"http://<hub_ip_address>/getstarted" allows anyone to become an admin and take over the hub

Hmm... that does seem an unusual feature to have enabled once a hub is already registered and hub login security is already enabled.

@bobbyD can maybe shed some light on that, and confirm if that is working as intended and why.

Oh yes I've just tried it myself and it does redirect to that page. Was it always doing this?

Thanks for the feedback. We are looking into it.

1 Like

Quick update: there has been a change in the get started workflow, as mentioned in the release notes for 2.3.1. To better align with this change for new users, find.hubitat.com now redirects to getstarted.hubitat.com.

This change does not pose any security threats, as, if the user is not on the local network, no hubs are discovered in step 4 of the "Getting Started" workflow after selecting "Find Hubs".

For those who may have bookmarked find.hubitat.com as the easy way to discover hubs on the local network, please visit findmyhub.hubitat.com, instead.

2 Likes

Being able to register myself as a new admin is still a big vulnerability. Anyone who has access to the hub's IP address can easily take over a hub. Your update relies on current customers and future customers having knowledge of this issue and having the ability to isolate the hub in its own network. A lot of us don't have the capability to create VLANs to put the Hubitat on a different network.

Even if we created a VLAN for IoT devices, one of those devices could be a bad actor, either by getting hijacked or by being intentionally bad from the start, and then take over the Hubitat hub, locking us out. The only true way to solve this issue currently is to have the Hubitat be the only thing in its own network.

3 Likes

There is another way that our developers are looking into, and that is to skip the get started if the hub is already registered. Thanks for bringing this to our attention. You have a valid point.

4 Likes

I think it might have always been like this. My title is probably misleading; "find.hubitat.com" and "getstarted.hubitat.com" are not the real issue. "getstarted.hubitat.com" just helped me find the vulnerability.

The real issue is being able to "set up" the hub once it's already been set up, on this URL: "http://<hub_ip_address>/getstarted".

Is there currently a way to skip the "getstarted" page if the hub has already been registered?

The hub knows if it has been registered, so I hope they just turn off the /getstarted page in this case to avoid this issue.

Of course, anyone on your local network can go to :8081 and reset your hub (since :8081 has effectively no security if you are on the same physical network). Then they'd be able to use /getstarted I suspect.

(basically: don't allow anyone you don't completely trust on your local network; e.g., use guest WiFi access)

1 Like

Thanks for showing me the 8081 port for the hub. I was playing around and it looks like most of the buttons in there require the user to know the MAC address. Is there a way to take over the device using the 8081 page that I'm not seeing?

Do a soft reset, and then go to the get started page.

1 Like

If you are on the same physical network as the hub, you can easily find its MAC address. Just use the "arp" command ("arp -a" on Windows, Linux, macOS, etc.) after you've connected to it.

1 Like

so in most cases insecure lol

Considering most people are behind a NAT, unless someone is directly connected to your LAN this is unlikely to happen.

1 Like

That's a good point. Thanks for showing me that command. The MAC address seems like a security design flaw.

For the next iterations maybe there should be a pin that is on the bottom of the physical device instead of using the mac address.

1 Like

Getting started logic has been tweaked in 2.3.1.132 release to prevent double registering the hub, among other things. During normal operation (unless the hub is soft reset), /getstarted will forward to the home page.

6 Likes
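A way for a hub owner to confirm the behaviour described above on their own hub: request /getstarted once without following redirects and report whether it forwards away (the 2.3.1.132 behaviour) or still serves the page. This is an added example, not Hubitat's code; the hub address is a placeholder and the verdict rules are this script's own assumption.

```python
"""Self-check: does the hub's /getstarted forward to the home page?

The thread above states that after 2.3.1.132, /getstarted forwards to
the home page during normal operation. This script makes one request
with redirects disabled and classifies the raw answer.
"""
import sys
import urllib.error
import urllib.request

HUB_IP = "192.168.1.50"  # placeholder (constructed): use your hub's LAN address


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx


def classify(status, location):
    """Verdict for a raw /getstarted response (rules assumed here).

    3xx away from /getstarted -> "ok"       (forwarded, fixed behaviour)
    3xx back into /getstarted -> "exposed"  (workflow still reachable)
    200                       -> "exposed"  (page still served)
    anything else             -> "unknown"  (inspect manually)
    """
    if 300 <= status < 400:
        return "exposed" if "getstarted" in (location or "").lower() else "ok"
    if status == 200:
        return "exposed"
    return "unknown"


def check_hub(ip, timeout=5):
    """Probe http://<ip>/getstarted once and return classify()'s verdict."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{ip}/getstarted", timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx (and 4xx/5xx) arrive here.
        return classify(err.code, err.headers.get("Location", ""))
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    print(check_hub(sys.argv[1] if len(sys.argv) > 1 else HUB_IP))
```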

As @gopher.ny mentioned above, the get started is now skipped automatically once you reach step 4 (after updating to version 2.3.1.132).

If you are concerned about someone on your local network accessing your hub, you could always password protect the hub via local security.

3 Likes

The MAC address is a failsafe mechanism to get a user access to their hub if they lock themselves out by forgetting their password.

And having said that, let me reiterate that this hub is not indicated for use as a home security appliance.

2 Likes

A pin that is printed on the bottom of the hub would be a better failsafe mechanism in case someone locks themselves out. Or having a reset button that someone could hold in order to reset would be ideal.

I wouldn't categorize this as a home security device, however being able to reset / take over a device simply because you're on the same network is a vulnerability. I don't believe other smart hubs can be taken over this easily.

2 Likes

Thanks for the quick response. I tested it and can verify that the "getstarted" page doesn't allow me to register the hub to a new account.

3 Likes