"Cloud" security

Thought I'd start a separate thread for this.

I'm researching HE because I searched for a smart home hub that can be used locally...no cloud!

Now I see there's a "cloud link" available:

Cloud Links are remotely accessible URLs that you can use to access your Dashboard from the internet, when you are outside your local network.

I can't find any more info about it than that.

How does this work? What info is traveling across the interwebs, and to where? Do we need an account somewhere?

Just curious!

This can be turned on or off for each dashboard page. You just need a hubitat account (you need this to register your hub anyway) to be able to get the link. Once you have the link I believe anyone can use it which is why you can put passwords on each of your dashboard pages.

1 Like

The above is true, plus it is something you have to set up. This applies only to the Hubitat Dashboard app, which is not installed or created by default--it's just an option available to answer those who want the ability to remotely monitor or control devices (similar to ActionTiles on SmartThings, if not an answer to those who claim to be looking for something similar to the SmartThings app itself but really just want remote device control). When you create a Dashboard, you'll have the option to enable or disable the cloud link, so it is possible to use it as a LAN-only Dashboard if you want.

As for where the data is traveling to/from, I'm not sure anyone besides Hubitat staff knows for sure. But generally the way the "cloud" works in Hubitat is that the cloud endpoint is just a way for the cloud service to communicate with your hub, not a cloud-based cache or "instance" of your hub/devices/etc. I imagine that the generic "Hubitat Dashboard" app code might be stored on Hubitat's server (it's entirely possible for your hub to serve its own web pages, but this seems less likely to me given occasional differences I've seen between cloud and local dashboards while they were in development), whereas it communicates with your hub to get all your specific information and communicates back and forth with your hub as things change. (It's also possible the entire page is just served from the hub over the cloud like it is over the LAN, using Hubitat's cloud URL as basically a bridge to publicly access this otherwise local resource, but again, I don't really know and I'm not sure if any of us do.)

The only "cloud" thing I'm really concerned about is the ability staff seem to have to view my logs without me needing to grant them any specific access. Or at least that seemed to be the case half a year or so ago when I needed support. I fully trust Hubitat staff, but I just wonder how Internet-accessible the hub itself may be. In the specific case you asked about, however, it isn't for this purpose unless you set it up. Even if you do, it's an "extra" and not dependent on the cloud for the hub to continue functioning regardless of your (or their) Internet status.

1 Like

Thanks @BorrisTheCat and @bertabcd1234!

My apologies; I guess I should have named this thread something different; something like "Is HE really local?"

I do understand the link isn't required. What I'm really wondering about is, as you mention, if the HE is only accessible via my local LAN, how can that cloud link (or Hubitat support) find and access this hub past all the security measures: My ISP, my ISP's device, my firewall, my network, and into my HE device? That's the kind of outside access I'm trying to avoid.

I wonder if there's a technical discussion somewhere? It may be spelled out in the EULA, which I haven't looked up yet since I haven't purchased yet...

According to a podcast on YouTube (I believe it was this one https://www.youtube.com/watch?v=LQ8pyrX6_H4) that @patrick was on, the only identifiable information Hubitat stores/has is each hub's MAC address, to know what version of firmware each hub is running and for the ability to push new updates out to them.....he specifically stated that was pretty much it, they don't even store device data from the hubs.

1 Like

Security is layers.

If you disable internet access for your Hubitat Hub, other than that initial Registration, you do not need to have direct Internet access ever again. There have been several documented instances of this reported in this forum.

The hub does try and get NTP data, it does try to get DNS answers. If they are blocked, however, the hub continues to run. You will have to keep abreast of Time for your hub with periodic (monthly?) clicks of updating time from your browser.

If you integrate a Lutron SmartBridge PRO, Lutron MAY have built their bridge to want internet. You'll have to decide what impact blocking that does. But the communication between Hubitat and the PRO bridge is entirely local.

Many people choose to use a voice assistant (Alexa / google) and of course those devices straight up demand internet.

Therefore, as you add complexity, you get complexity.

You can create a Dashboard that has tiles to perform actions of each device. Light switches go on and off, dimmers dim, fans spin. Etc. Block or disable, and the dashboards won't "leak out" onto the internet. You would have to VPN in to access them. (Easy enough.)

Similarly, Admin functions such as adding a device to Z-Wave or Zigbee, or creating a rule, MUST be local. There is no option for remote, other than using a VPN.

1 Like

Hi @csteele, thanks for the info! A couple questions:

Is this a setting on the hub itself? That'd be nice. Otherwise, I'd obviously have to do that blocking manually (by mac address on my firewall, most likely).

I'm guessing if I have a local NTP server and a local DNS, I can point the HE to those?

Thanks!

By default, if the Hubitat Elevation hub can, it will, reach out and connect to the Hubitat Cloud server. That server does not maintain any state or history from your hub. No code from your hub is run in the cloud. It is simply a means for users (e.g. Hubitat Dashboard and Maker API) to have OAuth2 access to the hub via the Internet. As mentioned above, the Hubitat cloud endpoint allows integration with cloud services as well (e.g. Alexa, Google, Ecobee, Nest, Weather, Life360, Mobile Presence, etc...)

Since the hub reaches out and establishes a connection to the Hubitat cloud server, your router/firewall/ISP/etc... does not block the connection. Those security measures block unsolicited incoming connections.

If you want to stay completely off the Internet, I’d recommend using a router that supports running a local NTP time daemon, and that can intercept and handle all NTP client traffic. I am using an Asus RT-AC86U router running AsusWRT Merlin 384.11_2 firmware which just recently added this NTP feature. This alleviates the need to sync the HE hub’s clock using your web browser.

The Hubitat Hub requires DHCP IP addressing. You cannot manually enter an NTP or DNS server address. Using a router that can “intercept” DNS and NTP traffic to handle it locally is the only way I know to force the behavior.

Note: The more complicated you make your network design, the harder it will be to ask others for assistance as most of us are willing to trust Hubitat’s cloud server as a simple endpoint for our hubs. There is no way into the hub externally without using an OAuth2 key, which are generated by the hub itself.

2 Likes
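The two posts above (csteele's on blocking the hub's internet access except for NTP/DNS, and the one describing how the hub reaches out to the Hubitat cloud so that a stateful firewall never sees an unsolicited inbound connection) both come down to one verification step: look at the flows your router actually records for the hub and check which ones it initiates off the LAN. The script below is an added example, not Hubitat's or any forum member's code. It parses constructed flow-log lines in a made-up `proto src:port -> dst:port state` shape (real routers log differently; adapt `parse_flow`), assumes a hub address of 192.168.1.50 on 192.168.1.0/24 with the router at 192.168.1.1 answering DNS and NTP locally, and classifies each flow as hub-initiated LAN traffic, hub-initiated internet traffic (by service), LAN-originated traffic to the hub, or an unsolicited inbound connection from outside. `egress_violations` then lists what a "LAN-only hub" policy would need to block or redirect.

```python
import ipaddress
from collections import Counter

# Constructed values for this example; substitute your own hub's address and LAN.
HUB_IP = "192.168.1.50"
LAN = ipaddress.ip_network("192.168.1.0/24")
LOCAL_RESOLVER = "192.168.1.1"   # router answering DNS and NTP on the LAN (assumed)

# Well-known destination ports the hub is expected to use.
SERVICE_BY_PORT = {53: "dns", 123: "ntp", 443: "https", 80: "http"}

# Constructed flow records: "proto src:port -> dst:port state".
# NEW-OUT = connection initiated from the LAN side, NEW-IN = initiated from the WAN side.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_FLOWS = """\
udp 192.168.1.50:49200 -> 192.168.1.1:53 NEW-OUT
udp 192.168.1.50:123 -> 203.0.113.20:123 NEW-OUT
tcp 192.168.1.50:51234 -> 203.0.113.10:443 NEW-OUT
tcp 192.168.1.20:60000 -> 192.168.1.50:80 NEW-OUT
tcp 198.51.100.7:40000 -> 192.168.1.50:80 NEW-IN
udp 192.168.1.50:49201 -> 203.0.113.53:53 NEW-OUT
"""


def parse_flow(line):
    """Split one constructed log line into its fields."""
    proto, src, _arrow, dst, state = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "state": state}


def classify(flow, hub_ip=HUB_IP, lan=LAN):
    """Label a flow from the hub's point of view.

    Hub-initiated flows are what a stateful firewall lets through (and lets the
    reply come back for); an unsolicited inbound flow is what it drops.
    """
    src_local = ipaddress.ip_address(flow["src"]) in lan
    dst_local = ipaddress.ip_address(flow["dst"]) in lan
    service = SERVICE_BY_PORT.get(flow["dport"], "other")
    if flow["src"] == hub_ip:
        return f"lan-out:{service}" if dst_local else f"internet-out:{service}"
    if flow["dst"] == hub_ip:
        if src_local:
            return f"lan-in:{service}"
        return f"unsolicited-inbound:{service}"
    return "unrelated"


def summarize(text, hub_ip=HUB_IP, lan=LAN):
    """Count flows per label; a quick picture of what the hub is doing."""
    return Counter(classify(parse_flow(line), hub_ip, lan)
                   for line in text.splitlines() if line.strip())


def egress_violations(text, hub_ip=HUB_IP, lan=LAN, allowed_remote=()):
    """Hub-initiated connections leaving the LAN that a LAN-only policy would not allow.

    Each entry is (destination, port, service). DNS and NTP entries are the ones a
    router can intercept and answer locally; anything else must be blocked outright
    if the goal is "no cloud".
    """
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow, hub_ip, lan)
        if label.startswith("internet-out") and flow["dst"] not in allowed_remote:
            violations.append((flow["dst"], flow["dport"], label.split(":", 1)[1]))
    return violations


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:28} {count}")
    print("would need blocking or local interception:")
    for dst, port, service in egress_violations(SAMPLE_FLOWS):
        print(f"  {dst}:{port} ({service})")
```

Run against real router logs, the interesting outputs are the `internet-out:*` lines: `dns` and `ntp` to anything other than your local resolver are what the intercept-and-answer-locally router setup removes, and a remaining `https` flow is the hub's own outbound session to the cloud endpoint, which is the one to block if you want the hub fully offline after registration. The `unsolicited-inbound` label should stay at zero on a normally configured router; if it ever appears, the hub has been exposed by a port forward or similar.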

Ah! Ok, now we're cooking with Pam! :smiley: This is good news. I'm sure the OAuth2 scope(s) being used are probably published somewhere.

Ha! My bad; I didn't think about it reaching out upon initial startup...that makes total sense.

Very cool setup; that firmware is really new! Thanks for sharing that.

And truth be told, I've already given Google, Amazon, Facebook, and Verizon every piece of information about me and my family that they'd ever need to wipe us off the face of the earth simply by signing up with them and using their services, so the HE does seem very secure compared to that. :slight_smile:

Thanks everybody for your help; my mind is more at ease now than it was 30 minutes ago. Guess I should get back to work now! :wink:

3 Likes

You’re asking excellent questions. It is always good to know the architecture of the systems within your own home! I am sure others will find this thread useful as well.

8 Likes