HE on the Way, Question about Network Security

I just ordered my first HE! One thing that I can't quite understand based on my reading here is the network security of the hub. I have a few questions about accessing the hub and its overall 'cybersecurity'.

  1. If I place the hub on my local wifi network with a static IP but do NOT port forward it, is anyone outside of my LAN able to access the hub?
  2. It appears that if I disable my hub dashboard the answer to the above is that there will be NO access whatsoever from the outside world to my hub unless someone is able to get through my router.
  3. If I use Homebridge to control via HomeKit and enable the HE dashboard, am I running any crazy risks from an outsider point of view? Trying to avoid being seen on Shodan for example.

This community is awesome and was a large part of why I chose HE! While I feel fairly confident of my abilities and researching capabilities, having this awesome community is second to none for support.

If you don't allow access past your firewall, don't have a dashboard enabled for cloud access, and don't use any cloud based apps, there's only a little data sent by Hubitat Elevation back to Hubitat. See:


HE cloud access is hub to cloud. This access is akin to a browser conversation with a website not like an open port from cloud to hub.

Gotcha. So if I open up the dashboard or even Homebridge to HomeKit, it's just as if you had only a HomeKit device (Apple TV or the like) sitting on your network. By using those two options it's not like opening the floodgates of my personal home network...

In general, no one will be able to access your hub as long as you do NOT port forward any ports to it. However, by default, the Hubitat Elevation hub wants to register with Hubitat's Cloud Endpoint server (i.e. cloud.hubitat.com.) This is an optional step, but a necessary one in order for your hub to interact with any cloud services (Amazon Alexa, Google Assistant, SharpTools, Ecobee Thermostat, etc...) Also, in order to use the Hubitat Dashboards when on the road, the hub must be registered to the Hubitat Cloud Endpoint. Having your hub registered also enables proper time synchronization.

Doing so does not expose your hub to random hackers. No one can access your hub directly through the cloud endpoint. The Hubitat cloud endpoint is simply a bridge that requires encrypted OAuth2 keys for bi-directional communications.

The Hubitat support staff can access platform data (not user-space data) to assist you with troubleshooting, should any issues arise.

There is no security issue with the Hubitat Dashboard. You would have to share the cloud URL to your hub's dashboard, which includes a massive OAuth2 key. All data is encrypted, including the URL, when communicating remotely to the hub for Dashboard access.


Thanks @ogiewon! I was actually reading some of the other posts you have made and was hoping you would chime in! Are you or anyone else aware of any Homebridge vulnerabilities? My understanding of Homebridge is it just sits on HE as a virtual HomeKit device and doesn't pose any security issues.
Pardon my wider networking lack of knowledge!

I am not much of a HomeKit/HomeBridge expert. In general, I have never heard of anyone pointing out this as an issue. To run HomeBridge, you will need another always on computer, like a Raspberry Pi, to host the HomeBridge software. There is a pretty big thread about Hubitat/HomeBridge here in the forum.

Hey, I think it's great that you ask these questions versus put your data/family at risk! Nothing to 'pardon' IMHO. :slight_smile:

A few best practices regarding Hubitat/networking:

  1. Never port forward to your Hubitat Hub. Instead, use a VPN connection if you want/need remote access to your hub's admin web page. I run an OpenVPN Server on my Asus router. This allows me to safely and securely access my entire home network when on the road via an OpenVPN client on my iPhone, iPad, or laptop.
  2. Be sure to Reserve an IP Address for the Hubitat Elevation hub via your router's DHCP server settings. This resolves a bunch of issues for users, especially after a power blip! It can take a little while for the Hub to register a new local LAN address with the portal.hubitat.com server, making cloud to hub connections a little wonky in the interim. Best to always keep the address the same.
  3. Put your Hubitat hub, router, and cable modem on a small UPS. Keeping these devices up and running through power blips/short outages prevents Hubitat hub database corruption, time-synchronization race conditions, etc...

Homebridge does not talk to the internet at all and can’t be accessed directly from the internet either.

HomeKit / Homebridge use a local protocol to talk to your phone.

The way it works is that your phone looks up a local mDNS record to find your Homebridge instance and then communicates with your Homebridge instance via your local LAN.

To have remote access to Homebridge, you need an always on iPad or Apple TV that is on your local LAN. This will then communicate via your local LAN to the Homebridge instance. That Apple TV or iPad acts as a gateway to Apple's iCloud. Your phone would then communicate via Apple's iCloud to that Apple TV/iPad, which in turn would communicate to your local Homebridge.

I am not aware of any Apple iCloud breaches that would allow access to someone’s HomeKit devices.

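The mDNS lookup described in the post above is worth seeing on the wire, because it is the reason Homebridge discovery never leaves the LAN: queries go to the link-local multicast group 224.0.0.251 on UDP 5353, which routers do not forward. The following is an added example, not code from the thread, from Hubitat, or from the Homebridge project. It builds a DNS-SD PTR query and parses a constructed (not captured) response, decoding the name-compression pointers a real responder uses. The `_hap._tcp` service type is the HomeKit Accessory Protocol advertisement; that Homebridge advertises under it, and the port 51826 in the sample, are assumptions for the example. The parser bounds compression-pointer hops, since a malformed packet on the local segment would otherwise loop a naive decoder.

```python
import struct

MDNS_GROUP = "224.0.0.251"   # link-local multicast group; not routed off the LAN
MDNS_PORT = 5353
HAP_SERVICE = "_hap._tcp.local"   # HomeKit Accessory Protocol service type (assumption for this example)

TYPE_PTR, TYPE_SRV = 12, 33
CLASS_IN = 1
MAX_POINTER_HOPS = 16            # guard against compression-pointer loops in hostile packets


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ptr_query(service: str = HAP_SERVICE) -> bytes:
    """Standard mDNS query: id 0, flags 0, one PTR question for the service type."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def read_name(pkt: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just past it in the record)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            target = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # record continues after the pointer
            jumped, off = True, target
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(pkt: bytes) -> dict:
    """Pull the service instance name and its SRV target/port out of an mDNS response."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                                 # skip echoed questions, if any
        _, off = read_name(pkt, off)
        off += 4
    found = {}
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            found["service"] = name
            found["instance"], _ = read_name(pkt, off)
        elif rtype == TYPE_SRV:
            _, _, found["port"] = struct.unpack("!HHH", pkt[off:off + 6])
            found["target"], _ = read_name(pkt, off + 6)
        off += rdlen
    return found


def constructed_response() -> bytes:
    """Constructed sample response (not a capture) using real-world style name compression."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 1)        # response, 1 answer, 1 additional
    svc = encode_name(HAP_SERVICE)                             # occupies offset 12 onward
    ptr_rdata = b"\x0aHomebridge" + b"\xc0\x0c"               # "Homebridge" + pointer to offset 12
    ptr_rr = svc + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(ptr_rdata)) + ptr_rdata
    inst_off = 12 + len(svc) + 10                              # where "Homebridge._hap..." begins
    target = b"\x0ahomebridge" + b"\xc0\x16"                   # "homebridge" + pointer to "local" at 22
    srv_rdata = struct.pack("!HHH", 0, 0, 51826) + target      # port 51826 is an assumed sample value
    srv_rr = (struct.pack("!H", 0xC000 | inst_off)
              + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 120, len(srv_rdata)) + srv_rdata)
    return hdr + ptr_rr + srv_rr


if __name__ == "__main__":
    print("query bytes:", build_ptr_query().hex())
    print("decoded response:", parse_response(constructed_response()))
```

Sending `build_ptr_query()` to `MDNS_GROUP:MDNS_PORT` on a LAN socket and feeding the replies to `parse_response` is the phone-side discovery step; nothing in it involves an inbound port on the router, which is the practical answer to the original question.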

Yet. :wink:

Well, there was the one when all the pictures of celebrities were stolen but that had nothing to do with HomeKit :wink:

It's the same as all of them though. Mostly if it was easy to do a private voice control (that didn't suck) with remote WAF approved access we would. But...

Thanks everyone! I really appreciate all the feedback!
