Guys, secure your Hubitats

At least 38 of you have your Hubitats exposed to the internet, about half of them without password authentication enabled. These are just the ones listed in Shodan, there are probably plenty more.

If you must have it exposed, at least turn on password authentication. Ideally you would not have it exposed at all and use something like PiVPN to access things on your home network.

8 Likes

I have openvpn to get to my network. Though I still think I need more security to some devices within my network.

Maybe a stupid question: How do I know if it is exposed? Does it need a forwarded port?

If you've set up port forwarding to it, it's exposed. Some cheap routers also allow you to put a host in a DMZ, but that checkbox just exposes all ports on that device to the internet.

You can scan your IP from the outside also using a site like this:
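An outside-in self-check you can run yourself, added here as an example (it is not code from this thread or from Hubitat). It connects to your own public IP on the hub's admin port from a network outside your home (a phone hotspot, for instance) and classifies the answer. The classification is a heuristic assumption, not a Hubitat specification: a 401/403 or a redirect whose Location contains "login" is treated as password protection being on, while a plain 200 means the admin interface is served with no authentication challenge. Port 80 and the path "/" are assumptions taken from the thread's discussion of public port 80 access.

```python
"""Outside-in exposure check for a home hub's HTTP admin port.

Added example, not part of the forum thread. Assumes the admin UI is
plain HTTP on port 80 and that, with login enabled, an unauthenticated
GET / does not return the admin page directly (heuristic, see below).
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Dict, Optional

ADMIN_PORT = 80  # assumption: the admin UI port discussed in the thread


@dataclass
class Verdict:
    reachable: bool                  # TCP connection succeeded
    auth_required: Optional[bool]    # None when unreachable or unclear
    detail: str


def classify_http_response(status: int, headers: Dict[str, str], body: str) -> Verdict:
    """Classify an HTTP response seen on the admin port.

    Heuristic (assumption): 401/403 or a redirect to a login page means
    password authentication is on; a 200 with no challenge means the
    interface is reachable without authentication. Anything else is
    flagged for manual inspection rather than guessed.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return Verdict(True, True, f"HTTP {status}: authentication required")
    if status in (301, 302, 303, 307, 308) and "login" in lowered.get("location", "").lower():
        return Verdict(True, True, f"HTTP {status}: redirected to login page")
    if status == 200:
        return Verdict(True, False, "HTTP 200: admin interface served with no authentication challenge")
    return Verdict(True, None, f"HTTP {status}: unexpected response, inspect manually")


def probe(host: str, port: int = ADMIN_PORT, timeout: float = 5.0) -> Verdict:
    """Connect to host:port from the current network and classify GET /.

    Run this against your own public IP from outside the home network;
    a refused or timed-out connection means the port is not forwarded.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        verdict = classify_http_response(resp.status, dict(resp.getheaders()), body)
        conn.close()
        return verdict
    except (socket.timeout, ConnectionRefusedError, OSError) as exc:
        return Verdict(False, None, f"not reachable: {exc}")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # documentation address, placeholder
    v = probe(target)
    print(f"{target}:{ADMIN_PORT} reachable={v.reachable} auth_required={v.auth_required} ({v.detail})")
```

If the verdict is reachable with `auth_required=False`, remove the port forward (or DMZ entry) first and turn on hub login second; if it is reachable with `auth_required=True`, the forward is still there and a VPN is the better replacement.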

I don't know if Hubitat supports IPv6 at all. Some cheap devices will just pass through that traffic without any policy enforcement. However, unless someone knows the IPv6 address for your device, they probably won't find it. Your ISP if it supports IPv6 probably hands you a /64 address, which means that someone would have to scan 5.8 quintillion addresses to find the one that's assigned to your Hubitat. This really isn't possible, they would need access to another machine on that local network to use other methods for discovery, and if they already have that access... well...

1 Like

How do you know this figure?

Crafted search in Shodan.io

There are a LOT of Vera and SmartThings devices out there also. Like, tons.

1 Like

Whoa. That tool is crazy.

Too bad the lowest account is $59/month. No home user will pay that to check their stuff.

In the free account I just registered you can just type in your own public IP and check what is exposed. Pretty simple.

You can use the free account. You can't kick off on-demand scans with that though. But, once your IP is in the system, they will hit it fairly frequently.

It is. It can also be endless hours of entertainment looking at webcams and things that should definitely not have been exposed to the internet.

It's actually pretty scary how many industrial control platforms are exposed, and using default credentials. There are also radio stations with their broadcast platforms exposed that would allow an attacker to take over the broadcast and play their own audio, if you know how to search for them. Public safety systems also, with control of tornado sirens...

I'm sure some Russian hackers have a button somewhere that they can press and it will just cause complete pandemonium all over the country.

1 Like

or use iotscanner.bullguard.com

It'll tell you if your IP is on Shodan. It can then also search for devices that are exposed. Of course if you do this, they will be listed on Shodan... so fix it.

1 Like

Thank you, excellent advice!

Staff have mentioned many times on this forum (as have many community members) that port forwarding your Hubitat is a bad idea. So many times that, yes, each one of those words is a different hyperlink that will take you to someone saying so. :slight_smile: Anyone who is doing this anyway should know better than to leave it open if they do, but it's not recommended in any case.

Great advice for you to share as a reminder! Anyone looking to do this should consider a VPN instead (you can host one yourself on something as simple as a Raspberry Pi with PiVPN, or many home routers have such a feature built-in).

Was there ever a time when a port forward was necessary to reach it from the cloud?

I have only the services I expected exposed (with strong passwords). But that site is awesome. It wouldn't take long to guess a default pass.

Brute force wouldn't work as my passwords are long and random via LastPass. But you never know.

If this site was a bit cheaper I'd surely sign up for monitoring of my services. Are there any others?

No. The cloud endpoint has always been there. I suppose Hubitat Dashboard would be the most notable app where that is used (others like the Alexa skill use it in a less visible manner). The cloud link there has been there as long as Dashboard has been around.

It does depend on what "it" means, though: remote administration has never been possible, so you have needed (and likely always will need) a VPN or similar to do that. Nothing possible today remotely (that has previously existed as a feature) has ever not been possible in the manner in which it is possible today.

Then I just don't understand the need. Well I do, but I don't want to :smile:

Wait. You're saying people have set up public port 80 access for their Hubitat Hub? :exploding_head:

A "crafted" search isn't available with the free API account, but if someone's "shared" it you can view it as well, right?

Is Shodan's documentation the best way to familiarize oneself with creating search queries or would you recommend another source of "learning the ropes"?

Yes it is. Click on explore and look at those for examples.

1 Like