Hubitat Elevation Remote Access Backdoor

It's pointless really. The more different IT-related brands I use the more I see that most of the companies have some means of accessing them. Some have ways to disable it if you are knowledgeable, otherwise it's on by default. I still think I am in more danger from a down-and-out following me home from the shop to mug me on my doorstep than I am from a person with a well-paid job in a tech company half way around the world.

2 Likes

The lack of response from Hubitat on this is interesting.

2 Likes

While I don't know any of this for certain, I have been here long enough to see what is said by staff publicly when they help users. And there are certain patterns that show up over time. None of this is really a secret, the diagnostic tool has been mentioned by staff multiple times.

These aren't the logs like you see. They seem to be OS level or low level logs at most. Probably more like error messages rather than actual logs. In fact, staff almost always ask for people to post screenshots of the actual logs from the hub as they are more complete than what their diagnostic tool shows.

From what I see, the staff need to know your email (account name) and hub name to use their diagnostic tool. They often will ask for your hub name when you are having troubles. So it would have to be very intentional to access jkister's hub. They aren't just monitoring your every move or watching you leave the house or whatever. And as busy as staff is, who would have time to do that?

My understanding is the logs are NOT automatically stored anywhere or automatically uploaded to a server, they have to use a specific method to view logs from your hub. In fact, Hubitat has always been very resistant to running a server due to the cost of the storage. Look at the phone app history, remote admin service history, and so on. In many cases they have cited the high cost of server time for not implementing some of this stuff sooner (or at all). They have also stated many times about how they run a lean company and don't have huge expenses due to not having servers and cloud stuff like other hubs.

Again this is certainly not possible. They constantly ask for screenshots of logs, rules, settings menus (gear menu) and other items when users are having troubles. If they had free rein over your hub, why would they need all that? They were just trying to "throw you off the trail" and trick you into thinking they can't see your GUI? That is tinfoil hat level silliness.

This whole thread is a bit over the top. I get the privacy concerns, (I refuse to use those China Wifi IOT devices, for example) but people haven't done their research or used logic as to what is going on here.

8 Likes

When I first got my hub, I wanted to prove it could work locally, so I didn't register an account for a while, and my devices all worked (those that were not cloud based). If they need our account numbers to log into the back door then I'd guess all one had to do to disable it would be to not connect it to our account online.

1 Like

In my defense, that wasn't a direct quote @jasonjoel; it was an interpretation. I just tried (and failed) to find posts where HE was warning about security risks and that xyz systems were incorrectly secured. I remember this because it fired up the talk about whether HE has remote access and blah blah. I personally don't care they have access and it's somewhat comforting they do (or don't!) but my post was how statements like that get misunderstood and least common denominator has to be considered. Not everyone using a HE hub is wicked smart. (points at self).

1 Like

There was a pinned "sticky" thread about that security hole for weeks on this forum a while back. Apparently people don't pay attention to these announcements. There was one a couple years ago too.

There also have been warnings from other users way before this. Here is one example.

2 Likes

This has been an entertaining read, but this is pretty far, really really far down on my list of things to worry about. Now, if you'll excuse me, my Alexa just told me to buy something, and I don't want to keep her waiting. She gets angry when I don't obey. :stuck_out_tongue:

14 Likes

Thanks for finding that! - I DO read everything! (well. I try to). I feel better knowing I wasn't dreaming it up!

I totally agree. I was baited by the subject but then when I read what bruce wrote, it made lots of sense. My post here was for confirmation, and it'd be nice for all to see that it's not as evil as it seems.

2 Likes

Nobody has mentioned that port forwarding is no longer a means to access the hub since the latest update (at least that's my understanding). This I assume was prompted by users leaving their hubs exposed. HE developers do not want hubs to be hacked it would seem, and this is a step in that direction.
In my discussions with tech support over the past couple years, they were unable to identify devices by name (which made things much harder btw) or remotely change settings. If they ever make an opt in for remote access, I hope they expand their abilities at that time, much like remote access on Windows.

3 Likes

Agreed. In my opinion, the OP's reaction is disproportionate to what actually happened - i.e. access as indicated by the TOS to troubleshoot/identify to find a misbehaving device.

4 Likes

The very first time that I had an issue and the Hubitat support engineer used those "remote logs" to uncover the problem, I was somewhat unnerved that Hubitat could access stuff on my machine. However, after thinking about it for a while, I realized that their access made a lot of support possible.
Now, I recognize that this type of access should be disclosed and documented. However, I WANT them to have access. After all, that's why I'm here and not using another tool - the support that I (and all of us....) have received from Hubitat (and the Community) has been outstanding!

