their fully open front door.

3 Likes

It's clear you're not from the US. Walking into someone's front door uninvited gets you shot in Texas. lol

All kidding aside, I applaud your intent and sentiment even if I wouldn't do it the same way.

8 Likes

North Carolina as well. I was going to say something along the same lines, but I don't want to seem like I don't appreciate @frits's intent. That's not the sentiment I mean to express, but textual conversation and all that crap.

@frits: It's not that we DON'T want to help others. It's that the risk (especially for those of us in the US) outweighs the benefits. That's why I suggested going through either the user's ISP or Hubitat support, as they are technically authorized to contact the user directly about it without the user being able to turn it around and claim that they broke into his/her hub and network. For instance, if I were to go onto someone's network unauthorized (regardless of whether they left every port on their router open or not), I can face jail time and fines (that's enforced here in the US) no matter what my intent was in doing so. That's the world we live in today and it sucks.

1 Like