Can I pair my August Pro lock to my Hubitat C7 without letting the C7 control the lock?

Just to put it into perspective, the FBI data shows that "Hacking/Computer Invasion" happened in only... 26 cases out of 583,178 burglaries reported in 2021, whereas unlawful entries (when the door was unlocked or a window was left open) account on average for nearly 40% of all burglaries. So, using Hubitat Elevation to lock your doors and notify you when you left a window open is one of the most inexpensive ways to protect your property from a burglar.

4 Likes

I already have a smart lock, and get all the security benefits of it, so connecting my smart lock to other services and expanding its attack area merely makes security much worse, not better.

Again, if someone really wants in, a brick or prybar is more expedient than trying to hack the lock...

1 Like

I've already responded to that point multiple times.

You mean like my old comic book collection in the basement?

1 Like

You are not "expanding" your risk. If someone gets past your network security, they will not target Hubitat, they will go directly to the source (lock) :wink:

2 Likes

You are not "expanding" your risk. If someone gets past your network security, they will not target Hubitat, they will go directly to the source (lock)

Except if the lock is now controlled by the Hubitat (or any other service), that's now a giant extra attack surface. Finding a vulnerability in a secondary service that has access to the target is a classic attack.

Every new service you add to something you are trying to secure is a new attack vector with potential vulnerabilities. And an entire IoT platform like Hubitat is going to be much more complicated, and much more prone to mistakes than a single, much simpler program like a standalone lock.

The likelihood that someone would target your local platform is less plausible than you unlocking the door with your hand and inviting the burglar into your home. Now, a cloud-connected platform is a different story. Accidents happen more often than hacking.

3 Likes

Hubitat doesn't expose your lock to the internet unless you enable it to do so. This isn't actually a risk. I've never heard of a case where a petty thief with the knowledge of how to penetrate one's local network was happy to just steal a few physical items inside.

Perhaps if you are this concerned about intrusion by these means, you shouldn't own a connected lock of any kind and as you suggest "a single, much simpler program like a standalone lock" is more your speed. I can assure you that August isn't the safest place to put your trust. It's a cloud connected platform that was better off in the trust of Assa Abloy, but now they are owned by Fortune Brands Home & Security.

I trust my Yale Z-Wave only locks which are connected directly to Hubitat Elevation, but I do not trust August (have been burned by August once already) or their cloud services.

1 Like

The August locks I own only have internet if a hub is used, which is not required.
The app however, is cloud connected and managed.

Personally the main reason I trust August is that people have actually attempted to analyze their security and look for vulnerabilities, without much success. See this paper. I would not be willing to use a smartlock unless a similar analysis was done on it beforehand.

Looks like Yale was also sold to Fortune Brands Home & Security.

I'd be curious how you were burned by August though, if it was a security issue I'd def. be interested.

I'd like to be able to use my Hubitat for more integrations though, which would further expand the attack surface and require me to be thoughtful of each addition I added. Perhaps with a dedicated Hubitat to control just the lock, but I'm not quite willing to go that far. I think I will just accomplish my automation needs in a different manner, that does not require pairing the lock with the hub.

1 Like

Hacking August or Hubitat to get access to a home has an underpants gnome problem. Once theoretically into their systems there are several steps still required to get to a specific home. August doesn't store your address at all. Hubitat only potentially in cloud backups. Hackers are looking for quick scores, breaking into houses isn't quick. That's why there are essentially zero cases of burglary via hack.

2 Likes

Sigh.... As a network engineer, and one that also does network security I can say everything is an attack vector. Not everything is a useful vector. As I said, if someone is close enough to sniff your z-wave or zigbee network, they are close enough to jimmy the lock or just use a brick. They are not going to be interested in trying to hack hubitat nor the lock. As @JasonJoel points out, regardless of the driver, once I figure out how to attach myself to your hubitat, I'm going to simply inject raw z-wave commands. That will pretty much bypass the driver. You can't block out lock/unlock from the lock unless you rewrite the firmware... (good luck with that). See where I'm going here. I'm not going to bother with that. I'm simply going to wait till you leave and either rasp the lock, or break a window because honestly I'm not gonna care enough to spend hours attaching myself to your network to break into your hubitat to unlock the bloody door. I mean, hey, it's your system, but honestly you're wasting your time....

2 Likes

That's 6 years old, so it's not a reflection of the new owner's security practices, or how well their services are maintained and kept up to date today. I'm going to guess that you don't have a Medeco or Schlage industrial lock on that door, so a skilled person can just penetrate the key lock itself to gain entry. No noise, no breaking glass.

August burned me with their hardware support. Just out of warranty, their crappy design (August lock 2) with a ribbon cable inside that flexed every time the lock opened and closed, broke. This rendered the lock useless. They refused to cover it, refused to send me the part, wouldn't send me a broken lock to salvage the part from, wouldn't offer me a discount on a replacement lock. I dropped them immediately and bought Yale locks. Have been very happy with them for many years now. I own five Yale locks, three have the Z-Wave module installed, one has a HomeKit module.

3 Likes
2 Likes

That's 6 years old, so it's not a reflection of the new owner's security practices, or how well their services are maintained and kept up to date today. I'm going to guess that you don't have a Medeco or Schlage industrial lock on that door, so a skilled person can just penetrate the key lock itself to gain entry. No noise, no breaking glass.

There's no reason to assume the security has gotten worse, especially with so recent a sale. And an older analysis paper is a lot better than no analysis paper.

As I said, if someone is close enough to sniff your z-wave or zigbee network, they are close enough to jimmy the lock or just use a brick.

Again, using a brick leaves an obvious and important insurance trail.

I'm going to simply inject raw z-wave commands.

Yes, I've realized early on that the lock firmware prevents me from using it in this manner.

As for jimmying/picking the lock....

Not to mention adding integrations to the Hubitat exposes it and the lock further.

Exactly. Only my tenant's apartment has a key lock on it. The locks on our portion of the house don't have keyways. Picking or bumping is impossible.

All of these home improvement center locks are not going to protect against picking, and I've heard (cannot confirm myself) that you can sometimes have locks from the same manufacturer on the shelves at big box stores, that are keyed exactly the same as one found in another package.

It's a valid argument, but not necessarily a correct one. I'm not here to argue with you. Assa Abloy bought August in October of 2017 and sold them in December of 2022. I don't know if you've ever been part of an acquisition before, but the high-paid people that know how to make stuff work properly and securely are often not moved to the new company, or sometimes don't stay long if they do move.

So here's an idea for you. Your lock sends a notification to something right? Run a shortcut if you're an iOS user and trigger what you want from that, or run Tasker if you're an Android user and trigger what you want from that. Going to need an always on phone that you maintain and the security of the phone and the cloud connection (of which you have no control over) need to be maintained. Should get you what you want though.

I can confirm that one for you. Used to work for a lumber yard in college and, in general, when we received a case of locks they were in sets of 3 per key number - getting a set of keyed alike locks was simply a matter of checking the key numbers until you found a matching set. Wasn't unusual to get matching cases in on a large order either.

2 Likes

In the USA most standard home insurance (check yours specifically) covers theft even if doors and windows are left wide open.

1 Like