8 Likes

This is, IMO, the most egregious misrepresentation of all posts in this thread. Your interpretation is simply inconsistent with reality.

Edit: and as @bertabcd1234 points out in the post below this one, not even a little bit related to the OP.

4 Likes

Yeah...I accidentally found someone's hub on Google once just by using the "right" search term; presumably they were port-forwarding without regard for security (something a change in 2.2.9 should address). That is, as you mention, a totally different issue from the engineer logs that are, presumably, the original issue of concern.

7 Likes

The discourse in this thread reminds me of the current state of politics in the US. Everyone is defending their position with specious arguments. The question is not how much you trust Hubitat not to abuse the access they have to sensitive data. The question is how much do you trust Hubitat's security practices.

As we've recently seen, Ubiquiti failed at that and put all of its customers at risk. Personally, I feel better about trusting Hubitat's security more than I do Ubiquiti. And I also trust Amazon's security for the Alexas. I don't trust Amazon to not use my info for internal marketing. I do trust Hubitat to not do that, regardless of what the TOS says.

When is someone going to ask Hubitat how they protect this trusted access that we've agreed to bestow on them? I'm happy to have them support me quickly when I ask for it. Help me trust that they're doing the right thing to secure that privilege.

In case it's not obvious, I'm 25 years in IT. This means by default I'm in IT security. I'm a consultant so I work with many different organizations to secure their systems. I've held most of the Cisco certs shy of the CCIE. I've learned the hard way that security in a support organization is a hard thing.

I'm sure I missed it, if it exists. Has Hubitat published the internal security practices for the service desk? How strong is the change management review process? I don't really expect that this has been published. It's poor security to tell all about the inner workings. But how about some high level info so we know you're doing things like CMMC auditing, SOC2s for the data centers you're in, and good code review and management practices (not my strong area). I'll be happy to be the fool that didn't find this if someone can point me to it. It would put me more at ease, for sure!

This ended up being a lot longer than I expected. I just wish everyone would be a lot less offended by someone asking questions. If you look at the thread again it's just a bunch of people that care about the success of Hubitat. Maybe we can start with that.

4 Likes

Just as a reminder, Hubitat has a handful or two of staff members, we're not even talking some entity with even 50 employees. Companies 10 times the size often don't have all of the things you're asking about, let alone to spend the time, money, and significant amount of effort to go through an entire SOC2 certification.

Not to play the what about game, but does SmartThings or Wink provide the sort of policy info you're asking about - do either of them have a SOC2? HomeSeer? Do any consumer electronic companies provide this level of detail?

I frequently conduct security vendor reviews in my professional life and ask for a lot of the documentation you're asking about and it almost always requires an NDA to be signed before a software company will provide that level of detail. So to think they would provide detailed implementation details around their security practices or how their tooling is secured, is just misplaced energy in my mind.

Should Hubitat maybe have a blurb about what sort of data can be collected? Sure. Am I worried about it? Not really. Are any of us entitled to the level of detail a handful of folks seem to want based on comments in this thread? No, it's just not the sort of information provided in the consumer electronic space, at least as far as I've ever seen.

9 Likes

I'll say, it would be nice and prudent to know what can and cannot be seen. For example, I log some confidential information. I'm not concerned since I assumed only I can see it. Is that true? I really don't know. All we know is they can see SOMETHING. None of us know how (does it push logs to the cloud, do they SSH into our devices over an HTTPS tunnel, none of the above) none of us know what they can and cannot see. None of us have a way to turn this off. Anything other than what I just said is all of us guessing. What I can also say is, I don't see any of the staff chiming in to clarify what they can or cannot see. As we all know, that silence leads people to assume nefarious intentions. Also I want to be clear, whatever capabilities they have, even if we assume they have only the best intentions, what if they have a disgruntled former employee? What if they get hacked? Just because people have good intentions doesn't prevent bad outcomes.

It would be nice to hear from the staff what they can see and honestly, it seems prudent to offer a way to turn this off. I compare it to UniFi. I can download a support file I can upload to their staff when I need them to troubleshoot. They don't have 24/7 access to my router. Why wouldn't such a solution be sufficient here? Seems it makes this concern vanish and gives them the ability to troubleshoot still.

9 Likes

Can they for example download the porn videos we keep on our hubs? Important to know...

2 Likes

Only the donkey stuff

3 Likes

And can that be shared with the rest of us.... securely....

1 Like