At least 38 of you have your Hubitats exposed to the internet, about half of them without password authentication enabled. These are just the ones listed in Shodan; there are probably plenty more.
If you must have it exposed, at least turn on password authentication. Ideally you would not have it exposed at all and use something like PiVPN to access things on your home network.
If you've set up port forwarding to it, it's exposed. Some cheap routers also allow you to put a host in a DMZ, but that checkbox just exposes all ports on that device to the internet.
You can scan your IP from the outside also using a site like this:
I don't know if Hubitat supports IPv6 at all. Some cheap devices will just pass through that traffic without any policy enforcement. However, unless someone knows the IPv6 address for your device, they probably won't find it. Your ISP, if it supports IPv6, probably hands you a /64 address, which means that someone would have to scan 5.8 quintillion addresses to find the one that's assigned to your Hubitat. This really isn't possible; they would need access to another machine on that local network to use other methods for discovery, and if they already have that access... well...
You can use the free account. You can't kick off on-demand scans with that though. But, once your IP is in the system, they will hit it fairly frequently.
It is. It can also be endless hours of entertainment looking at webcams and things that should definitely not have been exposed to the internet.
It's actually pretty scary how many industrial control platforms are exposed, and using default credentials. There are also radio stations with their broadcast platforms exposed that would allow an attacker to take over the broadcast and play their own audio, if you know how to search for them. Public safety systems also, with control of tornado sirens...
I'm sure some Russian hackers have a button somewhere that they can press and it will just cause complete pandemonium all over the country.
It'll tell you if your IP is on Shodan. It can then also search for devices that are exposed. Of course if you do this, they will be listed on Shodan... so fix it.
Staff have mentioned many times on this forum (as have many community members) that port forwarding your Hubitat is a bad idea. So many times that, yes, each one of those words is a different hyperlink that will take you to someone saying so. Anyone who is doing this anyway should know better than to leave it open if they do, but it's not recommended in any case.
Great advice for you to share as a reminder! Anyone looking to do this should consider a VPN instead (you can host one yourself on something as simple as a Raspberry Pi with PiVPN, or many home routers have such a feature built-in).
No. The cloud endpoint has always been there. I suppose Hubitat Dashboard would be the most notable app where that is used (others like the Alexa skill use it in a less visible manner). The cloud link there has been there as long as Dashboard has been around.
It does depend on what "it" means, though--remote administration has never been possible, so you have needed (and likely always will need) a VPN or similar to do that. Nothing possible today remotely (that has previously existed as a feature) has ever not been possible in the manner in which it is possible today.
Wait. You're saying people have set up public port 80 access for their Hubitat Hub?
A "crafted" search isn't available with the free API account, but if someone's "shared" it you can view it as well, right?
Is Shodan's documentation the best way to familiarize oneself with creating search queries or would you recommend another source of "learning the ropes"?