I noticed this too. But I do have a little request for the next release to prevent Google indexing. Robots.txt in the webroot that prevents it from being indexed by search engines. Because now you can even find the hubs open to the internet by just asking Google for them.
Yeah this is just plain scary. I wouldn’t suggest port forwarding to begin with, even with authentication enabled. Especially since Hubitat also knows your hub’s/home’s location. In some cases, y’all have garage doors, door locks, alarm systems, all hooked into Hubitat. It’s just not worth the risk imho.
I’m personally not even comfortable with having my hub accessible from the Hubitat cloud, but I need the cloud features unfortunately.
All hubs I come across I add a device with the name: YOUR HUB IS EXPOSED TO THE INTERNET!
Then I turn on all lights and shut down the hub. People are going to disagree with my tactics. But this is a way to make people look at why the hub did this and maybe they solve it. It also prevents (until they boot the hub back on) others from doing any real harm.
Yes... Yes, I do disagree with that tactic. That is illegal in many countries, too... Is it ever enforced for something like that? No, of course not. And you are in the EU, so are covered anyway. But still - not good advice for all without understanding the laws of the country they are in.
I can understand that. I don't disagree with you. It's like somebody left their door open (every day) of their home. I would go in and write a note and close the door after leaving the house. I don't believe it's illegal in The Netherlands. And since I'm not aware of the location of the hub it's not that I can take notice of any local law.
Except that has never been a valid defense in any cyber security case ever. Ignorance of the law (even due to geographical differences) is still ignorance of the law and wouldn't stand up in court. Granted, it may never get that far (extradition and all that), but it's still just the wrong thing to do.
Notify the ISP or notify Hubitat support and let them handle it. It keeps your hands clean AND allows them to notify the owner.
Unfortunately, yes. Sometimes, one just has to stand by and let people figure out things for themselves. The reason being that if you go into their hub, your IP address is logged via their ISP. The person that you are "saving" could easily turn around and claim that you hacked them and exposed their hub to the internet, even though you were trying to be nice and save them from their own stupidity. Believe me, I've seen enough of these situations over the years that I stay far away from "helping" anyone in this situation. There's just too much risk of retaliation.
I would also agree with the prevailing sentiment of "not modifying anyone else's Hubitat".
Certainly, just notifying them is enough to wake most people up.
Especially notifying them in all CAPS is about as far as I would go.
Ok, then you (almost) all stay and look the other way. No problem, I'll take the risk to help others. Maybe I'm naïve and think I can still make the world a better place by just warning people, be it by walking into their fully open front door.
North Carolina as well. I was going to say something along the same lines, but I don't want to seem like I don't appreciate @frits's intent. That's not the sentiment I mean to express, but textual conversation and all that crap.
@frits: It's not that we DON'T want to help others. It's that the risk (especially for those of us in the US) outweighs the benefits. That's why I suggested going through either the user's ISP or Hubitat support as they are technically authorized to contact the user directly about it without the user being able to turn it around and claim that they broke into his/her hub and network. For instance, if I were to go onto someone's network unauthorized (regardless of if they left every port on their router open or not), I can face jail time and fines (that's enforced here in the US) no matter what my intent was in doing so. That's the world we live in today and it sucks.