There was a pinned "sticky" thread about that security hole for weeks on this forum a while back. Apparently people don't pay attention to these announcements. There was one a couple years ago too.
It has recently been brought to our attention that some users are exposing their hubs online. We have notified these users to take action to secure their hubs as soon as possible.
As a reminder, port forwarding is not recommended as a way to enable remote administration of your Hubitat Elevation hubs. It can be difficult to secure and if it is not password protected, virtually anyone can control your hub and your home.
The easiest, secure method to access the admin interface of your hub remote…
Just a reminder that we do not recommend port forwarding to enable remote access of your Hubitat Elevation hub. Especially without password protection, virtually anyone can control your hub.
During an internal security audit, we identified several hubs that were exposed and users have been promptly notified to take corrective measures to secure their hubs.
There also have been warnings from other users way before this. Here is one example.
At least 38 of you have your Hubitats exposed to the internet, about half of them without password authentication enabled. These are just the ones listed in Shodan, there are probably plenty more.
If you must have it exposed, at least turn on password authentication. Ideally you would not have it exposed at all and use something like PiVPN to access things on your home network.